Hi, I was playing with Sysmon today and found out that actually I was wrong here, the EventData portion is already supported. The missing piece is UserData, which is not relevant in this case afaik.
Below is a conf that extracts Sysmon logs into a file in JSON format:

########################################################
<Extension json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
    Exec if $SourceName !~ /Sysmon/ drop();
</Input>

<Output out>
    Module om_file
    Exec to_json();
    File "C:\\test\\sysmon.log"
</Output>

<Route 66>
    Path in => out
</Route>
########################################################

If you want to pass it on as syslog, you probably need this:

########################################################
<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    Exec if $SourceName !~ /Sysmon/ drop();
</Input>

<Output out>
    Module om_udp
    Exec $Message = to_json(); to_syslog_bsd();
    Host 1.2.3.4
    Port 1234
</Output>

<Route 66>
    Path in => out
</Route>
########################################################

Regards,
Botond

On Mon, 18 Aug 2014 13:05:11 +0200
Botond Botyanszki <b...@nxlog.org> wrote:

> Hi Ronny,
>
> I think this EventData part is not handled yet, the im_msvistalog module
> needs to be enhanced.
>
> Regards,
> Botond
>
> On Sat, 9 Aug 2014 11:06:27 +0200
> Ronny Vaningh <ro...@guard-it.be> wrote:
>
> > Hi
> >
> > I was just playing around with the new Sysmon tool from Sysinternals.
> >
> > It sticks all of its useful data in the EventData portion of the
> > Windows event log.
> >
> > I wanted to use im_msvistalog to forward Windows events to a central
> > syslog server, but it seems that it is not passing on any EventData
> > fields in the syslog message.
> >
> > What should I do in order to achieve this?
> >
> > Thanks
> >
> > Ronny
> >
> > <EventData>
> >   <Data Name="UtcTime">9/08/2014 8:56</Data>
> >   <Data Name="ProcessGuid">{00000000-E73A-53DF-0000-001xxxxx269A}</Data>
> >   <Data Name="ProcessId">9712</Data>
> >   <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
> >   <Data Name="User">xxxxxx</Data>
> >   <Data Name="Protocol">tcp</Data>
> >   <Data Name="SourceIsIpv6">false</Data>
> >   <Data Name="SourceIp">192.168.1.xx</Data>
> >   <Data Name="SourceHostname">xxxx</Data>
> >   <Data Name="SourcePort">46536</Data>
> >   <Data Name="SourcePortName" />
> >   <Data Name="DestinationIsIpv6">false</Data>
> >   <Data Name="DestinationIp">a.b.c.d</Data>
> >   <Data Name="DestinationHostname" />
> >   <Data Name="DestinationPort">443</Data>
> >   <Data Name="DestinationPortName">https</Data>
> > </EventData>
>
> _______________________________________________
> nxlog-ce-users mailing list
> nxlog-ce-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
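To check that the forwarded record really carries the EventData fields (the gap Ronny hit), here is an added Python example; it is not nxlog code and not from anyone in the thread. It flattens the Sysmon EventData XML quoted above into a JSON record the way the to_json() step would, wraps it in a BSD syslog line in the spirit of to_syslog_bsd(), parses that line back as a receiver would, and reports which expected Sysmon fields are missing. The sample XML is Ronny's (his placeholder values are kept); the required-field list, the hostname, the application name and the syslog facility/severity are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the Sysmon network-connection EventData quoted in the
# thread, with the poster's own placeholder values left in place.
SAMPLE_EVENTDATA_XML = """<EventData>
  <Data Name="UtcTime">9/08/2014 8:56</Data>
  <Data Name="ProcessGuid">{00000000-E73A-53DF-0000-001xxxxx269A}</Data>
  <Data Name="ProcessId">9712</Data>
  <Data Name="Image">C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe</Data>
  <Data Name="User">xxxxxx</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="SourceIsIpv6">false</Data>
  <Data Name="SourceIp">192.168.1.xx</Data>
  <Data Name="SourceHostname">xxxx</Data>
  <Data Name="SourcePort">46536</Data>
  <Data Name="SourcePortName" />
  <Data Name="DestinationIsIpv6">false</Data>
  <Data Name="DestinationIp">a.b.c.d</Data>
  <Data Name="DestinationHostname" />
  <Data Name="DestinationPort">443</Data>
  <Data Name="DestinationPortName">https</Data>
</EventData>"""

# Assumed list of EventData fields a network-connection record must carry for
# the syslog copy to be useful; adjust it to the Sysmon event IDs you collect.
REQUIRED_FIELDS = ["UtcTime", "Image", "User", "Protocol",
                   "SourceIp", "SourcePort", "DestinationIp", "DestinationPort"]


def eventdata_to_record(xml_text):
    """Flatten <EventData><Data Name=...>value</Data>... into a dict.

    Empty elements such as <Data Name="SourcePortName" /> become "" rather
    than being dropped, so a consumer can tell 'present but empty' from
    'missing', which is the distinction the thread is about.
    """
    root = ET.fromstring(xml_text)
    record = {}
    for data in root.findall("Data"):
        name = data.get("Name")
        if name:
            record[name] = (data.text or "").strip()
    return record


def to_syslog_bsd(record, hostname, appname="nxlog", facility=1, severity=6,
                  timestamp=None):
    """Wrap the JSON record in a BSD (RFC 3164 style) syslog line.

    PRI is facility*8 + severity; facility 1 (user) and severity 6 (info)
    are assumed defaults. The timestamp is "Mmm dd HH:MM:SS" with the day
    space-padded, as BSD syslog receivers expect.
    """
    ts = timestamp or datetime.now(timezone.utc)
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    pri = facility * 8 + severity
    payload = json.dumps(record, sort_keys=True)
    return "<%d>%s %s %s: %s" % (pri, stamp, hostname, appname, payload)


_SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$", re.S)


def parse_syslog_bsd(line):
    """Receiver side: split the BSD syslog line and decode the JSON payload."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:40])
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group(3), "app": m.group(4),
            "record": json.loads(m.group(5))}


def missing_fields(record, required=REQUIRED_FIELDS):
    """Return the required EventData fields absent from the record, sorted."""
    return sorted(f for f in required if f not in record)


def sample_syslog_line():
    """Build the syslog line for the sample event with a fixed timestamp."""
    rec = eventdata_to_record(SAMPLE_EVENTDATA_XML)
    return to_syslog_bsd(rec, "win-host", timestamp=datetime(2014, 8, 9, 8, 56, 0))


if __name__ == "__main__":
    line = sample_syslog_line()
    print(line)
    received = parse_syslog_bsd(line)
    print("missing EventData fields:", missing_fields(received["record"]) or "none")
```

Run it as-is to see the full line a receiver would get; a record that only carried the rendered Message text (the symptom in the thread) makes missing_fields() return the whole required list, which is the check to wire into whatever ingests the nxlog output.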