NetXMS SYSLOG | Receiving windows events log

Started by AmberCoast, September 09, 2018, 09:32:37 AM


AmberCoast

Hi!

I've configured NetXMS to act as a central syslog server. Remote Ubuntu and CentOS machines are sending information and everything is displayed correctly.

Regarding Windows: I use the nxlog agent on a Windows Server 2016 machine.

Key configuration:

<Input in>
    Module  im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Processor proc>
   Module pm_transformer
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
   OutputFormat syslog_rfc5424
</Processor>

<Output udp>
   Module  om_udp
   Host    xx.xx.xx.xx
   Port    514
   Exec $raw_event = replace($raw_event,"\r\n"," ");
   Exec $raw_event = replace($raw_event,"\t"," ");
</Output>

<Route in_to_udp>
    Path    in => proc => udp
</Route>

Example of a syslog text message received:


1 2018-09-09T05:56:00.660046+00:00 EC2AMAZ-O9GPR2C - 752 - [NXLOG@14506 Keywords=""-9214364837600034816"" EventType=""AUDIT_SUCCESS"" EventID=""4776"" ProviderGuid=""{54849625-5478-4994-A5BA-3E3B0328C30D}"" Version=""0"" Task=""14336"" OpcodeValue=""0"" RecordNumber=""565505"" ActivityID=""{6F6FC6C1-1842-0000-06B6-D6784218D401}"" ThreadID=""8936"" Channel=""Security"" Category=""Credential Validation"" Opcode=""Info"" PackageName=""MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"" TargetUserName=""Administrator"" Workstation=""EC2AMAZ-O9GPR2C"" Status=""0x0"" EventReceivedTime=""1536472562"" SourceModuleName=""in"" SourceModuleType=""im_msvistalog""] The computer attempted to validate the credentials for an account.    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon Account: Administrator  Source Workstation: EC2AMAZ-O9GPR2C  Error Code: 0x0"


The Tag for such messages is marked as "1". Is there a way to configure the Tag to be some other received field?

Maybe there is a good template available for configuring nxlog WEF to work better with NetXMS? Should I use another output format there?

Thank you in advance.
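In the message quoted above the leading "1" is the RFC 5424 VERSION field; the fields that follow it are TIMESTAMP, HOSTNAME, APP-NAME ("-"), PROCID (752), MSGID ("-"), the structured-data element and then the free-text message. The following Python parser is an added example, not code from the post, NetXMS or nxlog; it splits such a line into those header fields, the NXLOG@14506 parameters and the message, and handles the no-structured-data case and escaped characters. The sample line is constructed from the fields quoted in the post, using standard RFC 5424 quoting.

```python
import re

# Constructed sample, mirroring the header and a few of the NXLOG@14506 fields
# quoted in the post (standard RFC 5424 quoting; PRI omitted as NetXMS shows it).
SAMPLE = ('1 2018-09-09T05:56:00.660046+00:00 EC2AMAZ-O9GPR2C - 752 - '
          '[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="4776" Channel="Security" '
          'TargetUserName="Administrator" Status="0x0"] '
          'The computer attempted to validate the credentials for an account.')

# HEADER = [<PRI>]VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER = re.compile(r'^(?:<\d{1,3}>)?(\d) (\S+) (\S+) (\S+) (\S+) (\S+) ')
PARAM = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')
nil = lambda v: None if v == '-' else v          # RFC 5424 NILVALUE

def split_sd(rest):
    """Split STRUCTURED-DATA from MSG; a ']' inside quotes must not end an element."""
    elements, i = [], 0
    if rest.startswith('-'):                     # NILVALUE: no structured data
        return elements, rest[1:].lstrip(' ')
    while i < len(rest) and rest[i] == '[':
        j, in_quote = i + 1, False
        while j < len(rest):
            c = rest[j]
            if in_quote and c == '\\':
                j += 2                           # skip the escaped character
                continue
            if c == '"':
                in_quote = not in_quote
            elif c == ']' and not in_quote:
                break
            j += 1
        elements.append(rest[i + 1:j])
        i = j + 1
    return elements, rest[i:].lstrip(' ')

def parse_rfc5424(line):
    """Return header fields, an SD-ID -> {param: value} map and MSG for one line."""
    m = HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header: %r' % line[:40])
    version, ts, host, app, procid, msgid = m.groups()
    elements, msg = split_sd(line[m.end():])
    sd = {}
    for body in elements:
        sd_id, _, params = body.partition(' ')
        # undo RFC 5424 escaping of '"', '\\' and ']' inside PARAM-VALUE
        sd[sd_id] = {k: re.sub(r'\\([\\"\]])', r'\1', v) for k, v in PARAM.findall(params)}
    return {'version': version, 'timestamp': ts, 'hostname': host, 'app_name': nil(app),
            'procid': nil(procid), 'msgid': nil(msgid), 'sd': sd, 'msg': msg}
```

Running `parse_rfc5424(SAMPLE)` shows the EventID, Channel and TargetUserName as separate keys under `sd['NXLOG@14506']`, which is the data a syslog receiver needs in order to use a field other than the VERSION "1" as the tag.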