NXLOG GELF - Windows Event Logs XML not all values parsed / fields created

1. Describe your incident:

I’m sending multiple Windows security events to Graylog with NXLOG and I noticed that many of the XML values / data were not parsed. In my case here, I’m sending Windows Defender events.

I downloaded an EICAR virus test file to trigger the event:

  • XML View of Windows Event Log:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" /> 
  <EventID>1116</EventID> 
  <Version>0</Version> 
  <Level>3</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2023-07-18T10:23:39.6866841Z" /> 
  <EventRecordID>3312</EventRecordID> 
  <Correlation ActivityID="{a3b23bd0-4d0c-4eb1-abbd-cf8687254432}" /> 
  <Execution ProcessID="4052" ThreadID="11172" /> 
  <Channel>Microsoft-Windows-Windows Defender/Operational</Channel> 
  <Computer>CLI-COMPANY01.company.lan</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
  <EventData>
  <Data Name="Product Name">Antivirus Microsoft Defender</Data> 
  <Data Name="Product Version">4.18.23050.5</Data> 
  <Data Name="Detection ID">{C00260F7-2D6D-43CE-BC81-F870419F3A6F}</Data> 
  <Data Name="Detection Time">2023-07-18T10:23:39.675Z</Data> 
  <Data Name="Unused" /> 
  <Data Name="Unused2" /> 
  <Data Name="Threat ID">2147519003</Data> 
  <Data Name="Threat Name">Virus:DOS/EICAR_Test_File</Data> 
  <Data Name="Severity ID">5</Data> 
  <Data Name="Severity Name">Grave</Data> 
  <Data Name="Category ID">42</Data> 
  <Data Name="Category Name">Virus</Data> 
  <Data Name="FWLink">https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0</Data> 
  <Data Name="Status Code">1</Data> 
  <Data Name="Status Description" /> 
  <Data Name="State">1</Data> 
  <Data Name="Source ID">4</Data> 
  <Data Name="Source Name">Téléchargements et pièces jointes</Data> 
  <Data Name="Process Name">Unknown</Data> 
  <Data Name="Detection User">COMPANY\username</Data> 
  <Data Name="Unused3" /> 
  <Data Name="Path">containerfile:_C:\Users\username\Downloads\eicar_com.zip; file:_C:\Users\username\Downloads\eicar_com.zip->eicar.com; webfile:_C:\Users\username\Downloads\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:13452,ProcessStart:133341494195380145</Data> 
  <Data Name="Origin ID">4</Data> 
  <Data Name="Origin Name">Internet</Data> 
  <Data Name="Execution ID">0</Data> 
  <Data Name="Execution Name">Inconnu</Data> 
  <Data Name="Type ID">0</Data> 
  <Data Name="Type Name">Concret</Data> 
  <Data Name="Pre Execution Status">0</Data> 
  <Data Name="Action ID">9</Data> 
  <Data Name="Action Name">Non applicable</Data> 
  <Data Name="Unused4" /> 
  <Data Name="Error Code">0x00000000</Data> 
  <Data Name="Error Description">L’opération a réussi.</Data> 
  <Data Name="Unused5" /> 
  <Data Name="Post Clean Status">0</Data> 
  <Data Name="Additional Actions ID">0</Data> 
  <Data Name="Additional Actions String">No additional actions required</Data> 
  <Data Name="Remediation User" /> 
  <Data Name="Unused6" /> 
  <Data Name="Security intelligence Version">AV: 1.393.595.0, AS: 1.393.595.0, NIS: 1.393.595.0</Data> 
  <Data Name="Engine Version">AM: 1.1.23060.1005, NIS: 1.1.23060.1005</Data> 
  </EventData>
  </Event>
  • The Rendered view is:

  • What is sent into Graylog:
{
  "Task": 0,
  "Keywords": -9223372036854776000,
  "EventType": "WARNING",
  "collector_node_id": "cli-company01",
  "gl2_remote_ip": "192.168.1.108",
  "gl2_remote_port": 57752,
  "Opcode": "Informations",
  "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Virus:DOS/EICAR_Test_File&amp;threatid=2147519003&amp;enterprise=0",
  "source": "CLI-company01.company.lan",
  "gl2_source_input": "64a3c7a431459c203793e12c",
  "SeverityValue": 3,
  "Version": 0,
  "UserID": "S-1-5-18",
  "gl2_source_node": "3b147713-efd6-45b0-83e4-f3b8aeea69ef",
  "ProcessID": 4052,
  "timestamp": "2023-07-18T09:04:11.000Z",
  "Path": "containerfile:_C:\\Users\\username\\Downloads\\eicar_com.zip; file:_C:\\Users\\username\\Downloads\\eicar_com.zip-&gt;eicar.com; webfile:_C:\\Users\\username\\Downloads\\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:9492,ProcessStart:133341446508423306",
  "gl2_accounted_message_size": 3040,
  "OpcodeValue": 0,
  "gl2_source_collector": "905560df-864f-4c8d-ae29-31a38d924f8f",
  "SourceModuleType": "im_msvistalog",
  "level": 4,
  "ActivityID": "{BB5C768B-C181-4EE6-9D4E-39448041431B}",
  "Channel": "Microsoft-Windows-Windows Defender/Operational",
  "streams": [
    "64b65479a69f204330b4b742"
  ],
  "gl2_message_id": "01H5M3W9QR02DB0DA42ZYQAQJH",
  "SourceName": "Microsoft-Windows-Windows Defender",
  "Severity": "WARNING",
  "message": "Antivirus Microsoft Defender a détecté un logiciel malveillant ou potentiellement indésirable.\r\n Pour plus d’informations, reportez-vous aux éléments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tNom : Virus:DOS/EICAR_Test_File\r\n \tID : 2147519003\r\n \tGravité : Grave\r\n \tCatégorie : Virus\r\n \tChemin : containerfile:_C:\\Users\\username\\Downloads\\eicar_com.zip; file:_C:\\Users\\username\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\username\\Downloads\\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:9492,ProcessStart:133341446508423306\r\n \tOrigine de la détection : Internet\r\n \tType de détection : Concret\r\n \tSource de détection : Téléchargements et pièces jointes\r\n \tUtilisateur : company\\username\r\n \tNom du processus : Unknown\r\n \tVersion de la veille de sécurité : AV: 1.393.595.0, AS: 1.393.595.0, NIS: 1.393.595.0\r\n \tVersion du moteur : AM: 1.1.23060.1005, NIS: 1.1.23060.1005",
  "AccountType": "User",
  "EventReceivedTime": "2023-07-18 11:04:13",
  "SourceModuleName": "windows_defender",
  "ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
  "full_message": "Antivirus Microsoft Defender a détecté un logiciel malveillant ou potentiellement indésirable.\r\n Pour plus d’informations, reportez-vous aux éléments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tNom : Virus:DOS/EICAR_Test_File\r\n \tID : 2147519003\r\n \tGravité : Grave\r\n \tCatégorie : Virus\r\n \tChemin : containerfile:_C:\\Users\\username\\Downloads\\eicar_com.zip; file:_C:\\Users\\username\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\username\\Downloads\\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:9492,ProcessStart:133341446508423306\r\n \tOrigine de la détection : Internet\r\n \tType de détection : Concret\r\n \tSource de détection : Téléchargements et pièces jointes\r\n \tUtilisateur : company\\username\r\n \tNom du processus : Unknown\r\n \tVersion de la veille de sécurité : AV: 1.393.595.0, AS: 1.393.595.0, NIS: 1.393.595.0\r\n \tVersion du moteur : AM: 1.1.23060.1005, NIS: 1.1.23060.1005",
  "ThreadID": 9384,
  "State": "1",
  "EventID": 1116,
  "_id": "10a28cc1-254a-11ee-9cea-0242ac150005",
  "Domain": "AUTORITE NT",
  "RecordNumber": 3302,
  "AccountName": "Système"
}

It seems that much of the XML data is not parsed, and so I don’t have the fields… I added some fields by filtering the rendered message with regex, but it should not be done that way.

2. My sidecar configuration for Windows Defender events:

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

##### EXTENSION SECTION ########

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
     </Schedule>
</Extension>


<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Extension xml>
    Module    xm_xml
</Extension>

##### INPUT SECTION ########

<Input windows_defender>
    Module    im_msvistalog
    PollInterval 1
    SavePos True
    ReadFromLast True
    
    <QueryXML>
        <QueryList>
         <!-- Inspired by Microsoft Documentation and/or IADGOV -->
            <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
                <!-- Modern Windows Defender event provider Detection events (1006-1009) and (1116-1119) -->
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID &gt;= 1006 and EventID &lt;= 1009) )]]</Select>
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID &gt;= 1116 and EventID &lt;= 1119) )]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>


##### OUTPUT SECTION ########


<Output gelf>
    Module      om_tcp
    Host        graylog.company.lan
    Port        12202
    OutputType  GELF_TCP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
    </Exec>
</Output>


##### REDIRECT SECTION ########

# Tells the logged file to be redirected to the GELF TCP input

#redirect some_name to output tcp
<Route route-1>
  Path windows_defender => gelf
</Route>

3. What steps have you already taken to try and solve the problem?

I tried many methods:

4. How can the community help?

How can I send the raw XML data instead of the rendered XML data?
Is there a way to tell NXLOG to parse the logs correctly?

Thank you !

Hey @s0p4L1N

You should be able to use only to_xml() to forward the logs to Graylog.

Here is also a good example of someone using NXLog, with a suggestion.

https://nxlog.co/community-forum/t/184-sending-xml-file-to-syslog-receiver
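Added example, not part of this thread and not NXLOG's or Graylog's code: a Python parser over a constructed sample trimmed from the event 1116 in the question. It flattens `<System>` and the whole `<EventData>` block into GELF 1.1 fields, decodes the XML entities exactly once (the Graylog document in the question still carries `&amp;` in FWLink and `-&gt;` in Path), skips the empty `Unused` placeholders, and lists the `Data` names that are not plain identifiers. Comparing that list with the Graylog document in the question shows that the fields that did arrive (Path, FWLink, State) are exactly the ones whose names contain no spaces. The field-name rewrite rule, the `LEVEL_MAP` and the sample itself are assumptions made for the example.

```python
"""Flatten a Windows Event Log XML record into GELF 1.1 fields.
Added example, not code from the forum post, NXLOG or Graylog. The
<Data Name="..."> names with spaces ("Threat Name", "Detection User")
are the ones absent from the Graylog document in the question."""
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Assumed mapping of Windows Level to syslog/GELF level (Level 3 -> 4,
# matching the "level": 4 in the question's Graylog document).
LEVEL_MAP = {1: 2, 2: 3, 3: 4, 4: 6, 5: 7}

# Constructed sample, trimmed from the Defender event 1116 in the question.
# FWLink is written with &amp; so the XML is well-formed; the Event Viewer
# copy in the question shows a bare '&', which a strict XML parser rejects.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}"/>
    <EventID>1116</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="2023-07-18T10:23:39.6866841Z"/>
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>CLI-COMPANY01.company.lan</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData>
    <Data Name="Product Name">Antivirus Microsoft Defender</Data>
    <Data Name="Unused"/>
    <Data Name="Threat ID">2147519003</Data>
    <Data Name="Threat Name">Virus:DOS/EICAR_Test_File</Data>
    <Data Name="Severity ID">5</Data>
    <Data Name="FWLink">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Virus:DOS/EICAR_Test_File&amp;threatid=2147519003&amp;enterprise=0</Data>
    <Data Name="Detection User">COMPANY\username</Data>
    <Data Name="Path">containerfile:_C:\Users\username\Downloads\eicar_com.zip; file:_C:\Users\username\Downloads\eicar_com.zip-&gt;eicar.com</Data>
  </EventData>
</Event>"""


def safe_field_name(name):
    """Rewrite an EventData Name into an identifier-safe field name
    ('Threat Name' -> 'Threat_Name'); the rewrite rule is an assumption."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name.strip())


def invalid_field_names(xml_text):
    """Data names that are not plain identifiers (spaces, punctuation)."""
    root = ET.fromstring(xml_text)
    return [d.get("Name") for d in root.iterfind("e:EventData/e:Data", NS)
            if d.get("Name") and not IDENT.fullmatch(d.get("Name"))]


def win_time_to_epoch(system_time):
    """'2023-07-18T10:23:39.6866841Z' (7 fractional digits) -> UNIX seconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", system_time)
    if not m:
        raise ValueError("unexpected SystemTime: %r" % system_time)
    whole = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    frac = float("0." + m.group(2)) if m.group(2) else 0.0
    return whole.replace(tzinfo=timezone.utc).timestamp() + frac


def parse_event(xml_text):
    """Flatten <System> and every named, non-empty <Data> into one dict.
    The XML parser decodes &amp; and &gt; once, so nothing is double-escaped."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Level": int(system.findtext("e:Level", default="4", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Hostname": system.findtext("e:Computer", namespaces=NS),
        "EventTime": system.find("e:TimeCreated", NS).get("SystemTime"),
        "SourceName": system.find("e:Provider", NS).get("Name"),
        "ProviderGuid": system.find("e:Provider", NS).get("Guid"),
        "UserID": system.find("e:Security", NS).get("UserID"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        name, value = data.get("Name"), (data.text or "").strip()
        if not name or not value:
            continue  # unnamed or empty ("Unused") placeholders carry nothing
        fields[safe_field_name(name)] = value
    return fields


def to_gelf(xml_text):
    """Build a GELF 1.1 message; additional fields must be prefixed with '_'."""
    f = parse_event(xml_text)
    msg = {
        "version": "1.1",
        "host": f["Hostname"],
        "short_message": "EventID %d: %s" % (f["EventID"], f.get("Threat_Name", "")),
        "timestamp": win_time_to_epoch(f["EventTime"]),
        "level": LEVEL_MAP.get(f["Level"], 6),
    }
    for key, value in f.items():
        msg["_" + key] = value
    return msg


if __name__ == "__main__":
    print(json.dumps(to_gelf(SAMPLE_EVENT), indent=2))
```

Running the script prints the GELF document for the sample; Graylog's GELF input strips the leading underscore from additional fields, so `_Threat_Name` shows up as `Threat_Name` in the message. Feeding the question's full event through `invalid_field_names()` gives a quick checklist of which `Data` names a field-name-restricted collector would need rewritten before they can be indexed.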
