1. Describe your incident:
I’m sending multiple Windows security events to Graylog with NXLog and I noticed that many of the XML values / data were not parsed. For my case here, I’m sending Windows Defender events.
I downloaded an EICAR virus test file to trigger event:
- XML View of Windows Event Log:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2023-07-18T10:23:39.6866841Z" />
<EventRecordID>3312</EventRecordID>
<Correlation ActivityID="{a3b23bd0-4d0c-4eb1-abbd-cf8687254432}" />
<Execution ProcessID="4052" ThreadID="11172" />
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>CLI-COMPANY01.company.lan</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Product Name">Antivirus Microsoft Defender</Data>
<Data Name="Product Version">4.18.23050.5</Data>
<Data Name="Detection ID">{C00260F7-2D6D-43CE-BC81-F870419F3A6F}</Data>
<Data Name="Detection Time">2023-07-18T10:23:39.675Z</Data>
<Data Name="Unused" />
<Data Name="Unused2" />
<Data Name="Threat ID">2147519003</Data>
<Data Name="Threat Name">Virus:DOS/EICAR_Test_File</Data>
<Data Name="Severity ID">5</Data>
<Data Name="Severity Name">Grave</Data>
<Data Name="Category ID">42</Data>
<Data Name="Category Name">Virus</Data>
<Data Name="FWLink">https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0</Data>
<Data Name="Status Code">1</Data>
<Data Name="Status Description" />
<Data Name="State">1</Data>
<Data Name="Source ID">4</Data>
<Data Name="Source Name">Téléchargements et pièces jointes</Data>
<Data Name="Process Name">Unknown</Data>
<Data Name="Detection User">COMPANY\username</Data>
<Data Name="Unused3" />
<Data Name="Path">containerfile:_C:\Users\username\Downloads\eicar_com.zip; file:_C:\Users\username\Downloads\eicar_com.zip->eicar.com; webfile:_C:\Users\username\Downloads\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:13452,ProcessStart:133341494195380145</Data>
<Data Name="Origin ID">4</Data>
<Data Name="Origin Name">Internet</Data>
<Data Name="Execution ID">0</Data>
<Data Name="Execution Name">Inconnu</Data>
<Data Name="Type ID">0</Data>
<Data Name="Type Name">Concret</Data>
<Data Name="Pre Execution Status">0</Data>
<Data Name="Action ID">9</Data>
<Data Name="Action Name">Non applicable</Data>
<Data Name="Unused4" />
<Data Name="Error Code">0x00000000</Data>
<Data Name="Error Description">L’opération a réussi.</Data>
<Data Name="Unused5" />
<Data Name="Post Clean Status">0</Data>
<Data Name="Additional Actions ID">0</Data>
<Data Name="Additional Actions String">No additional actions required</Data>
<Data Name="Remediation User" />
<Data Name="Unused6" />
<Data Name="Security intelligence Version">AV: 1.393.595.0, AS: 1.393.595.0, NIS: 1.393.595.0</Data>
<Data Name="Engine Version">AM: 1.1.23060.1005, NIS: 1.1.23060.1005</Data>
</EventData>
</Event>
- The Rendered view is:
- What is sent into Graylog:
{
"Task": 0,
"Keywords": -9223372036854776000,
"EventType": "WARNING",
"collector_node_id": "cli-company01",
"gl2_remote_ip": "192.168.1.108",
"gl2_remote_port": 57752,
"Opcode": "Informations",
"FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0",
"source": "CLI-company01.company.lan",
"gl2_source_input": "64a3c7a431459c203793e12c",
"SeverityValue": 3,
"Version": 0,
"UserID": "S-1-5-18",
"gl2_source_node": "3b147713-efd6-45b0-83e4-f3b8aeea69ef",
"ProcessID": 4052,
"timestamp": "2023-07-18T09:04:11.000Z",
"Path": "containerfile:_C:\\Users\\username\\Downloads\\eicar_com.zip; file:_C:\\Users\\username\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\username\\Downloads\\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:9492,ProcessStart:133341446508423306",
"gl2_accounted_message_size": 3040,
"OpcodeValue": 0,
"gl2_source_collector": "905560df-864f-4c8d-ae29-31a38d924f8f",
"SourceModuleType": "im_msvistalog",
"level": 4,
"ActivityID": "{BB5C768B-C181-4EE6-9D4E-39448041431B}",
"Channel": "Microsoft-Windows-Windows Defender/Operational",
"streams": [
"64b65479a69f204330b4b742"
],
"gl2_message_id": "01H5M3W9QR02DB0DA42ZYQAQJH",
"SourceName": "Microsoft-Windows-Windows Defender",
"Severity": "WARNING",
"message": "Antivirus Microsoft Defender a détecté un logiciel malveillant ou potentiellement indésirable.\r\n Pour plus d’informations, reportez-vous aux éléments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tNom : Virus:DOS/EICAR_Test_File\r\n \tID : 2147519003\r\n \tGravité : Grave\r\n \tCatégorie : Virus\r\n \tChemin : containerfile:_C:\\Users\\username\\Downloads\\eicar_com.zip; file:_C:\\Users\\username\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\username\\Downloads\\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:9492,ProcessStart:133341446508423306\r\n \tOrigine de la détection : Internet\r\n \tType de détection : Concret\r\n \tSource de détection : Téléchargements et pièces jointes\r\n \tUtilisateur : company\\username\r\n \tNom du processus : Unknown\r\n \tVersion de la veille de sécurité : AV: 1.393.595.0, AS: 1.393.595.0, NIS: 1.393.595.0\r\n \tVersion du moteur : AM: 1.1.23060.1005, NIS: 1.1.23060.1005",
"AccountType": "User",
"EventReceivedTime": "2023-07-18 11:04:13",
"SourceModuleName": "windows_defender",
"ProviderGuid": "{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}",
"full_message": "Antivirus Microsoft Defender a détecté un logiciel malveillant ou potentiellement indésirable.\r\n Pour plus d’informations, reportez-vous aux éléments suivants :\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tNom : Virus:DOS/EICAR_Test_File\r\n \tID : 2147519003\r\n \tGravité : Grave\r\n \tCatégorie : Virus\r\n \tChemin : containerfile:_C:\\Users\\username\\Downloads\\eicar_com.zip; file:_C:\\Users\\username\\Downloads\\eicar_com.zip->eicar.com; webfile:_C:\\Users\\username\\Downloads\\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:9492,ProcessStart:133341446508423306\r\n \tOrigine de la détection : Internet\r\n \tType de détection : Concret\r\n \tSource de détection : Téléchargements et pièces jointes\r\n \tUtilisateur : company\\username\r\n \tNom du processus : Unknown\r\n \tVersion de la veille de sécurité : AV: 1.393.595.0, AS: 1.393.595.0, NIS: 1.393.595.0\r\n \tVersion du moteur : AM: 1.1.23060.1005, NIS: 1.1.23060.1005",
"ThreadID": 9384,
"State": "1",
"EventID": 1116,
"_id": "10a28cc1-254a-11ee-9cea-0242ac150005",
"Domain": "AUTORITE NT",
"RecordNumber": 3302,
"AccountName": "Syst�me"
}
It seems that much of the XML data is not parsed, and so I don’t have the fields… I added some fields by filtering the Rendered message with regex, but it should not be done that way.
2. My sidecar configuration for Windows Defender events:
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
##### EXTENSION SECTION ########
<Extension logrotate>
Module xm_fileop
<Schedule>
When @daily
Exec file_cycle('%ROOT%\data\nxlog.log', 7);
</Schedule>
</Extension>
<Extension gelfExt>
Module xm_gelf
# Avoid truncation of the short_message field to 64 characters.
ShortMessageLength 65536
</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension xml>
Module xm_xml
</Extension>
##### INPUT SECTION ########
<Input windows_defender>
Module im_msvistalog
PollInterval 1
SavePos True
ReadFromLast True
<QueryXML>
<QueryList>
<!-- Inspired by Microsoft Documentation and/or IADGOV -->
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<!-- Modern Windows Defender event provider Detection events (1006-1009) and (1116-1119) -->
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID >= 1006 and EventID <= 1009) )]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[( (EventID >= 1116 and EventID <= 1119) )]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
##### OUTPUT SECTION ########
<Output gelf>
Module om_tcp
Host graylog.company.lan
Port 12202
OutputType GELF_TCP
<Exec>
# These fields are needed for Graylog
$gl2_source_collector = '${sidecar.nodeId}';
$collector_node_id = '${sidecar.nodeName}';
</Exec>
</Output>
##### REDIRECT SECTION ########
# Route the collected events to the GELF TCP output
#redirect some_name to output tcp
<Route route-1>
Path windows_defender => gelf
</Route>
3. What steps have you already taken to try and solve the problem?
I tried many methods:
- this sample: Sample NXLog Windows Collection configuration
- this guy having same issue: GELF TCP and RAW TCP - NXLOG and GRAYLOG
4. How can the community help?
How can I send the RAW XML data instead of the Rendered XML data?
Is there a way to tell NXLog to parse the logs correctly?
Thank you !
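Added here to show what a complete parse of the XML view above should yield (example code, not from the original post, NXLog or Graylog): a small Python parser that flattens the System and EventData sections and splits the compound Defender Path value. The embedded event is a constructed, trimmed copy of the EventID 1116 XML above with shortened paths; the output field names are my own choice, not NXLog's.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed copy of the EventID 1116 XML shown in the post.
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
<EventID>1116</EventID>
<Computer>CLI-COMPANY01.company.lan</Computer>
</System>
<EventData>
<Data Name="Threat ID">2147519003</Data>
<Data Name="Threat Name">Virus:DOS/EICAR_Test_File</Data>
<Data Name="Unused" />
<Data Name="Detection User">COMPANY\username</Data>
<Data Name="Path">containerfile:_C:\Users\u\Downloads\eicar_com.zip; file:_C:\Users\u\Downloads\eicar_com.zip->eicar.com; webfile:_C:\Users\u\Downloads\eicar_com.zip|https://secure.eicar.org/eicar_com.zip|pid:13452,ProcessStart:133341494195380145</Data>
</EventData>
</Event>"""

def parse_event(xml_text):
    """Flatten <System> (text and attributes) and every non-empty <Data Name=...>."""
    root = ET.fromstring(xml_text)
    fields = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]            # drop the namespace prefix
        if child.text and child.text.strip():
            fields[tag] = child.text.strip()
        for attr, value in child.attrib.items():    # e.g. ProviderName, ProviderGuid
            fields[tag + attr] = value
    for data in root.iterfind("e:EventData/e:Data", NS):
        if data.text:                               # skip 'Unused' and other empty placeholders
            fields[data.get("Name")] = data.text
    return fields

def split_defender_path(path):
    """Split Defender's compound Path ('kind:_value; ...'); the webfile entry also
    carries a '|'-separated download URL and 'pid:...,ProcessStart:...' context."""
    parts = {}
    for item in path.split("; "):
        kind, _, value = item.partition(":_")
        if kind != "webfile":
            parts[kind] = value
            continue
        parts["webfile"], parts["webfile_url"], proc = value.split("|", 2)
        for kv in proc.split(","):
            key, _, val = kv.partition(":")
            parts["webfile_" + key] = val
    return parts
```

Calling parse_event(SAMPLE_XML) returns the flat fields (Threat Name, Detection User, ...) that are missing from the Graylog message above, and split_defender_path(fields["Path"]) separates the container, the extracted file and the download URL so each can be indexed on its own.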