MebinBaby
New Member
December 3, 2020
Question

Windows Log Parsing Issue

  • December 3, 2020
  • 3 replies
  • 3104 views
Hi all,

I am facing a partial parsing issue with Windows logs. The Message and Device Hostname fields are not getting parsed. I am using the NxLog method to collect data into FortiSIEM. Can you point me to any documentation available on creating custom parsers? Any guidance will be appreciated.

Thanks in advance!

    3 replies

    AlexDC
    Explorer II
    December 4, 2020
    Hello Mebin,

    There are great resources provided by the Fortinet NSE Training Institute; see below.
    The NSE 7 Advanced Analytics 5.2 self-paced course is now released.
    This course should answer your questions; it was in a post a while back:
    https://fusecommunity.fortinet.com/groups/community-home/digestviewer/viewthread?MessageKey=f97db6da-06e7-46e4-b3eb-92f71e205418&CommunityKey=d8119bda-6fd9-4771-87ba-c34eb683ad51&tab=digestviewer#bmf97db6da-06e7-46e4-b3eb-92f71e205418

    I hope this helps.

    MebinBaby (Author)
    New Member
    December 4, 2020
    Thanks Alex!

    cdurkin_FTNT
    Staff
    December 8, 2020
    Hello Mebin

    Not sure if you have also tried using the "Snare" format as the export method in NxLog?

    RobertEvans
    New Member
    December 8, 2020
    I second this; the Snare format is parsed by FortiSIEM, so you can tell nxlog to send in that format.

    Replace your nxlog.conf file with this one, and then restart the nxlog service. Also specify the address of your collector as the log target instead of 1.1.1.1.

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    # FortiSIEM collector address and syslog port; replace 1.1.1.1 with your collector
    define OUTPUT_DESTINATION_ADDRESS 1.1.1.1
    define OUTPUT_DESTINATION_PORT 514
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
        Module xm_exec
    </Extension>

    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            Exec if (file_exists('%LOGFILE%') and \
                    (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Input internal>
        Module im_internal
    </Input>

    # Read the Application, System and Security channels from the Windows Event Log
    <Input eventlog>
        Module im_msvistalog
        Query <QueryList>\
                  <Query Id="0">\
                      <Select Path="Application">*</Select>\
                      <Select Path="System">*</Select>\
                      <Select Path="Security">*</Select>\
                  </Query>\
              </QueryList>
        # Drop the high-volume Windows Filtering Platform events 5156/5158
        Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
        Exec $HOSTNAME = hostname();
        # Snare uses tabs as field separators, so flatten tabs and line breaks inside the message
        Exec $Message =~ s/(\t|\R)/ /g;
    </Input>

    # Send to the collector over UDP syslog in Snare format
    <Output out>
        Module om_udp
        Host %OUTPUT_DESTINATION_ADDRESS%
        Port %OUTPUT_DESTINATION_PORT%
        Exec to_syslog_snare();
    </Output>

    <Route 1>
        Path eventlog, internal => out
    </Route>

    aido
    New Member
    November 12, 2024

    Dear RobertEvans,


    Sorry to bother you; I know it's been a while, but I too am using nxlog to send logs to FortiSIEM via Snare, and I'm experiencing the problem that nxlog sends the event to FortiSIEM with the tab replaced by the #011 characters and the carriage return by the #015 character. Does this happen to you too? It seems that FortiSIEM then does not handle the log.

    Thanks for your help.
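Added example (not code from any post in this thread) showing why the `Exec $Message =~ s/(\t|\R)/ /g;` line in RobertEvans' config matters and what aido is running into: Snare records are tab-delimited, so a receiver that gets literal `#011`/`#015` octal escapes instead of real control characters cannot split the record at all, and a tab that survives inside the message shifts every later column. The field layout, the `MSWinEventLog` header pattern and the sample event are constructed assumptions for this example, not taken from NXLog or FortiSIEM documentation.

```python
import re

# Field layout of a Snare-style Windows event line; constructed for this
# example (real NXLog to_syslog_snare output may carry extra trailing fields).
SNARE_FIELDS = ["header", "criticality", "channel", "counter", "timestamp",
                "event_id", "source", "user", "sid_type", "event_type",
                "computer", "category", "message"]

# Syslog-style octal escapes such as #011 (tab), #015 (CR), #012 (LF).
_OCTAL_ESCAPE = re.compile(r"#(0[0-7]{2})")
# "<PRI>Mon DD HH:MM:SS hostname MSWinEventLog" syslog header (assumed shape).
_HEADER = re.compile(r"<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (\S+) MSWinEventLog")

def unescape_octal(line: str) -> str:
    """Turn #NNN octal escapes back into the control characters they encode."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)

def parse_snare(line: str, unescape: bool = True) -> dict:
    """Split one Snare line on tabs; returns the fields plus a 'complete' flag."""
    if unescape:
        line = unescape_octal(line)
    parts = line.split("\t")
    rec = dict(zip(SNARE_FIELDS, parts))
    # A tab that survived inside the message adds extra columns; rejoin them
    # so the fixed columns (event id, computer, ...) stay aligned.
    if len(parts) > len(SNARE_FIELDS):
        rec["message"] = "\t".join(parts[len(SNARE_FIELDS) - 1:])
    rec["complete"] = len(parts) >= len(SNARE_FIELDS)
    if "message" in rec:
        rec["message"] = rec["message"].rstrip("\r\n")
    m = _HEADER.match(rec.get("header", ""))
    rec["hostname"] = m.group(1) if m else None
    return rec

# Constructed sample as a receiver might see it when the sender (or a relay)
# escaped control characters: no real tabs remain, only '#011' and '#015'.
ESCAPED_EVENT = (
    "<13>Dec 08 08:53:00 WIN-DC01 MSWinEventLog#0111#011Security#011123#011"
    "Tue Dec 08 08:53:00 2020#0114624#011Microsoft-Windows-Security-Auditing"
    "#011N/A#011N/A#011Success Audit#011WIN-DC01#011Logon"
    "#011An account was successfully logged on.#015"
)

if __name__ == "__main__":
    naive = parse_snare(ESCAPED_EVENT, unescape=False)
    fixed = parse_snare(ESCAPED_EVENT)
    print("naive split complete:", naive["complete"], "| event_id:", naive.get("event_id"))
    print("after unescape:", fixed["complete"], fixed["hostname"], fixed["event_id"])
```

Running it shows the escaped line collapsing into a single field until the octal escapes are undone, which is the failure mode aido describes; flattening tabs and line breaks on the sender, as the config above does, avoids the column-shift case entirely.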

    JoeSkinner
    New Member
    June 22, 2021
    NXLog uses the WinSyslogParser. Not parsing hostname is a bug that is fixed in 6.3. It also fixes the random hostnames placed in the Location and Identity table.

    MebinBaby (Author)
    New Member
    June 28, 2021
    Thanks Joe for the update. Appreciate it!

    -Mebin