Thanks Alex !-------------------------------------------
Original Message:
Sent: Dec 04, 2020 08:26 AM
From: Alex D-C
Subject: Windows Log Parsing Issue

Hello Mebin,

there are great resources provided by Fortinet NSE Training Institute , see below
The NSE 7 Advanced Analytics 5.2 self-paced course is now released 
this course should answer your questions it was on a post a way back - 
https://fusecommunity.fortinet.com/groups/community-home/digestviewer/viewthread?MessageKey=f97db6da...

I hope this helps.
Original Message:
Sent: Dec 03, 2020 09:50 AM
From: Mebin Baby
Subject: Windows Log Parsing Issue

Hi all,

I am facing a partial parsing issue with windows logs. Message, Device Hostname fields are not getting parsed. I am using NxLog method to collect data to the FortiSIEM. Can you help me with any documentations available to create custom parsers? Any guidance will be appreciated.

Thanks in advance!

I second this, snare format is parsed by FortiSIEM, so you can tell nxlog to send in that format. 

Replace your nxlog.conf file with this one, and then restart the nxlog service. Also specify your log target of the collector instead of 1.1.1.1

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
define OUTPUT_DESTINATION_ADDRESS 1.1.1.1
define OUTPUT_DESTINATION_PORT 514
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Extension json>
Module xm_json
</Extension>


<Input internal>
Module im_internal
</Input>

<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
Exec $HOSTNAME=hostname();
Exec $Message =~ s/(\t|\R)/ /g;
</Input>


<Output out>
Module om_udp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec to_syslog_snare();
</Output>

<Route 1>
Path eventlog, internal => out
</Route>-------------------------------------------
Original Message:
Sent: Dec 08, 2020 08:53 AM
From: Chris Durkin
Subject: Windows Log Parsing Issue

Hello Mebin

Not sure if you have also tried using "Snare" format as the export method in NxLog?
Original Message:
Sent: Dec 03, 2020 09:50 AM
From: Mebin Baby
Subject: Windows Log Parsing Issue

Hi all,

I am facing a partial parsing issue with windows logs. Message, Device Hostname fields are not getting parsed. I am using NxLog method to collect data to the FortiSIEM. Can you help me with any documentations available to create custom parsers? Any guidance will be appreciated.

Thanks in advance!

Dear RobertEvans,

 

Sorry to bother you, I know it's been a while but I too am using nxlog to send logs to Fortisiem via snare, but I'm experiencing the problem that nxlog sends the event to Fortisiem replacing the #011 characters at the tab and the #015 character at the carriage return. Does this happen to you too? So it seems that the FortiSiem does not handle the log.

Thanks for your help.

Thanks Joe for the update. Appreciate it!

-Mebin-------------------------------------------
Original Message:
Sent: Jun 22, 2021 12:28 PM
From: Joe Skinner
Subject: Windows Log Parsing Issue

NXLog uses the WinSyslogParser.  Not parsing hostname is a bug that is fixed in 6.3.  It also fixes the random hostnames placed in the Location and Identity table.
Original Message:
Sent: Dec 03, 2020 09:50 AM
From: Mebin Baby
Subject: Windows Log Parsing Issue

Hi all,

I am facing a partial parsing issue with windows logs. Message, Device Hostname fields are not getting parsed. I am using NxLog method to collect data to the FortiSIEM. Can you help me with any documentations available to create custom parsers? Any guidance will be appreciated.

Thanks in advance!