Windows Event Logs

Windows natively provides a large amount of telemetry to the Chronicle platform, and this can be augmented further by adding Windows Sysmon to your fleet deployment.

Chronicle Data Types

  • EDR

Requirements

  • Chronicle Forwarder

Configuration

NxLog

While there are many ways to gather Windows logs, CYDERES recommends using NxLog to send Windows logs from strategic locations to a Chronicle Forwarder service. NxLog can natively read EVTX files and send the data over syslog in a structured format such as JSON. Chronicle will make full use of detailed events in the System, Security and Sysmon logs.

Configuration example:

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS <hostname>
define OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log


<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_tcp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route 1>
Path    eventlog => out
</Route>
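The configuration above emits one BSD syslog line per event, with the JSON produced by to_json() carried in the message part and the EventTime fields converted from microseconds to seconds. The following Python snippet is an added example (not part of this page, and not CYDERES or NxLog code) that a forwarder operator can use to sanity-check what arrives on the TCP port: it parses the syslog header, decodes the JSON body, and flags timestamps that are still in microseconds, which is the symptom when the two Exec conversion lines have been left out. The sample line, hostname and field values are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape the NxLog config above produces:
# <PRI>Mon DD HH:MM:SS host SourceName: {json from to_json()}
SAMPLE_LINE = (
    '<14>Mar 10 12:34:56 WIN-DC01 Microsoft-Windows-Security-Auditing: '
    '{"EventTime":1678451696,"EventReceivedTime":1678451697,'
    '"Hostname":"WIN-DC01","Channel":"Security","EventID":4624,'
    '"SourceName":"Microsoft-Windows-Security-Auditing",'
    '"TargetUserName":"jdoe","LogonType":"3"}'
)

# BSD syslog header as written by to_syslog_bsd(): PRI, RFC 3164 timestamp,
# hostname, then a tag (NxLog uses $SourceName) followed by ": " and the body.
BSD_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^:]+): '
    r'(?P<body>.*)$'
)

# Fields the Chronicle Forwarder side needs to see in every event.
REQUIRED_FIELDS = ("EventTime", "Hostname", "Channel", "EventID")

# Any epoch value above this is far in the future if read as seconds,
# so it is almost certainly still microseconds (conversion not applied).
MAX_PLAUSIBLE_SECONDS = 10**11


def timestamp_unit(value):
    """Return 'seconds' or 'microseconds' for an integer epoch value."""
    return "seconds" if int(value) < MAX_PLAUSIBLE_SECONDS else "microseconds"


def parse_line(line):
    """Parse one line emitted by the om_tcp output into its components.

    Returns a dict with facility, severity, hostname, tag, the decoded
    event, and event_time as a timezone-aware datetime. Raises ValueError
    if the header does not match or the body is not JSON.
    """
    m = BSD_HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not start with a BSD syslog header")
    pri = int(m.group("pri"))
    event = json.loads(m.group("body"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "event": event,
        "event_time": datetime.fromtimestamp(int(event["EventTime"]), tz=timezone.utc),
    }


def validate_event(event):
    """Return a list of problems found in a decoded event (empty = OK)."""
    problems = [f"missing field {f}" for f in REQUIRED_FIELDS if f not in event]
    for field in ("EventTime", "EventReceivedTime"):
        if field in event:
            if not isinstance(event[field], int):
                problems.append(f"{field} is not an integer; was integer() applied?")
            elif timestamp_unit(event[field]) == "microseconds":
                problems.append(f"{field} still in microseconds; divide by 1000000")
    return problems


if __name__ == "__main__":
    parsed = parse_line(SAMPLE_LINE)
    print(parsed["hostname"], parsed["event"]["Channel"], parsed["event"]["EventID"],
          parsed["event_time"].isoformat())
    print("problems:", validate_event(parsed["event"]) or "none")
```

Pointing the script at a capture of the forwarder's listening port (one line per record) gives a quick answer to the two questions that most often come up during onboarding: whether the syslog framing is intact, and whether EventTime arrives as epoch seconds rather than the raw microsecond value.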