Event Log for Windows XP/2000/2003 (im_mseventlog)

This module can be used to collect Windows Event Log messages on Microsoft Windows platforms. The module looks up the available log sources stored under the registry key SYSTEM\CurrentControlSet\Services\Eventlog and polls logs from each of these sources or only the sources defined with the Sources directive.

To examine the supported platforms, see the list of installation packages.

Windows Vista, Windows 2008, and later use a new Event Log API which is not backward compatible. Messages in some events produced by sources in this new format cannot be resolved with the old API which is used by this module. If such an event is encountered, a $Message similar to the following will be set:

The description for EventID XXXX from source SOURCE cannot be read by im_mseventlog because this does not support the newer WIN2008/Vista EventLog API. Consider using the im_msvistalog module instead.

Though the majority of event messages can be read with this module even on Windows 2008/Vista and later, it is recommended to use the im_msvistalog module instead.

Event message strings are stored in DLL and executable files, and the module must read them from those files when it formats Windows Event Log messages. If the program (DLL/EXE) that owns a string has already been uninstalled and is not available for lookup, the following message will appear instead:

The description for EventID XXXX from source SOURCE cannot be found.

Configuration

The im_mseventlog module accepts the following directives in addition to the common module directives.

Optional directives

ReadFromLast

This optional boolean directive instructs the module on where to start reading events from the log source. Reading all events can result in a lot of messages and is usually not the expected behavior.

When TRUE, NXLog Agent will only read events logged after NXLog Agent started, unless SavePos is TRUE and a saved position for this log source is found in the cache file.
When FALSE, NXLog Agent will read all events in the log source from the start, unless SavePos is TRUE and a saved position for this log source is found in the cache file.
If the ReadFromLast directive is not specified, it defaults to TRUE.

The following matrix shows the outcome of this directive in conjunction with the SavePos directive:

ReadFromLast | SavePos | Saved position | Outcome
-------------|---------|----------------|---------------------------------------------------------
TRUE         | TRUE    | Yes            | Reads events from the saved position.
TRUE         | TRUE    | No             | Reads events that are logged after NXLog Agent is started.
TRUE         | FALSE   | Yes            | Reads events that are logged after NXLog Agent is started.
TRUE         | FALSE   | No             | Reads events that are logged after NXLog Agent is started.
FALSE        | TRUE    | Yes            | Reads events from the saved position.
FALSE        | TRUE    | No             | Reads all events.
FALSE        | FALSE   | Yes            | Reads all events.
FALSE        | FALSE   | No             | Reads all events.

NOTE

The SavePos directive can be overridden by the global NoCache directive. If NoCache is TRUE, the SavePos directive is considered to be FALSE.

SavePos

This optional boolean directive instructs the module whether to save the position of the last read event before NXLog Agent exits. On the next startup, NXLog Agent will try to read the saved position from the cache file. This directive in conjunction with the ReadFromLast directive allows for resuming reading events directly from the saved position.

When TRUE, the position of the last read event is saved and will be read from the cache file upon startup.
If this directive is not specified, it defaults to TRUE.

This directive can be overridden by the global NoCache directive. If NoCache is TRUE, the SavePos directive is considered to be FALSE.

Sources

This optional directive takes a comma-separated list of EventLog filenames, such as Security, Application, to select specific EventLog sources for reading. If this directive is not specified, then all available Windows Event Log sources are read (as listed in the registry). This directive should not be confused with the $SourceName field contained within Windows Event Log; it is not a list of such names. The EventLog filename an event was read from is stored in the $FileName field.

UTF8

If this optional boolean directive is set to TRUE, all strings will be converted to UTF-8 encoding. Internally this calls the convert_fields procedure. The xm_charconv module must be loaded for the character set conversion to work. The default is TRUE, but conversion will only occur if the xm_charconv module is loaded, otherwise strings will be in the local codepage.
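The following configuration is an added example, not taken from the NXLog documentation or the product's own examples. It combines the optional directives described above: it restricts collection to two EventLog files with Sources, reads the full history on first start and then resumes from the cache (ReadFromLast FALSE with SavePos TRUE), loads xm_charconv so that UTF8 conversion actually takes place, and keeps only failed audits and errors for a detection pipeline. The choice of Security and System as sources and the output file path are assumptions made for this example.

```nxlog
# Required for the UTF8 directive to have any effect; without it,
# strings stay in the local codepage.
<Extension charconv>
    Module        xm_charconv
</Extension>

<Input eventlog>
    Module        im_mseventlog
    # EventLog file names (as found under
    # SYSTEM\CurrentControlSet\Services\Eventlog), not $SourceName values.
    # Assumed selection for this example.
    Sources       Security, System
    # Read the whole log the first time the agent runs; on later starts the
    # saved position from the cache file takes precedence (see the matrix
    # above). The global NoCache directive, if TRUE, would disable this.
    ReadFromLast  FALSE
    SavePos       TRUE
    # Convert strings to UTF-8 through xm_charconv (loaded above).
    UTF8          TRUE
    # Forward only audit failures and errors; drop everything else.
    Exec          if ($EventType != 'AUDIT_FAILURE') and ($EventType != 'ERROR') drop();
</Input>

<Output file>
    Module        om_file
    # Assumed destination path for this example.
    File          'C:\nxlog\data\eventlog_alerts.log'
</Output>

<Route eventlog_to_file>
    Path          eventlog => file
</Route>
```

Because ReadFromLast is FALSE here, the first start after deployment will replay every retained event in the selected logs, which on a busy Security log can be a large volume; the Exec filter limits what is actually written. Once a position has been cached, subsequent restarts resume from it regardless of the ReadFromLast value.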

Fields

The following fields are used by im_mseventlog.

$raw_event (type: string)

A list of event fields in key-value pairs.

$AccountName (type: string)

The username associated with the event.

$AccountType (type: string)

The type of the account. Possible values are: User, Group, Domain, Alias, Well Known Group, Deleted Account, Invalid, Unknown, and Computer.

$Category (type: string)

The category name resolved from CategoryNumber.

$CategoryNumber (type: integer)

The category number, stored as Category in the EventRecord.

$Domain (type: string)

The domain name of the user.

$EventID (type: integer)

The event ID of the EventRecord.

$EventTime (type: datetime)

The TimeGenerated field of the EventRecord.

$EventTimeWritten (type: datetime)

The TimeWritten field of the EventRecord.

$EventType (type: string)

The type of the event, which is a string describing the severity. Possible values are: ERROR, AUDIT_FAILURE, AUDIT_SUCCESS, INFO, WARNING, and UNKNOWN.

$FileName (type: string)

The logfile source of the event (for example, Security or Application).

$Hostname (type: string)

The host or computer name field of the EventRecord.

$Message (type: string)

The message from the event.

$RecordNumber (type: integer)

The number of the event record.

$Severity (type: string)

The normalized severity name of the event. See $SeverityValue.

$SeverityValue (type: integer)

The normalized severity number of the event, mapped as follows.

Event Log Severity | Normalized Severity
-------------------|--------------------
0/Audit Success    | 2/INFO
0/Audit Failure    | 4/ERROR
1/Critical         | 5/CRITICAL
2/Error            | 4/ERROR
3/Warning          | 3/WARNING
4/Information      | 2/INFO
5/Verbose          | 1/DEBUG

$SourceName (type: string)

The event source which produced the event (the subsystem or application name).

Examples

Example 1. Forwarding EventLogs from a Windows Machine to a Remote Host

This configuration collects Windows Event Log and forwards the messages to a remote host via TCP.

nxlog.conf
<Input eventlog>
    Module      im_mseventlog
</Input>

<Output tcp>
    Module      om_tcp
    Host        192.168.1.1:514
</Output>

<Route eventlog_to_tcp>
    Path        eventlog => tcp
</Route>