Event Tracing for Windows (im_etw)
This module can be used to collect events through Event Tracing for Windows (ETW).
ETW is a mechanism in Windows designed for efficient logging of both kernel and user-mode applications. Debug and Analytical channels are based on ETW and cannot be collected as regular Windows Event Log channels via the im_msvistalog module. Various Windows services such as the Windows Firewall and DNS Server can be configured to log events through Windows Event Tracing.
The im_etw module reads event tracing data directly for maximum efficiency. Unlike other solutions, im_etw does not save ETW event data into intermediary trace files that need to be parsed again.
The im_etw module is only available on the Windows platform. |
Configuration
The im_etw module accepts the following directives in addition to the common module directives. It is required to specify one of File, KernelFlags, Provider, or Session directives.
Required directives
One of the following four directives must be specified for the module to start.
This optional directive can be used to specify a full path to a log file.
Supported file types have the
|
|||||
This directive specifies that kernel trace logs should be collected, and accepts a comma-separated list of flags to use for filtering the logs.
The following values are allowed:
|
|||||
This directive specifies the name (not GUID) of the ETW provider from which to collect trace logs.
Providers available for tracing can be listed by running the command
In addition to specifying a provider name, the Provider directive can also be used as a block directive, allowing multiple providers to be enabled within the same session. In this case, the following sub-directives can be used:
|
Optional directives
Optional directive.
Defaults to |
|
This optional directive specifies the log level for collecting trace events.
Because kernel log sessions do not provide log levels, this directive is only available in combination with the Provider directive.
Valid values include |
|
This optional directive is used for filtering ETW events based on keywords. Defaults to 0x00000000. For more information, see System ETW Provider Event Keyword-Level Settings in the Microsoft documentation. |
|
This optional directive is used for filtering Windows ETW events based on keywords. Defaults to 0x00000000. For more information, see System ETW Provider Event Keyword-Level Settings in the Microsoft documentation. |
|
This optional directive is used to specify whether DNS, UDP and TCP payloads from the $PacketData field should be parsed.
Defaults to |
|
This optional directive specifies the path to be set to the |
Fields
The following fields are used by im_etw.
Depending on the ETW provider from which NXLog collects trace logs, the set of fields generated by the im_etw module may slightly vary. In addition to the fields listed below, the module can generate special provider-specific fields. If the module is configured to collect trace logs from a custom provider (for example, from a custom user-mode application), the module will also generate fields derived from the custom provider trace logs.
$raw_event
(type: string)-
A list of event fields in key-value pairs.
$AccountName
(type: string)-
The username associated with the event.
$AccountType
(type: string)-
The type of the account. Possible values are:
User
,Group
,Domain
,Alias
,Well Known Group
,Deleted Account
,Invalid
,Unknown
, andComputer
.
$ActivityID
(type: string)-
The ID of the activity corresponding to the event.
$Category
(type: string)-
The name of a particular component of the provider.
$Channel
(type: string)-
The name of the channel where the event log was written to.
$ChannelID
(type: integer)-
The ID of the channel where the event log was written to.
$dns.*.class
(type: string)-
Field common to all Resource Records. Contains the class of the RR as string. The class has one of the following values:
IN (1) // Internet class IN_QU (32769) // Internet class with QU flag set to True CH (3) // Chaos class HS (4) // Hesiod class ANY (255) // ANY class
$dns.*.type
(type: string)-
Field common to all Resource Records. Contains the type of the RR as string. The type has one of the following values:
A (1) // IPv4 address record NS (2) // Name Server record MD (3) // Obsolete, replaced by MX MF (4) // Obsolete, replaced by MX CNAME (5) // Canonical name record SOA (6) // Start of Authority record MB (7) // mailbox domain name record MG (8) // mail group member record MR (9) // mail rename domain name record NULL_R (10) // NULL record WKS (11) // well known service description record PTR (12) // Pointer record HINFO (13) // Host information record MINFO (14) // mailbox or mail list information record MX (15) // Mail exchanger record TXT (16) // Text record RP (17) // Responsible person record AFSDB (18) // AFS database record X25 (19) // DNS X25 resource record ISDN (20) // Integrated Services Digital Network record RT (21) // Route Through record NSAP (22) // network service access point address record NSAP_PTR (23) // network service access point address pointer record SIG (24) // Signature record (RFC 2535) KEY (25) // Key record (RFC 2535) PX (26) // Mail Mapping Information record (RFC 1664) GPOS (27) // DNS Geographical Position record AAAA (28) // IPv6 address record LOC (29) // Location record NXT (30) // Obsolete record EID (31) // DNS Endpoint Identifier record NIMLOC (32) // DNS Nimrod Locator record SRV (33) // Service locator record (RFC 2052) ATMA (34) // Asynchronous Transfer Mode address record NAPTR (35) // Naming Authority Pointer record (RFC 2168) KX (36) // Key eXchanger record (RFC 2230) CERT (37) // Certificate record (RFC 2538) A6 (38) // Obsolete, replaced by AAAA type DNAM (39) // Delegation Name record (RFC 2672) SINK (40) // Kitchen sink record OPT (41) // Option record (RFC 2671) APL (42) // Address Prefix List record DS (43) // Delegation signer record SSHFP (44) // SSH Public Key Fingerprint record IPSECKEY (45) // IPsec Key record RRSIG (46) // DNSSEC signature record NSEC (47) // Next-Secure record DNSKEY (48) // DNS Key record DHCID (49) // DHCP identifier record NSEC3 (50) // NSEC record version 3 NSEC3PARAM (51) // NSEC3 parameters PTR_NAME (192) // 0xC0 - pointer to a name TKEY (249) // Transaction Key (RFC 2930) TSIG (250) // Transaction Signature (RFC 2845) IXFR (251) // IXFR (Incremental zone transfer) AXFR (252) // AXFR (Transfer of an entire zone) ALL (255) // All cached records CAA (257) // Certification Authority Authorization (RFC 6844)
$dns.additional
(type: string)-
A string dump of a JSON object, containing an array with the details of each DNS additional RR.
{ "dns.additional.name": <string>, "dns.additional.type": <string>, "dns.additional.class": <string>, "dns.additional.ttl": <integer>, // Time to live "dns.additional.data": <string>, // Data in a format specific to the DNS type }
$dns.answer
(type: string)-
A string dump of a JSON object, containing an array with the details of each DNS answer RR.
{ "dns.answer.name": <string>, "dns.answer.type": <string>, "dns.answer.class": <string>, "dns.answer.ttl": <integer>, // Time to live "dns.answer.data": <string>, // Data in a format specific to the DNS type }
$dns.flags.authentic_data
(type: boolean)-
DNS header flag. Authentic Data [RFC4035][RFC6840][RFC Errata 4924]
$dns.flags.checking_disabled
(type: boolean)-
DNS header flag. Checking Disabled [RFC4035][RFC6840][RFC Errata 4927]
$dns.flags.query_or_response
(type: boolean)-
DNS header flag. Indicates whether the DNS packet is a query ro a response
$dns.flags.truncated_response
(type: boolean)-
DNS header flag. Truncated Response [RFC1035]
$dns.id
(type: integer)-
An integer indicating the ID of the DNS packet.
$dns.mx.data.preference
(type: integer)-
An integer containing the MX Preference
$dns.opcode
(type: string)-
A string indicating the operation code of the DNS packet. The value is one of the following:
QUERY (0) Query [RFC1035] IQUERY (1) IQuery (Inverse Query, OBSOLETE) [RFC3425] STATUS (2) Status [RFC1035] UNASSIGNED (3) Status [RFC1035] NOTIFY (4) Notify [RFC1996] UPDATE (5) Update [RFC2136] DSO (6) DNS Stateful Operations (DSO) [RFC8490]
$dns.query
(type: string)-
A string dump of a JSON object, containing an array with the details of each DNS query RR.
{ "dns.query.name": <string>, // DNS Query Name (QNAME) "dns.query.type": <string>, "dns.query.class": <string>, }
$dns.response.code
(type: string)-
A string indicating the response code (RCODE) of the DNS packet. The value is one of the following:
NOERROR (0) No Error [RFC1035] FORMERR (1) Format Error [RFC1035] SERVFAIL (2) Server Failure [RFC1035] NXDOMAIN (3) Non-Existent Domain [RFC1035] NOTIMP (4) Not Implemented [RFC1035] REFUSED (5) Query Refused [RFC1035] YXDOMAIN (6) Name Exists when it should not [RFC2136][RFC6672] YXRRSET (7) RR Set Exists when it should not [RFC2136] NXRRSET (8) RR Set that should exist does not [RFC2136] NOTAUTH (9) Server Not Authoritative for zone [RFC2136] // Not Authorized [RFC8945] NOTZONE (10) Name not contained in zone [RFC2136] DSOTYPENI (11) DSO-TYPE Not Implemented [RFC8490] BADVERS_BADSIG (16) BADVERS - Bad OPT Version [RFC6891] // BADSIG - TSIG Signature Failure [RFC8945] BADKEY (17) Key not recognized [RFC8945] BADTIME (18) Signature out of time window [RFC8945] BADMODE (19) Bad TKEY Mode [RFC2930] BADNAME (20) Duplicate key name [RFC2930] BADALG (21) Algorithm not supported [RFC2930] BADTRUNC (22) Bad Truncation [RFC8945] BADCOOKIE (23) Bad/missing Server Cookie [RFC7873]
$dns.soa.data.auth_mailbox
(type: string)-
A string containing the DNS SOA type Responsible authority’s mailbox
$dns.soa.data.expire_limit
(type: string)-
A string containing the DNS SOA type Expire Limit
$dns.soa.data.min_ttl
(type: string)-
A string containing the DNS SOA type Minimum Time To Live
$dns.soa.data.name_server
(type: string)-
A string containing the DNS SOA type Primary name server
$dns.soa.data.refresh_interval
(type: string)-
A string containing the DNS SOA type Refresh Interval
$dns.soa.data.retry_interval
(type: string)-
A string containing the DNS SOA type Retry Interval
$dns.soa.data.serial_number
(type: string)-
A string containing the DNS SOA type Serial Number
$Domain
(type: string)-
The domain name of the user.
$EventID
(type: integer)-
The Event ID, corresponding to the provider, that indicates the type of event.
$EventTime
(type: datetime)-
The time when the event was generated.
$EventType
(type: string)-
One of
CRITICAL
,ERROR
,WARNING
,DEBUG
,AUDIT_FAILURE
,AUDIT_SUCCESS
, orINFO
.
$ExecutionProcessID
(type: integer)-
The ID of the process that generated the event.
$ExecutionThreadID
(type: integer)-
The ID of the thread that generated the event.
$Hostname
(type: string)-
The name of the system where the event was generated.
$Keywords
(type: string)-
A keyword bit mask corresponding to the current event.
$Level
(type: string)-
The level of the event that was generated.
$LevelValue
(type: string)-
An integer indicating the level of the event that was generated.
$Opcode
(type: string)-
The name of the operation corresponding to the event.
$OpcodeValue
(type: integer)-
An integer indicating the operation corresponding to the event.
$PacketData
(type: string)-
The UDP or TCP payload of DNS event data as HEX. ($ParsedPacketData) contains the human readable representation of this data.
$ParsedPacketData
(type: string)-
Human readable representation in JSON format of the data extracted by parsing the PacketData field.
$ProviderGuid
(type: string)-
The GUID of the trace provider, corresponding to the $SourceName.
$Severity
(type: string)-
The normalized severity name of the event. See $SeverityValue.
$SeverityValue
(type: integer)-
The normalized severity number of the event, mapped as follows.
Event Log Severity Normalized Severity 0/Audit Success
2/INFO
0/Audit Failure
4/ERROR
1/Critical
5/CRITICAL
2/Error
4/ERROR
3/Warning
3/WARNING
4/Information
2/INFO
5/Verbose
1/DEBUG
$SourceName
(type: string)-
The name of the trace provider.
$TaskValue
(type: integer)-
An integer indicating a particular component of the provider.
$Version
(type: integer)-
The version of the event type.
Examples
With this configuration, NXLog Agent will collect trace events from the Windows kernel.
Only events matching the PROCESS
and THREAD
flags will be collected.
<Input etw>
Module im_etw
KernelFlags PROCESS, THREAD
</Input>
With this configuration, NXLog Agent will collect events from the
Microsoft-Windows-Firewall
trace provider.
<Input etw>
Module im_etw
Provider Microsoft-Windows-Firewall
</Input>
With this configuration, NXLog Agent will collect events from the specified providers.
<Input etw>
Module im_etw
<Provider>
Name Microsoft-Windows-Firewall
Level Verbose
</Provider>
<Provider>
Name Microsoft-Windows-DNS-Client
Level Critical
</Provider>
<Provider>
Name Microsoft-Windows-Audit
Level Information
</Provider>
</Input>
With this configuration, NXLog Agent will collect events from the specified session.
<Input etw>
Module im_etw
Session DiagLog
</Input>
With this configuration, NXLog Agent will assign an event log level for a specified provider.
<Input etw>
Module im_etw
Provider Microsoft-Windows-DNS-Client
Level verbose
MatchAnyKeyword 0xFFFFFFFF
MatchAllKeyword 0x0
</Input>