Event Log for Windows XP/2000/2003 (im_mseventlog)
This module can be used to collect Windows Event Log messages on Microsoft Windows platforms.
The module looks up the available log sources stored under the registry key SYSTEM\CurrentControlSet\Services\Eventlog
and polls logs from each of these sources or only the sources defined with the Sources directive.
To examine the supported platforms, see the list of installer packages in the Available Modules chapter. |
Windows Vista, Windows 2008, and later use a new Event Log API which is not backward compatible.
Messages in some events produced by sources in this new format cannot be resolved with the old API which is used by this module.
If such an event is encountered, a Though the majority of event messages can be read with this module even on Windows 2008/Vista and later, it is recommended to use the im_msvistalog module instead. |
Strings are stored in DLL and executable files and need to be read by the module when reading Windows Event Log messages. If a program (DLL/EXE) is already uninstalled and is not available for looking up a string, the following message will appear instead: The description for EventID XXXX from source SOURCE cannot be found. |
Configuration
The im_mseventlog module accepts the following directives in addition to the common module directives.
Optional directives
This optional boolean directive instructs the module to only read logs that arrive after NXLog is started.
This directive comes into effect if a saved position is not found, for example on the first start, or when the SavePos directive is The following matrix shows the outcome of this directive in conjunction with the SavePos directive:
|
|||||||||||||||||||||||||||||||||||||
If this boolean directive is set to |
|||||||||||||||||||||||||||||||||||||
This optional directive takes a comma-separated list of EventLog filenames, such as |
|||||||||||||||||||||||||||||||||||||
If this optional boolean directive is set to |
Fields
The following fields are used by im_mseventlog.
$raw_event
(type: string)-
A list of event fields in key-value pairs.
$AccountName
(type: string)-
The username associated with the event.
$AccountType
(type: string)-
The type of the account. Possible values are:
User
,Group
,Domain
,Alias
,Well Known Group
,Deleted Account
,Invalid
,Unknown
, andComputer
.
$Category
(type: string)-
The category name resolved from CategoryNumber.
$CategoryNumber
(type: integer)-
The category number, stored as Category in the EventRecord.
$Domain
(type: string)-
The domain name of the user.
$EventID
(type: integer)-
The event ID of the EventRecord.
$EventTime
(type: datetime)-
The TimeGenerated field of the EventRecord.
$EventTimeWritten
(type: datetime)-
The TimeWritten field of the EventRecord.
$EventType
(type: string)-
The type of the event, which is a string describing the severity. Possible values are:
ERROR
,AUDIT_FAILURE
,AUDIT_SUCCESS
,INFO
,WARNING
, andUNKNOWN
.
$FileName
(type: string)-
The logfile source of the event (for example,
Security
orApplication
).
$Hostname
(type: string)-
The host or computer name field of the EventRecord.
$Message
(type: string)-
The message from the event.
$RecordNumber
(type: integer)-
The number of the event record.
$Severity
(type: string)-
The normalized severity name of the event. See $SeverityValue.
$SeverityValue
(type: integer)-
The normalized severity number of the event, mapped as follows.
Event Log Severity Normalized Severity 0/Audit Success
2/INFO
0/Audit Failure
4/ERROR
1/Critical
5/CRITICAL
2/Error
4/ERROR
3/Warning
3/WARNING
4/Information
2/INFO
5/Verbose
1/DEBUG
$SourceName
(type: string)-
The event source which produced the event (the subsystem or application name).
Examples
This configuration collects Windows Event Log and forwards the messages to a remote host via TCP.
<Input eventlog>
Module im_mseventlog
</Input>
<Output tcp>
Module om_tcp
Host 192.168.1.1:514
</Output>
<Route eventlog_to_tcp>
Path eventlog => tcp
</Route>