NXLog Documentation

Microsoft System Center Endpoint Protection

Microsoft System Center Endpoint Protection (SCEP) is an enterprise anti-virus and anti-malware product, including a Windows Firewall manager. SCEP (formerly Forefront) is part of System Center, a workflow management solution for Windows-based IT environments. For more information, see the Endpoint Protection documentation on Microsoft Docs.

Microsoft SCEP writes events to Windows Event Log, file-based logs, and a Microsoft SQL Server database. All of these can be collected and parsed with NXLog.

Microsoft System Center Endpoint Protection events in Windows Event Log

Microsoft SCEP events include custom data in the EventData field, as shown below. Unfortunately, all the values are labeled as Data, making it difficult to process by a SIEM or log analytics platform. However, with NXLog, you can parse this data with a regular expression and assign meaningful field names to enrich the log records before forwarding them to their destination.

EventData field sample
<Data>%%830</Data>
<Data>1.5.1937.0</Data>
<Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data>
<Data>10</Data>
<Data>%%843</Data>
<Data></Data>
<Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
<Data>DOMAIN</Data>
<Data>admin</Data>
<Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data>
<Data>EICAR_Test_File</Data>
<Data>2147519003</Data>
<Data>5</Data>
<Data>42</Data>
<Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=EICAR_Test_File&amp;threatid=2147519003</Data>
<Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data>
<Data></Data>
<Data></Data>
<Data>4</Data>
<Data>%%814</Data>
<Data>0</Data>
<Data>%%823</Data>
<Data></Data>
<Data></Data>
<Data>Severe</Data>
<Data>Virus</Data>
<Data></Data>
<Data></Data>
Example 1. Collecting and parsing Microsoft Forefront (FCSAM) logs from Windows Event Log

This configuration uses the im_msvistalog module to collect FCSAM client logs from Windows Event Log. This module parses the events resulting in an $EventData field containing all <Data> entries, as explained above.

Several regular expressions are defined to extract values from the $EventData field based on the event ID. The regular expressions use named capturing groups to assign values to fields depending on their position. For example, <Data>1.5.1937.0</Data> will be parsed into a $ClientVersion field with the value 1.5.1937.0.

This example includes regular expressions for parsing event IDs 3004, 3005, 5007, 5008, 1000, 1001, 1002, 1006, and 1007. Fields that are empty or do not contain valuable information are ignored. You can further enhance the configuration by adding more regular expressions to parse other FCSAM client events, parsing multiple event IDs with a single regular expression, or splitting the parsing of an event into multiple regular expressions.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

define FCSAMEvents  3004, 3005, 5007, 5008, 1000, 1001, 1002, 1006, 1007

define EventID_3004_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data><\/Data> \
    <Data>(?<ProcessName>(\w{1}:\\.*\.exe))<\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
    <Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>(?<Severity>(\w+))<\/Data> \
    <Data>(?<Category>(\w+))<\/Data>/

define EventID_3005_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
    <Data><\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d+<\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data><\/Data> \
    <Data>(?<Severity>(\w+))<\/Data> \
    <Data>(?<Category>(\w+))<\/Data>/

define EventID_1000-1002_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data>/

define EventID_5007_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<Old_value>.*)<\/Data> \
    <Data>(?<New_value>.*)<\/Data> \
    <Data><\/Data> \
    <Data><\/Data>/

define EventID_5008_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<Resource>file(.*))<\/Data> \
    <Data>\d{1} /

define EventID_1006_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> \
    <Data>(?<PathFound>(file:\w{1}:.*\.\w{2,4}))<\/Data> /

define EventID_1007_REGEX /(?x) \
    <Data>(?<ClientVersion>(\d+\.\d+\.\d+\.\d+))<\/Data> \
    <Data>(?<ScanID>(\{[\d\w\-]+\}))<\/Data> \
    <Data>\d+<\/Data> \
    <Data>\%\%\d{3}<\/Data> \
    <Data>\d+<\/Data> \
    <Data><\/Data> \
    <Data>(?<Domain>([\w\d]+))<\/Data> \
    <Data>(?<User>([\w\d]+))<\/Data> \
    <Data>(?<SID>(S-[\d\-]+))<\/Data> \
    <Data>(?<Filename>.*)<\/Data> \
    <Data>(?<ID>(\d{9,11}))<\/Data> \
    <Data>(?<SeverityID>(\d{1,2}))<\/Data> \
    <Data>(?<CategoryID>(\d{1,3}))<\/Data> \
    <Data>(?<FWLink>(http.*id=\d{10}))<\/Data> /

<Input scep_fcsam>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">
                    *[System[Provider[@Name='FCSAM']]]</Select>
                <Select Path="Security">*[System[Provider[@Name='FCSAM']]]</Select>
                <Select Path="System">*[System[Provider[@Name='FCSAM']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        #Drop events not defined in FCSAMEvents
        if ($EventID NOT IN (%FCSAMEvents%)) drop();

        #1. Regex for EventID==3004 event in $EventData section.
        else if ($EventID == 3004)
        $EventData =~ %EventID_3004_REGEX%;

        #2. Regex for EventID==3005 event in $EventData section.
        else if ($EventID == 3005)
        $EventData =~ %EventID_3005_REGEX%;

        #3. Regex for 1000-1002 event in $EventData section.
        else if ($EventID IN (1000, 1001, 1002))
        $EventData =~ %EventID_1000-1002_REGEX%;

        #4. Regex for EventID==5007 event in $EventData section.
        else if ($EventID == 5007)
        $EventData =~ %EventID_5007_REGEX%;

        #5. Regex for EventID==5008 event in $EventData section.
        else if ($EventID == 5008)
        $EventData =~ %EventID_5008_REGEX%;

        #6. Regex for EventID==1006 event in $EventData section.
        else if ($EventID == 1006)
        $EventData =~ %EventID_1006_REGEX%;

        #7. Regex for EventID==1007 event in $EventData section.
        else if ($EventID == 1007)
        $EventData =~ %EventID_1007_REGEX%;

        to_json();
    </Exec>
</Input>
Event sample
{
  "EventTime": "2019-01-11T12:19:22.000000+01:00",
  "Hostname": "Host.DOMAIN.local",
  "Keywords": "36028797018963968",
  "EventType": "WARNING",
  "SeverityValue": 3,
  "Severity": "Severe",
  "EventID": 3004,
  "SourceName": "FCSAM",
  "TaskValue": 0,
  "RecordNumber": 11595,
  "ExecutionProcessID": 0,
  "ExecutionThreadID": 0,
  "Channel": "System",
  "Message": "Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.\r\n For more information please see the following:\r\nhttp://go.microsoft.com/fwlink/?linkid=37020&name=EICAR_Test_File&threatid=2147519003\r\n \tScan ID: {92224018-9446-4C2D-AFCB-EC4456B8859E}\r\n \tAgent: On Access\r\n \tUser: DOMAIN\\admin\r\n \tName: EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath Found: file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt\r\n \tAlert Type: \r\n \tProcess Name: C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n \tDetection Type: Concrete\r\n \tStatus: Suspend",
  "Opcode": "Info",
  "EventData": "<Data>%%830</Data><Data>1.5.1937.0</Data><Data>{92224018-9446-4C2D-AFCB-EC4456B8859E}</Data><Data>10</Data><Data>%%843</Data><Data></Data><Data>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data><Data>DOMAIN</Data><Data>admin</Data><Data>S-1-5-21-314323950-2314161084-4234690932-1002</Data><Data>EICAR_Test_File</Data><Data>2147519003</Data><Data>5</Data><Data>42</Data><Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=EICAR_Test_File&amp;threatid=2147519003</Data><Data>file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt</Data><Data></Data><Data></Data><Data>4</Data><Data>%%814</Data><Data>0</Data><Data>%%823</Data><Data></Data><Data></Data><Data>Severe</Data><Data>Virus</Data><Data></Data><Data></Data>",
  "EventReceivedTime": "2019-01-11T12:19:22.883100+01:00",
  "SourceModuleName": "scep_fcsam",
  "SourceModuleType": "im_msvistalog",
  "Category": "Virus",
  "CategoryID": "42",
  "ClientVersion": "1.5.1937.0",
  "FWLink": "http://go.microsoft.com/fwlink/?linkid=37020&amp;name=EICAR_Test_File&amp;threatid=2147519003",
  "Filename": "EICAR_Test_File",
  "ID": "2147519003",
  "PathFound": "file:C:\\Users\\admin\\Downloads\\eicar.com(2).txt",
  "ProcessName": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
  "SID": "S-1-5-21-314323950-2314161084-4234690932-1002",
  "ScanID": "{92224018-9446-4C2D-AFCB-EC4456B8859E}",
  "SeverityID": "5",
  "User": "DOMAIN \\ admin"
}

Collecting Microsoft SCEP log files

The SCEP client creates log files in the %allusersprofile%\Microsoft\Microsoft Antimalware\Support directory. Logging in these files provides information about:

  • Definition updates

  • Malware detection

  • Monitoring alerts

MPDetection log sample
2019-06-08T13:35:31.153Z Service started - System Center Endpoint Protection \
(DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)
MPLog log sample
2019-05-31T17:15:17.383Z Process scan (postsignatureupdatescan) started.
Signature updated via MMPC on 05-31-2019 19:15:17

In addition, you can also find SCEP client installation logs in %allusersprofile%\Microsoft\Microsoft Security Client\Support.

EppSetup log sample
SUCCESS	2019/05/31 19:12:05:782 TID:4700 PID:4692
Setup ended successfully with result: The operation completed successfully.   [00000000] 
MSSecurityClient_Setup log sample
=== Verbose logging stopped: 5/31/2019  19:11:59 ===
MSI (s) (28:2C) [19:11:59:329]: Destroying RemoteAPI object.
Example 2. Collecting and parsing Microsoft System Center Endpoint Protection log files

The following configuration uses the im_file input module to collect Microsoft SCEP logs. Since the SCEP client writes log files in the UTF-16LE character encoding, the xm_charconv extension module is used to convert the input to UTF-8.

nxlog.conf
<Extension charconv>
     Module      xm_charconv
     LineReader  UTF-16LE
</Extension>

<Extension json>
    Module       xm_json
</Extension>

<Input scep_client>
    Module       im_file
    File         'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
                 'MPDetection-*.log'
    File         'C:\ProgramData\Microsoft\Microsoft Antimalware\Support\' + \
                 'MPLog-*.log'
    File         'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
                 'EppSetup.log'
    File         'C:\ProgramData\Microsoft\Microsoft Security Client\Support\' + \
                 'MSSecurityClient_Setup*.log'
    InputType    charconv
    <Exec>
        file_name() =~ /(?<FileName>[^\\]+)$/;

        if $FileName =~ /MPLog|MPDetection/
        {
            if $raw_event =~ /(.*\.\d{3}Z)\s+(.*)/
            {
                $EventTime = $1;
                $Message = $2;
            }
            else
            {
                $Message = $raw_event;
            }
        }

        if $FileName =~ /EppSetup/
        {
            if $raw_event =~ /(\w+)\s+(.*)\s+TID\:(\d+)\s+PID\:(\d+)/
            {
                $Status = $1;
                $EventTime = $2;
                $TID = $3;
                $PID = $4;
            }
            else
            {
                $Message = $raw_event;
            }
        }

        if $FileName =~ /MSSecurityClient_Setup/
        {
            if $raw_event =~ /.*\[(.*)\]\:(.*)/
            {
                $EventTime = $1;
                $Message = $2;
            }
            else
            {
                $Message = $raw_event;
            }
        }

        to_json();
    </Exec>
</Input>
MPDetection output sample
{
  "EventReceivedTime": "2019-06-16T14:24:51.746591+02:00",
  "SourceModuleName": "scep_client",
  "SourceModuleType": "im_file",
  "Filename": "MPDetection-05312019-191154.log",
  "EventTime": "2019-06-08T13:35:31.153Z",
  "Message": "Service started - System Center Endpoint Protection (DDEFDD14-250E-4DC8-A0B3-9D667EC5D8EB)"
}
MPLog output sample
{
  "EventReceivedTime": "2019-06-16T14:36:04.642769+02:00",
  "SourceModuleName": "scep_client",
  "SourceModuleType": "im_file",
  "Filename": "MPLog-05312019-191154.log",
  "EventTime": "2019-05-31T17:15:17.383Z",
  "Message": "Process scan (postsignatureupdatescan) started."
}
EppSetup output sample
{
  "EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
  "SourceModuleName": "scep_client",
  "SourceModuleType": "im_file",
  "Filename": "EppSetup.log",
  "Status": "SUCCESS",
  "EventTime": "2019/05/31 19:12:05:782",
  "TID": "4700",
  "PID": "4692"
}
{
  "EventReceivedTime": "2019-06-16T14:39:07.127660+02:00",
  "SourceModuleName": "scep_client",
  "SourceModuleType": "im_file",
  "Filename": "EppSetup.log",
  "Message": "Setup ended successfully with result: The operation completed successfully."
}
MSSecurityClient_Setup output sample
{
  "EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
  "SourceModuleName": "scep_client",
  "SourceModuleType": "im_file",
  "Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
  "Message": "=== Verbose logging stopped: 5/31/2019  19:11:59 ==="
}
{
  "EventReceivedTime": "2019-06-16T14:22:17.824508+02:00",
  "SourceModuleName": "scep_client",
  "SourceModuleType": "im_file",
  "Filename": "MSSecurityClient_Setup_4.7.213.0_epp_Install.log",
  "EventTime": "19:11:59:329",
  "Message": " Destroying RemoteAPI object."
}

Collecting Microsoft SCEP database logs

Microsoft System Center Endpoint Protection also logs data to a Microsoft Server SQL database.

Example 3. Collecting and parsing SCEP logs from the SCCM database

The following configuration uses the im_odbc input module to query the SCCM database. It defines two SQL queries collecting Last Malware alerts and AV Detection alerts.

nxlog.conf
<Extension json>
    Module            xm_json
</Extension>

<Input last_malware>
    Module            im_odbc
    ConnectionString  DSN=SMS;database=CM_CND;uid=user;pwd=password;
    IdType            timestamp
    SQL               SELECT DetectionTime as id,* \
                      FROM vEP_LastMalware \
                      WHERE DetectionTime > CAST(? AS datetime)
    Exec              to_json();
</Input>

<Input av_detections>
    Module            im_odbc
    ConnectionString  DSN=SMS;database=CM_CND;uid=user;pwd=password;
    IdType            timestamp
    SQL               SELECT DetectionTime as id,* \
                      FROM v_GS_Threats \
                      INNER JOIN v_R_System \
                      ON v_GS_Threats.ResourceID=v_R_System.ResourceID \
                      WHERE DetectionTime > CAST(? AS datetime)
   Exec               to_json();
</Input>
Last Malware output sample
{
  "id": "2019-06-20T18:21:14.050000+02:00",
  "RecordID": 72057594037997950,
  "MachineID": 16777219,
  "LastMessageTime": "2019-06-20T18:21:22.597000+02:00",
  "LastMessageSerialNumber": 102,
  "DetectionTime": "2019-06-20T18:21:14.050000+02:00",
  "ActionTime": "2019-06-20T18:21:22.573000+02:00",
  "ProductVersion": "4.7.213.0",
  "DetectionID": "6A70D85D-1AB0-4F20-BCAB-9B9CCEEA5ED5",
  "DetectionSource": 1,
  "PendingActions": 0,
  "Process": "Unknown",
  "UserID": 16777217,
  "ThreatName": "Virus:DOS/EICAR_Test_File",
  "ThreatID": 2147519003,
  "SeverityID": 5,
  "CategoryID": 42,
  "Path": "file:_C:\\Users\\admin\\Downloads\\eicar.com;file:_C:\\Users\\admin\\Downloads\\eicar.com.txt",
  "CleaningAction": 2,
  "ExecutionStatus": 0,
  "ActionSuccess": true,
  "ErrorCode": 0,
  "RemainingActions": 0,
  "LastRemainingActionsCleanTime": null,
  "EventReceivedTime": "2019-06-20T20:22:28.050844+02:00",
  "SourceModuleName": "last_malware",
  "SourceModuleType": "im_odbc"
}
Microsoft ceased support for System Center 2012 Endpoint Protection as of July 12, 2022. For more information, please refer to Microsoft System Center 2012 Endpoint Protection Lifecycle on Microsoft Docs.
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

NXLog EE 5.5.7535
Microsoft System Center 2012 Endpoint Protection Service Pack 2

Last revision: 5 September 2022