Error using eventlog API for nxlog


dcy-ecs@telecom.pt - 5/31/2019

Hi,

We are collecting events in our Supercharger platform from workstations with GPO subscriptions and it's working great: for all the Windows events we are filtering, we see them all in the Event Log viewer without issues.
Then we use nxlog installed on the Supercharger collectors to forward those filtered events to SIEM/syslog servers.
Nxlog uses the Event Log API to get those events and forwards them, but for one particular event, 4688, we get an error message like this when executing the query:

2019-05-28 13:05:20 <hostname> AUDIT_SUCCESS 4688 [The description for EventID 4688 from source Microsoft-Windows-Security-Auditing cannot be found: The substitution string for insert index (%1) could not be found.

And the message is not forwarded because we drop the event when nxlog does not populate $Message and the other variables necessary to send the message in the correct format.
For any event other than 4688 we see no issues.

Also, if we install nxlog with the same configuration directly on the workstations, we don't have this issue: the Event Log API returns the event successfully and nxlog populates the message and forwards it without any issue.

Do you have any idea why this behaviour could happen only for this particular event?

Thanks, your help will be much appreciated.

Kind regards.
Tamas Lengyel - 5/31/2019


Please try changing the content format from RenderedText to Events in the subscription policy and see if it solves the problem.

dcy-ecs@telecom.pt


Hi Tamas,

Thank you for your update.
We already tried changing the content format from Events to RenderedText and vice versa, without any success. The same error appears when nxlog invokes the Event Log API.

Kind regards.
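The thread turns on $Message being empty (or holding only the Event Log API's error text) for 4688 on the collector while the event's structured fields still arrive. As an added example, not nxlog's or Supercharger's own code, this Python sketch assumes the forwarded event is available as Windows Event XML, detects the rendering failure quoted above, and builds a key=value message from EventData instead of dropping the event; the sample event, hostname and user are constructed.

```python
import xml.etree.ElementTree as ET
# Windows Event XML namespace carried by every forwarded event.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of a forwarded 4688 event (hostname and user are made up).
SAMPLE_4688_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4688</EventID>
    <Computer>ws01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessName">C:\\Windows\\System32\\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe report.txt</Data>
    <Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>"""

# EventData fields kept in the fallback line, in the order the SIEM parser expects.
FALLBACK_ORDER = ["SubjectDomainName", "SubjectUserName", "NewProcessName", "CommandLine", "ParentProcessName"]

def rendering_failed(message):
    # No description at all, or only the Event Log API's error text in its place.
    return not message or "The description for EventID" in message

def parse_event(xml_text):
    # Flatten System metadata and every EventData/Data element into one dict.
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": system.findtext("e:EventID", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields

def build_message(fields):
    # Key=value line from the structured fields, used in place of $Message.
    parts = ["EventID=%s" % fields["EventID"], "Computer=%s" % fields["Computer"]]
    parts += ["%s=%s" % (k, fields[k]) for k in FALLBACK_ORDER if k in fields]
    return " ".join(parts)

def forward_message(rendered_message, xml_text):
    # Keep the rendered description when present; otherwise rebuild from EventData.
    if not rendering_failed(rendered_message):
        return rendered_message
    return build_message(parse_event(xml_text))
```

The same check can be expressed inside nxlog's own Exec logic; the point is that a failed description render leaves the EventData fields intact, so the event need not be dropped.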

LOGbinder Forum