
box.win_nxlog

Introduction

These tags identify Windows Event logs that are shipped to Devo using NXLog. We configure NXLog to read the desired Windows Event logs, convert them to JSON format, add a syslog header, and send them to Devo. For more information about sending from NXLog in JSON format over syslog, see the NXLog documentation.

Tag structure

The full tag must have three levels. The first two are fixed as box.win_nxlog. The third level identifies the type of events sent and can be assigned dynamically, based on event content, either in the NXLog configuration file or in a Devo relay rule (if you choose to use the Devo relay).

Technology: box

Brand: win_nxlog

Type (one of):

  • application

  • group_policy

  • invalid

  • other

  • powershell

  • print

  • remote_conn

  • security

  • smb

  • sysmon

  • system

  • windows_powershell

Therefore, the valid tags and tables include:

  • box.win_nxlog.application

  • box.win_nxlog.group_policy

  • box.win_nxlog.invalid

  • box.win_nxlog.other

  • box.win_nxlog.powershell

  • box.win_nxlog.print

  • box.win_nxlog.remote_conn

  • box.win_nxlog.security

  • box.win_nxlog.smb

  • box.win_nxlog.sysmon

  • box.win_nxlog.system

  • box.win_nxlog.windows_powershell

In addition, a parent table called simply box.win_nxlog will be available and will contain all events associated with any tag starting with box.win_nxlog. For more information on how tags work, see the article about Devo tags.

How is the data sent to Devo?

Windows Event logs generated using NXLog must be sent to the Devo platform via the Devo Relay through port 13000, which secures the communication; no other specific rule or configuration is needed.

Log samples

The following are sample logs sent to each of the box.win_nxlog tags. Under each sample log you will find how the information is parsed in your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

box.win_nxlog.security

2021-05-18 08:30:59.875 devo.com=10.30.16.53/milsyslog.devo.com=201.174.27.211 box.win_nxlog.security: {"EventTime":"2021-05-18 01:30:58","Hostname":"devo.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"Task":12544,"OpcodeValue":0,"RecordNumber":4345863065,"ProcessID":624,"ThreadID":4736,"Channel":"Security","Message":"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-2583275936-4121697912-1392631463-2130\r\n\tAccount Name:\t\tEF006522\r\n\tAccount Domain:\t\tDEVO\r\n\tLogon ID:\t\t0x11A4D0498\r\n\tLogon GUID:\t\t{843E9EDB-BC91-E0CA-4856-1C62C895DCD4}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t-\r\n\tSource Network Address:\t192.168.121.134\r\n\tSource Port:\t\t58627\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tKerberos\r\n\tAuthentication Package:\tKerberos\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-0-0","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x0","TargetUserSid":"S-1-5-21-2583275936-4121697912-1392631463-2130","TargetUserName":"EF006522","TargetDomainName":"DEVO","TargetLogonId":"0x11a4d0498","LogonType":"3","LogonProcessName":"Kerberos","AuthenticationPackageName":"Kerberos","WorkstationName":"-","LogonGuid":"{843E9EDB-BC91-E0CA-4856-1C62C895DCD4}","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessName":"-","IpAddress":"192.168.121.134","IpPort":"58627","ImpersonationLevel":"%%1833","EventReceivedTime":"2021-05-18 01:30:59","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}

And this is how the logs would be parsed:

Field | Value | Type | Extra fields | Source field name | Field transformation
eventdate | 2021-05-18 10:30:59.875 | timestamp | | |
host | devo.com | str | | hostchain | split(hostchain, "=", 0)
hostIp | 10.30.16.53 | ip | | |
type | security | str | | vtype |
EventTime | 2021-05-18 01:30:58 | str | | |
timestamp | 2021-05-18 03:30:58.000 | timestamp | | EventTime | ifthenelse(length(EventTime) = 19, parsedate(EventTime, "YYYY-MM-DD HH:mm:ss", "UTC"), parsedate(EventTime, "YYYY-MM-DD HH:mm:ss.SSSSSSZZ"))
Channel | Security | str | | |
Keywords | -9214364837600035000 | str | | |
EventType | AUDIT_SUCCESS | str | | |
SeverityValue | 2 | int | | |
Severity | INFO | str | | |
EventID | 4624 | int | | |
SourceName | Microsoft-Windows-Security-Auditing | str | | |
ProviderGuid | {54849625-5478-4994-A5BA-3E3B0328C30D} | str | | |
Version | 1 | int | | |
TaskValue | null | int | | |
Category | Logon | str | | |
Opcode | Info | str | | |
OpcodeValue | 0 | int | | |
RecordNumber | 4345863065 | int | | |
ExecutionProcessID | null | int | | |
ExecutionThreadID | null | int | | |
Message | An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-2583275936-4121697912-1392631463-2130 Account Name: EF006522 Account Domain: DEVO Logon ID: 0x11A4D0498 Logon GUID: {843E9EDB-BC91-E0CA-4856-1C62C895DCD4} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 192.168.121.134 Source Port: 58627 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. | str | | |
IpAddress | 192.168.121.134 | str | | |
IpAddress_ip4 | 192.168.121.134 | ip | | IpAddress | ip4(IpAddress)
IpPort | 58627 | str | | |
EventReceivedTime | 2021-05-18 01:30:59 | str | | |
SourceModuleName | in | str | | |
SourceModuleType | im_msvistalog | str | | |
Status | null | str | | |
AccountName | null | str | | |
AccountDomain | null | str | | |
SubjectUserSid | S-1-0-0 | str | | |
SubjectUserName | - | str | | |
SubjectDomainName | - | str | | |
SubjectLogonId | 0x0 | str | | |
SourceHostname | null | str | | |
TargetSid | null | str | | |
TargetUserName | EF006522 | str | | |
TargetDomainName | DEVO | str | | |
MemberName | null | str | | |
MemberSid | null | str | | |
CommandLine | null | str | | |
LogonType | 3 | str | | |
ServiceName | null | str | | |
ServiceFileName | null | str | | |
ServiceAccount | null | str | | |
Workstation | null | str | | |
WorkstationName | - | str | | |
ProcessName | - | str | | |
ObjectServer | null | str | | |
ObjectName | null | str | | |
ObjectType | null | str | | |
ImagePath | null | str | | |
SamAccountName | null | str | | |
rawSource | {"EventTime":"2021-05-18 01:30:58","Hostname":"devo.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"Task":12544,"OpcodeValue":0,"RecordNumber":4345863065,"ProcessID":624,"ThreadID":4736,"Channel":"Security","Message":"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nLogon Type:\t\t\t3\r\n\r\nImpersonation Level:\t\tImpersonation\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-21-2583275936-4121697912-1392631463-2130\r\n\tAccount Name:\t\tEF006522\r\n\tAccount Domain:\t\tDEVO\r\n\tLogon ID:\t\t0x11A4D0498\r\n\tLogon GUID:\t\t{843E9EDB-BC91-E0CA-4856-1C62C895DCD4}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x0\r\n\tProcess Name:\t\t-\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t-\r\n\tSource Network Address:\t192.168.121.134\r\n\tSource Port:\t\t58627\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tKerberos\r\n\tAuthentication Package:\tKerberos\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-0-0","SubjectUserName":"-","SubjectDomainName":"-","SubjectLogonId":"0x0","TargetUserSid":"S-1-5-21-2583275936-4121697912-1392631463-2130","TargetUserName":"EF006522","TargetDomainName":"DEVO","TargetLogonId":"0x11a4d0498","LogonType":"3","LogonProcessName":"Kerberos","AuthenticationPackageName":"Kerberos","WorkstationName":"-","LogonGuid":"{843E9EDB-BC91-E0CA-4856-1C62C895DCD4}","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessName":"-","IpAddress":"192.168.121.134","IpPort":"58627","ImpersonationLevel":"%%1833","EventReceivedTime":"2021-05-18 01:30:59","SourceModuleName":"in","SourceModuleType":"im_msvistalog"} | str | | |
hostchain | devo.com=10.30.16.53/milsyslog.devo.com=201.174.27.211 | str | ✓ | |
tag | box.win_nxlog.security | str | ✓ | |
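As an added illustration (not Devo's parser or any NXLog code), the following Python reproduces how a shipped box.win_nxlog line breaks down into the columns above: the third tag level becomes type, host comes from split(hostchain, "=", 0), timestamp follows the two-branch EventTime rule, and IpAddress_ip4 follows ip4(IpAddress). The line shape regex, the function names, and deriving hostIp from the first hostchain hop are assumptions; the sample line is constructed from the one above with its JSON body trimmed.

```python
import json
import re
from datetime import datetime, timezone
from ipaddress import IPv4Address

# Constructed sample in the shape this page documents: syslog timestamp, hostchain,
# box.win_nxlog.<type> tag, then the NXLog JSON body (trimmed to a few of the fields).
SAMPLE = ('2021-05-18 08:30:59.875 devo.com=10.30.16.53/milsyslog.devo.com=201.174.27.211 '
          'box.win_nxlog.security: {"EventTime":"2021-05-18 01:30:58","Hostname":"devo.com",'
          '"EventID":4624,"Channel":"Security","LogonType":"3","IpAddress":"192.168.121.134",'
          '"IpPort":"58627","TargetUserName":"EF006522"}')

# Assumed line layout: "<eventdate> <hostchain> <tag>: <json>" with no embedded newlines.
LINE_RE = re.compile(r'^(?P<eventdate>\S+ \S+) (?P<hostchain>\S+) '
                     r'(?P<tag>box\.win_nxlog\.\w+): (?P<raw>\{.*\})$')

def parse_event_time(value):
    """The table's EventTime rule: a 19-character value is 'YYYY-MM-DD HH:mm:ss' taken as UTC;
    anything else must carry fractional seconds and an explicit zone offset."""
    if len(value) == 19:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z")

def ip4(value):
    """ip4(IpAddress): an IPv4Address, or None for '-' and anything that is not IPv4."""
    try:
        return IPv4Address(value)
    except ValueError:
        return None

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a box.win_nxlog line")
    body = json.loads(m["raw"])
    first_hop = m["hostchain"].split("/")[0]          # "devo.com=10.30.16.53"
    row = dict(body)                                   # JSON keys become same-named columns
    row.update({
        "eventdate": m["eventdate"],
        "hostchain": m["hostchain"],
        "host": m["hostchain"].split("=")[0],          # split(hostchain, "=", 0)
        "hostIp": IPv4Address(first_hop.split("=")[1]),  # assumed: first relay hop's address
        "tag": m["tag"],
        "type": m["tag"].rsplit(".", 1)[1],            # third tag level feeds the type column
        "timestamp": parse_event_time(body["EventTime"]),
        "IpAddress_ip4": ip4(body.get("IpAddress", "-")),
        "rawSource": m["raw"],
    })
    return row
```

Events whose IpAddress is "-" (as in many local logons) get IpAddress_ip4 = None rather than a parse failure, which is the behaviour to expect when filtering on that column.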