
box.win_nxlog

Introduction

These tags identify Windows Event logs that are shipped to Devo using NXLog. NXLog is configured to read the desired Windows Event log channels, convert each event to JSON, add a syslog header, and send the result to Devo.

For more information about sending from NXLog in JSON format over syslog, see the NXLog documentation.

Tag structure

The full tag must have 3 levels. The first two are fixed as box.win_nxlog. The third level identifies the type of events sent and can be assigned dynamically based on event content either in the NXLog configuration file or in a Devo relay rule (if you choose to use the Devo relay).

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service    Tags                                Data tables

Windows NXLog        • box.win_nxlog.application         box.win_nxlog
                     • box.win_nxlog.group_policy
                     • box.win_nxlog.other
                     • box.win_nxlog.security
                     • box.win_nxlog.smb
                     • box.win_nxlog.sysmon
                     • box.win_nxlog.system

                     box.win_nxlog.adfs                  box.win_nxlog.adfs
                     box.win_nxlog.application           box.win_nxlog.application
                     box.win_nxlog.dhcp                  box.win_nxlog.dhcp
                     box.win_nxlog.dns                   box.win_nxlog.dns
                     box.win_nxlog.group_policy          box.win_nxlog.group_policy
                     box.win_nxlog.invalid               box.win_nxlog.invalid
                     box.win_nxlog.other                 box.win_nxlog.other
                     box.win_nxlog.powershell            box.win_nxlog.powershell
                     box.win_nxlog.print                 box.win_nxlog.print
                     box.win_nxlog.remote_conn           box.win_nxlog.remote_conn
                     box.win_nxlog.security              box.win_nxlog.security
                     box.win_nxlog.smb                   box.win_nxlog.smb
                     box.win_nxlog.sysmon                box.win_nxlog.sysmon
                     box.win_nxlog.system                box.win_nxlog.system
                     box.win_nxlog.windows_powershell    box.win_nxlog.windows_powershell

The parent table, called simply box.win_nxlog, is also available and contains all events associated with any tag matching box.win_nxlog.*. For more information on how tags work, see the article about Devo tags.

How is the data sent to Devo?

Windows Event logs collected with NXLog must be sent to the Devo platform through the Devo Relay on port 13000, which secures the communication; no other specific rule or configuration is needed.
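The following nxlog.conf is an added example, not configuration from the Devo page or the NXLog project, showing both points above: the third tag level is chosen from the event's Channel in the Exec block, and the JSON body is wrapped in a BSD syslog header and sent to the relay on port 13000. The channel-to-tag mapping and the relay host name devo-relay.example.local are assumptions for illustration.

```apacheconf
# Added example (not Devo's or NXLog's own config). Relay host name and the
# Channel -> tag mapping below are assumptions for illustration.

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Subscribe only to the channels we intend to tag; anything else is noise.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Application">*</Select>
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output devo>
    Module  om_tcp
    Host    devo-relay.example.local
    Port    13000
    <Exec>
        # Serialise the event to JSON first, so the body still carries the
        # original SourceName field that the Devo parser matches on.
        $Message = to_json();
        # Third tag level chosen from event content; unknown channels go to .other
        if $Channel == "Security" $SourceName = "box.win_nxlog.security";
        else if $Channel == "System" $SourceName = "box.win_nxlog.system";
        else if $Channel == "Application" $SourceName = "box.win_nxlog.application";
        else if $Channel == "Microsoft-Windows-Sysmon/Operational" $SourceName = "box.win_nxlog.sysmon";
        else if $Channel == "Microsoft-Windows-PowerShell/Operational" $SourceName = "box.win_nxlog.powershell";
        else $SourceName = "box.win_nxlog.other";
        # to_syslog_bsd() uses $SourceName as the syslog TAG field, which Devo
        # reads as the destination table tag; the JSON stays in the message body.
        to_syslog_bsd();
    </Exec>
</Output>

<Route r>
    Path    eventlog => devo
</Route>
```

A quick check after deploying is to query box.win_nxlog in Devo and confirm events land in the expected third-level table rather than accumulating in box.win_nxlog.other.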

Note that Devo ingestion only supports English-language field names. Parsers match on these names to allocate each value to the correct column.

For example, the following:

{"SourceName": "a simple test", ...

will be processed as expected by the parser, because it contains this matching rule:

when('SourceName', jstr('source_name')),

The parser expects to find the event's SourceName field and maps its value to a Devo field named source_name.

However, if we receive:

{"ソース名": "簡単なテスト", ...

it will not work, because there is no match in the parser.

If we receive:

it will work properly, because SourceName will match in the parser, and the value will be the rest of the string.

Table structure

These are the fields displayed in these tables: