box.win_nxlog
Introduction
These tags are used to identify Windows Event logs that are shipped to Devo using NXLog. We configure NXLog to read the desired Windows Event logs, convert them to JSON format, add a Syslog header, and send them to the Devo. For more information about sending from NXLog in JSON format over syslog, see the NXLog documentation.
Tag structure
The full tag must have two levels. The first two are fixed as box.win_nxlog. The third level identifies the type of events sent and can be assigned dynamically based on event content either in the NXLog configuration file or in a Devo relay rule (if you choose to use the Devo relay).
Technology | Brand | Type |
|---|---|---|
box | win_nxlog |
|
Therefore, the valid tags and tables include:
box.win_nxlog.application
box.win_nxlog.group_policy
box.win_nxlog.invalid
box.win_nxlog.other
box.win_nxlog.powershell
box.win_nxlog.print
box.win_nxlog.remote_conn
box.win_nxlog.security
box.win_nxlog.smb
box.win_nxlog.sysmon
box.win_nxlog.system
box.win_nxlog.windows_powershell
In addition, a parent table called simply box.win_nxlog will be available and contain all events that were associated with any tag starting with box.win_nxlog.*. For more information on how tags work, see the article about Devo tags.
How is the data sent to Devo?
Windows Event logs generated using NXlog must be sent to the Devo platform via the Devo Relay through port 13000 to secure communication, without the need for any other specific rule or configuration.