Windows Event Log parsing - access to event XML

Started by lroytman, June 09, 2021, 08:04:47 AM


lroytman

Hi,

The Windows Event Log Record Details window shows the XML representation of a logged event in the Details tab. Is there any way to parse the XML representation, not just the Message field?

Thank you,

Leo

Filipp Sudanov

No, the XML is not available for parsing. It could be possible to pass it as a parameter of generated events, but that won't be of much use, as analysis should be done at Log Parser level and Log Parser does not allow parsing using NXSL.
Exactly which field(s) do you need from the XML?

lroytman

Hi Filipp,

Thank you for your prompt reply. For example, let's take the Security log Event ID 4624 (An account was successfully logged on). To check if the logged in account is an intruder, the following fields are needed:

Subject: Account Name; Account Domain
Logon Information: Logon Type; Virtual Account; Elevated Token
New Logon: Account Name; Account Domain
Network Information: Workstation Name; Source Network Address


Some of these fields should be used in the matching regular expression to select just a subset of 4624 events; some are required for future event processing to make the final decision if it is an intrusion, a suspicious activity, or a legitimate usage scenario.
I would argue that using a regular expression against well-structured XML is a much better way to extract all the information than processing formatted text of the message.

When you say that it could be possible to pass XML as a parameter of generated events, does it mean that there is a way to do that in the current implementation? If yes, how can it be done? It could be useful for in-depth analysis of some events.

Thank you,

Leo
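
The fields Leo lists can be pulled straight from the event XML once it is exposed. As an added example (not code from this thread or from NetXMS), here is a Python parser run over a constructed 4624 record, followed by a selection rule of the kind described above. The namespace, the Data names and the Yes/No resource-ID mapping follow the Windows event schema; the trusted address ranges are an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real record): a 4624 event in the XML layout that the
# Event Viewer Details tab shows. Element names follow the Windows event schema.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>WS01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">LAPTOP-42</Data>
    <Data Name="IpAddress">203.0.113.7</Data>
    <Data Name="VirtualAccount">%%1843</Data>
    <Data Name="ElevatedToken">%%1842</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# In the XML, Yes/No fields are stored as message-resource IDs; the Message text
# shows them resolved. Mapping taken from commonly observed 4624 records.
YES_NO = {"%%1842": "Yes", "%%1843": "No"}
# Source addresses treated as internal for this example (assumption).
TRUSTED_PREFIXES = ("10.", "192.168.", "127.", "::1", "-")


def parse_4624(xml_text):
    """Return EventID plus every EventData field keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = YES_NO.get(data.text, data.text)
    return fields


def review_reason(fields):
    """Selection rule: why the logon deserves a closer look, or None if ordinary."""
    if fields.get("EventID") != "4624":
        return None
    remote = fields.get("LogonType") in ("3", "10")  # Network / RemoteInteractive
    external = not str(fields.get("IpAddress", "-")).startswith(TRUSTED_PREFIXES)
    if remote and external and fields.get("ElevatedToken") == "Yes":
        return "remote elevated logon from outside trusted ranges"
    if remote and external:
        return "remote logon from outside trusted ranges"
    return None
```

The same field dictionary can feed a regular-expression or equality match on any of the named Data values, which is what the Message text makes awkward.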


Filipp Sudanov

Current implementation does not support adding XML to events. I've created an issue to add this:
https://track.radensolutions.com/issue/NX-2072
Also, there's no exact plan when this could be implemented.