Using nxlog to collect sysmon log in Cuckoo

sysmon.py

import logging
import os
import sys

from lib.common.abstracts import Auxiliary
from lib.api.process import Process
from lib.common.results import upload_to_host

log = logging.getLogger(__name__)

SYSMON_LOG = os.path.join("c:\\", "test", "sysmon.json")
NXLOG_DIR = os.path.join("c:\\", "Program Files (x86)", "nxlog")
NXLOG_CONF = os.path.join(NXLOG_DIR, "conf", "nxlog.conf")
NXLOG_EXE = os.path.join(NXLOG_DIR, "nxlog.exe")

NXLOG_CONF_DATA = '''
define ROOT {NXLOG_DIR}

Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
LogLevel INFO

<Extension _json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos FALSE
    Query <QueryList> <Query Id="0"> <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> </Query></QueryList>
</Input>

<Output out>
    Module om_file
    File '{SYSMON_LOG}'
    Exec to_json();
</Output>

<Route 66>
    Path in => out
</Route>
'''.format(NXLOG_DIR=NXLOG_DIR, SYSMON_LOG=SYSMON_LOG)

class Sysmon(Auxiliary):

    def start(self):
        log.info("Starting Sysmon auxilary module")

        self.options['free'] = True
        self.options['curdir'] = NXLOG_DIR
        log.info("self.options = %s", self.options)
        
        log.info("Writing nxlog config")
        with open(NXLOG_CONF, 'w') as outf:
            outf.write(NXLOG_CONF_DATA)

        if os.path.exists(SYSMON_LOG):
            log.info("Removing old sysmon log: %s", SYSMON_LOG)
            os.unlink(SYSMON_LOG)

        log.info("Starting NXLog process: %s", NXLOG_EXE)
        return Process().execute(path=NXLOG_EXE)
        
    def stop(self):
        log.info("Collecting Sysmon logs...")
        upload_to_host(
            SYSMON_LOG,
            os.path.join("logs", "sysmon.json")
        )
        return True