1.IMPORTANCE
2.STEPS OF CONFIGURATION
3.VERIFICATION
IMPORTANCE
NXLOG is used to process the collected information and send it on to the OTM CCE.
STEPS OF CONFIGURATION:-
Login on collector/AD computer.
Download the latest version of nxlog. It is easiest to choose the Windows msi file which includes an installer. Use the link below:
...
C:\Program Files (x86)\nxlog\conf\nxlog.conf (Be intact to the mentioned path )
Open the nxlog.conf file in notepad .
Replace the
...
configuration file by pasting the following
...
- Note to replace the variable (
IP Address of Seceon Collector) mentioned in point 52 below with the actual Seceon Server IP address:
| Code Block |
|---|
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _json>
Module xm_json
</Extension>
define aisiem \
1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260, \
261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\
540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\
645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\
690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100, \
7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004
<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">* </Select>\
<Select Path="Application">* </Select>\
<Select Path="Setup">* </Select>\
<Select Path="System">* </Select>\
</Query>\
</QueryList>
<Exec>
if ($EventID NOT IN (%aisiem%)) drop();
</Exec>
</Input>
<Output out>
Module om_udp
Host CCE_IP_ADDRESS
Port 5154
Exec to_json();
</Output>
<Route 1>
Path in => out
</Route> |
Restart Open Services (from search box) and restart nxlog from services or type the following at an elevated command prompt:
net stop nxlog
net start nxlog
Click on : Local Policies>>Audit Policies >>Click on Success and failure checkbox >>apply >>ok
Enable audit logs: Windows- Enable Audit Logs
...
/Policies
Open Command Prompt , once policies are enabled , and run the command gpupdate /force , to validate that the policies are enabled .
VERIFICATION:-
Can validate the success of configuration either on UI or on CCE server.
Verification through UI
1.Open UI >>Systems
...
2. Dropdown systems and go inside logs and flows collection status.
...
.
3.Under Source device IP address section the device configured will reflect.
...
Verification Through CCE server
“sudo tcpdump -i any host 514 and host <IP address> -AAA” command should be ran on CCE server to check wheather or not we are getting logs .