...

  • The Windows Server host runs DNS and DHCP alongside Active Directory, Microsoft Exchange, MSSQL and IIS; the configuration below collects logs from each of these roles.

  • NXLog must be installed on the server, and its service account needs read access to every source collected below: the Security event log (typically LocalSystem, or membership in the Event Log Readers group) and the DNS, DHCP, IIS and Exchange log directories. Grant those read rights specifically rather than running NXLog with administrative privileges.

  • The NXLog configuration file is comprised of blocks and directives. Blocks are similar to XML tags containing multiple directives. Directive names are not case-sensitive but arguments sometimes are.

    Ref. link: https://docs.nxlog.co/userguide/configure/overview.html

...

  • This is a sample configuration file; see the NXLog reference manual for the full set of configuration options. It is installed locally on the server as the NXLog service's nxlog.conf.

    Set ROOT to the folder NXLog was installed into; otherwise the service will not start. Also replace the placeholders with values for your environment — CCE_IP_ADDRESS (the collector that receives the logs) and the file-name patterns of the log files to read. Note that every output below uses om_udp: syslog over plain UDP is unencrypted, unauthenticated and unacknowledged, so use this only on a trusted management network, or change the outputs to om_tcp/om_ssl if the collector supports it.

## ROOT must point at the directory NXLog was installed into; every path
## below is derived from it and the service will not start if they do not
## exist. Use the "(x86)" variant only with the 32-bit build.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

## Module binaries, on-disk state (SavePos positions, spool/queue files) and
## NXLog's own diagnostic log all live under the install directory.
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    # Provides to_json(), used by <Output out>.
    Module  xm_json
</Extension>
## Event-ID allowlist consumed by <Input in>: events from the subscribed
## channels whose $EventID is not in this list are dropped before they reach
## the collector. Matching is on EventID alone, regardless of which channel
## or provider emitted the event. Extend the list here rather than in the
## Input block, and keep the trailing backslashes intact — they continue the
## define across lines.
define aisiem                                                                       \
1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260,  \
261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\
540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\
645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\
690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100,   \
7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004

<Input in>
    Module  im_msvistalog
    # Subscribe to the four classic channels. Reading Security requires the
    # NXLog service account to have event-log read rights (typically
    # LocalSystem or Event Log Readers membership). Channels such as
    # PowerShell or Sysmon are not collected by this input.
    Query   <QueryList><Query Id="0"><Select Path="Security">* </Select><Select Path="Application">* </Select><Select Path="Setup">* </Select><Select Path="System">* </Select></Query></QueryList>
    # Keep only the Event IDs enumerated in %aisiem%. The allowlist is shared
    # by all four channels, so an ID passes regardless of channel or provider.
    <Exec>
        if ($EventID NOT IN (%aisiem%)) drop();
    </Exec>
</Input>

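<Input DNS_In>
    Module      im_file
    # Windows DNS debug log. Debug logging must be enabled on the DNS server
    # for this file to exist (default %SystemRoot%\System32\dns\dns.log;
    # adjust if it was placed elsewhere).
    # Single-quoted so backslashes are literal: the original double-quoted
    # path mixed "\\" and "\d", leaving an unescaped sequence.
    # NOTE(review): the original used C:\Windows\Sysnative\..., a WoW64 alias
    # that only resolves for 32-bit processes; with the 64-bit install that
    # ROOT points to, use System32 directly. Switch back to Sysnative only when
    # running the x86 build.
    File        'C:\Windows\System32\dns\dns*'
    SavePos     TRUE
    InputType   LineBased
    # Skip the debug log's '#'-prefixed header/comment lines.
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>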

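<Input DHCP_In>
    Module      im_file
    # Windows DHCP server audit log (one file per weekday, DhcpSrvLog-<Day>.log).
    # Single-quoted so backslashes are literal: the original double-quoted path
    # left "\W", "\S", "\d" and "\D" as unescaped sequences.
    # NOTE(review): Sysnative is a WoW64 alias visible only to 32-bit
    # processes; with the 64-bit install that ROOT points to, use System32.
    # The IPv6 audit log (DhcpV6SrvLog-*) is not matched by this pattern.
    File        'C:\Windows\System32\dhcp\DhcpSrvLog*'
    SavePos     TRUE
    InputType   LineBased
    # Drop '#'-prefixed lines. NOTE(review): the DHCP audit log's own header
    # block is not '#'-prefixed, so those lines pass through; confirm the
    # collector tolerates them or tighten this filter (records start with a
    # numeric event ID followed by a comma).
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>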

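<Input in_iis>
    Module      im_file
    # IIS W3C logs for every site (W3SVC<site-id>\u_ex<date>.log).
    # Single-quoted so backslashes are literal: the original double-quoted
    # path mixed "\\" escapes with a bare "\u_ex".
    File        'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*'
    SavePos     TRUE
    # Skip content that already existed at first start; positions are then
    # persisted, so later restarts resume where they left off.
    ReadFromLast TRUE
    # Drops the W3C '#Fields:' header along with the other '#' lines, so the
    # column order is not carried in the stream — the collector's IIS parser
    # must be configured to match the W3C fields selected on the site.
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>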

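<Input in_mssql>
    Module          im_msvistalog
    # SQL Server audit records written to the Windows event log carry the
    # "action_id:", "database_name:", ... key/value text parsed below.
    # The original had no Query and no filter, so it read the module's default
    # channels and re-shipped every Windows event (already sent by <Input in>)
    # tagged as 'mssql_logs', each labelled Failure by the branch below.
    # A SQL Server audit can target either the Application or the Security
    # log, so both are read; NOTE(review): narrow to the one actually configured.
    Query           <QueryList><Query Id="0"><Select Path="Application">*</Select><Select Path="Security">*</Select></Query></QueryList>
    # SavePos FALSE + ReadFromLast TRUE: on every start collection begins at
    # the newest event, so anything logged while NXLog was down is never
    # shipped. NOTE(review): set SavePos TRUE if audit continuity is required.
    SavePos         FALSE
    ReadFromLast    TRUE
    # Keep only SQL Server audit records (identified by the action_id token
    # the parser below relies on); everything else is dropped.
    Exec            if $raw_event !~ /action_id:/ drop();
    Exec            $Message = $raw_event;
    # Extract the columns <Extension mssql_csv> expects. $SV_Instace is the
    # (misspelled) field name that extension uses; kept for compatibility.
    Exec            if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
    Exec            if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
    Exec            if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
    Exec            if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
    # Success/Failure is derived from the AUDIT_SUCCESS marker only; with the
    # action_id filter above this now applies to SQL audit records alone.
    <Exec>
        if $raw_event =~ /AUDIT_SUCCESS/
        {
            $Result = 'Success';
        }
        else
            $Result = 'Failure';
    </Exec>
    # Flatten the multi-line event text into one line for the CSV output.
    Exec            $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
</Input>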

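<Input in_exchange>
    Module  im_file
    # Exchange message-tracking logs. im_file's File directive takes a file
    # path or wildcard, not a directory: the original pointed at the
    # MessageTracking folder itself and therefore matched nothing. Transport
    # writes MSGTRK*.LOG (MSGTRK, MSGTRKMA, MSGTRKMD, MSGTRKMS) into this folder.
    File    'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    SavePos TRUE
    # Suppress monitoring-probe mailbox traffic and the CSV header lines.
    Exec    if $raw_event =~ /HealthMailbox/ drop();
    Exec    if $raw_event =~ /^#/ drop();
</Input>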

<Output out>
    Module  om_udp
    # Collector address placeholder; replace before deployment.
    Host    CCE_IP_ADDRESS
    Port    5154
    # One JSON object per datagram. Plain UDP gives no encryption, no delivery
    # guarantee and no sender authentication: restrict to a trusted management
    # network, or move to om_tcp/om_ssl if the collector supports it.
    Exec    to_json();
</Output>

<Output DNS_Out>
    Module  om_udp
    Host    CCE_IP_ADDRESS
    Port    514
    # Fixed facility (2) and tag so the collector can route DNS lines.
    # to_syslog_bsd() comes from xm_syslog; an <Extension> loading that module
    # must exist elsewhere in the config (not shown in this excerpt).
    # Plain UDP syslog: unencrypted and unacknowledged.
    Exec    $SyslogFacilityValue = 2; $SourceName = 'windows_dns_logs'; to_syslog_bsd();
</Output>

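<Output DHCP_Out>
    Module  om_udp
    # Placeholder spelled the same as in every other output; the original had
    # "{CCE_IP ADDRESS}", which a search-and-replace for CCE_IP_ADDRESS misses
    # and which NXLog would then try to resolve literally.
    Host    CCE_IP_ADDRESS
    Port    514
    # Fixed facility (2) and tag so the collector can route DHCP lines.
    # to_syslog_bsd() comes from xm_syslog; an <Extension> loading that module
    # must exist elsewhere in the config (not shown in this excerpt).
    # Plain UDP syslog: unencrypted and unacknowledged.
    Exec    $SyslogFacilityValue = 2;
    Exec    $SourceName = 'windows_dhcp_logs';
    Exec    to_syslog_bsd();
</Output>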

<Output out_iis>
    Module  om_udp
    Host    CCE_IP_ADDRESS
    Port    514
    # Fixed facility (2) and tag so the collector can route IIS lines.
    # to_syslog_bsd() comes from xm_syslog; an <Extension> loading that module
    # must exist elsewhere in the config (not shown in this excerpt).
    # Plain UDP syslog: unencrypted and unacknowledged.
    Exec    $SyslogFacilityValue = 2; $SourceName = 'windows_iis_logs'; to_syslog_bsd();
</Output>

<Output out_mssql>
    Module  om_udp
    Host    CCE_IP_ADDRESS
    Port    514
    # Unlike the other outputs this sends "<fqdn> mssql_logs: <csv>" with no
    # syslog PRI/timestamp header, so the collector must accept bare lines on
    # UDP/514. $Hostname is set first because it is also the first CSV column.
    Exec    $Hostname = hostname_fqdn(); mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>
<Extension mssql_csv>
    Module      xm_csv
    Delimiter   ;
    # Column order is the wire contract with the collector; $SV_Instace is the
    # (misspelled) field name populated by <Input in_mssql>.
    Fields      $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message
    FieldTypes  string, string, string, string, string, string, string, string
</Extension>

<Output out_exchange>
    Module  om_udp
    Host    CCE_IP_ADDRESS
    Port    514
    # Fixed facility (2) and tag so the collector can route Exchange lines.
    # to_syslog_bsd() comes from xm_syslog; an <Extension> loading that module
    # must exist elsewhere in the config (not shown in this excerpt).
    # Plain UDP syslog: unencrypted and unacknowledged.
    Exec    $SyslogFacilityValue = 2; $SourceName = 'exchange_msgtrk_log'; to_syslog_bsd();
</Output>

# Filtered Windows event log -> JSON over UDP/5154.
<Route 1>
    Path    in => out
</Route>

# DNS debug log -> BSD syslog over UDP/514.
<Route DNS>
    Path    DNS_In => DNS_Out
</Route>

# DHCP audit log -> BSD syslog over UDP/514.
<Route DHCP>
    Path    DHCP_In => DHCP_Out
</Route>

# IIS W3C logs -> BSD syslog over UDP/514.
<Route in-to-out>
    Path    in_iis => out_iis
</Route>

# SQL Server audit events -> semicolon-separated CSV over UDP/514.
<Route mssql>
    Path    in_mssql => out_mssql
</Route>

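# Exchange message-tracking logs -> BSD syslog over UDP/514.
# Renamed from "1": that name is already used by the Windows event-log route
# above, and NXLog instance names must be unique.
<Route exchange>
    Path    in_exchange => out_exchange
</Route>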

...