Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Overview

This document will provide detailed information to forward logs to Seceon SIEM Tool when the Microsoft Server serves as Domain Controller, DNS, DHCP, FTP, Apache, Windows AD, Windows MS Exchange, and Windows MSSQL role.

Prerequisite

Configuration Steps

  • This is a sample configuration file. See the nxlog reference manual about

    configuration options. It should be installed locally

    Please set the ROOT to the folder your nxlog was installed into, otherwise, it will not start. Additionally, ensure that some of the placeholders are updated for your environment. Examples of placeholders are CCE_IP_ADDRESS, and filenames for logfiles to read from.

Code Block
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>

define aisiem                                                                                                                                            \
1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260,   \
261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\
540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\
645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\
690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100,    \
7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004

<Input in>
      Module im_msvistalog
      Query <QueryList>\
                  <Query Id="0">\
                        <Select Path="Security">* </Select>\
                        <Select Path="Application">* </Select>\
                        <Select Path="Setup">* </Select>\
                        <Select Path="System">* </Select>\
                  </Query>\
            </QueryList>
            <Exec>
                  if ($EventID NOT IN (%aisiem%)) drop();
            </Exec>
</Input>

<Output out>    
  Module om_udp    
  Host 10.11.23.234  
  Port 5154    
  Exec to_json();
</Output>

<Route 1>    
  Path in => out
</Route>

## DNS Logs

<Input DNS_In>
Module im_file
File "C:\\Windows\\Sysnative\\dnsDNS LOG\dns*"
SavePos TRUE
InputType LineBased
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>

<Output DNS_Out>

Module om_udp

Host 10.11.23.234 <CCE IP Address>
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_dns_logs';
Exec to_syslog_bsd();

<Route DNS>
Path DNS_In => DNS_Out
</Route>

## DHCP Logs

<Input DHCP_In>
Module im_file
File "C:\Windows\Sysnativesystem32\dhcp\DhcpSrvLog*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>

<Output DHCP_Out>

Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_dhcp_logs';
Exec to_syslog_bsd();
</Output>

<Route DHCP>
Path DHCP_In=> DHCP_Out
</Route>

## IIS Logs

<Input in_iis>
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC*\\u_ex*"
SavePos TRUE
ReadFromLast TRUE
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>

<Output out_iis>
Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_iis_logs';
Exec to_syslog_bsd();
</Output>

<Route in-to-out>
Path in_iis => out_iis
</Route>

## Exchange Logs

<Extension syslog>
Module xm_syslog
</Extension>

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange>
Module im_file
File '%BASEDIR%\MSGTRK*-*.LOG'
SavePos TRUE
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
Module om_udp
Host 10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'exchange_msgtrk_log';
Exec to_syslog_bsd();

</Output>

<Route exchange>
Path in_exchange => out_exchange
</Route>

## SQL Logs

<Input in_mssql>
Module               imim_msvistalog
SavePos             FALSE
ReadFromLast      TRUETRUE
Exec    $Message = $raw_event;
# Finding some values:
Exec      ifif $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
Exec      ifif $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
Exec      ifif $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
Exec      ifif $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
Exec      ifif $raw_event =~ /AUDIT_SUCCESS/\
{\
$Result = 'Success';\
}\
else\
$Result = 'Failure';
# Replace white spaces
Exec                  $Message$Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
</Input>

<Input<Output inout_exchange>mssql>
Module im_file File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking'
SavePos TRUE
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out>
Module om_udp
Host CCE_IP_ADDRESS
Port 5154
Exec to_json();
</Output>

<Output DNS_Out>

Module om_udp

Host CCE_IP_ADDRESS
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_dns_logs';
Exec to_syslog_bsd();

</Output>

<Output DHCP_Out>

Module om_udp
Host {CCE_IP ADDRESS}
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_dhcp_logs';
Exec to_syslog_bsd();

</Output>

<Output out_iis>
Module om_udp
Host CCE_IP_ADDRESS
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_iis_logs';
Exec to_syslog_bsd();
</Output>

<Output out_mssql>
Module          om_udp
Host            CCE_IP_ADDRESS
Port            514
# Ensure we send in the proper format:
Exec           $Hostname = hostname_fqdn();
Exec            mssql Module          om_udp
    Host            10.11.23.234
    Port            514
    # Ensure we send in the proper format:
    Exec           $Hostname = hostname_fqdn();
    Exec            mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>
<Extension mssql_csv>
Module          xm_csv
Fields          $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message
FieldTypes      string, string, string, string, string, string, string, string
Delimiter       ;
</Extension>

<Output out_exchange>

<Route mssql>
    Path            in_mssql => out_mssql
</Route>

## FTP Logs

<Input FTP_In>
Module im_file
File "C:\Program Files (x86)\Ipswitch\WS_FTP Server\Logging Server\Logs*"
SavePos TRUE
InputType LineBased
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>

<Output FTP_Out>

Module om_udp

Host CCE_IP_ADDRESS10.11.23.234
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'exchangewindows_msgtrkftp_loglogs';
Exec to_syslog_bsd();

</Output>

<Route 1>FTP>
Path inFTP_In => outFTP_Out
</Route>

<Route## Apache Logs
DNS>
Path<Input DNSApache_InIn>
=>	Module DNSim_Out
</Route>

<Route DHCP>
Path DHCP_In=> DHCP_Out
</Route>

<Route in-to-out>
Path in_iis => out_iis
</Route>

<Route mssql>
Path            in_mssql => out_mssql
</Route>

<Route 1>
Path in_exchange => out_exchangefile
	File "C:\Program Files\Apache Software Foundation\Tomcat 9.0_Tomcat9.0\localhost_access_log.*"
	SavePos TRUE
	InputType LineBased
	Exec if $raw_event =~ /^#/ drop();
	Exec $Message = $raw_event;
</Input>

<Output Apache_Out>
	Module om_udp
	Host 10.11.23.234
	Port 514
	Exec $SyslogFacilityValue = 2;
	Exec $SourceName = 'apache';
	Exec to_syslog_bsd();
</Output>

<Route Apache_Out>
	Path Apache_In => Apache_Out
</Route>

Note :

To Enable the logging of IIS, DNS, and MSSQL, Please follow the below link instruction.

For IIS: Enable Logging on Windows IIS server

For MSSQL: Windows-Enabling MSSQL Logs

For DNS: To enable DNS diagnostic logging

For Windows Events: Enable Windows Events Logs(Audit Policies)

Verification Steps:

This can validate the success of configuration either on UI or on the CCE server.

...

  1. Open UI >>Systems. Navigate to System >> Log/Flow Collection Status

...

2.Under The source device, the IP address section of the device configured will reflect.

...