...
This document describes how to forward logs to the Seceon SIEM with the NXLog agent when a Windows Server hosts one or more of the following roles: Domain Controller / Active Directory, DNS, DHCP, FTP (WS_FTP Server), Apache Tomcat, Microsoft Exchange, and Microsoft SQL Server. Note that every output in the configuration below sends over plain UDP (port 5154 for JSON-encoded Windows events, port 514 for BSD syslog), which is unencrypted, unauthenticated and offers no delivery guarantee; prefer a TCP/TLS output where the Seceon collector (CCE) supports it.
Prerequisite
...
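## ROOT must point at the directory nxlog was installed into; every other
## path in this file is derived from it and the agent will not start
## otherwise. Use the second define instead for the 32-bit build.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

## Modules, persisted read positions (SavePos state lives in CacheDir),
## spooled events, the pid file and nxlog's own log all sit under ROOT, so
## the service account needs write access to %ROOT%\data.
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log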
## Shared extensions: xm_syslog provides to_syslog_bsd() for the file-based
## inputs below, xm_json provides to_json() for the Windows event output.
## Each instance name must be unique in the file.
<Extension syslog>
    Module  xm_syslog
</Extension>
<Extension _json>
    Module  xm_json
</Extension>
## Allowlist of Windows event IDs forwarded by the 'in' input; any event whose
## ID is not listed here is dropped on the host and cannot be recovered later.
## The list mixes pre-2008 IDs (5xx/6xx) with their 4xxx successors; keep
## both only if legacy hosts also use this file. Examples of what it keeps:
## 4624/4625 logon success/failure, 4688 process creation, 472x-475x account
## and group changes, 7045 service installation, 1102 audit log cleared.
define aisiem \
1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260, \
261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\
540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\
645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\
690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100, \
7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004
## Windows event log reader. Subscribes to all events of the four channels and
## applies the %aisiem% allowlist; the filtering happens on the host, so an
## event ID that is missing from the list never reaches the SIEM.
<Input in>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">* </Select>\
                    <Select Path="Application">* </Select>\
                    <Select Path="Setup">* </Select>\
                    <Select Path="System">* </Select>\
                </Query>\
            </QueryList>
    # Drop everything that is not explicitly allowlisted.
    Exec    if $EventID NOT IN (%aisiem%) drop();
</Input>
## JSON output for the Windows event input. Uses its own collector port
## (5154); the file-based inputs below send BSD syslog to 514 instead, so
## both listeners must exist on the CCE.
## NOTE(review): om_udp provides no delivery guarantee, no encryption and no
## sender authentication, and a large event (e.g. 4688 with a long command
## line) may not fit in a single datagram. om_tcp/om_ssl is the safer choice
## if the collector accepts it.
<Output out>
    Exec    to_json();
    Module  om_udp
    Host    10.11.23.234
    Port    5154
</Output>
## Windows event log -> JSON/UDP collector port.
<Route 1>
    Path    in => out
</Route>
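## DNS Logs
## Windows DNS debug log written to C:\DNS LOG\ (see the DNS prerequisite
## link at the end of this document). The path is single-quoted so nxlog
## does not treat the backslashes as escape characters, matching the
## Exchange path further down (the IIS block uses the double-backslash form
## inside double quotes for the same reason).
<Input DNS_In>
    Module      im_file
    File        'C:\DNS LOG\dns*'
    # Persist the read position so a restart does not resend the whole file.
    SavePos     TRUE
    InputType   LineBased
    # Skip comment/header lines.
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>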
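## BSD syslog output for the DNS log. The Host value is the address of the
## Seceon CCE; nxlog does not accept trailing text after a directive value,
## so no placeholder such as "<CCE IP Address>" may follow it. The Output
## block must be closed before the Route that references it.
## NOTE(review): UDP/514 is cleartext and unauthenticated; prefer TCP/TLS
## where the collector supports it.
<Output DNS_Out>
    Module  om_udp
    Host    10.11.23.234
    Port    514
    Exec    $SyslogFacilityValue = 2;
    Exec    $SourceName = 'windows_dns_logs';
    Exec    to_syslog_bsd();
</Output>
<Route DNS>
    Path    DNS_In => DNS_Out
</Route>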
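## DHCP Logs
## DHCP server activity log. Single-quoted path: nxlog does not process
## backslash escapes in single quotes, which keeps this consistent with the
## Exchange path below and avoids relying on how "\d" and "\D" are handled in
## a double-quoted string.
## NOTE(review): only '#'-prefixed lines are dropped here; if the DhcpSrvLog
## files carry a non-'#' prose header it will be forwarded as well -- confirm
## against a sample file and tighten the filter if needed.
<Input DHCP_In>
    Module  im_file
    File    'C:\Windows\system32\dhcp\DhcpSrvLog*'
    SavePos TRUE
    Exec    if $raw_event =~ /^#/ drop();
    Exec    $Message = $raw_event;
</Input>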
## DHCP log -> BSD syslog on the shared UDP/514 listener (cleartext, no
## delivery guarantee). $SourceName is what the collector keys its parser on.
<Output DHCP_Out>
    Exec    $SourceName = 'windows_dhcp_logs';
    Exec    $SyslogFacilityValue = 2;
    Exec    to_syslog_bsd();
    Module  om_udp
    Host    10.11.23.234
    Port    514
</Output>
## DHCP server log -> syslog collector port.
<Route DHCP>
    Path    DHCP_In => DHCP_Out
</Route>
## IIS Logs
## W3C-format IIS site logs (one directory per site, W3SVC<id>). Backslashes
## are doubled because the path is in double quotes, where "\" is an escape
## character. ReadFromLast means existing content is not replayed on the
## first start; afterwards SavePos keeps the position across restarts.
<Input in_iis>
    Module        im_file
    File          "C:\\inetpub\\logs\\LogFiles\\W3SVC*\\u_ex*"
    ReadFromLast  TRUE
    SavePos       TRUE
    # W3C header lines start with '#'.
    Exec          if $raw_event =~ /^#/ drop();
    Exec          $Message = $raw_event;
</Input>
## IIS log -> BSD syslog on UDP/514 (cleartext, unauthenticated).
<Output out_iis>
    Module  om_udp
    Host    10.11.23.234
    Port    514
    Exec    $SourceName = 'windows_iis_logs';
    Exec    $SyslogFacilityValue = 2;
    Exec    to_syslog_bsd();
</Output>
## IIS access log -> syslog collector port.
<Route in-to-out>
    Path    in_iis => out_iis
</Route>
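## Exchange Logs
## The xm_syslog extension instance 'syslog' is declared once near the top of
## this file. nxlog requires module instance names to be unique, so it is not
## declared a second time here.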
## Exchange message-tracking logs (single-quoted path, no escape processing).
## NOTE(review): message-tracking entries typically contain sender and
## recipient addresses, which this configuration ships in cleartext over UDP.
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking
<Input in_exchange>
    Module  im_file
    File    '%BASEDIR%\MSGTRK*-*.LOG'
    SavePos TRUE
    # Header lines and the monitoring mailbox traffic are noise for the SIEM.
    Exec    if $raw_event =~ /^#/ drop();
    Exec    if $raw_event =~ /HealthMailbox/ drop();
</Input>
## Exchange message tracking -> BSD syslog on UDP/514.
<Output out_exchange>
    Exec    $SourceName = 'exchange_msgtrk_log';
    Exec    $SyslogFacilityValue = 2;
    Exec    to_syslog_bsd();
    Module  om_udp
    Host    10.11.23.234
    Port    514
</Output>
## Exchange message tracking -> syslog collector port.
<Route exchange>
    Path    in_exchange => out_exchange
</Route>
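## SQL Logs
## SQL Server Audit events arriving through the Windows event log. out_mssql
## calls mssql_csv->to_csv(), so an xm_csv extension with that instance name
## must exist or nxlog refuses to load this configuration. The field list is
## the set of fields populated by this input; NOTE(review): confirm the order
## against what the Seceon parser expects for 'mssql_logs'.
<Extension mssql_csv>
    Module  xm_csv
    Fields  $EventTime, $EventID, $Action_ID, $DataBase, $SV_Instace, $User, $Result, $Message
</Extension>
<Input in_mssql>
    Module  im_msvistalog
    # Positions are not persisted and reading starts at the newest event, so
    # events written while the agent is stopped are never forwarded.
    SavePos      FALSE
    ReadFromLast TRUE
    # NOTE(review): no Query is given, so this input reads nxlog's default
    # channels -- the same Security/Application/System already forwarded by
    # 'in' -- and every event, SQL-related or not, is sent again as
    # mssql_logs with $Result = 'Failure' unless it contains AUDIT_SUCCESS.
    # Restrict it to the SQL Server audit provider once the provider name is
    # confirmed, e.g.
    #   Query <QueryList><Query Id="0">\
    #         <Select Path="Application">*[System[Provider[@Name='MSSQLSERVER']]]</Select>\
    #         </Query></QueryList>
    # (named instances log under MSSQL$<instance>).
    Exec    $Message = $raw_event;
    # Pull the audit attributes out of the free-text event body.
    Exec    if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
    Exec    if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
    Exec    if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
    Exec    if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
    <Exec>
        if $raw_event =~ /AUDIT_SUCCESS/ $Result = 'Success';
        else $Result = 'Failure';
    </Exec>
    # Flatten the multi-line body so it fits on one CSV line.
    Exec    $Message = replace($Message, "\t", " ");
    Exec    $Message = replace($Message, "\n", " ");
    Exec    $Message = replace($Message, "\r", " ");
</Input>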
## SQL audit -> collector UDP/514. Unlike the other file outputs this does
## not build a syslog header: the datagram is "<fqdn> mssql_logs: <csv>",
## where the CSV is produced by the xm_csv extension instance 'mssql_csv'
## (which must be defined in this file). NOTE(review): confirm the CCE
## listener on 514 accepts this non-syslog framing.
<Output out_mssql>
    Module  om_udp
    Host    10.11.23.234
    Port    514
    Exec    $Hostname = hostname_fqdn();
    Exec    mssql_csv->to_csv();
    Exec    $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>
## SQL Server audit events -> collector port.
<Route mssql>
    Path    in_mssql => out_mssql
</Route>
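## FTP Logs
## WS_FTP Server logging-server files. Single-quoted so the backslashes are
## taken literally (consistent with the Exchange path above).
## NOTE(review): the pattern ends in "Logs*", which matches entries named
## Logs* inside "Logging Server"; im_file does not descend into directories
## unless Recursive is set, so if "Logs" is a folder this matches no files.
## Confirm the real log file names on the host.
<Input FTP_In>
    Module      im_file
    File        'C:\Program Files (x86)\Ipswitch\WS_FTP Server\Logging Server\Logs*'
    SavePos     TRUE
    InputType   LineBased
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>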
## FTP log -> BSD syslog on UDP/514 (cleartext, unauthenticated).
<Output FTP_Out>
    Exec    $SourceName = 'windows_ftp_logs';
    Exec    $SyslogFacilityValue = 2;
    Exec    to_syslog_bsd();
    Module  om_udp
    Host    10.11.23.234
    Port    514
</Output>
## WS_FTP server log -> syslog collector port.
<Route FTP>
    Path    FTP_In => FTP_Out
</Route>
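## Apache Logs
## Despite the heading this reads the Apache Tomcat access log
## (localhost_access_log.*). Single-quoted path so the backslashes are
## literal, consistent with the Exchange path above.
## NOTE(review): Tomcat normally writes access logs into the logs\ directory
## under the install folder; confirm the directory and file name match the
## actual installation before relying on this input.
<Input Apache_In>
    Module      im_file
    File        'C:\Program Files\Apache Software Foundation\Tomcat 9.0_Tomcat9.0\localhost_access_log.*'
    SavePos     TRUE
    InputType   LineBased
    Exec        if $raw_event =~ /^#/ drop();
    Exec        $Message = $raw_event;
</Input>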
## Tomcat access log -> BSD syslog on UDP/514 (cleartext, unauthenticated).
<Output Apache_Out>
    Exec    $SourceName = 'apache';
    Exec    $SyslogFacilityValue = 2;
    Exec    to_syslog_bsd();
    Module  om_udp
    Host    10.11.23.234
    Port    514
</Output>
## Tomcat access log -> syslog collector port. (The route shares its name
## with the output module; routes have their own namespace, but a distinct
## name such as "Apache" would read more clearly.)
<Route Apache_Out>
    Path    Apache_In => Apache_Out
</Route>
...
For IIS: Enable Logging on Windows IIS server
For MSSQL: Windows-Enabling MSSQL Logs
For DNS: To enable DNS diagnostic logging
...