To export logs
Overview
This document explains how to configure the export of Windows events.
To export events from Windows machines/servers, we use a third-party software called NXLog. NXLog is a multi-platform log management tool that helps to easily identify security risks and policy breaches, or analyze operational problems, in server logs, operating system logs and application logs. In concept, NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog only. It supports different platforms (such as Windows, in our case), log sources and formats, so NXLog can be used to implement a centralized, scalable logging system. NXLog Community Edition is open source and can be downloaded free of charge with no license costs or limitations.
A. Types of Windows events
Windows servers generate two types of events:
Type 1: Windows Native Events
Type 2: Windows-based Application Events
Type 1: Windows Native Events -
For these, we can use either of the event collection methods (Method 1 or Method 2 in section B below) to collect the events. Examples: OS events, Audit events (/wiki/spaces/PP/pages/445612089) and Driver Framework events like USB events, CD Drive events etc. (/wiki/spaces/RB/pages/4227200).
Type 2: Windows-based Application events -
For Application events, we have to use Method 1 of event collection, which is to run the nxlog agent on the server to read the events from a specific location and export them to CCEs. Examples: MSSQL, DNS, DHCP, IIS, MS Exchange and SMTP.
B. Methods of Event Collection from Windows -
There are two methods of event collection from Windows servers, depending on the type of events the server generates:
- Nxlog Agent configured on the same server
- Nxlog Agent configured on a collector setup
Both methods are described below.
Method 1: Nxlog Agent configured on the same server:
In this case, the Nxlog configuration is done on the same server from which the events are forwarded. Depending on the event source, configure nxlog as follows:
- Base OS: Please use the instructions in the link below to configure nxlog:
Nxlog Configuration for Windows AD Logs
- Application events from MSSQL: Please use the instructions in the link below:
Windows MSSQL Nxlog configuration
- Application events from DNS: Please use the instructions in the link below:
Windows DNS Nxlog configuration
- Application events from DHCP: Please use the instructions in the link below:
Windows DHCP Nxlog configuration
- Application events from IIS: Please use the instructions in the link below:
Windows IIS Nxlog configuration
- Application events from MS Exchange: Please use the instructions in the link below:
Windows MS Exchange Nxlog configuration
- Application events from SMTP: Please use the instructions in the link below:
Windows SMTP Nxlog configuration
Note: In certain scenarios, if the partner/customer can mount the application events location on the collector or on any other centralized location, then either event collection method can be used.
Method 2: Windows Event Subscriptions with Nxlog configured on Windows Collector
This method requires the following steps:
Step 1 - Set up the Windows Collector:
The Windows Collector will be one small Windows VM, with the configuration below:
- Compute Power: Windows 2012 Server - 2 GHz or faster
- Minimum Memory (DRAM): 2 GB
- Minimum Disk: 40 GB
- Network Interface: 1 GigE
Step 2 - Create subscriptions on the Windows Collector:
Once the Windows Collector is up and running, subscriptions can be added to it for all the remote Windows machines in the same domain from which we have to get the events forwarded. For subscriptions, please refer to the instructions in the link:
Event Collection at Windows Collector Server
Step 3 - Forward events from source computers to the Windows Collector:
To enable events to be forwarded from the remote computers to the Windows Collector, the steps that need to be performed are in the link:
Event Forwarding from Source Windows Server
Step 4 - Forward events from the Windows Collector to CCE using Nxlog configuration:
Once the events are forwarded from the remote Windows machines to the Windows Collector, we need to configure Nxlog on the collector to in turn forward the collected events to our CCE. To configure this, please refer to:
Nxlog Configuration for Windows AD Logs
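As an added illustration of Step 4 (this is example configuration written for this page, not the configuration from the linked wiki pages), a minimal NXLog Community Edition nxlog.conf for the Windows Collector: it reads the ForwardedEvents channel, where the subscriptions from Step 2 deliver the remote machines' events, converts each event to JSON and sends it over TCP to the CCE. The CCE address 192.0.2.10 and port 514 are placeholders; for Method 1 the same file works on a source server if the Select path is changed to the local channel (e.g. Security).

```nxlog
## Paths for a default NXLog CE install on Windows
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

## Read events that source machines forwarded to this collector (Step 3).
## On a Method 1 server, replace ForwardedEvents with Security, System, etc.
<Input forwarded_events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Serialize all event fields (EventID, Channel, Hostname, Message, ...) as one JSON line
    Exec to_json();
</Input>

## Send to the CCE over TCP (placeholder address and port; use your CCE values)
<Output cce>
    Module om_tcp
    Host 192.0.2.10
    Port 514
</Output>

<Route collector_to_cce>
    Path forwarded_events => cce
</Route>
```

After restarting the nxlog service, check %ROOT%\data\nxlog.log for connection errors and confirm on the CCE that events arrive with the original source machine's Hostname field, not the collector's name.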
For the threat indicators generated from these events, see:
Threat Indicators Generated from Windows Events