Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

...

Overview

NXLOG is used to process the collected information from Windows event logs and forward these logs on to the OTM CCE.

...

NXLog uses Apache-style configuration files. The configuration file is loaded from its default location, or it can be explicitly specified with the -c command-line argument.

The NXLog configuration file is comprised of blocks and directives. Blocks are similar to XML tags containing multiple directives. Directive names are not case-sensitive but arguments sometimes are.

Ref. link: https://docs.nxlog.co/userguide/configure/overview.html

Pre-requisite

  • Login on collector/AD computer.

  • Download the latest version of nxlogNXLog Community Edition. It is easiest to choose the Windows msi MSI file which includes an installer. Use the link below for the community edition:

    http://nxlog.org/products/nxlog-community-edition/download    

...

Download - NXLog Community Edition 

...

  

...

Steps Of Configuration

  • Open the Nxlog configuration file at :

...

  C:\Program Files

...

\nxlog\conf\nxlog.conf (Be intact to the mentioned path )

  • Run notepad or notepad++ with the administrative rights.

  • Open the nxlog.conf file.

  • Replace the configuration file by pasting the following - Note to replace the variable (IP Address of Seceon Collector) mentioned in point 52 below with the actual Seceon Server IP address:

...

 net stop nxlog

 net start nxlog

  1. Click on: NXlog

...

2. Click on : Stop

...

3. Click on : start

...

Repeat this for all policies one by one.

Enable audit logs:  Windows- Enable Audit Logs/Poli/wiki/spaces/PP/pages/445612089cies

  • Open Command Prompt, once policies are enabled, and run the command gpupdate /force, to validate that the policies are enabled.

...

...

Verification

Can validate the success of configuration either on UI or on CCE server.

...

  • Verification Through CCE server

“sudo tcpdump -i any host port 5154 and host <IP address> -AAA” command should be ran on CCE server to check wheather or not we are getting logs .