Table of Contents |
---|
Overview
This document will provide detailed information to forward logs to Seceon SIEM Tool when the Microsoft Server serves as Domain Controller, DNS, DHCP, FTP, Apache, Windows AD, Windows MS Exchange, and Windows MSSQL role.
Prerequisite
Microsoft Server serves as DNS & DHCP.along with Windows AD+Windows MS Exchange+Windows MSSQL + Windows IIS
Nxlog Utility needs to be installed on the Server with the required privileges.
The NXLog configuration file is comprised of blocks and directives. Blocks are similar to XML tags containing multiple directives. Directive names are not case-sensitive but arguments sometimes are.
Ref. link: https://docs.nxlog.co/userguide/configure/overview.html
Configuration Steps
This is a sample configuration file. See the nxlog reference manual about
configuration options. It should be installed locally
Please set the ROOT to the folder your nxlog was installed into, otherwise, it will not start. Additionally, ensure that some of the place holders placeholders are updated for your environment. Examples of a place holders placeholders are CCE_IP_ADDRESS, and filenames for logfiles to read from.
Code Block |
---|
## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. define ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog #define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _json> Module xm_json </Extension> #Extension for MSSQL <Extension mssql_csv> Module syslog> Module xm_csvsyslog </Extension> define aisiem Fields $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message FieldTypes string, string, string, string, string, string, string, string Delimiter ; </Extension> define aisiem \ 1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260, \ 261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\ 540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\ 645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\ 690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100, \ 7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \ 4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \ 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \ 4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \ 4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \ 4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \ 4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \ 5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004 <Input in> Module im_msvistalog Query <QueryList>\ <Query Id="0">\ <Select Path="Security">* </Select>\ <Select Path="Application">* </Select>\ <Select Path="Setup">* </Select>\ <Select Path="System">* </Select>\ </Query>\ </QueryList> <Exec> if ($EventID NOT IN (%aisiem%)) drop(); </Exec> </Input> <Output out> Module om_udp Host 10.11.23.234 Port 5154 Exec to_json(); </Output> <Route 1> Path in => out </Route> ## DNS Logs <Input DNS_In> Module im_file File "C:\\Windows\\Sysnative\\dnsDNS LOG\dns*" SavePos TRUE InputType LineBased Exec if $raw_event =~ /^#/ drop(); Exec $Message = $raw_event; </Input> <Output DNS_Out> Module om_udp Host 10.11.23.234 <CCE IP Address> Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'windows_dns_logs'; Exec to_syslog_bsd(); <Route DNS> Path DNS_In => DNS_Out </Route> ## DHCP Logs <Input DHCP_In> Module im_file File "C:\Windows\Sysnativesystem32\dhcp\DhcpSrvLog*" SavePos TRUE Exec if $raw_event =~ /^#/ drop(); Exec $Message = $raw_event; </Input> <Output DHCP_Out> Module om_udp Host 10.11.23.234 Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'windows_dhcp_logs'; Exec to_syslog_bsd(); </Output> <Route DHCP> Path DHCP_In=> DHCP_Out </Route> ## IIS Logs <Input in_iis> Module im_file File "C:\\inetpub\\logs\\LogFiles\\W3SVC*\\u_ex*" SavePos TRUE ReadFromLast TRUE Exec if $raw_event =~ /^#/ drop(); Exec $Message = $raw_event; </Input> <Output out_iis> Module om_udp Host 10.11.23.234 Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'windows_iis_logs'; Exec to_syslog_bsd(); </Output> <Route in-to-out> Path in_iis => out_iis </Route> ## Exchange Logs <Extension syslog> Module xm_syslog </Extension> define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking <Input in_exchange> Module im_file File '%BASEDIR%\MSGTRK*-*.LOG' SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); </Input> <Output out_exchange> Module om_udp Host 10.11.23.234 Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'exchange_msgtrk_log'; Exec to_syslog_bsd(); </Output> <Route exchange> Path in_exchange => out_exchange </Route> ## SQL Logs <Input in_mssql> Module imim_msvistalog SavePos FALSE ReadFromLast TRUETRUE Exec $Message = $raw_event; # Finding some values: Exec ifif $raw_event =~ /action_id:(\S+)/ $Action_ID = $1; Exec ifif $raw_event =~ /database_name:(\S+)/ $DataBase = $1; Exec ifif $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1; Exec ifif $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1; Exec ifif $raw_event =~ /AUDIT_SUCCESS/\ {\ $Result = 'Success';\ }\ else\ $Result = 'Failure'; # Replace white spaces Exec $Message$Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); </Input> <Input<Output inout_exchange>mssql> Module im_file File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking' SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); </Input> <Output out> Module om_udp Host CCE_IP_ADDRESS Port 5154 Exec to_json(); </Output> <Output DNS_Out> Module om_udp Host CCE_IP_ADDRESS Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'windows_dns_logs'; Exec to_syslog_bsd(); </Output> <Output DHCP_Out> Module om_udp Host {CCE_IP ADDRESS} Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'windows_dhcp_logs'; Exec to_syslog_bsd(); </Output> <Output out_iis> Module om_udp Host CCE_IP_ADDRESS Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'windows_iis_logs'; Exec to_syslog_bsd(); </Output> <Output out_mssql> Module om_udp Host CCE_IP_ADDRESS Port 514 # Ensure we send in the proper format: Exec $Hostname = hostname_fqdn(); Exec mssql Module om_udp Host 10.11.23.234 Port 514 # Ensure we send in the proper format: Exec $Hostname = hostname_fqdn(); Exec mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event; </Output> <Extension mssql_csv> Module xm_csv Fields $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message FieldTypes string, string, string, string, string, string, string, string Delimiter ; </Extension> <Output out_exchange> <Route mssql> Path in_mssql => out_mssql </Route> ## FTP Logs <Input FTP_In> Module im_file File "C:\Program Files (x86)\Ipswitch\WS_FTP Server\Logging Server\Logs*" SavePos TRUE InputType LineBased Exec if $raw_event =~ /^#/ drop(); Exec $Message = $raw_event; </Input> <Output FTP_Out> Module om_udp Host CCE_IP_ADDRESS10.11.23.234 Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'exchangewindows_msgtrkftp_loglogs'; Exec to_syslog_bsd(); </Output> <Route 1>FTP> Path inFTP_In => outFTP_Out </Route> ## Apache <RouteLogs DNS> Path<Input DNSApache_InIn> => Module DNSim_Out </Route> <Route DHCP> Path DHCP_In=> DHCP_Out </Route> <Route in-to-out> Path in_iis => out_iis </Route> <Route mssql> Path in_mssql => out_mssql </Route> <Route 1> Path in_exchange => out_exchangefile File "C:\Program Files\Apache Software Foundation\Tomcat 9.0_Tomcat9.0\localhost_access_log.*" SavePos TRUE InputType LineBased Exec if $raw_event =~ /^#/ drop(); Exec $Message = $raw_event; </Input> <Output Apache_Out> Module om_udp Host 10.11.23.234 Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'apache'; Exec to_syslog_bsd(); </Output> <Route Apache_Out> Path Apache_In => Apache_Out </Route> |
Note :
To Enable the logging of IIS, DNS, and MSSQL, Please follow the below link instruction.
For IIS: Enable Logging on Windows IIS server
For MSSQL: Windows-Enabling MSSQL Logs
For DNS: To enable DNS diagnostic logging
For Windows Events: Enable Windows Events Logs(Audit Policies)
Verification Steps:
This can validate the success of configuration either on UI or on the CCE server.
...