...
This document describes how to forward logs to the Seceon SIEM when a Windows Server holds one or more of these roles: Domain Controller / Active Directory, DNS, DHCP, FTP (WS_FTP), Apache/Tomcat, IIS, Microsoft Exchange, and MSSQL. The NXLog agent below reads the role's log source on the server and sends it to the Seceon collector (CCE).
Prerequisite
...
This is a sample NXLog configuration file; see the NXLog reference manual for the full set of configuration options. It is installed locally on the Windows server that holds the role(s).
Set ROOT to the folder NXLog was installed into, otherwise the service will not start. Also replace the placeholders for your environment — for example CCE_IP_ADDRESS (the address of the Seceon collector) and the paths of the log files to read. Keep only the Input/Output/Route groups for the roles this server actually has.
Note that every output in the sample uses syslog/JSON over UDP (ports 514 and 5154). UDP is unencrypted and unacknowledged: the collector ports must be reachable from the server (host firewall and network path), lost packets are not retransmitted, and the content (AD security events, MSSQL audit records, Exchange message-tracking data) travels in clear text. Use a TLS-capable output if your collector offers one; otherwise restrict the path between the server and the collector to a trusted network segment.
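## nxlog.conf - forwards Windows Server logs to the Seceon collector (CCE):
##   AD / Windows event log (JSON, UDP 5154), DNS, DHCP, IIS, MSSQL audit,
##   Exchange message tracking, WS_FTP and Apache/Tomcat (syslog, UDP 514).
##
## Before starting the service:
##   * set ROOT to the folder nxlog was installed into, otherwise it will not start;
##   * replace every CCE_IP_ADDRESS with the collector's IP address;
##   * keep only the <Input>/<Output>/<Route> groups for the roles this host
##     has, and adjust the log file paths to your environment.
##
## SECURITY NOTE: all outputs use om_udp. UDP syslog/JSON is sent in clear
## text, is not authenticated, and is silently lost when packets are dropped.
## The data includes AD security events, MSSQL audit records and Exchange
## message-tracking (sender/recipient) data. If the collector offers a TLS
## listener, switch the outputs to om_ssl (or at least om_tcp); otherwise keep
## the path to CCE_IP_ADDRESS on a restricted network segment and allow only
## UDP 514/5154 from this host in the collector's firewall.
##
## File paths are single-quoted on purpose: nxlog takes single-quoted strings
## literally, so Windows backslashes do not have to be doubled.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# CSV layout of the MSSQL audit records emitted by out_mssql.
# The field name SV_Instace is kept as-is: the collector-side parser may key on it.
<Extension mssql_csv>
    Module     xm_csv
    Fields     $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message
    FieldTypes string, string, string, string, string, string, string, string
    Delimiter  ;
</Extension>

# Allow-list of Windows event IDs forwarded by <Input in>; every other event is
# dropped on the host and never reaches the SIEM. Review it against your
# detection use cases before deploying: for example 4672 (special privileges
# assigned to new logon), 4698 (scheduled task created), 4719 (system audit
# policy changed) and 4768 (Kerberos TGT requested) are NOT in this list.
# The three-digit IDs are the pre-Windows-2008 equivalents of the 46xx/47xx IDs.
define aisiem \
    1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18, 19, 20, 21, 104, 258, 259, 260, \
    261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, \
    540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644, \
    645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689, \
    690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100, \
    7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
    4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
    4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
    4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
    4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
    4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
    4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
    5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004

## ---------------------------------------------------------------------------
## AD / Domain Controller: Windows event log -> JSON over UDP 5154
## ---------------------------------------------------------------------------
<Input in>
    Module im_msvistalog
    # Security, Application, Setup and System channels; everything whose
    # EventID is not in %aisiem% is dropped before leaving the host.
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Select Path="Application">*</Select>\
            <Select Path="Setup">*</Select>\
            <Select Path="System">*</Select>\
        </Query>\
    </QueryList>
    <Exec>
        if ($EventID NOT IN (%aisiem%)) drop();
    </Exec>
</Input>

<Output out>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   5154
    Exec   to_json();
</Output>

<Route 1>
    Path in => out
</Route>

## ---------------------------------------------------------------------------
## DNS server: DNS debug log -> syslog over UDP 514
## Enable DNS diagnostic/debug logging first and point File at the log you
## configured. "Sysnative" is the 64-bit System32 as seen by a 32-bit nxlog on
## 64-bit Windows; a 64-bit nxlog should use C:\Windows\System32\dns\dns* instead.
## ---------------------------------------------------------------------------
<Input DNS_In>
    Module    im_file
    File      'C:\Windows\Sysnative\dns\dns*'
    SavePos   TRUE
    InputType LineBased
    # Drop header/comment lines; forward every other line verbatim.
    Exec      if $raw_event =~ /^#/ drop();
    Exec      $Message = $raw_event;
</Input>

<Output DNS_Out>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    Exec   $SyslogFacilityValue = 2;
    # $SourceName is the tag the collector uses to pick its parser; keep it.
    Exec   $SourceName = 'windows_dns_logs';
    Exec   to_syslog_bsd();
</Output>

<Route DNS>
    Path DNS_In => DNS_Out
</Route>

## ---------------------------------------------------------------------------
## DHCP server: DhcpSrvLog-*.log audit files -> syslog over UDP 514
## (same Sysnative remark as for DNS)
## ---------------------------------------------------------------------------
<Input DHCP_In>
    Module  im_file
    File    'C:\Windows\Sysnative\dhcp\DhcpSrvLog*'
    SavePos TRUE
    Exec    if $raw_event =~ /^#/ drop();
    Exec    $Message = $raw_event;
</Input>

<Output DHCP_Out>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    Exec   $SyslogFacilityValue = 2;
    Exec   $SourceName = 'windows_dhcp_logs';
    Exec   to_syslog_bsd();
</Output>

<Route DHCP>
    Path DHCP_In => DHCP_Out
</Route>

## ---------------------------------------------------------------------------
## IIS: W3C access logs -> syslog over UDP 514 (enable IIS logging first)
## ---------------------------------------------------------------------------
<Input in_iis>
    Module       im_file
    File         'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*'
    SavePos      TRUE
    # Only new entries are read on first start; afterwards the saved position wins.
    ReadFromLast TRUE
    Exec         if $raw_event =~ /^#/ drop();
    Exec         $Message = $raw_event;
</Input>

<Output out_iis>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    Exec   $SyslogFacilityValue = 2;
    Exec   $SourceName = 'windows_iis_logs';
    Exec   to_syslog_bsd();
</Output>

<Route in-to-out>
    Path in_iis => out_iis
</Route>

## ---------------------------------------------------------------------------
## MSSQL: SQL Server Audit events from the Windows event log -> CSV over UDP 514
## Enable MSSQL audit logging to the Windows log first.
## NOTE(review): no Query is set, so this input reads the module's default
## channels and the route below tags every event it sees as mssql_logs, with
## empty CSV fields for non-SQL events - confirm on a test host and, if so, add
## a Query that selects only the channel/provider SQL Server audit writes to.
## ---------------------------------------------------------------------------
<Input in_mssql>
    Module       im_msvistalog
    # SavePos TRUE (the sample had FALSE): with ReadFromLast alone, audit
    # events written while nxlog is stopped would never be forwarded. With a
    # saved position nxlog resumes from the last event sent after a restart.
    SavePos      TRUE
    ReadFromLast TRUE
    Exec         $Message = $raw_event;
    # Extract the SQL audit fields consumed by mssql_csv.
    Exec         if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
    Exec         if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
    Exec         if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
    Exec         if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
    <Exec>
        if $raw_event =~ /AUDIT_SUCCESS/
        {
            $Result = 'Success';
        }
        else
            $Result = 'Failure';
    </Exec>
    # Flatten the multi-line event text so one event becomes one CSV line.
    <Exec>
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
    </Exec>
</Input>

<Output out_mssql>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    # Send "<fqdn> mssql_logs: <csv record>" - the format the collector expects.
    Exec   $Hostname = hostname_fqdn();
    Exec   mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>

<Route mssql>
    Path in_mssql => out_mssql
</Route>

## ---------------------------------------------------------------------------
## Exchange: message tracking logs -> syslog over UDP 514
## ---------------------------------------------------------------------------
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange>
    Module  im_file
    File    '%BASEDIR%\MSGTRK*-*.LOG'
    SavePos TRUE
    # Skip Exchange health-probe traffic and the CSV header lines.
    Exec    if $raw_event =~ /HealthMailbox/ drop();
    Exec    if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    Exec   $SyslogFacilityValue = 2;
    Exec   $SourceName = 'exchange_msgtrk_log';
    Exec   to_syslog_bsd();
</Output>

# Route names must be unique; the sample reused "1" (already taken by AD).
<Route exchange>
    Path in_exchange => out_exchange
</Route>

## ---------------------------------------------------------------------------
## FTP (Ipswitch WS_FTP Server): logging-server files -> syslog over UDP 514
## Adjust File to the actual log directory/file pattern of your installation.
## ---------------------------------------------------------------------------
<Input FTP_In>
    Module    im_file
    File      'C:\Program Files (x86)\Ipswitch\WS_FTP Server\Logging Server\Logs*'
    SavePos   TRUE
    InputType LineBased
    Exec      if $raw_event =~ /^#/ drop();
    Exec      $Message = $raw_event;
</Input>

<Output FTP_Out>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    Exec   $SyslogFacilityValue = 2;
    Exec   $SourceName = 'windows_ftp_logs';
    Exec   to_syslog_bsd();
</Output>

<Route FTP>
    Path FTP_In => FTP_Out
</Route>

## ---------------------------------------------------------------------------
## Apache/Tomcat: access log -> syslog over UDP 514
## Adjust File to your Tomcat install folder and access-log file name.
## ---------------------------------------------------------------------------
<Input Apache_In>
    Module    im_file
    File      'C:\Program Files\Apache Software Foundation\Tomcat 9.0_Tomcat9.0\localhost_access_log.*'
    SavePos   TRUE
    InputType LineBased
    Exec      if $raw_event =~ /^#/ drop();
    Exec      $Message = $raw_event;
</Input>

<Output Apache_Out>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    Exec   $SyslogFacilityValue = 2;
    Exec   $SourceName = 'windows_apache';
    Exec   to_syslog_bsd();
</Output>

<Route Apache>
    Path Apache_In => Apache_Out
</Route>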
Note 1:
To forward only one role from a server, keep the global section (ROOT, Moduledir, CacheDir, Pidfile, SpoolDir, LogFile and the needed Extension) and combine just that role's Input, Output and Route blocks into one nxlog.conf, as in the example below.
Example:
Windows IIS nxlog.conf
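## nxlog.conf - IIS only: W3C access logs -> Seceon collector (syslog, UDP 514)
## ROOT must be defined or nxlog will not start; the sample omitted it.
## Replace CCE_IP_ADDRESS with the collector's IP address.
## om_udp sends clear-text, unacknowledged syslog: use a TLS output (om_ssl) if
## the collector supports one, otherwise keep the path on a trusted segment.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in_iis>
    Module       im_file
    # Single-quoted so the backslashes are taken literally (no escaping needed).
    File         'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*'
    SavePos      TRUE
    # First start reads only new entries; afterwards the saved position wins.
    ReadFromLast TRUE
    # Drop the W3C header lines (#Software, #Fields, ...); forward the rest verbatim.
    Exec         if $raw_event =~ /^#/ drop();
    Exec         $Message = $raw_event;
</Input>

<Output out_iis>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   514
    Exec   $SyslogFacilityValue = 2;
    # $SourceName is the tag the collector keys its parser on; keep it.
    Exec   $SourceName = 'windows_iis_logs';
    Exec   to_syslog_bsd();
</Output>

<Route in-to-out>
    Path in_iis => out_iis
</Route>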
Note
...
:
IIS, DNS and MSSQL do not write the logs above by default; enable logging on each of them first by following the linked instructions. Until logging is enabled, the corresponding Input has nothing to read and nothing reaches the SIEM.
For IIS: Enable Logging on Windows IIS server
For MSSQL: Windows-Enabling MSSQL Logs
For DNS: To enable DNS diagnostic logging
...