
This article explains the steps to configure forwarding of IIS application logs, MS SQL application logs and Windows OS audit logs from the same machine to the Seceon CCE.

Requirements

  1. Admin access to the Windows machine running all these applications.

  2. Admin access to the MS SQL application.

  3. Outbound UDP ports 514 and 5154 allowed from the Windows machine running all the applications to the CCE.

NxLog Configuration

  1. Log in to the collector/AD computer.

  2. Download the latest version of NxLog. It is easiest to choose the Windows msi file, which includes an installer. Use the link: http://nxlog.org/products/nxlog-community-edition/download

  3. Open the NxLog configuration file at: C:\Program Files (x86)\nxlog\conf\nxlog.conf

  4. Replace the entire configuration file with the configuration below. Replace the placeholder CCE_IP_ADDRESS (the IP address of the Seceon Collector) with the actual Seceon Server IP address:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module          xm_json
</Extension>

# Extension for MSSQL: CSV layout of the record sent to the CCE on UDP 514
<Extension mssql_csv>
    Module          xm_csv
    Fields          $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instance, $User, $Message
    FieldTypes      string, string, string, string, string, string, string, string
    Delimiter       ;
</Extension>

# Windows event IDs forwarded to the CCE; every other event is dropped
define aisiem                                                                 \
258, 259, 260, 261, 262, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540,    \
551, 552, 675, 676, 677, 679, 680, 681, 682, 683, 4624, 4625, 4634, 4647,     \
4649, 4656, 4659, 4661, 4663, 4720, 4722, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4744, 4745, \
4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4758, 4759, 4760, 4762, \
4763, 4764, 4771, 4772, 4773, 4775, 4777, 4778, 4779, 4782, 4785, 4786, 4787, \
4788, 4793, 4794, 4797, 5140, 5142, 5143, 5144, 5145

# Input for base OS/AD Audit Logs
<Input in>
    Module          im_msvistalog
    Query           <QueryList>\
                        <Query Id="0">\
                            <Select Path="Security">*</Select>\
                            <Select Path="Application">*</Select>\
                            <Select Path="Setup">*</Select>\
                            <Select Path="System">*</Select>\
                        </Query>\
                    </QueryList>
    <Exec>
        if ($EventID NOT IN (%aisiem%)) drop();
    </Exec>
</Input>

# Input for MSSQL: SQL Server audit events written to the Windows Application log
<Input in_mssql>
    Module          im_msvistalog
    SavePos         FALSE
    ReadFromLast    TRUE
    # Assumed query (not part of the original configuration): read only events from the
    # SQL Server provider, so this input does not re-send the whole event log on UDP 514.
    # MSSQLSERVER is the default instance; a named instance logs as MSSQL$<instance name>.
    Query           <QueryList>\
                        <Query Id="0">\
                            <Select Path="Application">*[System[Provider[@Name='MSSQLSERVER']]]</Select>\
                        </Query>\
                    </QueryList>
    Exec            $Message = $raw_event;
    # Extract the audit fields from the key:value pairs in the event text
    Exec            if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
    Exec            if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
    Exec            if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instance = $1;
    Exec            if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
    Exec            if $raw_event =~ /AUDIT_SUCCESS/\
                    {\
                        $Result = 'Success';\
                    }\
                    else\
                        $Result = 'Failure';
    # Collapse tabs and line breaks so the whole message fits on one syslog line
    Exec            $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
</Input>

# Output for base OS/AD Audit Logs: JSON over UDP 5154
<Output out>
    Module          om_udp
    Host            CCE_IP_ADDRESS
    Port            5154
    Exec            to_json();
</Output>

# Output for MSSQL: CSV record prefixed with the host name over UDP 514
<Output out_mssql>
    Module          om_udp
    Host            CCE_IP_ADDRESS
    Port            514
    # Ensure we send in the proper format
    Exec            $Hostname = hostname_fqdn();
    Exec            mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>

# Route for base OS/AD Audit Logs
<Route 1>
    Path            in => out
</Route>

# Route for MSSQL Logs
<Route mssql>
    Path            in_mssql => out_mssql
</Route>
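As an added example (not part of the original page or of NXLog), the following Python script mirrors what the configuration above does to an event before it leaves the machine: the aisiem event-ID filter of the `in` input, and the regex field extraction, Success/Failure tagging, whitespace collapsing and CSV record of the `in_mssql`/`out_mssql` pair. The sample audit event and host names are constructed; the quoting that xm_csv applies to fields containing the delimiter is not reproduced.

```python
import re

# Windows event IDs kept by the "aisiem" filter in the NXLog configuration above.
AISIEM_EVENT_IDS = {
    258, 259, 260, 261, 262, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540,
    551, 552, 675, 676, 677, 679, 680, 681, 682, 683, 4624, 4625, 4634, 4647,
    4649, 4656, 4659, 4661, 4663, 4720, 4722, 4725, 4726, 4727, 4728, 4729, 4730,
    4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4744, 4745,
    4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4758, 4759, 4760, 4762,
    4763, 4764, 4771, 4772, 4773, 4775, 4777, 4778, 4779, 4782, 4785, 4786, 4787,
    4788, 4793, 4794, 4797, 5140, 5142, 5143, 5144, 5145,
}

# The same key:value patterns as the in_mssql Exec lines; \S+ stops at the first whitespace.
FIELD_PATTERNS = {
    "Action_ID": re.compile(r"action_id:(\S+)"),
    "DataBase": re.compile(r"database_name:(\S+)"),
    "SV_Instance": re.compile(r"server_instance_name:(\S+)"),
    "User": re.compile(r"session_server_principal_name:(\S+)"),
}

# Constructed sample of a SQL Server audit event as written to the Application log.
SAMPLE_EVENT = ("Audit event: event_time:2024-01-01 10:00:00\taction_id:LGIF\t"
                "succeeded:false\tsession_server_principal_name:CORP\\svc_app\t"
                "server_instance_name:SQL01\tdatabase_name:master\tAUDIT_FAILURE\r\n")


def keep_os_event(event_id: int) -> bool:
    """Mirror of: if ($EventID NOT IN (%aisiem%)) drop();"""
    return event_id in AISIEM_EVENT_IDS


def mssql_csv_record(hostname: str, source_name: str, raw_event: str) -> str:
    """Build the line out_mssql sends on UDP 514 for one Application-log event."""
    fields = {name: "" for name in FIELD_PATTERNS}  # unmatched fields stay empty
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(raw_event)
        if match:
            fields[name] = match.group(1)
    # /AUDIT_SUCCESS/ is a substring match; anything else is tagged as a failure
    result = "Success" if "AUDIT_SUCCESS" in raw_event else "Failure"
    message = raw_event.replace("\t", " ").replace("\n", " ").replace("\r", " ")
    csv = ";".join([hostname, source_name, fields["Action_ID"], result,
                    fields["DataBase"], fields["SV_Instance"], fields["User"], message])
    return f"{hostname} mssql_logs: {csv}"


if __name__ == "__main__":
    print(mssql_csv_record("win01.corp.local", "MSSQLSERVER", SAMPLE_EVENT))
```

Feeding a non-audit Application event through `mssql_csv_record` yields empty Action_ID, DataBase, SV_Instance and User fields and a "Failure" result, which is what the CCE would receive if the input were not restricted to the SQL Server provider.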

...

Enabling Audit Logs on Base OS

  1. Log in to the machine as Admin.

  2. Follow the instructions given in the link: /wiki/spaces/PP/pages/445612089

Enabling Audit Logs on MSSQL

  1. Log in to the machine as Admin.

  2. Follow the instructions given in the link: Microsoft SQL Server through NXLog

Enabling Audit Logs on IIS

  1. Log in to the machine as Admin.

  2. Follow the instructions given in the link: Enable Logging on Windows IIS server

Verification

  1. Log in to the Seceon GUI as an Administrator/User.

  2. Go to the "Logs/Flows Collection Status" screen on the System tab. Ensure it is showing data for the last 15 minutes.

  3. Look for the IP / hostname of your Windows machine with the tags for MSSQL, IIS and Windows (IP - ms_window, IP - ms_windowsiis, IP - ms_windowsmssql).

Using UI

STEP 1: Log in to the UI >> SYSTEM

...

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.

...

STEP 3: >> Inside SOURCE DEVICE IP, the IP of the Windows machine will appear.

...