
Overview

This document describes how to forward logs with nxlog to the Seceon SIEM (the CCE collector) from a Windows Server that runs one or more of the following roles: Domain Controller / Active Directory, DNS, DHCP, IIS, Microsoft Exchange and MSSQL.

Prerequisite

Configuration Steps

  • The configuration below is a sample nxlog.conf; see the nxlog reference manual for the individual configuration options. nxlog must be installed locally on the Windows server whose logs are being forwarded, and the file is placed in the conf folder under the nxlog installation directory.

    Set ROOT to the folder nxlog was installed into, otherwise nxlog will not start. Also replace the placeholders for your environment: CCE_IP_ADDRESS is the IP address of the Seceon CCE collector, and the File directives name the log files to read. All outputs use om_udp, so the logs leave the server unencrypted and without delivery confirmation; the path to the CCE should be a trusted network segment, and UDP 514 and 5154 must be allowed outbound from the Windows server.

# Global nxlog settings, shared by every role below

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
Module xm_json
</Extension>

# Provides to_syslog_bsd(), used by the DNS, DHCP, IIS and Exchange outputs below;
# without this extension nxlog refuses to start because the procedure is undefined
<Extension syslog>
Module xm_syslog
</Extension>

# CSV formatter for the MSSQL audit output (used by out_mssql); field order and ';' delimiter
<Extension mssql_csv>
    Module          xm_csv
    Fields          $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message
    FieldTypes      string, string, string, string, string, string, string, string
    Delimiter       ;
</Extension>

# Windows event IDs forwarded from the AD / Domain Controller server; every other
# event is dropped by the Exec filter in the Input below
define aisiem                                                                       \
1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260,  \
261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\
540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\
645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\
690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100,   \
7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004

# AD / Domain Controller: Security, Application, Setup and System channels
<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">* </Select>\
<Select Path="Application">* </Select>\
<Select Path="Setup">* </Select>\
<Select Path="System">* </Select>\
</Query>\
</QueryList>
<Exec>
if ($EventID NOT IN (%aisiem%)) drop();
</Exec>
</Input>


# DNS server: Windows DNS debug log. "Sysnative" reaches the real System32 folder
# when a 32-bit nxlog runs on 64-bit Windows (WoW64 redirects System32 to SysWOW64).
# Inside double-quoted strings nxlog treats backslash as an escape, so path separators are doubled.
<Input DNS_In>
Module im_file
File "C:\\Windows\\Sysnative\\dns\\dns*"
SavePos TRUE
InputType LineBased
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>


# DHCP server: DhcpSrvLog-*.log audit files
<Input DHCP_In>
Module im_file
File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>


# IIS server: W3C logs of every site (W3SVC*); lines starting with # are the W3C header lines
<Input in_iis>
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC*\\u_ex*"
SavePos TRUE
ReadFromLast TRUE
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>

# MSSQL server: SQL Server Audit events from the Windows event log. No Query is
# given, so im_msvistalog reads its default channels (the Application log among
# them, where SQL Server Audit writes when its target is the Application log).
<Input in_mssql>
Module          im_msvistalog
SavePos         FALSE
ReadFromLast    TRUE
Exec   $Message = $raw_event;
# Extract the audit fields; (\S+) stops at the first whitespace character, so a
# principal name containing a space is truncated
Exec    if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
Exec    if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
Exec    if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
Exec    if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
Exec    if $raw_event =~ /AUDIT_SUCCESS/\
{\
$Result = 'Success';\
}\
else\
$Result = 'Failure';
# Replace white spaces
Exec            $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
</Input>

# Exchange server: message tracking logs. The File directive takes a file name or
# wildcard, so the MSGTRK*.LOG files in the folder are named rather than the folder itself.
<Input in_exchange>
Module im_file
File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
SavePos TRUE
# Drop HealthMailbox* probe traffic and the CSV header lines
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>

# Output for AD / Domain Controller events: JSON over UDP to the CCE on port 5154
<Output out>
Module om_udp
Host CCE_IP_ADDRESS
Port 5154
Exec to_json();
</Output>

# Output for DNS logs: BSD syslog over UDP to the CCE on port 514
<Output DNS_Out>
Module om_udp
Host CCE_IP_ADDRESS
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_dns_logs';
Exec to_syslog_bsd();
</Output>

# Output for DHCP logs: BSD syslog over UDP to the CCE on port 514
<Output DHCP_Out>
Module om_udp
Host CCE_IP_ADDRESS
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_dhcp_logs';
Exec to_syslog_bsd();
</Output>

# Output for IIS logs: BSD syslog over UDP to the CCE on port 514
<Output out_iis>
Module om_udp
Host CCE_IP_ADDRESS
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_iis_logs';
Exec to_syslog_bsd();
</Output>

# Output for MSSQL audit events: '<hostname> mssql_logs: <csv>' over UDP to the CCE on port 514
<Output out_mssql>
Module          om_udp
Host            CCE_IP_ADDRESS
Port            514
# Ensure we send in the proper format:
Exec           $Hostname = hostname_fqdn();
Exec            mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;
</Output>

# Output for Exchange message tracking logs: BSD syslog over UDP to the CCE on port 514
<Output out_exchange>
Module om_udp
Host CCE_IP_ADDRESS
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'exchange_msgtrk_log';
Exec to_syslog_bsd();
</Output>

# Route for AD / Domain Controller events (route names must be unique)
<Route AD>
Path in => out
</Route>

# Route for DNS logs
<Route DNS>
Path DNS_In => DNS_Out
</Route>

# Route for DHCP logs
<Route DHCP>
Path DHCP_In => DHCP_Out
</Route>

# Route for IIS logs
<Route IIS>
Path in_iis => out_iis
</Route>

# Route for MSSQL audit events
<Route mssql>
Path            in_mssql => out_mssql
</Route>

# Route for Exchange message tracking logs
<Route exchange>
Path in_exchange => out_exchange
</Route>
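As an added worked example (not part of the original page and not nxlog code), the following Python reproduces what the in_mssql Input and the out_mssql Output do to a single SQL Server Audit event, so the record that reaches the CCE on UDP 514 can be checked offline before touching the server. The event texts are constructed: the position of the AUDIT_SUCCESS / AUDIT_FAILURE token and the key:value layout are assumptions modelled on the page's own regexes, the hostname and instance names are invented, and the CSV quoting is Python's csv module rather than nxlog's xm_csv. The third sample shows the truncation that the page's (\S+) captures produce for a principal name containing a space.

```python
import csv
import io
import re

# Field order and delimiter of the page's mssql_csv extension.
FIELDS = ["Hostname", "SourceName", "Action_ID", "Result",
          "DataBase", "SV_Instace", "User", "Message"]
DELIMITER = ";"

# Same patterns as the page's Exec lines; (\S+) stops at the first whitespace.
_PATTERNS = {
    "Action_ID": re.compile(r"action_id:(\S+)"),
    "DataBase": re.compile(r"database_name:(\S+)"),
    "SV_Instace": re.compile(r"server_instance_name:(\S+)"),
    "User": re.compile(r"session_server_principal_name:(\S+)"),
}


def parse_mssql_audit(raw_event, hostname, source_name):
    """Mirror the in_mssql Input: extract fields, classify the result, flatten whitespace."""
    rec = {"Hostname": hostname, "SourceName": source_name}
    for name, pat in _PATTERNS.items():
        m = pat.search(raw_event)
        rec[name] = m.group(1) if m else ""      # unmatched field -> empty CSV column
    # The page's rule: anything without AUDIT_SUCCESS is reported as Failure.
    rec["Result"] = "Success" if "AUDIT_SUCCESS" in raw_event else "Failure"
    msg = raw_event
    for ch in ("\t", "\n", "\r"):                # same three replace() calls as the page
        msg = msg.replace(ch, " ")
    rec["Message"] = msg
    return rec


def to_csv_line(rec):
    """Serialise in mssql_csv field order with ';' (quoting is Python csv's, not xm_csv's)."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter=DELIMITER, quoting=csv.QUOTE_MINIMAL, lineterminator="")
    w.writerow([rec[f] for f in FIELDS])
    return buf.getvalue()


def build_udp_payload(raw_event, hostname, source_name):
    """What out_mssql puts on the wire: '<hostname> mssql_logs: <csv>'."""
    rec = parse_mssql_audit(raw_event, hostname, source_name)
    return hostname + " mssql_logs: " + to_csv_line(rec)


# Constructed samples (not real captures). LGIS / LGIF are SQL Server Audit's
# login-succeeded / login-failed action IDs; hostnames and instances are invented.
SAMPLE_SUCCESS = (
    "AUDIT_SUCCESS MSSQLSERVER: Audit event: event_time:2024-03-01 09:15:02\r\n"
    "action_id:LGIS\r\n"
    "session_server_principal_name:CORP\\svc_app\r\n"
    "database_name:master\r\n"
    "server_instance_name:SQL01\\PROD\r\n"
)
SAMPLE_FAILURE = (
    "AUDIT_FAILURE MSSQLSERVER: Audit event: event_time:2024-03-01 09:16:40\r\n"
    "action_id:LGIF\r\n"
    "session_server_principal_name:sa\r\n"
    "database_name:\r\n"                        # empty value -> no match -> ""
    "server_instance_name:SQL01\\PROD\r\n"
)
SAMPLE_SPACED = (
    "AUDIT_SUCCESS MSSQLSERVER: Audit event: event_time:2024-03-01 09:17:11\r\n"
    "action_id:LGIS\r\n"
    "session_server_principal_name:NT SERVICE\\MSSQLSERVER\r\n"   # space: (\S+) keeps only "NT"
    "database_name:master\r\n"
    "server_instance_name:SQL01\\PROD\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_FAILURE, SAMPLE_SPACED):
        print(build_udp_payload(sample, "sql01.corp.example", "MSSQLSERVER"))
```

If the truncated User value matters for your detections, tighten the capture in the nxlog Exec line to stop at the end of the line rather than at the first space.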

Note 1:

To forward logs from only one role, keep the global settings (define ROOT, Moduledir, CacheDir, Pidfile, SpoolDir, LogFile) and the extensions the outputs need, and combine just that role's Input, Output and Route blocks into nxlog.conf.

Example: nxlog.conf for an IIS server only

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log


<Extension syslog>
Module xm_syslog
</Extension>


<Input in_iis>
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC*\\u_ex*"
SavePos TRUE
ReadFromLast TRUE
Exec if $raw_event =~ /^#/ drop();
Exec $Message = $raw_event;
</Input>

<Output out_iis>
Module om_udp
Host CCE_IP_ADDRESS
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'windows_iis_logs';
Exec to_syslog_bsd();
</Output>


<Route in-to-out>
Path in_iis => out_iis
</Route>

Note 2:

Logging must be enabled on the server before nxlog has anything to collect. Follow the instructions in the linked articles:

For IIS: Enable Logging on Windows IIS server

For MSSQL: Windows-Enabling MSSQL Logs

For DNS: To enable DNS diagnostic logging

For Windows Events: Enable Windows Events Logs (Audit Policies)

Verification Steps:

The configuration can be verified either in the Seceon UI or on the CCE server.

  • Verification through the UI

  1. Open the UI and navigate to System >> Log/Flow Collection Status.

  2. Under Source Device, the IP address of the configured Windows server should be listed.

  • Verification on the CCE server

Run the following on the CCE server to confirm that packets from the Windows server are arriving on the collector ports (5154 for the JSON AD output, 514 for the syslog and MSSQL outputs):

sudo tcpdump -i any -A 'host <IP address> and (udp port 514 or udp port 5154)'

Replace <IP address> with the address of the Windows server. If nothing appears, check the Windows firewall and any intermediate firewall for outbound UDP 514/5154, and look for errors in nxlog.log under %ROOT%\data on the Windows server.
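To know what the tcpdump output above should look like, here is an added Python example (not from the page, not nxlog code) that builds a BSD syslog line the way the page's to_syslog_bsd() outputs are configured (facility 2 from $SyslogFacilityValue; the tag is $SourceName), sends it over UDP to a local listener standing in for the CCE, and parses it back. Severity 6 (INFO) is assumed as nxlog's default when none is set, the hostname dc01 is invented, and the DNS log line is constructed in the style of the Windows DNS debug log, not a real capture.

```python
import re
import socket
from datetime import datetime

# <PRI>TIMESTAMP HOST TAG: MESSAGE (RFC 3164 layout; TAG is nxlog's $SourceName here)
_BSD_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)

FIXED_TIME = datetime(2024, 3, 1, 9, 15, 2)   # constructed timestamp for repeatable output


def to_syslog_bsd(message, hostname, source_name, facility=2, severity=6, when=None):
    """Build the line the page's outputs emit. facility=2 matches
    '$SyslogFacilityValue = 2'; severity 6 (INFO) is an assumed default."""
    when = when or datetime.now()
    pri = facility * 8 + severity                      # PRI = facility*8 + severity
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"    # 'Mar  1 09:15:02', day space-padded
    return f"<{pri}>{ts} {hostname} {source_name}: {message}"


def parse_syslog_bsd(line):
    """Decode PRI and split the header the way a receiver (or someone reading tcpdump -A) does."""
    m = _BSD_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line[:60]!r}")
    pri = int(m.group(1))
    if pri > 191:                                      # 23*8+7 is the highest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m.group(2), "hostname": m.group(3),
        "tag": m.group(4), "message": m.group(5),
    }


def udp_roundtrip(payload, host="127.0.0.1"):
    """Send payload over UDP to a throwaway local listener (stand-in for the CCE) and return what arrived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, 0))                 # port 0: let the OS pick a free port
        rx.settimeout(2.0)
        tx.sendto(payload.encode("utf-8"), rx.getsockname())
        data, _ = rx.recvfrom(65535)       # one datagram is one syslog message
    finally:
        tx.close()
        rx.close()
    return data.decode("utf-8")


def build_probe(message, source_name="windows_dns_logs"):
    """Line for host dc01 at FIXED_TIME, as the DNS_Out output would send it."""
    return to_syslog_bsd(message, "dc01", source_name, when=FIXED_TIME)


# Constructed sample in the style of the Windows DNS debug log (not a real capture).
SAMPLE_DNS_LINE = ("3/1/2024 9:15:02 AM 0B2C PACKET  000001E3 UDP Rcv 10.0.0.25   0002   Q "
                   "[0001   D   NOERROR] A   (3)www(7)example(3)com(0)")

if __name__ == "__main__":
    wire = build_probe(SAMPLE_DNS_LINE)
    received = udp_roundtrip(wire)
    print(received)                        # the payload tcpdump -A prints on the CCE
    print(parse_syslog_bsd(received))
```

Facility 2 decodes as "mail" on the CCE side, which is why the $SourceName tag (windows_dns_logs, windows_dhcp_logs, windows_iis_logs, exchange_msgtrk_log) rather than the facility is what identifies the log type.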
