Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Device Configuration: Windows MySQL Server

 

 

Overview

We are providing you the steps to integrate your MySQL with Seceon SIEM so that you can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log forwarding.

For this port 514 needs to be allowed from firewall

Steps Of Configuration

  1. Login on Windows MySQL Server

  2. Download the latest version of nxlog. It is easiest to choose the Windows msi file which includes an installer: 

 http://nxlog.org/products/nxlog-community-edition/download

3. Open the Nxlog configuration file at:

        C:\Program Files (x86)\nxlog\conf\nxlog.conf

4.Use below mentioned nxlog config to configure windows MySQL log from MySQL server(replace nxlog.conf whole file content from below config ):

################################################## ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> <Input dbi> Module im_file File "C:\\Windows\\MySQL.log" SavePos TRUE InputType LineBased </Input> <Output dbi_out> Module om_udp Host CCE_IP_ADDRESS Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'mysql_logs'; Exec to_syslog_bsd(); </Output> <Route dbi> Path dbi => dbi_out </Route>

VERIFICATION OF CONFIGURATION

Verification can be done either from CCE Server or from UI.

Using UI

STEP 1: Login to UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Using CCE SERVER

sudo tcpdump -i any host 514 and host <IP address> -AAA” command should be ran on CCE server to check whether or not we are getting logs .

 

Seceon Inc. All rights reserved. https://www.seceon.com