{"type":"doc","content":[{"type":"paragraph","content":[{"text":"This article explains the steps to configure logs from IIS application, MS SQL application and Windows OS Audit-Logs from the same machine.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Requirements","type":"text"}]},{"type":"paragraph","content":[{"type":"placeholder","attrs":{"text":"Create a step-by-step guide:"}}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Admin access to the window machine running all these applications.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Admin access to the MS SQL applications.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Port - UDP 514 and 5154 allowed from the windows machine running all the applications , outwards to the CCE.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"NxLog Configuration","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Login on collector/AD computer.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Download the latest version of nxlog. It is easiest to choose the Windows msi file which includes an installer. Use the link :","type":"text"},{"text":" ","type":"text","marks":[{"type":"strong"}]},{"type":"inlineCard","attrs":{"url":"http://nxlog.org/products/nxlog-community-edition/download"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open the Nxlog configuration file at: ","type":"text"},{"text":"C:\\Program Files (x86)\\nxlog\\conf\\nxlog.conf","type":"text","marks":[{"type":"em"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Replace the entire configuration file by pasting the following Below – Note to replace the variable ","type":"text"},{"text":"(","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff5630"}}]},{"text":"IP Address of Seceon Collector","type":"text","marks":[{"type":"code"}]},{"text":")","type":"text","marks":[{"type":"textColor","attrs":{"color":"#ff5630"}}]},{"text":" with the actual Seceon Server IP address:","type":"text"}]}]}]},{"type":"codeBlock","content":[{"text":"## This is a sample configuration file. See the nxlog reference manual about the\n## configuration options. It should be installed locally and is also available\n## online at http://nxlog.org/docs/\n## Please set the ROOT to the folder your nxlog was installed into,\n## otherwise it will not start.\ndefine ROOT C:\\Program Files\\nxlog\n\n#define ROOT C:\\Program Files (x86)\\nxlog\n#define ROOT C:\\Program Files (x86)\\nxlog\n\nModuledir %ROOT%\\modules\nCacheDir %ROOT%\\data\nPidfile %ROOT%\\data\\nxlog.pid\nSpoolDir %ROOT%\\data\nLogFile %ROOT%\\data\\nxlog.log\n\n \n Module xm_json\n\n\n#Extension for MSSQL\n\n Module xm_csv\n Fields $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message\n FieldTypes string, string, string, string, string, string, string, string\n Delimiter ;\n\n\ndefine aisiem \\\n258, 259, 260, 261, 262, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, \\\n551, 552, 675, 676, 677, 679, 680, 681, 682, 683, 4624, 4625, 4634, 4647, \\\n4649, 4656, 4659, 4661, 4663, 4720, 4722, 4725, 4726, 4727, 4728, 4729, 4730, \\\n4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4744, 4745, \\\n4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4758, 4759, 4760, 4762, \\\n4763, 4764, 4771, 4772, 4773, 4775, 4777, 4778, 4779, 4782, 4785, 4786, 4787, \\\n4788, 4793, 4794, 4797, 5140, 5142, 5143, 5144, 5145\n\n# Input for base OS/AD Audit Logs\n\n Module im_msvistalog\n Query \\\n \\\n \\\n \\\n \\\n \\\n \\\n \n \n if ($EventID NOT IN (%aisiem%)) drop();\n \n\n#Input for MSSQL\n\n Module im_msvistalog\n SavePos FALSE\n ReadFromLast TRUE\n Exec $Message = $raw_event;\n # Finding some values:\n Exec if $raw_event =~ /action_id:(\\S+)/ $Action_ID = $1;\n Exec if $raw_event =~ /database_name:(\\S+)/ $DataBase = $1;\n Exec if $raw_event =~ /server_instance_name:(\\S+)/ $SV_Instace = $1;\n Exec if $raw_event =~ /session_server_principal_name:(\\S+)/ $User = $1;\n Exec if $raw_event =~ /AUDIT_SUCCESS/\\\n {\\\n $Result = 'Success';\\\n }\\\n else\\\n $Result = 'Failure';\n # Replace white spaces\n Exec $Message = replace($Message, \"\\t\", \" \"); $Message = replace($Message, \"\\n\", \" \"); $Message = replace($Message, \"\\r\", \" \");\n\n\n#Output for base OS/AD Audit Logs\n \n Module om_udp \n Host CCE_IP_ADDRESS \n Port 5154 \n Exec to_json();\n\n\n#Output for MSSQL\n\n Module om_udp\n Host CCE_IP_ADDRESS\n Port 514\n # Ensure we send in the proper format:\n Exec $Hostname = hostname_fqdn();\n Exec mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event;\n\n\n#Route for base OS/AD Audit Logs\n \n Path in => out\n\n\n#Route for MSSQL Logs\n\n Path in_mssql => out_mssql\n\n\n","type":"text"}]},{"type":"paragraph"},{"type":"paragraph","content":[{"text":"Put CCE IP address on line 77 and 85 in the above script.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Enabling Audit Logs","type":"text"}]},{"type":"paragraph","content":[{"text":"This configuration will need you to enable audit logs of Base OS , MSSQL Application and IIS Application. Steps described in the following sections. ","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enabling Audit Logs on Base OS","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Login to the machine as Admin.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Follow the instructions as given in the link : ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://seceon.atlassian.net/wiki/spaces/PP/pages/445612089"}},{"text":" ","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Enabling Audit Logs on MSSQL","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Login to the machine as Admin.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Follow the instructions as given in the link : ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://seceon.atlassian.net/wiki/spaces/SPP/pages/1570799652"}},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"type":"inlineCard","attrs":{"url":"https://seceon.atlassian.net/wiki/spaces/SPP/pages/1569849395"}},{"text":" ","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Verifications","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Login to the seceon GUI as an Administrator/User .","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Go to the “ Logs/Flows Collection Status“ screen on the System Tab. Ensure it is showing up the last 15 minutes data.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Look for the IP / hostname of your window machine with the tag for MSSQL( IP - ms_windowsmssql ) ","type":"text"}]}]}]}],"version":1}

Browser not supported