Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Device Configuration : MS SQL + Windows AD from same machine

This article explains the steps to configure logs from IIS application, MS SQL application and Windows OS Audit-Logs from the same machine.

Requirements

  1. Admin access to the window machine running all these applications.

  2. Admin access to the MS SQL applications.

  3. Port - UDP 514 and 5154 allowed from the windows machine running all the applications , outwards to the CCE.

NxLog Configuration

  1. Login on collector/AD computer.

  2. Download the latest version of nxlog. It is easiest to choose the Windows msi file which includes an installer. Use the link :  http://nxlog.org/products/nxlog-community-edition/download    

  3. Open the Nxlog configuration file at: C:\Program Files (x86)\nxlog\conf\nxlog.conf

  4. Replace the entire configuration file by pasting the following Below – Note to replace the variable (IP Address of Seceon Collector) with the actual Seceon Server IP address:

## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _json> Module xm_json </Extension> #Extension for MSSQL <Extension mssql_csv> Module xm_csv Fields $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message FieldTypes string, string, string, string, string, string, string, string Delimiter ; </Extension> define aisiem \ 258, 259, 260, 261, 262, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, \ 551, 552, 675, 676, 677, 679, 680, 681, 682, 683, 4624, 4625, 4634, 4647, \ 4649, 4656, 4659, 4661, 4663, 4720, 4722, 4725, 4726, 4727, 4728, 4729, 4730, \ 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4744, 4745, \ 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4758, 4759, 4760, 4762, \ 4763, 4764, 4771, 4772, 4773, 4775, 4777, 4778, 4779, 4782, 4785, 4786, 4787, \ 4788, 4793, 4794, 4797, 5140, 5142, 5143, 5144, 5145 # Input for base OS/AD Audit Logs <Input in> Module im_msvistalog Query <QueryList>\ <Query Id="0">\ <Select Path="Security">* </Select>\ <Select Path="Application">* </Select>\ <Select Path="Setup">* </Select>\ <Select Path="System">* </Select>\ </Query>\ </QueryList> <Exec> if ($EventID NOT IN (%aisiem%)) drop(); </Exec> </Input> #Input for MSSQL <Input in_mssql> Module im_msvistalog SavePos FALSE ReadFromLast TRUE Exec $Message = $raw_event; # Finding some values: Exec if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1; Exec if $raw_event =~ /database_name:(\S+)/ $DataBase = $1; Exec if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1; Exec if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1; Exec if $raw_event =~ /AUDIT_SUCCESS/\ {\ $Result = 'Success';\ }\ else\ $Result = 'Failure'; # Replace white spaces Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); </Input> #Output for base OS/AD Audit Logs <Output out> Module om_udp Host CCE_IP_ADDRESS Port 5154 Exec to_json(); </Output> #Output for MSSQL <Output out_mssql> Module om_udp Host CCE_IP_ADDRESS Port 514 # Ensure we send in the proper format: Exec $Hostname = hostname_fqdn(); Exec mssql_csv->to_csv(); $raw_event = $Hostname + ' mssql_logs: ' + $raw_event; </Output> #Route for base OS/AD Audit Logs <Route 1> Path in => out </Route> #Route for MSSQL Logs <Route mssql> Path in_mssql => out_mssql </Route>

Enabling Audit Logs

This configuration will need you to enable audit logs of Base OS , MSSQL Application and IIS Application. Steps described in the following sections.

Enabling Audit Logs on Base OS

  1. Login to the machine as Admin.

  2. Follow the instructions as given in the link : https://seceon.atlassian.net/wiki/spaces/PP/pages/445612089

Enabling Audit Logs on MSSQL

  1. Login to the machine as Admin.

  2. Follow the instructions as given in the link : Microsoft SQL Server through NXLog

Enabling Audit Logs on IIS

  1. Login to the machine as Admin.

  2. Follow the instructions as given in the link : Enable Logging on Windows IIS server

Verification

Using UI

STEP 1: Log in to UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Seceon Inc. All rights reserved. https://www.seceon.com