1. IMPORTANCE
2. STEPS OF CONFIGURATION
3. VERIFICATION
IMPORTANCE
NXLog runs on the collector/AD computer to process the collected Windows event logs and forward them to the OTM CCE.
STEPS OF CONFIGURATION:-
Log in to the collector/AD computer.
Download the latest version of NXLog. The Windows MSI package, which includes an installer, is the easiest option. Use the link below:
http://nxlog.org/products/nxlog-community-edition/download
Open the NXLog configuration file in Notepad. It is located at the following path (keep to this exact path):
C:\Program Files (x86)\nxlog\conf\nxlog.conf
Replace the contents of the configuration file by pasting the following. Note: replace the placeholder CCE_IP_ADDRESS (the IP address of the Seceon Collector) in the <Output out> block below with the actual Seceon Server IP address:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

## Windows Event IDs that are forwarded to the CCE; every other event is
## dropped by the Exec rule in the Input block below.
define aisiem \
    1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18, 19, 20, 21, 104, 258, 259, 260, \
    261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, \
    540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644, \
    645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689, \
    690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100, \
    7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
    4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
    4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
    4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
    4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
    4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
    4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
    5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004

## Read the Security, Application, Setup and System channels from the Windows Event Log.
<Input in>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Select Path="Application">*</Select>\
            <Select Path="Setup">*</Select>\
            <Select Path="System">*</Select>\
        </Query>\
    </QueryList>
    <Exec>
        if ($EventID NOT IN (%aisiem%)) drop();
    </Exec>
</Input>

## Send each remaining event as JSON over UDP to the Seceon CCE.
## Replace CCE_IP_ADDRESS with the IP address of the Seceon Collector.
<Output out>
    Module om_udp
    Host   CCE_IP_ADDRESS
    Port   5154
    Exec   to_json();
</Output>

<Route 1>
    Path in => out
</Route>
Open Services (from the search box) and restart the nxlog service, or type the following at an elevated command prompt:
net stop nxlog
net start nxlog
Enable audit logs (see: Windows - Enable Audit Logs/Policies).
Click on: Local Policies >> Audit Policy >> tick the Success and Failure checkboxes >> Apply >> OK
Once the policies are enabled, open Command Prompt and run gpupdate /force so that the updated policies take effect.
VERIFICATION:-
The success of the configuration can be validated either in the UI or on the CCE server.
Verification through UI
1. Open UI >> Systems.
2. Expand Systems and open Logs and Flows Collection Status.
3. The configured device appears under the Source Device IP Address section.
Verification Through CCE server
Run the following command on the CCE server to check whether logs are arriving from the device. Replace <IP address> with the address of the collector/AD computer; port 5154 is the port configured in the <Output out> block:
sudo tcpdump -i any port 5154 and host <IP address> -A
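As an added example that is not part of the original page (and not Seceon's or NXLog's code), the script below reproduces the two things this page configures and checks: it parses the `define aisiem` Event ID list out of an nxlog.conf excerpt and applies the same `if ($EventID NOT IN (%aisiem%)) drop();` rule to a few events, then validates JSON datagrams the way a CCE-side check would (valid JSON object, integer EventID from the configured list, one of the four configured channels). The configuration excerpt and the events are constructed for the example; the only value taken from the page is UDP port 5154. The loopback round-trip uses an ephemeral port so it runs without the real CCE.

```python
"""Added example: replicate the nxlog.conf Event ID filter and sanity-check the
JSON datagrams that the CCE receives. Config excerpt and events are constructed."""
from __future__ import annotations

import json
import re
import socket

# Constructed excerpt of an nxlog.conf in the shape used on this page: a 'define'
# with backslash line continuations, followed by the Input block's filter rule.
SAMPLE_CONF = r"""
define ROOT C:\Program Files (x86)\nxlog
define aisiem \
    4624, 4625, 4634, 4647, 4688, 4720, 4722, 4723, 4724, 4725, 4726, \
    4728, 4732, 4740, 4756, 4768, 4769, 4771, 4776, 5140, 5145, 7045, 1102
<Input in>
    Module im_msvistalog
    <Exec> if ($EventID NOT IN (%aisiem%)) drop(); </Exec>
</Input>
"""

CCE_PORT = 5154  # port used by the om_udp output in the page's configuration
CHANNELS = {"Security", "Application", "Setup", "System"}  # the four <Select Path> channels

# Constructed events shaped like im_msvistalog records after to_json().
SAMPLE_EVENTS = [
    {"EventTime": "2024-01-01 10:00:00", "Hostname": "DC01", "Channel": "Security",
     "EventID": 4624, "Message": "An account was successfully logged on."},
    {"EventTime": "2024-01-01 10:00:01", "Hostname": "DC01", "Channel": "Security",
     "EventID": 4625, "Message": "An account failed to log on."},
    {"EventTime": "2024-01-01 10:00:02", "Hostname": "DC01", "Channel": "System",
     "EventID": 7036, "Message": "A service entered the running state."},  # not in the list
    {"EventTime": "2024-01-01 10:00:03", "Hostname": "DC01", "Channel": "Security",
     "EventID": 1102, "Message": "The audit log was cleared."},
]


def parse_event_id_define(conf_text: str, name: str = "aisiem") -> frozenset[int]:
    """Return the Event IDs listed in 'define <name> ...', joining '\\' continuations first."""
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    match = re.search(rf"^\s*define\s+{re.escape(name)}\s+([\d, \t]+)$", joined, re.MULTILINE)
    if not match:
        raise ValueError(f"define {name} not found in configuration")
    return frozenset(int(tok) for tok in match.group(1).split(",") if tok.strip())


def should_forward(event: dict, allowed: frozenset[int]) -> bool:
    """Python mirror of the NXLog rule: if ($EventID NOT IN (%aisiem%)) drop();"""
    return event.get("EventID") in allowed


def forwarded_event_ids(events: list[dict], allowed: frozenset[int]) -> list[int]:
    """Apply the filter as nxlog.conf does and return the IDs that would reach the CCE."""
    return [e["EventID"] for e in events if should_forward(e, allowed)]


def check_datagram(payload: bytes, allowed: frozenset[int]) -> tuple[bool, str]:
    """Validate one UDP datagram as received on the CCE: a JSON object from to_json()
    with an integer EventID the sender's filter should have let through."""
    try:
        event = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return False, f"not JSON: {exc.__class__.__name__}"
    if not isinstance(event, dict):
        return False, "JSON is not an object"
    event_id = event.get("EventID")
    if not isinstance(event_id, int):
        return False, "EventID missing or not an integer"
    if event_id not in allowed:
        return False, f"EventID {event_id} is outside the configured list"
    if event.get("Channel") not in CHANNELS:
        return False, f"unexpected Channel {event.get('Channel')!r}"
    return True, "ok"


def loopback_roundtrip(events: list[dict], allowed: frozenset[int], port: int = 0) -> list[tuple[bool, str]]:
    """Stand in for om_udp and the CCE listener: send the filtered events as JSON over
    UDP to a local socket and check each datagram (port 0 = ephemeral, no real CCE needed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2.0)
        sent = 0
        for event in events:
            if should_forward(event, allowed):
                tx.sendto(json.dumps(event).encode("utf-8"), rx.getsockname())
                sent += 1
        return [check_datagram(rx.recvfrom(65535)[0], allowed) for _ in range(sent)]


if __name__ == "__main__":
    allowed_ids = parse_event_id_define(SAMPLE_CONF)
    print(f"{len(allowed_ids)} Event IDs allowed; forwarded: {forwarded_event_ids(SAMPLE_EVENTS, allowed_ids)}")
    for ok, reason in loopback_roundtrip(SAMPLE_EVENTS, allowed_ids):
        print("PASS" if ok else "FAIL", reason)
```

When run against a real capture, feed `check_datagram` the payload bytes of each UDP/5154 packet seen by the tcpdump command above; a `FAIL` with "outside the configured list" means the Windows side is not applying the `aisiem` filter, and "not JSON" means `to_json()` is missing from the Output block.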