Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 23 Next »

IMPORTANCE

NXLOG is used to process the collected information from Windows event logs and forward these logs on to the OTM CCE.

STEPS OF CONFIGURATION:-

  • Login on collector/AD computer.

  • Download the latest version of nxlog. It is easiest to choose the Windows msi file which includes an installer. Use the link below for the community edition:

    http://nxlog.org/products/nxlog-community-edition/download    

  • Open the Nxlog configuration file at :

        C:\Program Files (x86)\nxlog\conf\nxlog.conf (Be intact to the mentioned path )

  • Open the nxlog.conf file in notepad .

  • Replace the configuration file by pasting the following - Note to replace the variable (IP Address of Seceon Collector) mentioned in point 52 below with the actual Seceon Server IP address:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog

#define ROOT C:\Program Files (x86)\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>    
  Module xm_json
</Extension>
define aisiem                                                                       \
1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 17, 18,19, 20, 21, 104, 258, 259, 260,  \
261, 262, 500, 517, 520, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539,\
540, 551, 552, 565, 600, 608, 609, 621, 622, 626, 627, 628, 629, 630, 636, 642, 644,\
645, 647, 632, 663, 664, 671, 673, 675, 676, 677, 679, 680, 681, 682, 683, 684, 689,\
690, 692, 1001, 1006, 1007, 1008, 1015, 1102, 1116, 1117, 1118, 1119, 2003, 2100,   \
7034, 4624, 4625, 4634, 4647, 4649, 4656, 4657, 4659, 4661, 4663, 4670, 4688, 4697, \
4704, 4705, 4717, 4718, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, \
4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, \
4746, 4747, 4748, 4749, 4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4763, 4764, 4767, 4769, 4771, 4772, 4773, 4775, 4776, 4777, 4778, \
4779, 4780, 4782, 4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4793, 4794, \
4797, 4798, 4800, 4801, 4802, 4803, 5001, 5004, 5007, 5010, 5012, 5136, 5137, 5140, \
5141, 5142, 5143, 5144, 5145, 5376, 5377, 7045, 8003, 8004, 8007, 64004

<Input in>
      Module im_msvistalog
      Query <QueryList>\
                  <Query Id="0">\
                        <Select Path="Security">* </Select>\
                        <Select Path="Application">* </Select>\
                        <Select Path="Setup">* </Select>\
                        <Select Path="System">* </Select>\
                  </Query>\
            </QueryList>
            <Exec>
                  if ($EventID NOT IN (%aisiem%)) drop();
            </Exec>
</Input>

<Output out>    
  Module om_udp    
  Host CCE_IP_ADDRESS  
  Port 5154    
  Exec to_json();
</Output>

<Route 1>    
  Path in => out
</Route>
  • Open Services (from search box on your windows) and restart nxlog from list of services. If you do not find this service, type the following commands at an elevated (as an administrator) command prompt: 

 net stop nxlog

 net start nxlog

  1. Click on: NXlog

2.Click on : Stop

3.Click on : start

  • Search for : Local Policies in search box again .

  • Click on: Local Policies

  • Click on: audit Policy

  • Click on Success and failure checkbox >>apply >>ok .

Repeat this for all poilicies one by one .

Enable audit logs:  Windows- Enable Audit Logs/Policies

  • Open Command Prompt , once policies are enabled , and run the command gpupdate /force , to validate that the policies are enabled .

VERIFICATION:-

Can validate the success of configuration either on UI or on CCE server.

  • Verification through UI

1.Open UI >>Systems

2. Dropdown systems and go inside logs and flows collection status.

.

3.Under Source device IP address section the device configured will reflect.

  • Verification Through CCE server

“sudo tcpdump -i any host 5154 and host <IP address> -AAA” command should be ran on CCE server to check wheather or not we are getting logs .

  • No labels