Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Linux to Alien Vault formatting
I'm relatively new to NXLog and to Alien Vault log ingestion. I have followed their setup guide here: https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/setup/linux-logs-nxlog.htm?Highlight=linux%20logs%20nxlog. We are using NXLog EE and the NXLog Manager to push configs. I have two modules I'm looking to collect logs with, and I feel that they are pretty straightforward. I'm trying to capture /var/log/messages and the audit.log. I also want to capture the FIM. I'm using the im_file module. I'm able to capture these logs and they get to AlienVault; they are even parsed in JSON, which looks nice. My issue is that you can't really report on anything, as they don't generate any useful flags which Alien Vault can use to trigger alarms and such. A lot of the logs get flagged as Alien Vault Generic Results, which means that the format isn't triggering their Alien Vault Data Source plugins. Some logs are getting recognized by Alien Vault and triggering the appropriate data source, but they are also not getting any useful information to report on. When I compare these logs to the Windows logs that we are capturing, the Linux logs have significantly less metadata within them. Something as simple as eventoutcome would be nice, like if I wanted to see failed attempts to elevate to sudo, see that event fail, and generate an alert. I'm wondering if anyone would mind sharing their module configs for Linux if you use Alien Vault (ATT USM) as your SIEM. Here is the current config I am using.

LogLevel INFO
Logfile  %LOGDIR%/nxlog.log

<Extension agent_managment>
    Module         xm_soapadmin
    Connect        1.1.1.1
    Port           4041
    SocketType     SSL
    CAFile         %CERTDIR%/agent-ca.pem
    AllowUntrusted FALSE
    RequireCert    TRUE
    <ACL conf>
        Directory  %CONFDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
    <ACL cert>
        Directory  %CERTDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input var_messages_in>
    Module    im_file
    File      '/var/log/messages'
    InputType LineBased
    SavePos   TRUE
    Exec      parse_syslog();
</Input>

<Input fim_linux>
    Module  im_fim
    File    '/bin/'
    File    '/etc/'
    File    '/lib/'
    File    '/opt/nxlog/bin/'
    File    '/opt/nxlog/lib/'
    File    '/sbin/'
    File    '/usr/bin/'
    File    '/usr/sbin/'
    Exclude '/etc/hosts.deny'
    Exclude '/etc/mtab'
</Input>

<Input var_audit_in>
    Module    im_file
    File      '/var/log/audit/audit.log'
    InputType LineBased
    SavePos   FALSE
    Exec      parse_syslog();
    Exec      $Hostname = hostname();
    Exec      $FQDN = hostname_fqdn();
    Exec      $Tag = "audit";
    Exec      $SourceName = "selinux";
    Exec      $Message = $Raw_Event;
</Input>

<Output out_syslog_ssl_br>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    OutputType  LineBased
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    Exec        $EventTime = $EventReceivedTime;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Output out_fim_linux_ssl_BR>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    OutputType  Binary
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    Exec        $SourceName = "FIM-LINUX-NXLOG-EE";
    Exec        $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S');
    Exec        $EventReceivedTime = strftime($EventReceivedTime, '%Y-%m-%d %H:%M:%S');
    Exec        to_json(); to_syslog_bsd();
</Output>

<Route route_syslog>
    Priority 1
    Path     var_audit_in, var_messages_in => out_syslog_ssl_br
</Route>

<Route FIM>
    Priority 2
    Path     fim_linux => out_fim_linux_ssl_BR
</Route>

rwebster created
Replies: 1
CSV file in Linux
Hello everyone, as you can see from my NXLog config below, I am pulling the Linux auth logs in and passing them to our SIEM platform. The auth logs work fine; however, as you can also see, I am trying to pull in a CSV file that is located on the Linux box. Each individual event is surrounded by curly brackets, e.g. {'event}, so I would like to just pull each event into a field called message and then parse these messages on our SIEM platform. I can't seem to get this to work whatsoever: the TCP connection initiates, but NXLog doesn't pick up the CSV file. Any ideas?

Cheers
G

########################################
# Global directives                    #
########################################
User     nxlog
Group    nxlog
LogFile  /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input auth_logs>
    Module       im_file
    File         "/var/log/auth.log"
    SavePos      TRUE
    ReadFromLast TRUE
</Input>

<Output to_relay>
    Module     om_tcp
    Host       127.0.0.1
    Port       20009
    OutputType LineBased
</Output>

########################################
# Routes                               #
########################################
<Route 1>
    Path auth_logs => to_relay
</Route>

<Extension csv1>
    Module    xm_csv
    Fields    $Message
    Delimiter '{'
</Extension>

<Input filein>
    Module im_file
    File   "/etc/ingest/sucuri/sucuri.csv"
    Exec   csv1->parse_csv();
</Input>

<Output test>
    Module     om_tcp
    Host       127.0.0.1
    Port       20002
    OutputType Binary
</Output>

<Route 2>
    Path filein => test
</Route>

multiplierx created
Replies: 1
Error when I install nxlog on REDHAT tikanga
Hello, does someone have an issue when installing on REDHAT TIKANGA? The error message is mentioned below:

~[root@osgdt01 tmp]# rpm -ivh nxlog-3.0.1814-1_rhel6.x86_64.rpm
error: nxlog-3.0.1814-1_rhel6.x86_64.rpm: Header V4 RSA/SHA1 signature: BAD, key ID 1da9e40e
error: nxlog-3.0.1814-1_rhel6.x86_64.rpm cannot be installed

Does anyone know what "signature: BAD" means? I have no idea about this error message, even after Googling it. Thanks

Ely created
Replies: 1