Log Forwarding to Azure Sentinel
Hi, I'm trying to get NXLog EE running with Microsoft Sentinel but still get the error:

2021-04-14 19:02:04 INFO [om_http|AzureHTTP] connecting to xxxxxxxx.ods.opinsights.azure.com(xx.xx.xx.xx):443
2021-04-14 19:02:04 ERROR [om_http|AzureHTTP] SSL error, failed to load ca cert from 'C:\Program Files\nxlog\cert\test.crt', reason: no certificate or crl found
2021-04-14 19:02:04 INFO [om_http|AzureHTTP] reconnecting in 4 sec
Forwarding to Sentinel Logspace is not working.
What's wrong?

Johannes
Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir  %INSTALLDIR%\data
#SpoolDir  %INSTALLDIR%\data

define CERTDIR   %INSTALLDIR%\cert
define CONFDIR   %INSTALLDIR%\conf\nxlog.d
define WORKSPACE xxxxxxxxxxxxxxxxxxxx
define SHAREDKEY xxxxxxxxxxxxxxxxxxxx
define SUBDOMAIN ods.opinsights.azure.com
define RESOURCE  api/logs
define APIVER    api-version=2016-04-01
define SIZELIMIT 65000

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The MYLOGFILE
# define is also used to rotate the log file automatically (see the
# _fileop block).
define LOGDIR    %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the include line
# and enable LogLevel and LogFile.
include %CONFDIR%*.conf
#LogLevel INFO
#LogFile  %MYLOGFILE%

<Extension _json>
    Module  xm_json
</Extension>

<Input VAT_Eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">
                    *[System[Level=0 and (EventID=4624 or EventID=4647)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    RemoteServer    xxx
    RemoteUser      xxx
    RemoteDomain    hq
    RemotePassword  xxx
</Input>

<Extension plxm>
    Module    xm_perl
    PerlCode  %INSTALLDIR%\modules\extension\perl\sentinelauth.pl
</Extension>

<Output AzureHTTP>
    Module              om_http
    URL                 https://%WORKSPACE%.%SUBDOMAIN%/%RESOURCE%?%APIVER%
    ContentType         application/json
    HTTPSAllowUntrusted TRUE
    HTTPSCAFile         %INSTALLDIR%\cert\test.crt
    <Exec>
        create_stat('ec', 'COUNT');
        create_stat('bc', 'COUNT');
        create_var('batch');
        create_var('nextbatch');
        add_stat('ec', 1);

        #---BEGIN--- the enrichment of this event with any new fields:
        $BatchNumber = get_stat('bc');
        $EventNumber = get_stat('ec');
        to_json();
        #---END--- the enrichment of this event

        # Flush this batch of events once adding this one would exceed SIZELIMIT
        if (size(get_var('batch')) + size($raw_event) + 3) > %SIZELIMIT%
        {
            set_var('nextbatch', $raw_event);
            $raw_event = '[' + get_var('batch') + ']';
            add_stat('bc', 1);
            set_var('batch', get_var('nextbatch'));
            $Workspace = "%WORKSPACE%";
            $SharedKey = "%SHAREDKEY%";
            $ContentLength = string(size($raw_event));
            $dts = strftime(now(), 'YYYY-MM-DDThh:mm:ssUTC');
            $dts_no_tz = replace($dts, 'Z', '');
            $parsedate_utc_false = parsedate($dts_no_tz, FALSE);
            $x_ms_date = strftime($parsedate_utc_false, '%a, %d %b %Y %T GMT');
            plxm->call("genauth");
            add_http_header('Authorization', $authorization);
            add_http_header('Log-Type', $SourceModuleName);
            add_http_header('x-ms-date', $x_ms_date);
        }
        else
        {
            # Otherwise append this event to the pending batch and drop it here
            $delimiter = get_stat('ec') == 1 ? '' : ",\n";
            set_var('batch', get_var('batch') + $delimiter + $raw_event);
            drop();
        }
    </Exec>
</Output>

# Disabled; writes the batches to a local file for debugging
#<Output TempFile>
#    Module  om_file
#    File    'C:\Program Files\nxlog\data\dnsetw.json'
#</Output>

<Route DnsRoute1>
    Path  VAT_Eventlog => AzureHTTP
</Route>
Hello Johannes,
Since this appears in your messages:

2021-04-14 19:02:04 ERROR [om_http|AzureHTTP] SSL error, failed to load ca cert from 'C:\Program Files\nxlog\cert\test.crt', reason: no certificate or crl found

the first question would be: is the cert present in this location and accessible by the NXLog agent?
Best regards,
Rafal
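An added example for both halves of this thread (not code from the thread or from NXLog's own sentinelauth.pl): it checks whether the file named in HTTPSCAFile actually contains a PEM certificate or CRL, which is what the "no certificate or crl found" error is about, and it builds the x-ms-date and Authorization headers for one batch the way the Exec block does, using the documented Log Analytics Data Collector API SharedKey scheme. The workspace ID, key and events are constructed sample values.

```python
import base64
import hashlib
import hmac
import re
from email.utils import formatdate

# A PEM certificate or CRL block; "no certificate or crl found" means
# OpenSSL found neither of these in the HTTPSCAFile.
PEM_CA_BLOCK = re.compile(
    rb"-----BEGIN (CERTIFICATE|X509 CRL)-----.+?-----END \1-----", re.S)


def ca_file_has_cert(pem_bytes: bytes) -> bool:
    """True if the CA file holds at least one PEM certificate or CRL."""
    return PEM_CA_BLOCK.search(pem_bytes) is not None


def batch_body(events: list) -> bytes:
    """Join events as the Exec block does: ",\n" between, wrapped in [ ]."""
    return ("[" + ",\n".join(events) + "]").encode("utf-8")


def x_ms_date(epoch_seconds: float) -> str:
    """RFC 1123 date in GMT, the format the x-ms-date header requires."""
    return formatdate(epoch_seconds, usegmt=True)


def build_headers(workspace_id: str, shared_key_b64: str, body: bytes,
                  date_hdr: str, log_type: str) -> dict:
    """Data Collector API SharedKey auth: HMAC-SHA256 over a fixed
    string-to-sign, keyed with the base64-decoded workspace key."""
    string_to_sign = (f"POST\n{len(body)}\napplication/json\n"
                      f"x-ms-date:{date_hdr}\n/api/logs")
    mac = hmac.new(base64.b64decode(shared_key_b64),
                   string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return {
        "Authorization": f"SharedKey {workspace_id}:"
                         f"{base64.b64encode(mac).decode()}",
        "Log-Type": log_type,
        "x-ms-date": date_hdr,
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    # Constructed sample values; a real workspace ID and primary key come
    # from the Log Analytics workspace, never from a config pasted online.
    key = base64.b64encode(b"0" * 32).decode()
    body = batch_body(['{"EventID": 4624}', '{"EventID": 4647}'])
    print(build_headers("00000000-0000-0000-0000-000000000000", key,
                        body, x_ms_date(0), "VAT_Eventlog"))
```

If the CA check fails, replacing test.crt with a PEM file that contains the issuing CA chain is the fix; HTTPSAllowUntrusted TRUE in the config above disables peer verification entirely, so it should not be left on as a workaround.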