Log Forwarding to Azure Sentinel


test4711

Hi, I'm trying to get NXLog EE running with Microsoft Sentinel, but I still get the following error:

2021-04-14 19:02:04 INFO [om_http|AzureHTTP] connecting to xxxxxxxx.ods.opinsights.azure.com(xx.xx.xx.xx):443
2021-04-14 19:02:04 ERROR [om_http|AzureHTTP] SSL error, failed to load ca cert from 'C:\Program Files\nxlog\cert\test.crt', reason: no certificate or crl found
2021-04-14 19:02:04 INFO [om_http|AzureHTTP] reconnecting in 4 sec

Forwarding to Sentinel Logspace is not working.

What's wrong? — Johannes

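Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir  %INSTALLDIR%\data
#SpoolDir  %INSTALLDIR%\data

define CERTDIR  %INSTALLDIR%\cert
define CONFDIR  %INSTALLDIR%\conf\nxlog.d

# Azure Log Analytics workspace ID and shared key (masked in this paste).
# NOTE(review): the shared key authenticates every upload, so this file
# should be readable only by the NXLog service account and administrators.
define WORKSPACE xxxxxxxxxxxxxxxxxxxx
define SHAREDKEY xxxxxxxxxxxxxxxxxxxx
define SUBDOMAIN ods.opinsights.azure.com
define RESOURCE  api/logs
define APIVER    api-version=2016-04-01
# Upper bound (bytes) for one batch; checked in the AzureHTTP <Exec> block.
define SIZELIMIT 65000

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
# NOTE(review): no _fileop block appears in the config as pasted.
define LOGDIR    %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the include line
# and enable LogLevel and LogFile.
# NOTE(review): the separator before *.conf looks like it was lost in the paste
# (%CONFDIR% ends in "nxlog.d", so "nxlog.d*.conf" would match nothing) — confirm.
include %CONFDIR%\*.conf
#LogLevel INFO
#LogFile  %MYLOGFILE%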

# JSON serialiser; provides the to_json() used in the AzureHTTP <Exec> block.
<Extension _json>
    Module  xm_json
</Extension>

# Reads events from the ForwardedEvents channel of a remote Windows host.
# Only Level 0 events with ID 4624 (logon) or 4647 (user-initiated logoff)
# are selected, so volume stays small.
<Input VAT_Eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">
                    *[System[Level=0 and (EventID=4624 or EventID=4647)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Credentials for the remote collector are stored here in clear text
    # (masked in this paste). NOTE(review): use a least-privilege account
    # with only event-log read rights and restrict the file's ACL — confirm.
    RemoteServer    xxx
    RemoteUser      xxx
    RemoteDomain    hq
    RemotePassword  xxx
</Input>

# Perl helper invoked as plxm->call("genauth") from the AzureHTTP <Exec> block.
# NOTE(review): the script is not shown on this page; presumably it builds the
# Log Analytics 'Authorization' header into $authorization from $Workspace,
# $SharedKey, $ContentLength and $x_ms_date — verify against sentinelauth.pl.
<Extension plxm>
    Module    xm_perl
    PerlCode  %INSTALLDIR%\modules\extension\perl\sentinelauth.pl
</Extension>

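# Ships events to the Azure Log Analytics Data Collector API as JSON arrays.
# Events are accumulated in the 'batch' variable; a batch is sent only when
# the next event would push it past %SIZELIMIT% bytes, so the final partial
# batch stays buffered until a later event overflows it.
<Output AzureHTTP>
    Module      om_http
    URL         https://%WORKSPACE%.%SUBDOMAIN%/%RESOURCE%?%APIVER%
    ContentType application/json
    # Verify the server certificate. Every request carries a signature derived
    # from the workspace shared key, and an unverified TLS session would expose
    # the forwarded security events to an on-path party.
    # HTTPSAllowUntrusted TRUE only skips the chain check; the CA file named in
    # HTTPSCAFile is still loaded, which is why the original setup logged
    # "failed to load ca cert ... no certificate or crl found": that file must
    # be a PEM-encoded (Base-64) CA certificate or chain that issued the
    # certificate served by %WORKSPACE%.%SUBDOMAIN%, not a DER export or an
    # empty file.
    HTTPSAllowUntrusted FALSE
    HTTPSCAFile %CERTDIR%\test.crt
    <Exec>
        # 'ec' counts events seen, 'bc' counts batches flushed (never reset).
        create_stat('ec', 'COUNT');
        create_stat('bc', 'COUNT');
        create_var('batch');
        create_var('nextbatch');
        add_stat('ec',1);

        #---BEGIN--- the enrichment of this event with any new fields:
        $BatchNumber = get_stat('bc');
        $EventNumber = get_stat('ec');
        to_json();
        #---END--- the enrichment of this event

        # +3 accounts for the surrounding '[' ']' and the ",\n" delimiter.
        if (size(get_var('batch')) + size($raw_event) + 3) > %SIZELIMIT%
        # Flush this batch of events
        {
            # The current event becomes the first entry of the next batch;
            # the completed batch is what actually goes out on the wire.
            set_var('nextbatch', $raw_event);
            $raw_event = '[' + get_var('batch') + ']';
            add_stat('bc',1);
            set_var('batch',get_var('nextbatch'));
            # Inputs consumed by the Perl 'genauth' helper (see plxm).
            $Workspace = "%WORKSPACE%";
            $SharedKey = "%SHAREDKEY%";
            $ContentLength = string(size($raw_event));
            # Build the RFC 1123 GMT timestamp required in the x-ms-date header.
            $dts = strftime(now(),'YYYY-MM-DDThh:mm:ssUTC');
            $dts_no_tz = replace($dts,'Z','');
            $parsedate_utc_false = parsedate($dts_no_tz,FALSE);
            $x_ms_date = strftime($parsedate_utc_false, '%a, %d %b %Y %T GMT');
            plxm->call("genauth");
            add_http_header('Authorization',$authorization);
            # Log-Type is the input module name (VAT_Eventlog); presumably
            # Log Analytics derives the custom table name from it — verify.
            add_http_header('Log-Type',$SourceModuleName);
            add_http_header('x-ms-date',$x_ms_date);
        }
        else
        {
            # Only the very first event ever seen gets no leading delimiter.
            $delimiter = get_stat('ec') == 1 ? '' : ",\n";
            set_var('batch', get_var('batch') + $delimiter + $raw_event);
            drop();
        }
    </Exec>
</Output>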

# Disabled debug output: writes the events to a local JSON file instead.
# (The inner two lines are assumed to be commented out with the enclosing block.)
#<Output TempFile>
#    Module  om_file
#    File    'C:\Program Files\nxlog\data\dnsetw.json'
#</Output>

# Everything collected by VAT_Eventlog is sent to the AzureHTTP output.
# NOTE(review): the route is named "DnsRoute1" but carries Windows
# logon/logoff events — consider renaming it for clarity.
<Route DnsRoute1>
    Path    VAT_Eventlog => AzureHTTP
</Route>