NXLog Newbie Question
Good Afternoon.
I currently run an NXLog solution that was set up by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server, and that server uploads the logs to the IDS. That being said, I have set up a Graylog server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should one of them become compromised (via malware, ransomware, etc.). I realize that there is already a config file for NXLog that sends the Event Viewer logs, so I am assuming that I would have to use that same file to have NXLog send DNS logs to a different location (if that is even possible). So my questions are: is it possible to do that? If so, is it the collection service that has to be stopped in order to edit the config file?
I would send these logs to the same online IDS service, but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting.
Any input will be greatly appreciated.
Hi,
If I understand you correctly, the NXLog agent is running on the Windows servers. You can add the configuration below to the nxlog.conf file located at C:\Program Files\nxlog\conf.
## Graylog extension module ###
<Extension gelf>
    Module xm_gelf
</Extension>

#### Input: Windows DNS Client operational log #####
<Input dns_client>
    Module im_msvistalog
    # Read only the DNS Client query events (3006, 3008, 3010, 3018) from the Operational channel
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-DNS-Client/Operational">
                    *[System[(EventID=3006 or EventID=3008 or
                    EventID=3010 or EventID=3018)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Drop WPAD lookups and anything that is not an A (type 1) query to cut noise
    <Exec>
        if ($QueryName == 'wpad') or ($QueryType != '1') {
            drop();
        }
    </Exec>
</Input>

### Output to Graylog #####
<Output to_graylog_udp>
    Module om_udp
    # Replace with your Graylog server address; 12201 is Graylog's default GELF UDP port,
    # change it to match the port of the GELF UDP input you created
    Host graylogIPAddress
    Port 12201
    OutputType GELF_UDP
</Output>

<Route DNStoGrayLog>
    Path dns_client => to_graylog_udp
</Route>
Kindly review the docs below for more information on this:
Monitoring DNS event sources using Windows Event Log
Make sure to restart the agent service after making the modification. I hope this helps.
Regards
Jeffron
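As an added example (not part of Jeffron's answer or of NXLog/Graylog's own code), the Python script below does in miniature what the configuration above does: it applies the same drop rule as the <Exec> block to a few constructed DNS Client events, encodes the survivors as GELF 1.1 datagrams exactly as the GELF UDP input expects them, and can optionally send them, which lets you verify the Graylog input before touching the production nxlog.conf. The sample events, their field names and the host argument are assumptions, not values from the page.

```python
import gzip
import json
import socket
import time

# Constructed sample events, shaped like the fields im_msvistalog exposes (field names are assumptions)
SAMPLE_EVENTS = [
    {"EventID": 3006, "QueryName": "update.example.com", "QueryType": "1", "Hostname": "WS01"},
    {"EventID": 3006, "QueryName": "wpad", "QueryType": "1", "Hostname": "WS01"},
    {"EventID": 3008, "QueryName": "mail.example.com", "QueryType": "28", "Hostname": "WS02"},
]

def should_drop(event):
    """Same rule as the <Exec> block: drop WPAD lookups and non-A (QueryType != 1) queries."""
    return event["QueryName"] == "wpad" or event["QueryType"] != "1"

def to_gelf(event, ts=None):
    """Encode one event as a GELF 1.1 datagram (gzip-compressed JSON), the format
    Graylog's GELF UDP input accepts. Extra fields carry the mandatory '_' prefix."""
    msg = {
        "version": "1.1",
        "host": event["Hostname"],
        "short_message": f"DNS query {event['QueryName']} (EventID {event['EventID']})",
        "timestamp": time.time() if ts is None else ts,
        "level": 6,  # syslog informational
        "_EventID": event["EventID"],
        "_QueryName": event["QueryName"],
        "_QueryType": event["QueryType"],
    }
    return gzip.compress(json.dumps(msg).encode("utf-8"))

def decode_gelf(payload):
    """Inverse of to_gelf: handy for checking exactly what goes on the wire."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))

def forward(events, host=None, port=12201):
    """Filter like the NXLog config, encode survivors as GELF and, when a host is given,
    send them to the Graylog GELF UDP input (12201 is Graylog's default GELF UDP port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) if host else None
    forwarded = []
    for event in events:
        if should_drop(event):
            continue
        payload = to_gelf(event)
        if sock is not None:
            sock.sendto(payload, (host, port))  # one datagram per event, well under 8 KB so no GELF chunking
        forwarded.append(decode_gelf(payload))
    return forwarded  # decoded copies of every message that was (or would be) sent
```

Run it with `forward(SAMPLE_EVENTS, host="your.graylog.server")` and the surviving event should appear in the Graylog search with `_QueryName` and `_QueryType` as searchable fields, the same shape xm_gelf produces.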