windows to syslog to splunk using json


vguyard

Hello, we are working on centralizing logging onto a syslog-ng server and using nxlog for the Windows part of the infrastructure. We are using the IP of the sender to route the message to the correct file on the syslog server, and I am trying to force nxlog to use the host's IP instead of its name in the syslog header, without much success.

The end goal is to forward everything (Windows, Linux, Network) to syslog-ng and from there to Splunk using the Splunk Forwarder on the syslog server. For Windows I am using the to_json() function on the part of the message so that the logs are parsed automatically on the splunk side. There are 3 different QueryXML so as to assign different severity/facility to the messages and, again, route the messages to the correct file on the syslog server.

I have tried both to_syslog_bsd() and to_syslog_ietf(). With the "old" BSD format I am unable to force the IP into the syslog header; when I use the IETF format the IP is correctly used, but I then end up with a huge header, and data (time, source, ...) being repeated several times, which is not efficient.

BSD format:

Apr 27 14:38:45 WIN-0KNG645FE0L Microsoft-Windows-Security-Auditing[628]: {"EventTime":"2020-04-27 14:38:45","Hostname":"10.10.231.53","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4672,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12548,"OpcodeValue":0,"RecordNumber":22998,"ActivityID":"{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}","ProcessID":628,"ThreadID":692,"Channel":"Security","Category":"Special Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","PrivilegeList":"SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege","EventReceivedTime":"2020-04-27 14:38:47","SourceModuleName":"in_sec","SourceModuleType":"im_msvistalog","SyslogFacilityValue":17,"SyslogSeverityValue":2}

IETF format:

Apr 27 13:39:38 10.10.231.53 1 2020-04-27T13:39:36.528628+02:00 WIN-0KNG645FE0L Microsoft-Windows-Security-Auditing 628 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="5379" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="13824" OpcodeValue="0" RecordNumber="22664" ActivityID="{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}" ThreadID="1580" Channel="Security" Category="User Account Management" Opcode="Info" SubjectUserSid="S-1-5-21-4288340226-4165896404-4155820673-500" SubjectUserName="Administrator" SubjectDomainName="WIN-0KNG645FE0L" SubjectLogonId="0x53ac84" TargetName="ServerManager*" Type="0" CountOfCredentialsReturned="0" ReadOperation="%%8100" ReturnCode="3221226021" ProcessCreationTime="2020-04-27T11:39:34.659068400Z" ClientProcessId="2716" EventReceivedTime="2020-04-27 13:39:38" SourceModuleName="in_sec" SourceModuleType="im_msvistalog"] {"EventTime":"2020-04-27 13:39:36","Hostname":"10.10.231.53","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5379,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":13824,"OpcodeValue":0,"RecordNumber":22664,"ActivityID":"{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}","ProcessID":628,"ThreadID":1580,"Channel":"Security","Category":"User Account Management","Opcode":"Info","SubjectUserSid":"S-1-5-21-4288340226-4165896404-4155820673-500","SubjectUserName":"Administrator","SubjectDomainName":"WIN-0KNG645FE0L","SubjectLogonId":"0x53ac84","TargetName":"ServerManager*","Type":"0","CountOfCredentialsReturned":"0","ReadOperation":"%%8100","ReturnCode":"3221226021","ProcessCreationTime":"2020-04-27T11:39:34.659068400Z","ClientProcessId":"2716","EventReceivedTime":"2020-04-27 13:39:38","SourceModuleName":"in_sec","SourceModuleType":"im_msvistalog","SyslogFacilityValue":17,"SyslogSeverityValue":2}
  • BSD format seems preferred as it makes for smaller messages
  • Sending over TCP so as not to lose some of the largest messages

Edit:

  • NXLog nxlog-ce-2.10.2150
  • Windows 2019

nxlog.conf

# Installation root of NXLog on this Windows host (CE 2.10.2150 per the post);
# every other path below is expressed relative to it through %ROOT%.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
LogFile   %ROOT%\data\nxlog.log
Pidfile   %ROOT%\data\nxlog.pid
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data

<Extension syslog>
  # Supplies syslog_facility_value(), syslog_severity_value() and
  # to_syslog_bsd() used by the inputs and the output below.
  Module  xm_syslog
</Extension>

<Extension _json>
  # Supplies to_json(), used in the output to serialise the event fields.
  Module  xm_json
</Extension>

<Input internal>
  # NXLog's own log messages. This input is not referenced by the Route at
  # the end of the file, so these messages are not forwarded anywhere.
  Module  im_internal
</Input>

<Input in_sys>
  Module  im_msvistalog
  # Every event from the System channel.
  <QueryXML>
    <QueryList>
      <Query Id="0">
        <Select Path="System">*</Select>
      </Query>
    </QueryList>
  </QueryXML>
  <Exec>
    # The facility/severity pair is only a routing key for syslog-ng
    # (System => local1/emerg); the Windows event's own level is still
    # carried in the $Severity / $SeverityValue fields of the JSON body.
    $SyslogFacilityValue = syslog_facility_value("local1");
    $SyslogSeverityValue = syslog_severity_value("emerg");
  </Exec>
</Input>
<Input in_app>
  Module  im_msvistalog
  # Every event from the Application channel.
  <QueryXML>
    <QueryList>
      <Query Id="1">
        <Select Path="Application">*</Select>
      </Query>
    </QueryList>
  </QueryXML>
  <Exec>
    # Routing key for syslog-ng (Application => local1/alert); the event's
    # own level remains in $Severity / $SeverityValue.
    $SyslogFacilityValue = syslog_facility_value("local1");
    $SyslogSeverityValue = syslog_severity_value("alert");
  </Exec>
</Input>
<Input in_sec>
  Module  im_msvistalog
  # Every event from the Security channel.
  <QueryXML>
    <QueryList>
      <Query Id="2">
        <Select Path="Security">*</Select>
      </Query>
    </QueryList>
  </QueryXML>
  <Exec>
    # Routing key for syslog-ng (Security => local1/crit); the event's own
    # level remains in $Severity / $SeverityValue.
    $SyslogFacilityValue = syslog_facility_value("local1");
    $SyslogSeverityValue = syslog_severity_value("crit");
    # Drop the rendered message text for this channel only; the structured
    # fields (SubjectUserSid, PrivilegeList, ...) are what reach Splunk, which
    # is why the sample JSON has no "Message" key. in_sys/in_app keep theirs
    # -- presumably deliberate, since the Security text is the largest.
    delete($Message);
  </Exec>
</Input>

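<Output syslog-srv>
  # Plain (unencrypted) TCP to the syslog-ng collector. Security-channel
  # events carry SIDs, account names and privilege lists (see the sample
  # output), so if the path to 10.10.231.11 is not otherwise protected the
  # TLS-capable om_ssl module is the drop-in alternative to om_tcp.
  Module        om_tcp
  Host          10.10.231.11
  Port          514
  <Exec>
    # Collapse real CR/LF/TAB characters in the event text BEFORE it is
    # serialised. The previous form, s/\\[r|n|t]/ /g applied to the JSON,
    # matched any backslash followed by r, n or t inside a value -- e.g. the
    # "\\n" in C:\\Windows\\System32\\notepad.exe -- and left an invalid
    # "\ " escape, so the JSON could no longer be parsed on the Splunk side.
    # The guard keeps this valid for in_sec, which deletes $Message.
    if defined($Message) $Message =~ s/[\r\n\t]+/ /g;
    # Put the host's IP in the syslog header instead of the Windows name.
    # NOTE(review): the BSD sample still shows WIN-0KNG645FE0L in the header
    # while the JSON body has "Hostname":"10.10.231.53", so the header host
    # is probably rewritten on the receiving side (syslog-ng keep_hostname /
    # use_dns) rather than by this assignment -- confirm on the collector.
    $Hostname = host_ip();
    # Serialise every field of the event into the message body.
    $Message = to_json();
    # Build $raw_event as a BSD syslog line; facility/severity were set in the
    # inputs, and the sample shows SourceName[ProcessID] in the header.
    to_syslog_bsd();
    # Squeeze whitespace runs in the final line to keep messages small.
    $raw_event =~ s/\s{2,}/ /g;
  </Exec>
</Output>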

<Route 1>
  # All three event-log inputs share the single syslog-ng output. The
  # 'internal' input defined above is not in this Path, so NXLog's own
  # messages are not forwarded; add it here if pipeline health should be
  # visible on the collector as well.
  Path  in_sys, in_app, in_sec => syslog-srv
</Route>