windows to syslog to splunk using json

#1 vguyard

Hello, we are working on centralizing logging onto a syslog-ng server and using nxlog for the Windows part of the infrastructure. We are using the IP of the sender to route the message to the correct file on the syslog server, and I am trying to force nxlog to use the host's IP instead of its name in the syslog header, without much success.

The end goal is to forward everything (Windows, Linux, Network) to syslog-ng and from there to Splunk using the Splunk Forwarder on the syslog server. For Windows I am using the to_json() function on the message part so that the logs are parsed automatically on the Splunk side. There are 3 different QueryXML so as to assign different severity/facility to the messages and, again, route the messages to the correct file on the syslog server.

I have tried both to_syslog_bsd() and to_syslog_ietf(). With the "old" BSD format I am unable to force the IP into the syslog header. When I use the IETF format the IP is correctly used, but I then end up with a huge header, with data (time, source, ..) being repeated several times, which is not efficient.

BSD format:

Apr 27 14:38:45 WIN-0KNG645FE0L Microsoft-Windows-Security-Auditing[628]: {"EventTime":"2020-04-27 14:38:45","Hostname":"10.10.231.53","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4672,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12548,"OpcodeValue":0,"RecordNumber":22998,"ActivityID":"{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}","ProcessID":628,"ThreadID":692,"Channel":"Security","Category":"Special Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","PrivilegeList":"SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege","EventReceivedTime":"2020-04-27 14:38:47","SourceModuleName":"in_sec","SourceModuleType":"im_msvistalog","SyslogFacilityValue":17,"SyslogSeverityValue":2}

IETF format:

Apr 27 13:39:38 10.10.231.53 1 2020-04-27T13:39:36.528628+02:00 WIN-0KNG645FE0L Microsoft-Windows-Security-Auditing 628 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="5379" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="13824" OpcodeValue="0" RecordNumber="22664" ActivityID="{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}" ThreadID="1580" Channel="Security" Category="User Account Management" Opcode="Info" SubjectUserSid="S-1-5-21-4288340226-4165896404-4155820673-500" SubjectUserName="Administrator" SubjectDomainName="WIN-0KNG645FE0L" SubjectLogonId="0x53ac84" TargetName="ServerManager*" Type="0" CountOfCredentialsReturned="0" ReadOperation="%%8100" ReturnCode="3221226021" ProcessCreationTime="2020-04-27T11:39:34.659068400Z" ClientProcessId="2716" EventReceivedTime="2020-04-27 13:39:38" SourceModuleName="in_sec" SourceModuleType="im_msvistalog"] {"EventTime":"2020-04-27 13:39:36","Hostname":"10.10.231.53","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5379,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":13824,"OpcodeValue":0,"RecordNumber":22664,"ActivityID":"{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}","ProcessID":628,"ThreadID":1580,"Channel":"Security","Category":"User Account Management","Opcode":"Info","SubjectUserSid":"S-1-5-21-4288340226-4165896404-4155820673-500","SubjectUserName":"Administrator","SubjectDomainName":"WIN-0KNG645FE0L","SubjectLogonId":"0x53ac84","TargetName":"ServerManager*","Type":"0","CountOfCredentialsReturned":"0","ReadOperation":"%%8100","ReturnCode":"3221226021","ProcessCreationTime":"2020-04-27T11:39:34.659068400Z","ClientProcessId":"2716","EventReceivedTime":"2020-04-27 13:39:38","SourceModuleName":"in_sec","SourceModuleType":"im_msvistalog","SyslogFacilityValue":17,"SyslogSeverityValue":2}
  • BSD format seems preferred as it makes for smaller messages
  • Sending over TCP so as not to lose some of the largest messages

Edit:

  • NXLog nxlog-ce-2.10.2150
  • Windows 2019

nxlog.conf

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
  Module xm_syslog
</Extension>

<Extension _json>
  Module xm_json
</Extension>

<Input internal>
  Module im_internal
</Input>

<Input in_sys>
  Module        im_msvistalog
  <QueryXML>
    <QueryList>
      <Query Id="0">
        <Select Path="System">*</Select> 
      </Query>
    </QueryList>
  </QueryXML>
  <Exec>
    $SyslogFacilityValue = syslog_facility_value("local1"); 
    $SyslogSeverityValue = syslog_severity_value("emerg");  
#    $Message = to_json();
#    $raw_event = to_json();
#    to_syslog_bsd();
  </Exec>
</Input>
<Input in_app>
  Module        im_msvistalog 
  <QueryXML>
    <QueryList>
      <Query Id="1">
        <Select Path="Application">*</Select>
      </Query>
    </QueryList>
  </QueryXML>
  <Exec>
    $SyslogFacilityValue = syslog_facility_value("local1");
    $SyslogSeverityValue = syslog_severity_value("alert"); 
#    $Message = to_json();
#    to_syslog_bsd();
  </Exec>
</Input>
<Input in_sec>
  Module        im_msvistalog
  <QueryXML>
    <QueryList>
      <Query Id="2">
        <Select Path="Security">*</Select>
      </Query>
    </QueryList>
  </QueryXML>
  <Exec>
    $SyslogFacilityValue = syslog_facility_value("local1");
    $SyslogSeverityValue = syslog_severity_value("crit");
#    $Hostname = host_ip();
#    parse_syslog();
#    $Message = to_json();
#    to_syslog_bsd();
    delete($Message);
  </Exec>
</Input>

<Output syslog-srv>
  Module        om_tcp
  Host          10.10.231.11 
  port          514
  <Exec>
    $Hostname = host_ip();
#    parse_syslog();
#    log_info($raw_event);
    $Message = to_json();
    # replace literal \r, \n and \t escape sequences in the JSON with a space
    $Message =~ s/\\[rnt]/ /g;
#    to_syslog_ietf();
    to_syslog_bsd();
    $raw_event =~ s/\s{2,}/ /g;
  </Exec>
</Output>

<Route 1>
  Path in_sys, in_app, in_sec => syslog-srv
</Route>
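To see what the syslog-ng relay actually receives with the configuration above, here is a small checker written for this post (it is not code from the original post, nor from NXLog, syslog-ng or Splunk). It parses one BSD-syslog line whose MSG part is the JSON produced by to_json() followed by to_syslog_bsd(), then reports the two things a relay that routes by sender IP cares about: whether the header HOSTNAME is an IP that matches the TCP peer, and whether the PRI agrees with the SyslogFacilityValue/SyslogSeverityValue fields inside the JSON. The sample lines are constructed from the BSD line in the post (trimmed to a few fields, with a <PRI> prefix added; local1 is 17 and crit is 2, so 17*8+2 = 138), and the /var/log/remote/<ip>/<channel>.log layout is an assumption made for the example.

```python
"""Check what an IP-routing syslog relay sees in NXLog BSD output.

Added example for the forum post above; not NXLog, syslog-ng or Splunk code.
Sample lines and the /var/log/remote/<ip>/<channel>.log layout are constructed.
"""
import ipaddress
import json
import re

# RFC 3164 shape NXLog emits: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
BSD_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample: the post's BSD line, trimmed to a few fields, with a
# <PRI> prefix (local1 = 17, crit = 2 -> 17*8+2 = 138) and the header host
# as NXLog wrote it before the author's fix (the machine name, not the IP).
SAMPLE_BEFORE = (
    '<138>Apr 27 14:38:45 WIN-0KNG645FE0L Microsoft-Windows-Security-Auditing[628]: '
    '{"EventTime":"2020-04-27 14:38:45","Hostname":"10.10.231.53",'
    '"Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,'
    '"Severity":"INFO","EventID":4672,"Channel":"Security","Category":"Special Logon",'
    '"SubjectUserName":"SYSTEM","SourceModuleName":"in_sec",'
    '"SyslogFacilityValue":17,"SyslogSeverityValue":2}'
)
# Same event once $Hostname carries the IP: only the header host changes.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("WIN-0KNG645FE0L", "10.10.231.53", 1)


def parse_bsd_json(line):
    """Split a BSD syslog line into header fields and the decoded JSON event."""
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    d = m.groupdict()
    pri = int(d["pri"]) if d["pri"] is not None else None
    try:
        event = json.loads(d["msg"])
    except json.JSONDecodeError:
        event = None  # MSG is not JSON; the relay would store it as plain text
    return {
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "timestamp": d["ts"],
        "hostname": d["host"],
        "tag": d["tag"],
        "pid": int(d["pid"]) if d["pid"] else None,
        "event": event,
    }


def is_ip(text):
    """True when the header HOSTNAME field is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_routing(rec, sender_ip):
    """Return the problems an IP-keyed relay would hit with this record."""
    problems = []
    if not is_ip(rec["hostname"]):
        problems.append("header HOSTNAME is a machine name, not the sender IP")
    elif rec["hostname"] != sender_ip:
        problems.append("header HOSTNAME differs from the TCP peer address")
    ev = rec["event"]
    if ev is None:
        problems.append("MSG is not a JSON object")
    elif rec["facility"] is not None and (
        ev.get("SyslogFacilityValue"), ev.get("SyslogSeverityValue")
    ) != (rec["facility"], rec["severity"]):
        problems.append("PRI disagrees with SyslogFacilityValue/SyslogSeverityValue")
    return problems


def route_file(rec, sender_ip):
    """Constructed layout: one directory per sender IP, one file per channel."""
    channel = (rec["event"] or {}).get("Channel", "unknown")
    return f"/var/log/remote/{sender_ip}/{channel}.log"


if __name__ == "__main__":
    for label, line in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        rec = parse_bsd_json(line)
        print(label, route_file(rec, "10.10.231.53"),
              check_routing(rec, "10.10.231.53") or "ok")
```

Running it prints one line per sample: the "before" record is flagged because the header carries WIN-0KNG645FE0L rather than the peer address, while the "after" record routes cleanly to the Security channel file and its PRI matches the facility and severity NXLog stored in the JSON.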
#2 vguyard

Hello again, it seems that posting the question made me find the answer. It's simply the fact that the $Hostname variable expects a string value and the host_ip() function returns an integer.

So using it like so: $hostname = string(host_ip()); works as I wanted it to. A good case of RTFM!