Table of Contents
Share this post
NXLog User Guide
Table of Contents
- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elastic Cloud
- 67. Elastic Common Schema (ECS)
- 68. Elasticsearch and Kibana
- 69. F5 BIG-IP
- 70. File Integrity Monitoring
- 71. FreeRADIUS
- 72. General Electric CIMPLICITY
- 73. Google Chronicle
- 74. Graylog
- 75. HP ProCurve
- 76. IBM QRadar SIEM
- 77. Industrial Control Systems
- 78. Kubernetes
- 79. Linux Audit System
- 80. Linux system logs
- 81. Log Event Extended Format (LEEF)
- 82. LogPoint
- 83. Logstash
- 84. McAfee Enterprise Security Manager (ESM)
- 85. McAfee ePolicy Orchestrator
- 86. Micro Focus ArcSight Logger
- 87. Microsoft Active Directory Domain Controller
- 88. Microsoft Azure
- 89. Microsoft Azure Event Hubs
- 90. Microsoft Azure Sentinel
- 91. Microsoft Defender for Identity
- 92. Microsoft Exchange
- 93. Microsoft IIS
- 94. Microsoft SharePoint
- 95. Microsoft SQL Server
- 96. Microsoft System Center Endpoint Protection
- 97. Microsoft System Center Configuration Manager
- 98. Microsoft System Center Operations Manager
- 99. MongoDB
- 100. Nagios Log Server
- 101. Nessus Vulnerability Scanner
- 102. NetApp
- 103. .NET application logs
- 104. Nginx
- 105. Okta
- 106. Oracle Database
- 107. Osquery
- 108. Postfix
- 109. Promise
- 110. Raijin Database Engine
- 111. Rapid7 InsightIDR SIEM
- 112. RSA NetWitness
- 113. SafeNet KeySecure
- 114. Salesforce
- 115. SAP
- 116. Schneider Electric Citect SCADA
- 117. Siemens SICAM SCC
- 118. Siemens SIMATIC PCS 7
- 119. Snare
- 120. Snort
- 121. Solarwinds Loggly
- 122. Splunk
- 123. Sumo Logic
- 124. Symantec Endpoint Protection
- 125. Synology DiskStation
- 126. Syslog
- 127. Sysmon
- 128. Ubiquiti UniFi
- 129. VMware vCenter
- 130. Windows AppLocker
- 131. Windows Command Line Auditing
- 132. Windows Event Log
- 133. Windows Firewall
- 134. Windows Group Policy
- 135. Windows Management Instrumentation (WMI)
- 136. Windows PowerShell
- 137. Windows Security audit
- 138. Windows Time service
- 139. Microsoft Windows Update
- 140. Windows USB auditing
- 141. YOKOGAWA FAST/TOOLS
- 142. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
58. Common Event Expression (CEE)
NXLog can be configured to collect or forward logs in the Common Event Expression (CEE) format. CEE was developed by MITRE as an extension for Syslog, based on JSON. MITRE’s work on CEE was discontinued in 2013.
Log sample
Dec 20 12:42:20 syslog-relay serveapp[1335]: @cee: {"pri":10,"id":121,"appname":"serveapp","pid":1335,"host":"syslog-relay","time":"2011-12-20T12:38:05.123456-05:00","action":"login","domain":"app","object":"account","status":"success"}58.1. Collecting and parsing CEE
NXLog can parse CEE with the parse_json() procedure provided by the xm_json extension module.
Example 272. Collecting CEE logs
With the following configuration, NXLog accepts CEE logs via TCP, parses
the CEE-formatted $Message field, and writes the logs to file in JSON format.
nxlog.conf ![[Download file]](images/icons/download_icon.png "Download file")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_tcp
Host 0.0.0.0
Port 1514
<Exec>
parse_syslog();
if $Message =~ /^@cee: ({.+})$/
{
$raw_event = $1;
parse_json();
}
</Exec>
</Input>
<Output out>
Module om_file
File '/var/log/json'
Exec to_json();
</Output>
Input sample
Oct 13 14:23:11 myserver @cee: { "purpose": "test" }Output sample
{
"EventReceivedTime": "2016-09-13 14:23:12",
"SourceModuleName": "in",
"SourceModuleType": "im_file",
"SyslogFacilityValue": 1,
"SyslogFacility": "USER",
"SyslogSeverityValue": 5,
"SyslogSeverity": "NOTICE",
"SeverityValue": 2,
"Severity": "INFO",
"Hostname": "myserver",
"EventTime": "2016-09-13 14:23:11",
"Message": "@cee: { \"purpose\": \"test\" }",
"purpose": "test"
}58.2. Generating and forwarding CEE
NXLog can also generate CEE, using the to_json() procedure provided by the xm_json extension module.
Example 273. Generating CEE logs
With this configuration, NXLog parses IETF Syslog input from file. The logs are then converted to CEE format and forwarded via TCP. The Syslog header data and IETF Syslog Structured-Data key/value list from the input are also included.
nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_file
File '/var/log/ietf'
Exec parse_syslog();
</Input>
<Output out>
Module om_tcp
Host 192.168.1.1
Port 1514
Exec $Message = '@cee: ' + to_json(); to_syslog_bsd();
</Output>
Input sample
<13>1 2016-10-13T14:23:11.000000-06:00 myserver - - - [NXLOG@14506 Purpose="test"] This is a test message.Output sample
<13>Oct 13 14:23:11 myserver @cee: {"EventReceivedTime":"2016-10-13 14:23:12","SourceModuleName":"in","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2016-10-13 14:23:11","Hostname":"myserver","Purpose":"test","Message":"This is a test message."}