Table of Contents
Share this post
NXLog User Guide
Table of Contents
- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elastic Common Schema (ECS)
- 67. Elasticsearch and Kibana
- 68. F5 BIG-IP
- 69. File Integrity Monitoring
- 70. FreeRADIUS
- 71. General Electric CIMPLICITY
- 72. Google Chronicle
- 73. Graylog
- 74. HP ProCurve
- 75. IBM QRadar SIEM
- 76. Industrial Control Systems
- 77. Kubernetes
- 78. Linux Audit System
- 79. Linux system logs
- 80. Log Event Extended Format (LEEF)
- 81. LogPoint
- 82. Logstash
- 83. McAfee Enterprise Security Manager (ESM)
- 84. McAfee ePolicy Orchestrator
- 85. Microsoft Active Directory Domain Controller
- 86. Microsoft Azure
- 87. Microsoft Azure Event Hubs
- 88. Microsoft Azure Sentinel
- 89. Microsoft Defender for Identity
- 90. Microsoft Exchange
- 91. Microsoft IIS
- 92. Microsoft SharePoint
- 93. Microsoft SQL Server
- 94. Microsoft System Center Endpoint Protection
- 95. Microsoft System Center Configuration Manager
- 96. Microsoft System Center Operations Manager
- 97. MongoDB
- 98. Nagios Log Server
- 99. Nessus Vulnerability Scanner
- 100. NetApp
- 101. .NET application logs
- 102. Nginx
- 103. Okta
- 104. Oracle Database
- 105. Osquery
- 106. Postfix
- 107. Promise
- 108. Raijin Database Engine
- 109. Rapid7 InsightIDR SIEM
- 110. RSA NetWitness
- 111. SafeNet KeySecure
- 112. Salesforce
- 113. SAP
- 114. Schneider Electric Citect SCADA
- 115. Siemens SIMATIC PCS 7
- 116. Snare
- 117. Snort
- 118. Solarwinds Loggly
- 119. Splunk
- 120. Sumo Logic
- 121. Symantec Endpoint Protection
- 122. Synology DiskStation
- 123. Syslog
- 124. Sysmon
- 125. Ubiquiti UniFi
- 126. VMware vCenter
- 127. Windows AppLocker
- 128. Windows Command Line Auditing
- 129. Windows Event Log
- 130. Windows Firewall
- 131. Windows Group Policy
- 132. Windows Management Instrumentation (WMI)
- 133. Windows PowerShell
- 134. Windows Time service
- 135. Microsoft Windows Update
- 136. Windows USB auditing
- 137. YOKOGAWA FAST/TOOLS
- 138. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
53. Cisco ACS
An example Syslog record from a Cisco Secure Access Control System (ACS) device looks like the following. For more information, refer to the Syslog Logging Configuration Scenario chapter in the Cisco Configuration Guide.
Log sample
<38>Oct 16 21:01:29 10.0.1.1 CisACS_02_FailedAuth 1k1fg93nk 1 0 Message-Type=Authen failed,User-Name=John,NAS-IP-Address=10.0.1.2,AAA Server=acs01Example 249. Collecting Cisco Secure ACS logs
The following configuration file instructs NXLog to accept Syslog messages on UDP port 1514. The payload is parsed as Syslog and then the ACS specific fields are extracted. The output is written to file in JSON format.
nxlog.conf ![[Download file]](images/icons/download_icon.png "Download file")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<Extension _json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_udp
Host 0.0.0.0
Port 1514
<Exec>
parse_syslog_bsd();
if ( $Message =~ /^CisACS_(\d\d)_(\S+) (\S+) (\d+) (\d+) (.*)$/ )
{
$ACSCategoryNumber = $1;
$ACSCategoryName = $2;
$ACSMessageId = $3;
$ACSTotalSegments = $4;
$ACSSegmentNumber = $5;
$ACSMessage = $6;
if ( $ACSMessage =~ /Message-Type=([^\,]+)/ ) $ACSMessageType = $1;
if ( $ACSMessage =~ /User-Name=([^\,]+)/ ) $AccountName = $1;
if ( $ACSMessage =~ /NAS-IP-Address=([^\,]+)/ ) $ACSNASIPAddress = $1;
if ( $ACSMessage =~ /AAA Server=([^\,]+)/ ) $ACSAAAServer = $1;
}
else log_warning("Does not match: " + $raw_event);
</Exec>
</Input>
<Output out>
Module om_file
File "tmp/output.txt"
Exec to_json();
</Output>