NXLog User Guide
- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elastic Cloud
- 67. Elastic Common Schema (ECS)
- 68. Elasticsearch and Kibana
- 69. F5 BIG-IP
- 70. File Integrity Monitoring
- 71. FreeRADIUS
- 72. General Electric CIMPLICITY
- 73. Google Chronicle
- 74. Graylog
- 75. HP ProCurve
- 76. IBM QRadar SIEM
- 77. Industrial Control Systems
- 78. Kubernetes
- 79. Linux Audit System
- 80. Linux system logs
- 81. Log Event Extended Format (LEEF)
- 82. LogPoint
- 83. Logstash
- 84. McAfee Enterprise Security Manager (ESM)
- 85. McAfee ePolicy Orchestrator
- 86. Micro Focus ArcSight Logger
- 87. Microsoft Active Directory Domain Controller
- 88. Microsoft Azure
- 89. Microsoft Azure Event Hubs
- 90. Microsoft Azure Sentinel
- 91. Microsoft Defender for Identity
- 92. Microsoft Exchange
- 93. Microsoft IIS
- 94. Microsoft SharePoint
- 95. Microsoft SQL Server
- 96. Microsoft System Center Endpoint Protection
- 97. Microsoft System Center Configuration Manager
- 98. Microsoft System Center Operations Manager
- 99. MongoDB
- 100. Nagios Log Server
- 101. Nessus Vulnerability Scanner
- 102. NetApp
- 103. .NET application logs
- 104. Nginx
- 105. Okta
- 106. Oracle Database
- 107. Osquery
- 108. Postfix
- 109. Promise
- 110. Raijin Database Engine
- 111. Rapid7 InsightIDR SIEM
- 112. RSA NetWitness
- 113. SafeNet KeySecure
- 114. Salesforce
- 115. SAP
- 116. Schneider Electric Citect SCADA
- 117. Siemens SICAM SCC
- 118. Siemens SIMATIC PCS 7
- 119. Snare
- 120. Snort
- 121. Solarwinds Loggly
- 122. Splunk
- 123. Sumo Logic
- 124. Symantec Endpoint Protection
- 125. Synology DiskStation
- 126. Syslog
- 127. Sysmon
- 128. Ubiquiti UniFi
- 129. VMware vCenter
- 130. Windows AppLocker
- 131. Windows Command Line Auditing
- 132. Windows Event Log
- 133. Windows Firewall
- 134. Windows Group Policy
- 135. Windows Management Instrumentation (WMI)
- 136. Windows PowerShell
- 137. Windows Time service
- 138. Microsoft Windows Update
- 139. Windows USB auditing
- 140. YOKOGAWA FAST/TOOLS
- 141. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
81. Log Event Extended Format (LEEF)
NXLog Enterprise Edition can be configured to collect or forward logs in the LEEF format.
The LEEF log format is used by IBM Security QRadar products and supports Syslog as a transport. It describes an event using key-value pairs, and provides a list of predefined event attributes. Additional attributes can be used for specific applications.
SYSLOG_HEADER LEEF_HEADER|EVENT_ATTRIBUTESThe LEEF_HEADER part contains the following pipe-delimited fields.
-
LEEF version
-
Vendor
-
Product name
-
Product version
-
Event ID
-
Optional delimiter character, as the character or its hexadecimal value prefixed by
0xorx(LEEF version 2.0)
The EVENT_ATTRIBUTES part contains a list of key-value pairs separated by a tab or the delimiter specified in the LEEF header.
Oct 11 11:27:23 myserver LEEF:Version|Vendor|Product|Version|EventID|Delimiter|src=192.168.1.1⇥dst=10.0.0.181.1. Collecting LEEF logs
NXLog Enterprise Edition can parse LEEF logs with the xm_leef module’s parse_leef() procedure.
With the following configuration, NXLog will accept LEEF logs via TCP, convert them to JSON, and output the result to file.
![[Download file]](images/icons/download_icon.png "Download file"){kind=icon}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<Extension _json>
Module xm_json
</Extension>
<Extension _leef>
Module xm_leef
</Extension>
<Input in>
Module im_tcp
Host 0.0.0.0
Port 1514
Exec parse_leef();
</Input>
<Output out>
Module om_file
File '/var/log/json'
Exec to_json();
</Output>
Oct 11 11:27:23 myserver LEEF:2.0|Microsoft|MSExchange|2013 SP1|15345|src=10.50.1.1⇥dst=2.10.20.20⇥spt=1200{
"EventReceivedTime": "2016-10-11 11:27:24",
"SourceModuleName": "in",
"SourceModuleType": "im_file",
"Hostname": "myserver",
"LEEFVersion": "LEEF:2.0",
"Vendor": "Microsoft",
"SourceName": "MSExchange",
"Version": "2013 SP1",
"EventID": "15345"
}81.2. Generating LEEF logs
NXLog Enterprise Edition can also generate LEEF logs, using the to_leef() procedure provided by the xm_leef extension module.
With this configuration, NXLog will parse the input JSON format from file and forward it as LEEF via TCP.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<Extension _json>
Module xm_json
</Extension>
<Extension _leef>
Module xm_leef
</Extension>
<Input in>
Module im_file
File '/var/log/json'
Exec parse_json();
</Input>
<Output out>
Module om_tcp
Host 10.12.0.1
Port 514
Exec to_leef();
</Output>
{
"EventTime": "2016-09-13 11:23:11",
"Hostname": "myserver",
"Purpose": "test",
"Message": "This is a test log message."
}<13>Sep 13 11:23:11 myserver LEEF:1.0|NXLog|in|3.0.1775|unknown|EventReceivedTime=2016-09-13 11:23:12⇥SourceModuleName=in⇥SourceModuleType=im_file⇥devTime=2016-09-13 11:23:11⇥identHostName=myserver⇥Purpose=test⇥Message=This is a test log message.⇥devTimeFormat=yyyy-MM-dd HH:mm:ss