February 2020 Newsletter
System Center Configuration Manager (SCCM) is a software management suite that enables administrators to manage the deployment and security of devices, applications and operating system patches.
NXLog can collect and forward the log data created by SCCM through:
When dealing with a large volume of logs, it is often necessary to collect only a portion of the events by filtering the Windows Event Log at the source. Use the im_msvistalog module (available in both the Community and Enterprise Editions) to:
Specify a single channel and collect every event written to it.
Add one or more XPath queries to subscribe to events across multiple channels and/or limit events by attributes such as event ID, level or provider.
Read all events from a saved log file (for example, Security.evtx), which is useful for forensics.
Discard unwanted events with an Exec block so they are never forwarded.
Discover what you can do to filter Windows events in our new section here.
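The configuration below is an added example, not from the newsletter or from NXLog's documentation, showing the four techniques above in one file: an XPath query that subscribes to selected Security and System events, an Exec block that discards noisy computer-account logons, a second input that reads an archived Security.evtx for forensics, and a TCP output to a collector. The event IDs chosen, the file path C:\forensics\Security.evtx, and the collector address 192.0.2.10:1514 are assumptions for illustration.

```nxlog
# Assumed example configuration (not NXLog's own); adjust paths and host.
<Extension json>
    Module  xm_json
</Extension>

# Live subscription: only the events named in the XPath query are delivered
# by the Windows Event Log API, so filtering happens before NXLog sees them.
<Input filtered_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <!-- Logon success/failure, user created, added to global/local group -->
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720 or EventID=4728 or EventID=4732)]]</Select>
                <!-- Critical and Error level events from the System channel -->
                <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Second-stage filter in NXLog: drop successful logons by computer
        # accounts (names ending in '$'), which dominate 4624 volume on servers.
        if $EventID == 4624 and $TargetUserName =~ /\$$/ drop();
    </Exec>
</Input>

# Forensic read of a saved log file: every event in the file is read once.
<Input archived_security>
    Module  im_msvistalog
    File    'C:\forensics\Security.evtx'
</Input>

# Forward both inputs as JSON lines to a collector (assumed address).
<Output siem>
    Module  om_tcp
    Host    192.0.2.10
    Port    1514
    Exec    to_json();
</Output>

<Route r>
    Path    filtered_eventlog, archived_security => siem
</Route>
```

The XPath query is the cheaper filter because the events are never generated for the subscription; the Exec block is for conditions the Windows XPath subset cannot express, such as the regular expression on the account name. Validate a query against a live host with Event Viewer's "Filter Current Log" XML tab before deploying it, since an invalid query silently returns nothing.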
Windows Update is a Windows system service that manages the updates and patches for the Windows operating system. The event logs related to Windows Update can be collected using Event Tracing for Windows (ETW) or from the file system in older Windows versions via the WindowsUpdate.log file. Read the section here.
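As an added example (not from the newsletter or NXLog's documentation), the fragment below shows the two collection paths described above: the ETW provider used by the Windows Update client on current Windows versions, and the plain-text WindowsUpdate.log on older versions. im_etw is an Enterprise Edition module; the provider name and the log path are standard Windows names, and the Event Log channel added as a third input is an assumption about what a practitioner would also want.

```nxlog
# Assumed example configuration (not NXLog's own).

# Windows 10 / Server 2016 and later: the Windows Update client logs through
# ETW. im_etw (Enterprise Edition) subscribes to the provider directly.
<Input wu_etw>
    Module    im_etw
    Provider  Microsoft-Windows-WindowsUpdateClient
</Input>

# The same client also writes summary events (install succeeded/failed) to
# an Event Log channel, which im_msvistalog can read on either edition.
<Input wu_eventlog>
    Module   im_msvistalog
    Channel  Microsoft-Windows-WindowsUpdateClient/Operational
</Input>

# Windows 7 / Server 2008 R2 and earlier: the client writes a text log file.
<Input wu_legacy>
    Module   im_file
    File     'C:\Windows\WindowsUpdate.log'
</Input>

<Output wu_out>
    Module   om_file
    File     'C:\logs\windows_update.log'
</Output>

<Route wu>
    Path     wu_etw, wu_eventlog, wu_legacy => wu_out
</Route>
```

On Windows 10 and later the WindowsUpdate.log file is not maintained in real time (it is only generated on demand from ETW traces), so the im_file input only yields data on the older versions; on current systems rely on the ETW or Event Log inputs.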
Event Tracing for Windows (ETW) logs kernel, application and other system activity. ETW provides more detailed data and consumes fewer system resources than conventional logging. By understanding the key characteristics of ETW, system administrators can make a well-informed decision on how to use the logs collected via ETW to improve IT security. Read the whitepaper here or download the PDF.
Top Social Media Chatter in January/February
- "Lovin’ your great documentation and capable product. Keep up the great work!" thanks @limpidweb !
- How to monitor for privilege escalation? Ideas here for Windows.
- Question: "What are your most commonly excluded Windows Event IDs? Setting up Event ID to a Syslog server and I'm trying to filter out the extra fluff. What IDs are just plain unnecessary?" A user suggests: "syslog-ng or nxlog might help as alternative collectors with more granular options; fancy a query? See options: https://nxlog.co/question/1711/configuration-send-windows-security-logs-only"
- Want to set up free or open source syslog with audio alarms? Check out the options here.
- "Depending on your familiarity with configuring ELK in security onion, winlogbeat, and nxlog are also options" suggested by a user.
- "If you are on an AD/Windows environment, you should be able to use NXLog to redirect the DNS server logs over to Graylog..." answered for logging DNS requests with ASA.
- GREAT ideas for securing a Windows network by Xaxoxth.
- Finding guidance on Windows events to monitor is always going to be useful. From a user: "Windows events related to account creation, group changes, lockouts, automatic services that aren't running, some of the things NxLog discusses (https://nxlog.co/documentation/nxlog-user-guide/ad-domain-controller.html and the MS article they link to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor#appendix-l-events-to-monitor), the events noted in this article on WEFFLES (https://blogs.technet.microsoft.com/jepayne/2017/12/08/weffles/)."
- NXLog and anything, really.
- Microsoft recently published a great resource including NXLog in the list. See Migrating AIX Workloads to Azure: Approaches and Best Practices
- A very interesting Educause SecList discussion on open source SIEM.