January 2020 Newsletter
New: Symantec Endpoint Security Integration Guide
The Symantec Endpoint Protection Manager (SEPM) stores log data either in a Microsoft SQL Server database or in an embedded database. NXLog can collect logs from the MSSQL Server database with the im_odbc module, and from the SEPM embedded database by using the SAP SQL Anywhere Database Client together with the im_odbc module. Read the rest of the information here.
New: Rapid7 InsightIDR SIEM Integration Guide
Rapid7 InsightIDR works with data collected from network logs, authentication logs, and other log sources from endpoint devices. NXLog can be configured to collect and forward these event logs to InsightIDR. It can also be used to rewrite event fields to meet the log field name requirements of InsightIDR’s Universal Event Format (UEF). See the new Guide here.
New: Windows USB Auditing
There are multiple ways to collect USB auditing events with NXLog: from the Windows Event Log, by tracing them with ETW, by monitoring the Windows Registry, and by reading the SetupAPI.dev.log file in the file system. See the section here to learn how.
New: Windows Group Policy
Windows Group Policy-related logs can be acquired in several ways: Group Policy Operational logs and Security logs from the Windows Event Log, Event Tracing for Windows (ETW), and file-based logs found in the file system. Read our guide here.
Extended section created for Windows Event Log collection
We have created a new section dedicated to Windows Event Log collection using modules available from the NXLog Community and Enterprise Editions.
Top Windows Security Events to Collect
This new section, "Event IDs to Monitor", provides guidance on selecting important Windows event IDs to monitor, along with example configurations that you can adapt to your Windows environments.
Learn more about Grok
Did you know that the xm_grok module provides parsing for unstructured log messages with Grok patterns? Read our section "Pattern Matching With Grok" for the options available to extract important metadata out of your log messages.
Enhancement to the Debugging and Troubleshooting Sections
If other troubleshooting options fail to identify (or resolve) an issue, inspecting the NXLog agent itself can prove useful. These techniques are outlined in our enhanced debugging and troubleshooting sections in the User Guide.
Solutions for Security Teams
Are you an Integrator, SOC, or MSSP interested in hearing more about log collection solutions for Rapid7, Symantec Endpoint Protection Manager, and other SIEMs? Contact the Sales team or download our flyer.
Top Social Media Chatter in December/January
- "nxlog --> graylog --> splunk" setup by @stelio5
- "If I remember correctly AS supports CEF. If so, look at nxlog to collect, transform to CEF, and send." from @filimentation.
- Use NXLog to send log files to Graylog. A user writes: "I do like a good bit of NXLog, the community edition covers most of the features you need and they have some brilliant guides on how to get DNS and DHCP logs out of Windows (along with all other kinds of logs)."
- Trying to get DC Logs. A user writes: "We're pushing all Windows event logs to Graylog through a UDP GELF input using just nxlog and some custom extraction rules."
- MYSTERY: Restored VM with no network adapter connected, and Time Sync turned off > VM has current time. A user shares: "Yep, I now have logging enabled on all DHCP servers and also send the logs up to papertrail via nxlog for centralised searching."
- Do you use Splunk? Some food for thought here. A user shares some candid feedback: "There aren't really any good third party syslog solutions on Windows, nxlog is probably the best but that has its own scaling issues." Feel free to get in touch with us if you have any questions regarding your NXLog + Splunk combination.
- Using NXLog to collect Windows events? A user shares their config online: "Here is my config for domain controllers using nxlog. This captures DNS server, System, and Security events on the domain controller. I have not actually looked at DNS logs, but the security events work flawlessly."
- Another user, this time utilizing NXLog for their college project on log analysis! Comment: "We use NXLog to send Windows events to Graylog. We also use Sysmon (SwiftOnSecurity has a fantastic configuration for Sysmon)."