Mar 2021

March 2021 Newsletter

Setting up a Windows Event Collector (WEC) on Linux

Windows Event Forwarding (WEF) is a service available on Microsoft Windows platforms, which enables the forwarding of events from Windows Event Log to a central Windows Event Collector (WEC). Since the technology is built into the operating system, this means you can centralize log collection without having to install third-party software on each Windows node. Unfortunately, these events are sent over the WS-Eventing protocol, limiting the Windows Event Collector to a Windows server. 

But what happens in environments where Windows servers are rare or non-existent?

NXLog Enterprise Edition addresses this problem through its Windows Event Collector (im_wseventing) module, creating new possibilities for a centralized log collection of events from Windows clients allowing a Windows Event Collector to be set up on GNU/Linux systems using either Kerberos or certificate-based authentication. This way, helping any organization to:

  • Remotely collect logs from Windows Machines
  • Not needing to install an agent
  • Forward logs anywhere immediately

In this blog post, we'll show you how the collecting of logs occurs directly through a Linux machine helping to have low resource usage, reducing licensing cost, and enabling to collect event data in an efficient, secure and reliable way.

Find out how to set up a WEC server on Linux.

Forward Log Data to Google Chronicle

As a cloud-based service from Google, designed to collect and process log data, Google Chronicle can help alert organizations when any of their systems gets compromised. The ingested data can be searched and selected based on specific criteria, such as assets, domains, or IP addresses, and can accept both structured (UDM-formatted) and unstructured messages. For Chronicle to accept events as structured data, it needs special formatting prior to forwarding. For unstructured events, Chronicle parses and processes them on reception.

NXLog provides various ways to send logs to Chronicle, using the following methods:

  1. Forwarding directly to the Chronicle Partner Ingestion API 
  2. Forwarding via the Chronicle Forwarder Software
  3. Forwarding logs using a central NXLog agent (an enhanced replacement for Chronicle Forwarder)

Read the complete guide.

Oracle Database Integration

Oracle Database comes with a rich set of logging which can be used to monitor database security and integrity, as well as aid in troubleshooting database and server issues when they arise. Different Oracle components store logs in various locations and formats and it can be overwhelming to manage them especially when handling critical issues. It is therefore important to consolidate logging from different sources so that they can be easily accessed and processed when required.

NXLog can simplify this by collecting the different types of logs, processing them into structured data, and storing them in a central repository, or forwarding the logs to a third-party analytics platform. Our advanced guide shows you how NXLog can integrate with Oracle Database itself and can be configured to read from and write to databases hosted on Oracle.

Read Oracle Database Integration Guide.

NXLog Failover Mode

When using failover-enabled NXLog v5 output modules, it is important to understand that configuring an active-passive (failover) cluster is significantly different from other third-party failover implementations. Configuring a cluster of redundant, multiple systems able to provide identical functionality is the first prerequisite for implementing failover. In this guide we show the 2 types of failover, Self-managed and Externally managed failover, the main difference between the two is determined by where (in which tier) the following is found or occurs:

  • Configuration of which nodes comprise the cluster and which node is the default active node
  • Detection of a fault within the active node
  • Selection of the next passive node to be promoted to active status when a fault is detected

See NXLog Failover Mode for a detailed guide on configuring NXLog externally managed active-passive clusters.

NXLog Enterprise Edition vs. NXLog Community Edition

If you need to compare and contrast the two NXLog editions to determine whether the features and solutions that are important to you are available in the NXLog Community Edition or only in the NXLog Enterprise Edition, take a look at this comprehensive side-by-side comparison and analysis of both products. 

Top Social Media Chatter March

What did the community have to say about NXLog on social media?  Tweet to us or share your updates with us on LinkedIn for an opportunity to be listed in this newsletter.

Reddit discussion

  • NXlog gets recommended as a log forwarder on a Reddit thread about an Open-source SIEM solution - thread
  • NXLog mentioned in Reddit for analyzing logs for suspicious activities after new 0-day on MS Exchange Server - thread

Other places

  • Microsoft introduced 2 NXLog connectors for its Azure Sentinel SIEM platform - read blog post
  • Blumira's "Lock Down PowerShell or Else!" article describes NXlog setup and chooses it as one of their primary forms of Windows logging - read article
  • Guru99 ranked NXLog in their "15+ BEST Syslog Servers for Windows & Linux" list - read
  • Discussion about Windows Event Log Management where NXLog gets recommended by several users - read
  • SECNOLOGY integrates with NXLog as an Add-On to help users to collect their traces within specific applications - read
  • Panther Monitoring mentioned NXLog in a tweet as a tool to ingest Windows Event logs and SNMP Traps - tweet

Share this post