Interesting post by Logmatic aimed at Golang developers working with logging libraries. NXLog is recommended as the log collector for Windows, but you can also use NXLog to replace Rsyslog.
Logging and log analysis are essential to securing infrastructure, particularly when we consider common vulnerabilities. This article, based on the writer's lightning talk "Let's use centralized log collection to make incident response teams happy" at FOSDEM'19, aims to raise awareness about the security concerns around insufficient logging, offer a way to avoid the risk, and advocate for more secure practices.
Infomentum shares how they have solved the challenge of centralized logging with NXLog Community Edition. "One of the challenges we faced was shipping Windows Server logs from a logfile onto Logstash’s syslog listener, and we found a tool that does exactly that - nxlog-ce-2.9.1716".
"Digital threats have undergone massive change in recent years. Because of this, it’s critical to develop an incident response plan that allows you to ward off cyber attacks. Many programs on the market can help you do this, but a few of the top are Elasticsearch, NXLog, and Kibana." - suggests an article on Security Boulevard.
"Not sure what SIEM you're using, but check out greylog with nxlog clients. Pretty good stuff." - says a Reddit member in a discussion about PowerShell security best practices.
Another topic on Reddit discusses Windows file auditing and reporting. "Is there a way to export or create a report from the Windows Security log about the kind of activity a user has been having on a network share?" Yes, as one user suggests: try the combination of Graylog + NXLog.
The NXLog integration documentation for Graylog can be found in the NXLog User Guide.
The blog post written by Rapid7 is a step-by-step walkthrough of using NXLog to transform an ingress authentication log into UEF.
Can you make this happen for free? No doubt. As one Reddit member says: "Our org for $0 yearly does the following. Dump every log using NXLog to Graylog."
With nxlog as log forwarder to graylog, you can specify in the nxlog config which events you want to be forwarded.
Why not nxlog for the log server as well? It’s beautiful. Highly recommended - easy XML config, decent documentation, good info and example config around. I’ve used external scripts, kvp parsing, json formatting, GELF to graylog, all works great.
This video shows a quick and easy way to send Windows Event Logs to a syslog server by installing the NXLog client on a Windows Server 2012 R2 machine.
Assuming your environments have been configured to log this stuff, nxlog will automatically forward all of these Windows events to your SIEM for you in real time; you don't need a script to make this happen.
In his article titled "Security Information & Event Management Design: Why log filtering is essential for Windows domain log sources?", Paul Dutot from Defence Logic raises some valid points about agent-side filtering, which we have been advocating for some time now. Well worth the read!
It's always a delight to hear users recommend NXLog:
NXLog - Such an awesome little free tool that will push Windows events to your log aggregator in a variety of formats. It can even read in from files and push contents out.