Oct 2021

Watch Now: Passive Network Monitoring and Network Packet Capture Support with the im_pcap module video tutorial

With Passive Network Monitoring, administrators can capture network traffic from devices that are not configured, or cannot be configured, to forward network activity logs. This feature also lets security personnel catch logs from rogue devices on the network that they might not be aware of.

In this tutorial series, we'll be explaining the passive network monitoring abilities of NXLog Enterprise Edition to capture and log questionable network-related events such as rogue DHCP server replies, unexpected ARP and ICMP sweeps, and DNS tunneling.

The im_pcap module of NXLog Enterprise Edition provides support for passively monitoring network traffic by generating logs for various protocols.

Watch this series of videos now to see how Passive Network Monitoring works with NXLog Enterprise Edition.

Putting together your first NXLog configuration

If you're already part of the NXLog community and ready to dive into the world of log collection with NXLog, you have made a great choice. However, before you start collecting logs, you should know how your NXLog log collection tool works.

The NXLog log collection tool uses loadable modules that are invoked within the input, data modification, and output stages. Because you choose which modules to use in your NXLog configuration file, there are countless possibilities for collecting logs based on your organization's needs.

In this guide, we'll show you how to put together your first NXLog configuration so you can get started.
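As an added illustration of those three stages (this is not the page's own or NXLog's documentation example), here is a minimal NXLog Enterprise Edition configuration that uses the im_pcap module mentioned in this newsletter to passively capture DNS traffic and forward it to a SIEM; the interface name eth0 and the collector host siem.example.internal are assumed placeholders.

```apacheconf
# Added example, not from the page or NXLog's documentation.
# Assumptions: the capture interface is eth0 and the SIEM collector
# listens on TCP port 514 at siem.example.internal (placeholder host).

# Extension module: provides the to_json() function used in the output stage
<Extension json>
    Module  xm_json
</Extension>

# Input stage: passively sniff DNS packets on eth0 instead of reading a log file
<Input pcap_dns>
    Module  im_pcap
    Dev     eth0
    <Protocol>
        Type  dns
    </Protocol>
</Input>

# Output stage: serialize each captured event as JSON and send it over TCP
<Output siem>
    Module  om_tcp
    Host    siem.example.internal
    Port    514
    Exec    to_json();
</Output>

# Route: wire the chosen input to the chosen output. Data-modification
# modules (pm_*) can be inserted between them in the Path when needed.
<Route pcap_to_siem>
    Path    pcap_dns => siem
</Route>
```

Swapping im_pcap for a different input module, or om_tcp for a different output module, changes what is collected and where it goes without touching the other stages.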

Collecting logs from General Electric CIMPLICITY

CIMPLICITY SCADA servers are responsible for collecting and distributing data within a production environment. CIMPLICITY clients connect to servers to view and manage the collected data. Some of the logs produced by General Electric CIMPLICITY are channeled through Windows Event Log, some are saved in files and databases, while others might represent network activity logged by passive network monitoring. These logs provide important information, in real time, that can be used to determine the state, health, and security of the industrial systems that generated them.

NXLog can be configured to collect and process all types of logs produced by General Electric CIMPLICITY, including logs from Windows Event Log, file-based logs, and logs obtained via passive network monitoring.

Find out how to start collecting logs from General Electric CIMPLICITY.

Forwarding Windows DNS Server events to Azure Sentinel and/or IBM QRadar

Attackers frequently use DNS for data theft, denial of service, and other malicious activity. Without DNS logging, some types of security breaches would go completely undetected until their consequences surface as irreparable damage, noticed only days or weeks later.

With an effective logging strategy responsible for forwarding quality events to a SIEM, the brunt of intrusion detection can be automated, giving security operations center (SOC) personnel more time for analyzing suspicious alerts and working on security tasks of a more proactive nature.

NXLog can be configured to collect and forward Windows DNS Server events to multiple destinations, including solutions such as Azure Sentinel and/or IBM QRadar.

Top Social Media Chatter October

What did the community have to say about NXLog on social media? Tweet us or share our updates with us on LinkedIn for an opportunity to be listed in this newsletter.

  • NXLog is mentioned in an article about Datadog and Splunk on Medium - Read article
  • Blumira/Sysmon/NXlog integration recommended for MSP on Reddit - See thread
  • NXLog CE is mentioned as a solution for ingesting Windows event logs into Graylog - Read article
  • RDP honeypot with NXLog CE as part of the stack - Read article
