
Hello Everybody, 

We are currently using nxlog to send Windows logs to QRadar SIEM using TLS.

It works fine, but I receive extra lines in QRadar. I receive empty logs (containing Cg== in base64, which seems to be a carriage return or a line break).

The problem appears only when using module om_ssl, not with om_tcp or om_udp. We tried to remove the line break or carriage return using nxlog configuration, but we still have the behaviour.

Has anybody seen the same problem? How could I correct this behaviour?

You'll find below our current configuration


define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module  xm_syslog
</Extension>

# Windows Event Log input; ReadFromLast skips events already present at start-up
<Input internal>
    Module        im_msvistalog
    ReadFromLast  TRUE
</Input>

# TLS output to the SIEM on 6514; each event is converted to Snare format before sending
<Output ssl_out>
    Module          om_ssl
    CertFile        C:\CERTDIR\syslog-tls.cert
    CertKeyFile     C:\CERTDIR\syslog-tls.key
    # AllowUntrusted TRUE disables verification of the server's certificate
    AllowUntrusted  TRUE
    Host            10.0.0.1
    Port            6514
    Exec            to_syslog_snare();
</Output>

<Route 1>
    Path  internal => ssl_out
</Route>


Thank you !

Asked January 25, 2016 - 11:49am

Answer (1)

The Windows version of NXLog generates the output with CRLF. This also seems to confuse rsyslog. Note that this is identical for both om_tcp and om_ssl so I'm not sure why om_tcp works.

We will be adding an enhancement to make it generate the output with LF only for om_tcp and om_ssl (and possibly make it configurable). 

The NXLog EE has LEEF support in case that's of interest.


Comments (2)

  • Corentin

    Thanks for your answer. I'm not sure that LEEF format is supported for Windows event logs in QRadar.

    We tried to remove CRLF with the following line in the output :

    exec $raw_event = replace($raw_event, "\r\n", " ");

    Shouldn't it work?
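An added diagnostic for the symptom discussed in this thread (not code from the thread, from NXLog or from QRadar): it splits a byte stream the way a simple newline-delimited receiver does, flags any record that is nothing but CR/LF, and reports it base64-encoded so it can be compared with what the SIEM displays. The sample stream is constructed to reproduce the symptom (a stray record that encodes as Cg==), not a capture, and the normalisation function is a receiver-side check, not an NXLog setting.

```python
import base64

# Constructed sample (not a capture): two Snare-format Windows events, the first
# followed by a bare LF in addition to its CRLF terminator.
SAMPLE_STREAM = (
    b"<13>Jan 25 11:49:00 HOST MSWinEventLog\t1\tSecurity\t4624\tlogon\r\n"
    b"\n"
    b"<13>Jan 25 11:49:01 HOST MSWinEventLog\t2\tSecurity\t4634\tlogoff\r\n"
)


def split_records(stream: bytes) -> list[bytes]:
    """Split a stream the way a simple receiver does: LF ends a record and each
    record is returned with its terminator intact (so a CR before the LF stays)."""
    records = []
    start = 0
    while True:
        end = stream.find(b"\n", start)
        if end == -1:
            break
        records.append(stream[start:end + 1])
        start = end + 1
    return records


def stray_records(records: list[bytes]) -> list[tuple[int, str]]:
    """Return (index, base64 payload) for records containing only CR/LF bytes.
    QRadar shows unparsed payloads base64-encoded, so the string can be compared
    directly with what the SIEM displays; a lone LF encodes as "Cg==" (assumption
    about the display format based on the thread, not on QRadar documentation)."""
    return [
        (i, base64.b64encode(r).decode("ascii"))
        for i, r in enumerate(records)
        if not r.strip(b"\r\n")
    ]


def normalize_records(stream: bytes) -> list[bytes]:
    """Receiver-side normalisation: accept CRLF or LF as the terminator, strip it,
    and drop records that carried no payload at all."""
    return [r.rstrip(b"\r\n") for r in split_records(stream) if r.strip(b"\r\n")]
```

Running split_records on the sample yields three records, the middle one being the stray LF, while normalize_records yields the two real events with no trailing CR.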