NxLog to QRadar with TLS
Hello Everybody,
We are currently using nxlog to send Windows logs to QRadar SIEM utsing TLS.
It works fine, but I receive extra lines in QRadar. I receive empty logs (containing Cg== on base 64, which seems to be a carriage return or a line break).
The problem appears only when using module om_ssl, not whith om_tcp or om_udp. We tried to remove line break or carriage return using nxlog configuration, but we still have the behaviour.
Has anybody seen the same problem ? How could I correct this behaviour ?
You'll find below our current configuration
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_msvistalog
ReadFromLast TRUE
</Input>
<Output ssl_out>
Module om_ssl
CertFile C:\CERTDIR\syslog-tls.cert
CertKeyFile C:\CERTDIR\syslog-tls.key
AllowUntrusted TRUE
Host 10.0.0.1
Port 6514
Exec to_syslog_snare();
</Output>
<Route 1>
Path internal => ssl_out
</Route>
Thank you !
Hello Everybody,
We are currently using nxlog to send Windows logs to QRadar SIEM utsing TLS.
It works fine, but I receive extra lines in QRadar. I receive empty logs (containing Cg== on base 64, which seems to be a carriage return or a line break).
The problem appears only when using module om_ssl, not whith om_tcp or om_udp. We tried to remove line break or carriage return using nxlog configuration, but we still have the behaviour.
Has anybody seen the same problem ? How could I correct this behaviour ?
You'll find below our current configuration
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_msvistalog
ReadFromLast TRUE
</Input>
<Output ssl_out>
Module om_ssl
CertFile C:\CERTDIR\syslog-tls.cert
CertKeyFile C:\CERTDIR\syslog-tls.key
AllowUntrusted TRUE
Host 10.0.0.1
Port 6514
Exec to_syslog_snare();
</Output>
<Route 1>
Path internal => ssl_out
</Route>
Thank you !
The windows version of NXLog generates the output with CRLF. This also seems to confuse rsyslog. Note that this is identical for both om_tcp and om_ssl so I'm not sure why om_tcp works.
We will be adding an enhancement to make it generate the output with LF only for om_tcp and om_ssl (and possibly make it configurable).
The NXLog EE has LEEF support in case that's of interest.
