Configuration to send Windows Security Logs only

3
responses

cwalter

Hello, I am testing nxlog to see if it works with sending security logs to our SIEM. I only want to send the security Events on our servers, and have our config file as shown:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
# Uncomment the following to collect specific event logs only
     Query <QueryList>\
               <Query Id="0">\
#                  <Select Path="Application">*</Select>\
#                  <Select Path="System">*</Select>\
                   <Select Path="Security">*</Select>\
               </Query>\
           </QueryList>
</Input>

<Output out>
    Module      om_udp
    Host        10.250.254.19
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
Path eventlog, internal => out
</Route>

I get some security logs, but many are missing, like logon/logoff events (4624, 4634)

1. - why are these events missing and

2. Eventually, I would like to only send certain Event ID"s to our SIEM, and hope to get help with an example of what the query would look like with the specific Event ID's needed.

I will want to just send PCI Event ID's to our SEIM for retention.

AskedJuly 1, 2016 - 6:41pm

adm

You can filter on specific event ids using the appropriate query xml. You can test and then copy from Event Viewer.

E.g.:

<QueryXML>
   <QueryList>                     
     <Query Id="0">  
        <Select Path="Security">*[System[(EventID=EventID=42 or EventID=4242)]]</Select>
     </Query>
   </QueryList>
</QueryXML>

AFAIK the missing events are caused by a permissions setting problem on the DC and is not an issue with NXLog per se.

AnsweredJuly 4, 2016 - 10:50am

Leave a comment

Comments (2)

cwalter
Leave a comment
Thanks for the help with the Event ID's... as far as the settings on the DC, do you happen to know what setting needs to be changed? I see the actual 4624 Event on the server itself, it just is not being fowarded via nxlog.... is this what your talking about:

https://www.manageengine.com/products/active-directory-audit/help/admin/domain-settings/authentication-for-collecting-audit-data.html

What "user" needs permission for nxlog...."Network Service"?

July 6, 2016 - 7:30pm

adm (NXLog)
Leave a comment
On Windows it runs under the System account by default, though this can be configured with some effort to be more restrictive.

I'm not exactly sure on the correct solution but I have seen this issue pop up in various forums with hints to DC and permissions. It's usually an all-or-nothing problem wrt the Security log and not affecting specific events only.

There are some suggestions related to Windows Event Forwarding such as this that talk about adding the NetworkService account to the Event Log Readers group but afaik this is not relevant in this case, though there are other tips there which might solve it. Especially see the "Security Event Log Forwarding on Domain Controllers" section towards the end on this page.

If you figure it out please post the solution here for future reference.

July 6, 2016 - 7:41pm

You are here

Configuration to send Windows Security Logs only

Answer (1)

Comments (2)