Hello, I am testing nxlog to see if it works with sending security logs to our SIEM. I only want to send the security Events on our servers, and have our config file as shown:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
    # Uncomment the following to collect specific event logs only
    Query <QueryList>\
              <Query Id="0">\
    #             <Select Path="Application">*</Select>\
    #             <Select Path="System">*</Select>\
                  <Select Path="Security">*</Select>\
              </Query>\
          </QueryList>
</Input>

<Output out>
    Module om_udp
    Host   10.250.254.19
    Port   514
    Exec   to_syslog_snare();
</Output>

<Route 1>
    Path eventlog, internal => out
</Route>
I get some Security logs, but many are missing, like logon/logoff events (4624, 4634).
1. Why are these events missing?
2. Eventually, I would like to send only certain Event IDs to our SIEM, and would appreciate an example of what the query would look like with the specific Event IDs needed.
I will want to send just PCI Event IDs to our SIEM for retention.
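An added example of the query shape asked for in point 2 (this is not the poster's config and not an NXLog-supplied file). It narrows the `im_msvistalog` input to individual Event IDs with the standard Windows event XPath filter instead of `*`. The Event IDs 4624 and 4634 are the two named above; any further IDs required by the retention policy are assumed and would be appended to the same `or` list. The host and port of the syslog output are taken from the config above.

```conf
# Added example, not the poster's configuration.
# Collect only selected Security events and ship them as Snare syslog.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input eventlog_security>
    Module im_msvistalog
    # The XPath inside <Select> keeps only the listed Event IDs.
    # 4624 (logon) and 4634 (logoff) come from the question; add further
    # IDs to the "or" list as required. Every line of the multi-line
    # Query value must end with a backslash except the last one.
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>\
              </Query>\
          </QueryList>
</Input>

<Output out>
    Module om_udp
    Host   10.250.254.19
    Port   514
    Exec   to_syslog_snare();
</Output>

<Route security_only>
    Path eventlog_security => out
</Route>
```

The same QueryList XML can be tested on the server before deploying it, for example with `Get-WinEvent -FilterXml` in PowerShell: if that returns the expected 4624/4634 records but NXLog still ships none, the problem is on the collection side (service account access to the Security log) rather than in the query.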
Comments (2)
Thanks for the help with the Event IDs... as far as the settings on the DC, do you happen to know what setting needs to be changed? I see the actual 4624 Event on the server itself, it just is not being forwarded via nxlog.... is this what you're talking about:
https://www.manageengine.com/products/active-directory-audit/help/admin/domain-settings/authentication-for-collecting-audit-data.html
What "user" needs permission for nxlog...."Network Service"?
On Windows it runs under the System account by default, though this can be configured with some effort to be more restrictive.
I'm not exactly sure on the correct solution but I have seen this issue pop up in various forums with hints to DC and permissions. It's usually an all-or-nothing problem wrt the Security log and not affecting specific events only.
There are some suggestions related to Windows Event Forwarding such as this that talk about adding the NetworkService account to the Event Log Readers group, but afaik this is not relevant in this case, though there are other tips there which might solve it. Especially see the "Security Event Log Forwarding on Domain Controllers" section towards the end of this page. If you figure it out please post the solution here for future reference.