
Hi guys,

I wanted to use NXLog to send data from a XML file into GrayLog.

My first test worked fine with a simple XML file. But with a Nessus Report (in XML) it doesn't work, because this file is more complex. Do you have an example nxlog.conf configuration to help me?

My actual nxlog.conf :

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module	xm_gelf
</Extension>

<Extension multiline>
    Module	xm_multiline
    HeaderLine	/^<event>/
    EndLine	/^</event>/
</Extension>

<Extension xmlparser>
    Module	xm_xml
</Extension>

<Extension json>
    Module	xm_json
</Extension>

<Input in>
    Module	im_file
    File	"C:\Program Files\Graylog\collector-sidecar\generated\exempleFichier.xml"
    SavePos	FALSE
    ReadFromLast FALSE
    InputType	multiline
    <Exec>
      # Discard everything that doesn't seem to be an xml event   
      if $raw_event !~ /^<event>/ drop();

      # Parse the xml event
      parse_xml();

      # Rewrite some fields 
      $EventTime = parsedate($timestamp);
      delete($timestamp);
      delete($EventReceivedTime);

      # Convert to JSON
      to_json();
    </Exec>
</Input>

<Output out>
    Module      om_udp
    Host        xx.xx.xx.xx
    Port        12201
</Output>

<Route 1>
    Path        in => out
</Route>

And a (very little) preview of my Nessus file...

<Report name="Scan_Nessus" xmlns:cm="http://www.nessus.org/cm">
<ReportHost name="192.168.1.1"><HostProperties>
<tag name="traceroute-hop-8">192.168.1.1</tag>
<tag name="LastUnauthenticatedResults">1490484150</tag>
<tag name="Credentialed_Scan">false</tag>
<tag name="policy-used">policies_scan</tag>
<tag name="patch-summary-total-cves">1</tag>
<tag name="os">other</tag>
<tag name="system-type">general-purpose</tag>
<tag name="operating-system">CISCO IOS</tag>
<tag name="traceroute-hop-7">?</tag>
<tag name="traceroute-hop-6">192.168.1.1</tag>
<tag name="traceroute-hop-5">192.168.1.2</tag>
<tag name="traceroute-hop-4">192.168.1.3</tag>
<tag name="HOST_END">Sun Mar 26 00:22:30 2017</tag>
<tag name="host-ip">192.168.1.1</tag>
<tag name="HOST_START">Sun Mar 26 00:20:19 2017</tag>
</HostProperties>
<ReportItem port="123" svc_name="ntp" protocol="udp" severity="0" pluginID="10884" pluginName="Network Time Protocol (NTP) Server Detection" pluginFamily="Service detection">
<cpe>cpe:/a:ntp:ntp</cpe>
<description>An NTP server with an insecure configuration is listening on port 123.
It provides information about its version, current date, current time, and possibly system information.</description>
<fname>ntp_open.nasl</fname>
<plugin_modification_date>2017/03/21</plugin_modification_date>
<plugin_name>Network Time Protocol (NTP) Server Detection</plugin_name>
<plugin_publication_date>2015/03/20</plugin_publication_date>
<plugin_type>remote</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.27 $</script_version>
<see_also>http://www.ntp.org</see_also>
<solution>n/a</solution>
<synopsis>An NTP server with an insecure configuration is listening on the remote host.</synopsis>
<plugin_output>
  Version : unknown
</plugin_output>
</ReportItem>

Thanks!

Asked April 3, 2017 - 5:43pm

Comments (4)

  • ilovegraylog

    Hello,

    Yes I know, it's because XML reports generated by Nessus are very big and I don't want to post it here in full... You can find my full Nessus report here : https://paste.ee/p/octF9

    And if it can help, this is an official doc by Nessus to understand how this report works : https://static.tenable.com/documentation/nessus_v2_file_format.pdf

    The .nessus file format lists two sections named “Policy” and “Report”. Each section can have multiple components. A basic outline is shown below, including the “NessusClientData” header and footer:

    <NessusClientData_v2>
    <Policy><policyName>MyPolicy</policyName>
    [..]
    </Policy>
    <Report name="MyScan">
    [..]
    </Report>
    </NessusClientData_v2>

    The most sophisticated portion of the .nessus file format is the “Policy” section. This section enables and disables families, individual plugins, sets individual plugin preferences and specifies credentials. It also allows for a unique name and description. Below is the structure of a “Policy” section:

    <Policy>
    <policyName>MyName</policyName>
    <policyComments>MyComment</policyComments>
    <ServerPreferences>
    <preference>
    <name>max_simult_tcp_sessions</name>
    <value>unlimited</value>
    </preference>
    </ServerPreferences>
    <PluginsPreferences>
    <item>
      <pluginName>WebApplicationTestsSettings</pluginName>
      <pluginId>39471</pluginId>
    <fullName>WebApplicationTestsSettings[checkbox]:Enable
    webapplicationstests</fullName>
    <preferenceName>Enablewebapplicationstests</preferenceName>
    <preferenceType>checkbox</preferenceType>
    <preferenceValues>no</preferenceValues>
    <selectedValue>no</selectedValue>
    </item>
    </PluginsPreferences>
    </Preferences>
    <FamilySelection>
    <FamilyItem>
    <FamilyName>MacOS X Local Security Checks</FamilyName>
    <Status>disabled</Status>
    </FamilyItem>

    </FamilySelection>
    </Policy>

    Thanks for your help!

  • ilovegraylog

    Hi all! If someone can help me it would be perfect! Actually, my logs from this XML file are unusable because they are not parsed and I am trying to understand how I can parse it :)

    Thanks!

  • atmosx

    Hello,

    We have created a ticket, I'll update the thread when I have a solution ready.

    If you are in a hurry, you could use the xm_perl module and possibly share the solution, or we can investigate and provide a solution, oversight, profiling etc. under a support contract.

    Thanks!
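The question asks how to get each Nessus finding into Graylog together with its host context, and the reply above points at xm_perl as the way to script that. The following is an added example (it is not NXLog, Graylog or Tenable code and is not part of this thread) of the flattening such a script has to do: walk Report, then ReportHost, then ReportItem, copy the host's <tag> properties onto every item, and emit GELF 1.1 messages of the kind om_udp sends to port 12201. It is written in Python with the standard library so it runs on its own; the embedded sample report, the severity-to-level mapping and the decision to read the report clock as UTC are this example's assumptions, not something the thread or the Nessus format specifies.

```python
"""Flatten a Nessus v2 (.nessus) report into GELF 1.1 messages, one per
ReportItem, with the parent ReportHost's <tag> properties attached.
Added example for this thread, not NXLog, Graylog or Tenable code."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample (not a real scan): same layout as the question's
# fragment, trimmed, plus a second item with repeated <cve> children.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Scan_Nessus" xmlns:cm="http://www.nessus.org/cm">
<ReportHost name="192.168.1.1"><HostProperties>
<tag name="operating-system">CISCO IOS</tag>
<tag name="host-ip">192.168.1.1</tag>
<tag name="HOST_START">Sun Mar 26 00:20:19 2017</tag>
<tag name="HOST_END">Sun Mar 26 00:22:30 2017</tag>
</HostProperties>
<ReportItem port="123" svc_name="ntp" protocol="udp" severity="0"
 pluginID="10884" pluginName="Network Time Protocol (NTP) Server Detection"
 pluginFamily="Service detection">
<description>An NTP server with an insecure configuration is listening on port 123.</description>
<risk_factor>None</risk_factor>
<plugin_output>
  Version : unknown
</plugin_output>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
 pluginID="0" pluginName="Placeholder finding" pluginFamily="Misc.">
<risk_factor>Medium</risk_factor>
<cve>CVE-PLACEHOLDER-1</cve>
<cve>CVE-PLACEHOLDER-2</cve>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

# Children that may repeat inside a ReportItem; collected as lists.
MULTI_VALUED = {"cve", "bid", "xref", "see_also"}
# Nessus severity (0 Info .. 4 Critical) to syslog level for GELF.
# This mapping is the example's own choice, not a Nessus convention.
SEVERITY_TO_LEVEL = {0: 6, 1: 5, 2: 4, 3: 3, 4: 2}


def nessus_time_to_epoch(value):
    """'Sun Mar 26 00:22:30 2017' -> epoch seconds. The report clock is
    read as UTC here (assumption; adjust for the scanner's time zone)."""
    dt = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def host_properties(report_host):
    """Collect <HostProperties><tag name="k">v</tag> into a dict."""
    props = {}
    for t in report_host.iterfind("./HostProperties/tag"):
        if t.get("name"):
            props[t.get("name")] = (t.text or "").strip()
    return props


def flatten_items(nessus_xml):
    """One flat dict per ReportItem: scan name, host tags, item data."""
    records = []
    for report in ET.fromstring(nessus_xml).iter("Report"):
        for host in report.iterfind("ReportHost"):
            props = host_properties(host)
            for item in host.iterfind("ReportItem"):
                rec = {"scan_name": report.get("name"), "host": host.get("name")}
                # Host tag names use '-'; normalise to '_' for easier searching.
                for name, text in props.items():
                    rec["host_" + name.replace("-", "_")] = text
                rec.update(item.attrib)  # port, svc_name, protocol, pluginID, ...
                rec["severity"] = int(item.get("severity", "0"))
                for child in item:
                    text = (child.text or "").strip()
                    if child.tag in MULTI_VALUED:
                        rec.setdefault(child.tag, []).append(text)
                    else:
                        rec[child.tag] = text
                records.append(rec)
    return records


def to_gelf(rec):
    """GELF 1.1: version, host and short_message are required, timestamp
    is epoch seconds, and every additional field is prefixed with '_'."""
    msg = {
        "version": "1.1",
        "host": rec["host"],
        "short_message": "%s on %s:%s/%s" % (
            rec.get("pluginName", "?"), rec["host"],
            rec.get("port", "?"), rec.get("protocol", "?")),
        "level": SEVERITY_TO_LEVEL.get(rec["severity"], 6),
    }
    if "host_HOST_END" in rec:
        msg["timestamp"] = nessus_time_to_epoch(rec["host_HOST_END"])
    if rec.get("description"):
        msg["full_message"] = rec["description"]
    for key, value in rec.items():
        if key != "host":  # already the GELF host; GELF fields cannot be lists
            msg["_" + key] = ", ".join(value) if isinstance(value, list) else value
    return msg


def nessus_to_gelf_lines(nessus_xml):
    """Newline-delimited JSON, one GELF message per finding."""
    return [json.dumps(to_gelf(r), sort_keys=True) for r in flatten_items(nessus_xml)]


if __name__ == "__main__":
    for line in nessus_to_gelf_lines(SAMPLE_NESSUS):
        print(line)
```

Running it prints one JSON line per finding, each already carrying the host-ip, operating-system and HOST_START/HOST_END values from the enclosing host, which is the context that a line-oriented multiline split on the raw file cannot provide. The same walk written in Perl for xm_perl would set these as event fields before the existing to_json() call; testing the logic first as a standalone script against the full report from the paste link avoids debugging it inside the collector.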

Answers (0)