Comments (5)
Are you having any issues after you have attempted to set up the config for your environment?
If you are looking for ways to configure your NXLog agent, the User Guide has many examples on syslog as input and output. Please see the following sections. If you do not find what you are looking for, a search of the document may show what you are looking for.
https://nxlog.co/documentation/nxlog-user-guide#xm_syslog
https://nxlog.co/documentation/nxlog-user-guide#snare
Hi Zhengshi,
I have already configured NXLog; my FortiSIEM receives the logs, but in the following format, for example:
<14>1 2018-06-18T12:21:54.126244-05:00 DESKTOP-TK6DBDM Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="5156" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="1" Task="12810" OpcodeValue="0" RecordNumber="72022" ThreadID="8676" Channel="Security" Category="Filtering Platform Connection" Opcode="Información" Application="\\device\\harddiskvolume2\\windows\\system32\\svchost.exe" Direction="%%14592" SourceAddress="fe80::5866:48d4:d8bd:cd83" SourcePort="52128" DestAddress="ff02::1:3" DestPort="5355" Protocol="17" FilterRTID="66029" LayerName="%%14610" LayerRTID="46" RemoteUserID="S-1-0-0" RemoteMachineID="S-1-0-0" EventReceivedTime="2018-06-18 12:21:58" SourceModuleName="in_eventlog" SourceModuleType="im_msvistalog"] La Plataforma de filtrado de Windows permitió una conexión. Información de aplicación: Id. de proceso: 2660 Nombre de aplicación: \device\harddiskvolume2\windows\system32\svchost.exe Información de red: Dirección: Enlace interno Dirección de origen: fe80::5866:48d4:d8bd:cd83 Puerto de origen: 52128 Dirección de destino: ff02::1:3 Puerto de destino: 5355 Protocolo: 17 Información de filtro: Id. de tiempo de ejecución de filtro: 66029 Nombre de nivel: Recibir o aceptar Id. de tiempo de ejecución de nivel: 46
But I want it to receive them in this format, for example:
Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4624" [eventType]="Audit Success" [domain]="" [computer]="WIN-2008-249.ersijiu.com" [user]="" [userSID]="" [userSIDAcctType]=""
[eventTime]="May 07 2015 10:23:56" [deviceTime]="May 07 2015 10:23:56" [msg]="An account was successfully logged on." [[Subject]][Security ID]="S-1-0-0" [Account Name]="" [Account Domain]="" [Logon ID]="0x0" [Logon Type]="3" [[New Logon]][Security ID]="S-1-5-21-3459063063-1203930890-2363081030-500" [Account Name]="Administrator" [Account Domain]="ERSIJIU" [Logon ID]="0xb9bd3" [Logon GUID]="{00000000-0000-0000-0000-000000000000}" [[Process Information]][Process ID]="0x0" [Process Name]="" [[Network Information]][Workstation Name]="SP171" [Source Network Address]="10.1.2.171" [Source Port]="52409" [[Detailed Authentication Information]][Logon Process]="NtLmSsp" [Authentication Package]="NTLM" [Transited Services]="" [Package Name (NTLM only)]="NTLM V2" [Key Length]="128" [details]=""
What do I have to change in the "nxlog.conf" file?
Since you have not provided what you have in your config file we can only guess. Based on the log sample you probably have to_syslog_ietf() in the config. If your FortiSIEM doesn't understand this you can try using the snare syslog format with to_syslog_snare() or the RFC3164 syslog format with to_syslog_bsd().
Sorry, this is my configuration in nxlog.conf:
## This is a sample configuration file. See the nxlog reference manual about the
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input in_eventlog>
# For Windows 2008/Vista/7/8/2012/2012R2 and later use the following:
Module im_msvistalog
ReadFromLast TRUE
SavePos TRUE
</Input>
<Processor format_log>
Module pm_transformer
Exec $Hostname = hostname();
</Processor>
<Output out_eventlog>
Module om_udp
Host 34.232.146.52
Port 514
Exec to_syslog_snare();
</Output>
<Route eventlog>
Path in_eventlog => format_log => out_eventlog
</Route>
Using to_syslog_snare is not going to output the logs in the format that the Windows parser on FortiSIEM is going to recognize. You're going to have to modify the logs via NXLog to look like what the parser is expecting, or you're going to have to write a new FortiSIEM parser.
You may be able to use regex and replacement to match the relevant details, like so: https://regex101.com/r/4g2HD1/1, then replace the $text with [$text], then check the event format recognizer of the FortiSIEM parser and append what it's looking for. That should be enough to get it to match.
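The rewrite described above (bracket each "Key: value" pair of the Windows message, open a [[Section]] for headings, and prepend the AccelOps-WUA-WinLog header) as an added stand-alone Python model, not code from this thread, NXLog or Fortinet; the real rewrite would live in an NXLog Exec block. It runs on a constructed, shortened copy of the IETF line shown above; the agent IP, the header fields chosen and the assumption that FortiSIEM's parser accepts exactly this layout are assumptions.

```python
import re
from datetime import datetime
# Constructed sample (not from the thread): a shortened line in the shape to_syslog_ietf()
# emits, with the Windows message kept multi-line (CRLF + tabs) as im_msvistalog delivers it.
SAMPLE_LINE = (
    '<14>1 2018-06-18T12:21:54.126244-05:00 DESKTOP-TK6DBDM Microsoft-Windows-Security-Auditing 4 - '
    '[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="4624" Channel="Security" '
    'Application="\\\\device\\\\harddiskvolume2\\\\windows\\\\system32\\\\svchost.exe"] '
    'An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n'
    '\tAccount Name:\t\t-\r\n\r\nLogon Type:\t\t\t3\r\n'
)
HEADER = re.compile(r'^<(\d+)>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\[.*)$', re.S)
# RFC 5424 backslash-escapes '"', '\' and ']' inside SD-PARAM values (see the \\device path),
# so a plain split on ']' or '"' would truncate them; both patterns honour the escape.
SD_ELEM = re.compile(r'^\[((?:[^\]\\]|\\.)*)\] ?(.*)$', re.S)
SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def split_sd(rest):
    """Split '[NXLOG@14506 k="v" ...] message' into (unescaped params dict, message)."""
    sd, msg = SD_ELEM.match(rest).groups()
    return {k: re.sub(r'\\(.)', r'\1', v) for k, v in SD_PARAM.findall(sd)}, msg

def bracket_message(msg):
    """Rewrite the message body as [msg]="..." [[Section]][Key]="value" ...: a 'Name:' line
    with no value opens a section, 'Key:<tabs>value' becomes [Key]="value"."""
    lines = [ln.strip() for ln in msg.splitlines()]
    out, glue = '[msg]="%s"' % lines[0], ' '
    for line in lines[1:]:
        key, sep, val = line.partition(':')
        if not sep:                       # blank or free-text line: nothing to bracket
            continue
        val = val.strip()
        if val:
            out, glue = out + glue + '[%s]="%s"' % (key, val), ' '
        else:
            out, glue = out + ' [[%s]]' % key, ''
    return out

def to_fortisiem(line, agent_ip):
    """Build the AccelOps-WUA-WinLog line modelled on the thread's sample (fields and agent_ip assumed)."""
    _pri, ts, host, app, _procid, _msgid, rest = HEADER.match(line).groups()
    params, msg = split_sd(rest)
    when = datetime.fromisoformat(ts)
    head = [('monitorStatus', 'Success'), ('eventName', params.get('Channel', '')),
            ('eventSource', app), ('eventId', params.get('EventID', '')),
            ('eventType', params.get('EventType', '').replace('_', ' ').title()),
            ('computer', host), ('eventTime', when.strftime('%b %d %Y %H:%M:%S'))]
    return '%s %s %s AccelOps-WUA-WinLog %s %s' % (
        when.strftime('%a %b %d %H:%M:%S %Y'), host, agent_ip,
        ' '.join('[%s]="%s"' % kv for kv in head), bracket_message(msg))
```

Values containing a literal double quote are passed through unchanged here, so check how the target parser wants them escaped before relying on it.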