5
responses

Hi,

I want to send syslog from Windows Server 2012 R2 (using NxLog) from my SIEM (FORTISIEM)

AskedJune 17, 2018 - 8:08pm

Comments (5)

  • Zhengshi's picture
    (NXLog)

    Are you having any issues after you have attempted to setup the config for your environment?
    If you are looking for ways to configure your NXLog agent, the User Guide has many examples on syslog as input and output. Please see the following sections. If you do not find what you are looking for, a search of the document may show what you are looking for.

    https://nxlog.co/documentation/nxlog-user-guide#xm_syslog

    https://nxlog.co/documentation/nxlog-user-guide#snare

  • Deyvis Valladares Loza's picture

    Hi Zhengshi,

    I have already configured the NXLog, my FortiSIEM receives the logs but with the following format, for example:

    14>1 2018-06-18T12:21:54.126244-05:00 DESKTOP-TK6DBDM Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="5156" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="1" Task="12810" OpcodeValue="0" RecordNumber="72022" ThreadID="8676" Channel="Security" Category="Filtering Platform Connection" Opcode="Información" Application="\\device\\harddiskvolume2\\windows\\system32\\svchost.exe" Direction="%%14592" SourceAddress="fe80::5866:48d4:d8bd:cd83" SourcePort="52128" DestAddress="ff02::1:3" DestPort="5355" Protocol="17" FilterRTID="66029" LayerName="%%14610" LayerRTID="46" RemoteUserID="S-1-0-0" RemoteMachineID="S-1-0-0" EventReceivedTime="2018-06-18 12:21:58" SourceModuleName="in_eventlog" SourceModuleType="im_msvistalog"] La Plataforma de filtrado de Windows permitió una conexión. Información de aplicación: Id. de proceso: 2660 Nombre de aplicación: \device\harddiskvolume2\windows\system32\svchost.exe Información de red: Dirección: Enlace interno Dirección de origen: fe80::5866:48d4:d8bd:cd83 Puerto de origen: 52128 Dirección de destino: ff02::1:3 Puerto de destino: 5355 Protocolo: 17 Información de filtro: Id. de tiempo de ejecución de filtro: 66029 Nombre de nivel: Recibir o aceptar Id. de tiempo de ejecución de nivel: 46

    Pero quiero que reciba con este formato, por ejemplo:

    Thu May 07 02:23:58 2015 WIN-2008-249.ersijiu.com 10.1.2.249 AccelOps-WUA-WinLog [monitorStatus]="Success"
    [eventName]="Security"
    [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4624" [eventType]="Audit Success"
    [domain]=""
    [computer]="WIN-2008-249.ersijiu.com" [user]="" [userSID]="" [userSIDAcctType]=""
    FortiSIEM - Windows Agent & Agent Manager Installation Guide
    Fortinet Technologies Inc.
    29
    Sample logs generated by FortiSIEM Windows Agents Setting up FortiSIEM Windows Agent and Agent Manager
    [eventTime]="May 07 2015 10:23:56"
    [deviceTime]="May 07 2015 10:23:56" [msg]="An account was successfully logged on." [[Subject]][Security
    ID]="S-1-0-0" [Account Name]=""
    [Account Domain]="" [Logon ID]="0x0" [Logon Type]="3" [[New Logon]][Security ID]="S-1-5-21-
    3459063063-1203930890-2363081030-500"
    [Account Name]="Administrator" [Account Domain]="ERSIJIU" [Logon ID]="0xb9bd3" [Logon GUID]="
    {00000000-0000-0000-0000-000000000000}"
    [[Process Information]][Process ID]="0x0" [Process Name]="" [[Network Information]][Workstation
    Name]="SP171" [Source Network Address]="10.1.2.171"
    [Source Port]="52409" [[Detailed Authentication Information]][Logon Process]="NtLmSsp"
    [Authentication Package]="NTLM" [Transited Services]=""
    [Package Name (NTLM only)]="NTLM V2" [Key Length]="128" [details]=""

    What do I have to change in the "nxlog.conf" file?

  • b0ti's picture
    (NXLog)

    What do I have to change in the "nxlog.conf" file?

    Since you have not provided what you have in your config file we can only guess. Based on the log sample you probably have to_syslog_ietf() in the config. If your FortiSIEM doesn't understand this you can try using the snare syslog format with to_syslog_snare() or the RFC3164 syslog format with to_syslog_bsd().

  • Deyvis Valladares Loza's picture

    Sorry, This is my configuration in nxlog.conf:

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension syslog>
    Module xm_syslog
    </Extension>
    <Input in_eventlog>
    # For windows 2008/vista/7/8/2012/2012R2 and latter use the following:
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos TRUE
    </Input>

    <Processor format_log>
    Module pm_transformer
    Exec $Hostname = hostname();
    </Processor>

    <Output out_eventlog>
    Module om_udp
    Host 34.232.146.52
    Port 514
    Exec to_syslog_snare();
    </Output>

    <Route eventlog>
    Path in_eventlog => format_log => out_eventlog
    </Route>

  • EL_GA's picture

    Using to_syslog_snare is not going output the logs in the format that the Windows parser on FortiSIEM is going to recognize. You're going to have to modify the logs via NXLog to look like what the parser is expecting, or you're going to have to write a new FortiSIEM parser.

    You may be able to use regex and replacement to match the relevant details, like so https://regex101.com/r/4g2HD1/1 , then replace the $text with [$text], then check the event format recognizer of the FortiSIEM parser and append what it's looking for. That should be enough to get it to match.

Answers (0)