Hello all,
I wanted to syslog the Windows logs to one of my SIEMs in Snare format. When I configure nxlog as given below, the hostname is in the header, but I wanted to use one of the IP addresses of the server in the header instead.

Current log format:
Dec 15 11:18:52 ad-server.ad.cap62.test MSWinEventLog 1 Directory Service 1742824 Tue Dec 15 11:18:52 2015 103 NTDS ISAM N/A N/A Information ad-server.ad.cap62.test Knowledge Consistency Checker NTDS (500) NTDSA: The database engine stopped the instance (0). 458

The format I need:
Dec 15 11:18:52 10.10.10.1 MSWinEventLog 1 Directory Service 1742824 Tue Dec 15 11:18:52 2015 103 NTDS ISAM N/A N/A Information ad-server.ad.cap62.test Knowledge Consistency Checker NTDS (500) NTDSA: The database engine stopped the instance (0). 458

Config file:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Provides to_syslog_snare() and the other syslog formatting functions
<Extension syslog>
    Module xm_syslog
</Extension>

# nxlog's own messages (errors, warnings)
<Input internal>
    Module im_internal
</Input>

# Windows Event Log collection
<Input in>
    Module im_msvistalog
</Input>

# Snare-format syslog over UDP to the SIEM
<Output out>
    Module om_udp
    Host <IP Address of host>
    Port 514
    Exec to_syslog_snare();
</Output>

# A route may only name modules declared above; send both inputs to the Snare output
<Route 1>
    Path internal, in => out
</Route>

Can anyone please help me with that?

Asked August 17, 2018 - 2:34am

Answer (1)

You probably want something like Exec $Hostname = string(host_ip()); to pull from the Windows agents. Converting to a string because $Hostname is expecting a string value.
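Applied to the Output block from the question, the change looks like this (an added example, not from the original thread or from NXLog; it assumes host_ip() returns the agent's first non-loopback address, and keeps the SIEM address placeholder from the question):

```apacheconf
<Output out>
    Module  om_udp
    Host    <IP Address of host>
    Port    514
    # to_syslog_snare() builds the header from $Hostname, so the field must be
    # set before it runs. host_ip() yields an ip4addr value; string() converts
    # it to the string type $Hostname expects.
    Exec    $Hostname = string(host_ip());
    # Alternative when a specific interface address is required (value taken
    # from the desired output in the question):
    # Exec    $Hostname = "10.10.10.1";
    Exec    to_syslog_snare();
</Output>
```

With this order the header host field becomes the agent's IP while the Snare body still carries the FQDN (ad-server.ad.cap62.test), as in the requested format.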