Request trial
Request Trial

Syslog'ing windows logs in snare format withIP address in header

Tags: ip address in logs | windows syslog
#1 valtervetri001

Hello all, I wanted to syslog the Windows logs to one of my SIEM in snare format. when i configure the nxlog as given below, the hostname is there in header. but i wanted to use any of the IP address of the server in header.

current logs format: Dec 15 11:18:52 ad-server.ad.cap62.test MSWinEventLog 1 Directory Service 1742824 Tue Dec 15 11:18:52 2015 103 NTDS ISAM N/A N/A Information ad-server.ad.cap62.test Knowledge Consistency Checker NTDS (500) NTDSA: The database engine stopped the instance (0). 458

the format i need: Dec 15 11:18:52 10.10.10.1 MSWinEventLog 1 Directory Service 1742824 Tue Dec 15 11:18:52 2015 103 NTDS ISAM N/A N/A Information ad-server.ad.cap62.test Knowledge Consistency Checker NTDS (500) NTDSA: The database engine stopped the instance (0). 458

config file: define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension syslog> Module xm_syslog </Extension>

<Input internal> Module im_internal </Input>

<Input in> Module im_msvistalog </Input>

<Output out> Module om_udp Host <IP Address of host> Port 514 Exec to_syslog_snare(); </Output>

<Route 1> Path eventlog, in => out </Route>

Please anyone help me with that?

Permalink
#2 Zhengshi Nxlog ✓
#1 valtervetri001
Hello all, I wanted to syslog the Windows logs to one of my SIEM in snare format. when i configure the nxlog as given below, the hostname is there in header. but i wanted to use any of the IP address of the server in header. current logs format: Dec 15 11:18:52 ad-server.ad.cap62.test MSWinEventLog 1 Directory Service 1742824 Tue Dec 15 11:18:52 2015 103 NTDS ISAM N/A N/A Information ad-server.ad.cap62.test Knowledge Consistency Checker NTDS (500) NTDSA: The database engine stopped the instance (0). 458 the format i need: Dec 15 11:18:52 10.10.10.1 MSWinEventLog 1 Directory Service 1742824 Tue Dec 15 11:18:52 2015 103 NTDS ISAM N/A N/A Information ad-server.ad.cap62.test Knowledge Consistency Checker NTDS (500) NTDSA: The database engine stopped the instance (0). 458 config file: define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> <Input internal> Module im_internal </Input> <Input in> Module im_msvistalog </Input> <Output out> Module om_udp Host <IP Address of host> Port 514 Exec to_syslog_snare(); </Output> <Route 1> Path eventlog, in => out </Route> Please anyone help me with that?

You probably want something like Exec $Hostname = string(host_ip()); to pull from the Windows agents. Converting to string because $Hostname is expecting a string value.
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS