7 responses

I'm attempting to use NXLog (community edition atm) to read Active Directory logs into NXLog and output them to syslog/JSON. I have a text file (one username per line) that I need to be able to compare to the username in the Windows event logs from AD. I need to be able to drop messages if the username in the Windows AD event logs matches a username in the text file of usernames.

I've spent quite a bit of time googling and reading documentation and haven't found a method to achieve this. Can anyone assist?

Asked October 9, 2018 - 6:16pm

Answer (1)

Unfortunately I can't think of a solution using the CE, but the xm_filelist module in the NXLog EE allows you to do this, e.g.: `Exec if mylist->matches($AcountName) drop();`

Comments (6)

  • habrosec

    I'm using the trial of EE and xm_filelist. I'm trying to verify that what I'm expecting to happen is happening before I start explicitly dropping. The below config appears to be writing to *both* destinations instead of just the "out" route from the "reroute()". Should this be the case according to the config? It also appears that I might be losing logs in comparison to receiving these same logs via syslog-ng.

    ```
    ########################################
    # Global directives
    ########################################
    User nxlog
    Group nxlog

    LogFile /var/log/nxlog/nxlog.log
    LogLevel INFO

    ########################################
    # Modules
    ########################################
    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Extension users>
        Module xm_filelist
        File '/home/users.txt'
    </Extension>

    <Input in>
        Module im_tcp
        Host 0.0.0.0
        Port xxxx
        # $raw_event = $Message strips the syslog header
        Exec parse_syslog(); $raw_event = $Message;

        # parse_json() parses the fields so you can use $field, such as $TargetUserName
        Exec parse_json();
        Exec if users->matches($TargetUserName, TRUE) reroute('out_route');
    </Input>

    <Output ad_out>
        Module om_file
        File '/var/log/ad/' + year(now()) + '/' + month(now()) + '/' + day(now()) + '.log'
        CreateDir TRUE
    </Output>

    <Output out>
        Module om_file
        File '/var/log/ad/' + year(now()) + '/' + month(now()) + '/drop-' + day(now()) + '.log'
        CreateDir TRUE
    </Output>

    ########################################
    # Routes
    ########################################
    <Route 1>
        Path in => ad_out
    </Route>

    <Route out_route>
        Path in => out
    </Route>
    ```

  • b0ti (NXLog)

    The issue here is probably that you invoke reroute() from an input module instance in the same route. I suggest adding im_null as the input there instead.

  • habrosec

    Thanks so much for your help!

    Reading the documentation, using the reroute() function explicitly disables flow control, which is probably why my logs aren't as large when I collect them all together. Is there a way to get around this by turning on flow control again in the new route, or just by increasing the buffers?

  • b0ti (NXLog)

    You should use two modules with filtering as suggested: `im_tcp => out1, out2`

    ```
    Exec if mylist->matches($AcountName) drop();
    ```

    Add the filter to the output block. The other one would need to be negated, obviously.
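Putting the answer's xm_filelist drop() together with the last comment's layout (one input feeding two outputs, each carrying its own filter), here is an added example configuration; it is not from the original thread or from NXLog's documentation. It assumes NXLog EE with xm_filelist, the same JSON-over-syslog feed as the posted config, that the listening port is 1514 (the post elides it), that /home/users.txt holds one username per line, and that the parsed field carrying the account name is $TargetUserName. The `defined` guard is an addition so that records without a username field are never passed to matches().

```conf
########################################
# Modules
########################################
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension users>
    Module xm_filelist
    # Assumed: one username per line
    File '/home/users.txt'
</Extension>

<Input in>
    Module im_tcp
    Host 0.0.0.0
    # Assumed port; the original post does not give one
    Port 1514
    # Strip the syslog header, then parse the JSON body into fields
    Exec parse_syslog(); $raw_event = $Message;
    Exec parse_json();
    # No reroute() here: both outputs sit in one route, so flow control stays on
</Input>

########################################
# Outputs: each output decides for itself what to keep
########################################
<Output ad_out>
    Module om_file
    File '/var/log/ad/' + year(now()) + '/' + month(now()) + '/' + day(now()) + '.log'
    CreateDir TRUE
    # Drop records whose username is on the list; everything else is kept here
    Exec if defined $TargetUserName and users->matches($TargetUserName) drop();
</Output>

<Output dropped_out>
    Module om_file
    File '/var/log/ad/' + year(now()) + '/' + month(now()) + '/drop-' + day(now()) + '.log'
    CreateDir TRUE
    # Negated filter: keep only the records the other output threw away
    Exec if not (defined $TargetUserName and users->matches($TargetUserName)) drop();
</Output>

########################################
# Routes
########################################
<Route ad>
    Path in => ad_out, dropped_out
</Route>
```

Because the filters live in the outputs rather than in the input, every record reaches both outputs and each one independently keeps or drops it, so the two files together contain exactly the input stream; comparing their combined line count against the syslog-ng capture is a quick way to confirm nothing is being lost. Once the split looks right, the dropped_out block can simply be deleted. Whether matches() treats each line of the list as a literal or a regular expression, and whether it compares case-sensitively, should be checked against the xm_filelist documentation for the installed version before relying on it for real filtering.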