So we have several systems/appliances that only send to one location. However, we have a need to send logs to more than one location. The issue is that the logs are sent in LEEF format, and one system uses LEEF while the other system uses CEF.

I know NXLog will do the multiple sending however, will it also convert the logs it is sending?

I am asking this because we were told the Snare Central Server could do it and found out that it cannot do it without the agents installed. Clearly you cannot install agents on an appliance, so before we go to the trouble of trying to set up and build out an NXLog server we need to know if this type of thing is possible.

Asked February 1, 2019 - 1:27pm

Comments (2)

  • Zhengshi (NXLog)

    Just to clarify:
    Are you saying that you will have some number of Inputs coming into the NXLog server and going out to two separate Outputs with one Output needing LEEF format and the other needing CEF as Output?
    If so, what format do the logs come in on?

    I know NXLog will do the multiple sending however, will it also convert the logs it is sending?

    The short answer is yes, NXLog can indeed convert logs on the output. The following links will show you how to create CEF and LEEF logs in NXLog.
    https://nxlog.co/documentation/nxlog-user-guide/leef.html#generating-leef-logs
    https://nxlog.co/documentation/nxlog-user-guide/cef.html#generating-and-forwarding-cef

    We do offer a free trial of NXLog EE that may be beneficial for you as well.
    https://nxlog.co/products/nxlog-enterprise-edition/download

Answer (1)

To continue from the comments, it sounds like you want something similar to the following then.

<Extension _cef>
    Module  xm_cef
</Extension>
<Extension _syslog>
    Module  xm_syslog
</Extension>
<Extension _leef>
    Module  xm_leef
</Extension>

<Input in>
    Module  im_tcp
    Host    0.0.0.0
    Port    1514
    Exec    parse_leef();
</Input>
<Output leef>
    Module  om_tcp
    Host    1.1.1.1
    Port    1514
</Output>
<Output cef>
    Module  om_tcp
    Host    1.1.1.2
    Port    1514
    Exec    to_cef(); to_syslog_bsd();
</Output>
<Route r1>
    Path    in => leef,cef
</Route>

This config skeleton will parse the LEEF input and forward it as-is to the Output leef; for the Output cef it will convert to CEF and add the Syslog BSD headers.
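
To make concrete what parse_leef() and to_cef() do along the cef branch of this route, here is an added Python example (not NXLog's code and not the answer author's): it parses a LEEF 1.0/2.0 line, including a syslog prefix and a LEEF 2.0 hex delimiter, and re-encodes it as CEF with CEF's own escaping rules. The cat-to-Name and sev-to-Severity mapping and the SAMPLE_LEEF event are assumptions constructed for the example.

```python
import re
# Constructed sample LEEF 2.0 event over syslog: "x09" selects tab, cat holds a pipe
SAMPLE_LEEF = ("<13>Feb  1 13:27:00 fw01 LEEF:2.0|Vendor|Firewall|1.0|12345|x09|"
               "src=10.0.0.5\tdst=10.0.0.9\tsev=7\tcat=Access|Denied\tusrName=a=b")

def _delim(token):
    """LEEF 2.0 delimiter field: empty means tab, 'x09'/'0x09' is a hex code."""
    if not token:
        return "\t"
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", token)
    return chr(int(m.group(1), 16)) if m else token

def parse_leef(line):
    """Split a LEEF 1.0/2.0 line (syslog prefix allowed) into header and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    body = line[start:]
    is_v2 = body.startswith("LEEF:2")
    parts = body.split("|", 6 if is_v2 else 5)  # maxsplit: LEEF values may hold pipes
    if len(parts) < (7 if is_v2 else 6):
        raise ValueError("truncated LEEF header")
    delim = _delim(parts[5]) if is_v2 else "\t"
    attrs = {}
    for kv in parts[-1].split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)  # first '=' only: values may contain '='
            attrs[key.strip()] = value
    return {"vendor": parts[1], "product": parts[2], "version": parts[3],
            "event_id": parts[4], "attrs": attrs}

def _cef_header(v):  # CEF header fields escape backslash and pipe
    return v.replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(v):  # CEF extension values escape backslash, '=' and line breaks
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))

def leef_to_cef(line):
    """Re-encode a LEEF line as CEF:0, as the cef Output's to_cef() does for its route."""
    ev = parse_leef(line)
    # Assumed mapping (not NXLog's documented one): LEEF 'cat' becomes the CEF
    # Name (falling back to the event ID) and LEEF 'sev' (0-10) the CEF Severity.
    name = ev["attrs"].pop("cat", ev["event_id"])
    severity = ev["attrs"].pop("sev", "0")
    header = "|".join(_cef_header(x) for x in ("CEF:0", ev["vendor"], ev["product"],
                                               ev["version"], ev["event_id"], name, severity))
    extension = " ".join(f"{k}={_cef_ext(v)}" for k, v in ev["attrs"].items())
    return f"{header}|{extension}"
```

The sample shows the two places a naive string swap of "LEEF" for "CEF" goes wrong: a pipe inside a LEEF value must be escaped once it lands in the CEF header, and an '=' inside a value must be escaped in the CEF extension.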

Comments (2)

  • kmschramm

    Zhengshi, that is pretty much exactly what I want to accomplish. I believe this functionality is only available in the Enterprise Edition, however.

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally under
    ## /usr/share/doc/nxlog-ce/ and is also available online at
    ## http://nxlog.org/docs
    
    ########################################
    # Global directives                    #
    ########################################
    User nxlog
    Group nxlog
    
    LogFile /var/log/nxlog/nxlog.log
    LogLevel INFO
    
    ########################################
    # Modules                              #
    ########################################
    
    <Extension _cef>
        Module  xm_cef
    </Extension>
    
    <Extension _leef>
        Module  xm_leef
    </Extension>
    
    <Extension _syslog>
        Module      xm_syslog
    </Extension>
    
    # Host is the local address to listen on, not the appliance's IP, and only
    # one module can bind UDP 514, so a single input receives the appliance's
    # LEEF events and parses them into fields for each Output to re-encode.
    <Input Appliance1>
        Module  im_udp
        Host    0.0.0.0
        Port    514
        Exec    parse_leef();
    </Input>
    
    <Input in2>
        Module      im_tcp
        Port        514
    </Input>
    
    <Output RemoteSystem1>
        Module  om_tcp
        Host    <RemoteDestinationIP>
        Port    <RemotePort>
        # Re-encode the parsed fields as CEF for this destination
        Exec    to_cef();
    </Output>
    
    <Output RemoteSystem2>
        Module  om_udp
        Host    <RemoteDestinationIP>
        Port    514
        # Re-encode the same parsed fields as LEEF for this destination
        Exec    to_leef();
    </Output>
    
    <Output fileout1>
        Module      om_file
        File        "/var/log/nxlog/logmsg.txt"
        Exec        if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
        Exec        to_syslog_bsd();
    </Output>
    
    <Output fileout2>
        Module      om_file
        File        "/var/log/nxlog/logmsg2.txt"
    </Output>
    
    ########################################
    # Routes                               #
    ########################################
    
    # Extensions (xm_cef, xm_leef) are not route members; the conversion is done
    # by the Exec in each Output, so one route fans the parsed events out to both
    # remote systems and to a local syslog-formatted copy.
    <Route RemoteSystems>
        Path    Appliance1 => RemoteSystem1, RemoteSystem2, fileout1
    </Route>
    
    <Route tcproute>
        Path        in2 => fileout2
    </Route>