
Hi all,

I'm trying to deploy NXLog Enterprise to a couple of Windows domain controllers, pointed to Graylog to audit security.
As part of this, we need the "ResolveSID" feature, so we have gone with the Enterprise edition. Unfortunately we only got a 1-year subscription approved, which doesn't include enterprise support :(

However with Enterprise edition, the only Security events that NXLog sends to Graylog are "Event log automatic backup" events when the .evtx files get rotated - nothing else from Security (all other sources seem OK).

The interesting thing here is that the Community edition doesn't have this problem - security events are forwarded just fine.
I've also tried the 32-bit v4 Enterprise MSI (since the Community edition is 32-bit), but it exhibits the same behaviour as above.
The v3 Enterprise edition seems to mostly work, but ignores "ResolveSID TRUE" (it reads the setting OK; I tested this by changing it to a non-boolean value so that it would complain about it, and it did, but when set to TRUE it still sends unresolved numeric SIDs through for Event ID 4627 "Group membership information" events).

Does anyone have any further troubleshooting tips for either of these problems? Ideally I'd like to get v4 working.

Thanks

Asked January 13, 2020 - 9:27pm

Comments (4)

  • hip_nxlog

    Hi Manuel, it's pretty stripped back:

    define ROOT C:\Program Files (x86)\nxlog
    
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    
    <Extension gelf>
        Module xm_gelf
    </Extension>
    <Input in>
        # For windows vista/2008 and above use:
        Module      im_msvistalog
        ResolveSID  TRUE
    </Input>
    
    <Output out>
        Module      om_udp
        Host        <<<FQDN of the Graylog server>>>
        Port        12201
        OutputType  GELF
    </Output>
    
    <Route 1>
        Path        in => out
    </Route>
    

    This is for the v3 Professional MSI that's currently installed. The variant for v4 is identical except for the ROOT (without " (x86)" in the path).

    Thanks

  • Misaziv (NXLog)

    Hi,

    I have tested this on NXLog EE v4.6, and security logs are read correctly. My advice is to remove the x86 version, install the latest version of NXLog (v4.6) x64 and test by also outputting to a file using the om_file module. That way you can confirm that NXLog is reading and sending out the Security logs.

    MisaZ

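One way to carry out the check MisaZ suggests, as an added example that is not part of the original thread: the question's om_udp route to Graylog kept as-is, plus a second om_file output that writes every parsed Security event (including any SIDs that ResolveSID did or did not resolve) to a local JSON file. It assumes a 64-bit v4 install root, a writable %LOGDIR%, and a placeholder file name.

```nxlog
# Added example, not the poster's config: tee Security events to a local file
# so that what NXLog reads can be checked before blaming the path to Graylog.
define ROOT    C:\Program Files\nxlog
define LOGDIR  %ROOT%\data

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module  xm_gelf
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input in>
    Module      im_msvistalog
    ResolveSID  TRUE
    # Restrict to the Security channel so the debug file only shows the events in question.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module      om_udp
    Host        <<<FQDN of the Graylog server>>>
    Port        12201
    OutputType  GELF
</Output>

<Output debugfile>
    Module  om_file
    File    '%LOGDIR%\security_debug.json'   # placeholder path, assumed writable
    # Serialise all fields (TargetUserName, SubjectUserSid, ...) as one JSON line per event.
    Exec    to_json();
</Output>

<Route 1>
    Path    in => out, debugfile
</Route>
```

If Event ID 4627 lines appear in the file with resolved account names, the input side works and the problem lies between om_udp and Graylog; if they are missing or still carry raw SIDs, the input module is where to look next.
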
Answers (0)