Hi Team,

We are using NXLog to send logs to RSA (SIEM), but a few of the security logs are not being sent to RSA.
Below are the event IDs we are not receiving:
event IDs in the range 4860-4890.
Below is the configuration we are using in RSA.

Can you please check the configuration below and let me know if anything needs to be changed to receive the Windows security and application logs?

********************************************************************
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nslog.log

# Syslog formatting helpers; provides to_syslog_snare()
<Extension syslog>
    Module  xm_syslog
</Extension>

# Read the Windows Event Log; the XPath query selects every event
# from the Application and Security channels
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward over plain TCP in Snare format; the second statement rewrites
# the tab delimiters of the Snare record to commas
# (collector hostname redacted in the original post)
<Output out>
    Module  om_tcp
    Host    hostname(hided)
    Port    514
    Exec    to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
</Output>

<Route 1>
    Path    in => out
</Route>
***********************************************************************

Asked June 19, 2020 - 5:58am

Comments (6)

  • Arkadiy (NXLog)

    Hello Vignesh,

    Could you please share a few things with us:
    - the nxlog version you are using;
    - the OS you are running it on;
    - and is there any way for you to be sure that those events are happening but are not being forwarded? Maybe you have an example you might share with us?

    Best regards, Arch

  • vigneshmoorthy

    - the nxlog version you are using; -- version: 2.10.2150
    - the OS you are running it on; -- OS: AWS Windows Server 2016
    - and is there any way for you to be sure that those events are happening but are not being forwarded? Maybe you have an example you might share with us? -- Yes, the events are being generated but not forwarded. Please find the attached screenshot.
    I can see that event IDs 4897, 4880 and 4898 are captured under Windows Logs --> Security.

    I can share the screenshot with you if you provide an email ID.

  • Arkadiy (NXLog)

    If this is about privacy, then please feel free to drop them to me at arkadiy.kulikov@nxlog,org

    Otherwise you could post them here as XML.
    Also, could you please attach the nxlog.log file?

    Regards, Arch

  • vigneshmoorthy

    I have sent the configuration file and a screenshot of the captured Windows event IDs to your email.

    Thanks for your quick response.

    Please assist in fixing this as fast as possible.

  • vigneshmoorthy

    Hi Team,

    We are unable to receive any logs from Windows in RSA NetWitness SIEM. Below is the configuration we are using.

    Currently we are unable to share the nxlog log file because there is an issue copying it from the remote server. I can share a screenshot of the nxlog log file.

    This is a very critical server from which we are unable to receive logs.

    We need your urgent help; it will be appreciated.

    *******************************************
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nslog.log

    # Syslog formatting helpers; provides to_syslog_snare()
    <Extension syslog>
        Module  xm_syslog
    </Extension>

    # Read the Windows Event Log; with no QueryXML, im_msvistalog uses its
    # default channel selection
    <Input in>
        Module  im_msvistalog
    </Input>

    # Forward over plain TCP in Snare format; the second statement rewrites
    # the tab delimiters of the Snare record to commas
    # (collector hostname redacted in the original post)
    <Output out>
        Module  om_tcp
        Host    hostname(hided)
        Port    514
        Exec    to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
    </Output>

    <Route 1>
        Path    in => out
    </Route>
    ************************************************************
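As an added receiving-side check for both configurations posted in this thread (example code, not part of the thread and not NXLog's own code): a small parser for Snare-format lines of the kind to_syslog_snare() is assumed here to emit, which counts how many events in a given Event ID range actually arrived, and shows what the Exec line's tab-to-comma replace does to the field boundaries. The field order, hostname and sample lines are constructed assumptions.

```python
from typing import List, Optional

SNARE_TAG = "MSWinEventLog"


def _snare(log: str, counter: int, eid: int, source: str, etype: str,
           category: str, message: str) -> str:
    """Build a constructed Snare line in the layout assumed for
    to_syslog_snare(): syslog header, the MSWinEventLog tag, then the
    fields Criticality, Log, Counter, Date, EventID, Source, User,
    SIDType, EventLogType, Computer, Category, Data, Message, Count,
    all separated by tabs."""
    fields = ["1", log, str(counter), "Fri Jun 19 05:58:00 2020", str(eid),
              source, "N/A", "N/A", etype, "WIN-SRV01", category, "", message, "0"]
    return "<13>Jun 19 05:58:00 WIN-SRV01 " + SNARE_TAG + "\t" + "\t".join(fields)


# Constructed samples: one logon, one Certificate Services event in the range
# the poster is missing, and one Application event whose message contains a comma.
SNARE_SAMPLE_LINES = [
    _snare("Security", 101, 4624, "Microsoft-Windows-Security-Auditing",
           "Success Audit", "Logon", "An account was successfully logged on."),
    _snare("Security", 102, 4880, "Microsoft-Windows-Security-Auditing",
           "Success Audit", "Certification Services", "Certificate Services started."),
    _snare("Application", 103, 1000, "Application Error", "Error", "None",
           "Faulting application name: a.exe, version 1.0"),
]


def snare_fields(line: str, delimiter: str = "\t") -> List[str]:
    """Return the Snare fields that follow the MSWinEventLog tag (empty if absent)."""
    marker = SNARE_TAG + delimiter
    start = line.find(marker)
    return [] if start == -1 else line[start + len(marker):].split(delimiter)


def snare_event_id(line: str, delimiter: str = "\t") -> Optional[int]:
    """Extract the Windows Event ID (5th field after the tag). None of the
    fields before it contain commas, so this still works after the config's
    replace($raw_event, "\t", ',') even though later fields may not."""
    fields = snare_fields(line, delimiter)
    return int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None


def count_in_range(lines: List[str], low: int, high: int, delimiter: str = "\t") -> int:
    """Count received events whose ID lies in [low, high]."""
    ids = (snare_event_id(l, delimiter) for l in lines)
    return sum(1 for eid in ids if eid is not None and low <= eid <= high)


def forward_like_config(lines: List[str]) -> List[str]:
    """Mimic the Exec statement on this page: every tab becomes a comma."""
    return [l.replace("\t", ",") for l in lines]
```

With the tab delimiter every sample line has 14 fields; after the comma rewrite the Application line has 15, because the comma inside its message is indistinguishable from a delimiter, which is worth knowing before tuning the collector's parser.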

Answers (0)