
While we have been using NXLog for years, we have always just had it forward logs to third party for evaluation. Now we are trying to forward some Windows Application Log events to a Slack channel.

We can target the correct Windows Server Application events based on an EventID and output them to a text file using NXLog. But when we are trying to use om_http to Slack we are getting an error: 400 Bad Request.

Previously we were getting errors around certs that they could not be evaluated, but we now have the certificates in a directory and a directive in our output for om_http and that error seems to have gone away.

We have tried a simple Exec $message = "Hello" at the end of our input stanza just to simplify (and eliminate any special characters) what we might be sending to Slack.

Slack is expecting a JSON format.

In our output om_http stanza, we specify:
Exec to_json();
ContentType application/json

nxlog.log just continuously shows this:
2020-08-27 21:06:42 ERROR HTTP response status is not OK: 400 Bad Request
2020-08-27 21:06:51 INFO reconnecting in 0 seconds
2020-08-27 21:06:51 ERROR http response timeout from server
2020-08-27 21:06:51 INFO connecting to hooks.slack.com:443
2020-08-27 21:06:52 ERROR HTTP response status is not OK: 400 Bad Request
2020-08-27 21:07:01 INFO reconnecting in 0 seconds
2020-08-27 21:07:01 ERROR http response timeout from server
2020-08-27 21:07:01 INFO connecting to hooks.slack.com:443
2020-08-27 21:07:02 ERROR HTTP response status is not OK: 400 Bad Request

I started to go down the path of Wireshark to do some packet captures. All the traffic is encrypted, and I was hoping to capture the keys using a Windows environment variable (SSLKEYLOGFILE) on the NXLog host but that was to no avail.

Can anyone tell me what I might be missing? I'm afraid I may have a fundamental misunderstanding, or am just not seeing the obvious.

Asked August 27, 2020 - 2:14pm
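Added example, not part of the original post or of NXLog: Slack incoming webhooks accept a JSON object that carries a text member (or blocks or attachments), and xm_json's to_json() serializes every field of the event record into one object that has no such member, which is the shape of body that earns a 400. The script below reproduces both bodies from a constructed Application-log record (the field names are NXLog's im_msvistalog field names; the values are made up), checks each against that requirement, and optionally posts them with the correct Content-Type to a webhook given in the SLACK_WEBHOOK_URL environment variable (a name chosen for this example) so that Slack's own error body, which nxlog.log does not show, can be read.

```python
import json
import os
import urllib.error
import urllib.request

# Constructed sample of the fields im_msvistalog puts on an event record for
# an Application-log EventID 203. Field names are NXLog's; values are made up.
SAMPLE_EVENT = {
    "EventTime": "2020-08-27 21:06:41",
    "Hostname": "app-server-01",
    "Channel": "Application",
    "EventID": 203,
    "SourceName": "ExampleApp",
    "Message": 'Policy check finished:\r\nLength:8:TRUE "quoted" value',
}


def nxlog_style_to_json(record):
    """Approximate what xm_json's to_json() does: every field of the record
    becomes a member of one JSON object. Nothing here is Slack-specific."""
    return json.dumps(record)


def validate_slack_payload(body):
    """Return the reasons a Slack incoming webhook would reject this body
    (empty list = acceptable): it must be a JSON object carrying
    'text', 'blocks' or 'attachments', and 'text' must be a string."""
    try:
        obj = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(obj, dict):
        return ["top-level JSON value must be an object"]
    problems = []
    if not any(key in obj for key in ("text", "blocks", "attachments")):
        problems.append("no 'text', 'blocks' or 'attachments' member")
    if "text" in obj and not isinstance(obj["text"], str):
        problems.append("'text' must be a string")
    return problems


def build_slack_payload(record):
    """Reduce an event record to the one-member object Slack expects.
    json.dumps escapes quotes, CR and LF itself, so the raw_event replace()
    chain from the question is not needed for the webhook body."""
    text = ("[{Hostname}] {Channel} EventID {EventID} from {SourceName}: "
            "{Message}").format(**record)
    return json.dumps({"text": text})


def post_to_webhook(url, body):
    """POST the body with the Content-Type Slack requires. On a 4xx return
    the status and Slack's response body, which names the rejection reason
    that the '400 Bad Request' line in nxlog.log omits."""
    req = urllib.request.Request(
        url, data=body.encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    wrong = nxlog_style_to_json(SAMPLE_EVENT)
    right = build_slack_payload(SAMPLE_EVENT)
    print("to_json() body :", wrong, "->", validate_slack_payload(wrong))
    print("text-only body :", right, "->", validate_slack_payload(right))
    # Point SLACK_WEBHOOK_URL at your own webhook to see Slack's responses.
    url = os.environ.get("SLACK_WEBHOOK_URL")
    if url:
        print("to_json() body :", post_to_webhook(url, wrong))
        print("text-only body :", post_to_webhook(url, right))
```

Run without SLACK_WEBHOOK_URL it only checks the two bodies offline; with it set, the second run shows the status code and response text Slack returns for each body, which is the quickest way to confirm the cause without decrypting the TLS session.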

Comments (3)

  • MB_244413

    Sure!

    define ROOT C:\Program Files (x86)\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    #LogLevel DEBUG

    <Extension syslog>
    Module xm_syslog
    </Extension>

    <Extension json>
    Module xm_json
    </Extension>

    <Extension exec>
    Module xm_exec
    </Extension>

    <Extension _charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
    </Extension>

    <Extension multiline>
    Module xm_multiline
    HeaderLine /^((?!FALSE).)*$/
    </Extension>

    <Extension kvp>
    Module xm_kvp
    KVDelimiter =
    KVPDelimiter " "
    </Extension>

    <Input APP203>
    Module im_msvistalog
    <QueryXML>
    <QueryList>
    <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventID=203)]]</Select>
    </Query>
    </QueryList>
    </QueryXML>

    Exec $raw_event = replace($raw_event, "\r\n", " ");
    Exec $raw_event = replace($raw_event, "\r", " ");
    Exec $raw_event = replace($raw_event, "\n", " ");
    Exec $raw_event = replace($raw_event, "0x0A", " ");
    Exec $raw_event = replace($raw_event, "0x0DA", " ");
    Exec $raw_event = replace($raw_event, "0x0D", " ");
    Exec $raw_event =~ s/([A-Za-z]*:[0-9]*:TRUE )|(RequiredCharacterGroups:[0-9]:TRUE[[A-Za-z0-9:]*] )|([A-Za-z]*:[0-9]*:TRUE$)//g;

    #Exec $message ="Hi Message";
    #Exec $raw_event = "Hello Raw";
    </Input>

    <Output MSWINEVENTLOGOUT>
    Module om_udp
    Host 10.44.0.5
    Port 514
    # Transmit in Snare format on local6.info
    Exec $SyslogFacilityValue = 22;to_syslog_snare();
    </Output>

    #<Output toSlackSpecops>
    # Module om_file
    # File "C:\\temp\\203.txt"
    #</Output>

    <Output toSlackSpecops>
    Module om_http
    URL https://hooks.slack.com/services/removed/removed
    HTTPSAllowUntrusted FALSE
    HTTPSCADir C:\Certs
    HTTPSCAFile C:\Certs\digiroot.cer
    Exec to_json();
    ContentType application/json
    </Output>

    <Output toLogServer>
    Module om_tcp
    Host 10.44.0.144
    Port 5544
    # <Exec>
    # kvp->parse_kvp();
    # to_json();
    # </Exec>
    </Output>

    <Route 1>
    Path MSWINEVENTLOGIN => MSWINEVENTLOGOUT
    </Route>

    <Route 2>
    Path APP203 => toSlackSpecops
    </Route>

    <Route 3>
    Path APP203 => toLogServer
    </Route>

  • MB_244413

    I will try to get a proxy connection going to see if I can decrypt that traffic to learn what's going on... However, if there is anything obvious I am missing, I'd love another set of eyes to point it out to me!

Answers (0)