2 responses

Hi
I'm trying to get NXLog EE running with Microsoft Sentinel but still get the error:

2021-04-14 19:02:04 INFO [om_http|AzureHTTP] connecting to xxxxxxxx.ods.opinsights.azure.com(xx.xx.xx.xx):443
2021-04-14 19:02:04 ERROR [om_http|AzureHTTP] SSL error, failed to load ca cert from 'C:\Program Files\nxlog\cert\test.crt', reason: no certificate or crl found
2021-04-14 19:02:04 INFO [om_http|AzureHTTP] reconnecting in 4 sec

Forwarding to Sentinel Logspace is not working.

What's wrong? Johannes

Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d
define WORKSPACE xxxxxxxxxxxxxxxxxxxx
define SHAREDKEY xxxxxxxxxxxxxxxxxxxx
define SUBDOMAIN ods.opinsights.azure.com
define RESOURCE api/logs
define APIVER api-version=2016-04-01
define SIZELIMIT 65000

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
include %CONFDIR%\*.conf

#LogLevel INFO
#LogFile %MYLOGFILE%

<Extension _json>
    Module xm_json
</Extension>

<Input VAT_Eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">
                    *[System[Level=0 and (EventID=4624 or EventID=4647)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    RemoteServer xxx
    RemoteUser xxx
    RemoteDomain hq
    RemotePassword xxx
</Input>

<Extension plxm>
    Module xm_perl
    PerlCode %INSTALLDIR%\modules\extension\perl\sentinelauth.pl
</Extension>

<Output AzureHTTP>
    Module om_http
    URL https://%WORKSPACE%.%SUBDOMAIN%/%RESOURCE%?%APIVER%
    ContentType application/json
    # TRUE turns off verification of the server certificate. It does not
    # stop NXLog from loading HTTPSCAFile: the file below is the one the
    # log reports as "no certificate or crl found".
    HTTPSAllowUntrusted TRUE
    HTTPSCAFile %INSTALLDIR%\cert\test.crt
    <Exec>
        create_stat('ec', 'COUNT');
        create_stat('bc', 'COUNT');
        create_var('batch');
        create_var('nextbatch');
        add_stat('ec',1);

        #---BEGIN--- the enrichment of this event with any new fields:
        $BatchNumber = get_stat('bc');
        $EventNumber = get_stat('ec');
        to_json();
        #---END--- the enrichment of this event

        # Flush this batch of events once the next one would exceed SIZELIMIT
        if (size(get_var('batch')) + size($raw_event) + 3) > %SIZELIMIT%
        {
            set_var('nextbatch', $raw_event);
            $raw_event = '[' + get_var('batch') + ']';
            add_stat('bc',1);
            set_var('batch',get_var('nextbatch'));
            $Workspace = "%WORKSPACE%";
            $SharedKey = "%SHAREDKEY%";
            $ContentLength = string(size($raw_event));
            $dts = strftime(now(),'YYYY-MM-DDThh:mm:ssUTC');
            $dts_no_tz = replace($dts,'Z','');
            $parsedate_utc_false = parsedate($dts_no_tz,FALSE);
            $x_ms_date = strftime($parsedate_utc_false, '%a, %d %b %Y %T GMT');
            plxm->call("genauth");
            add_http_header('Authorization',$authorization);
            add_http_header('Log-Type',$SourceModuleName);
            add_http_header('x-ms-date',$x_ms_date);
        }
        else
        {
            $delimiter = get_stat('ec') == 1 ? '' : ",\n";
            set_var('batch', get_var('batch') + $delimiter + $raw_event);
            drop();
        }
    </Exec>
</Output>

#<Output TempFile>
#    Module om_file
#    File 'C:\Program Files\nxlog\data\dnsetw.json'
#</Output>

<Route DnsRoute1>
    Path VAT_Eventlog => AzureHTTP
</Route>

Asked April 14, 2021 - 7:08pm

Answer (1)

Hello Johannes,

since this appears in your messages:

2021-04-14 19:02:04 ERROR [om_http|AzureHTTP] SSL error, failed to load ca cert from 'C:\Program Files\nxlog\cert\test.crt', reason: no certificate or crl found

the first question would be: is the cert present in this location and accessible by the NXLog agent?

Best regards,
Rafal

Comments (1)

Hi Rafal, which kind of cert do I have to present? I followed this explanation (https://nxlog.co/documentation/nxlog-user-guide/sentinel.html) and found no information regarding a certificate.
I only want to communicate with Azure Sentinel. (I also set HTTPSAllowUntrusted TRUE.)

Many thanks for your help, Johannes
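A mechanical way to answer Rafal's question, added here as an example and not code from NXLog or from the poster: it reads the `define`s and the `HTTPSCAFile`/`HTTPSAllowUntrusted` directives out of an nxlog.conf text, expands `%NAME%` the way the config above relies on, and reports whether the referenced CA file exists, is readable and actually contains a PEM certificate (an openable file with no PEM block is what OpenSSL reports as "no certificate or crl found"). Everything except the two NXLog directive names and the `define` syntax is an assumption of this checker.

```python
import os
import re

# Hypothetical checker (not NXLog's own code): the directives it inspects.
DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s+(.*?)\s*$", re.M)
DIRECTIVE_RE = re.compile(r"^\s*(HTTPSCAFile|HTTPSAllowUntrusted)\s+(.*?)\s*$", re.M)
PEM_CERT_RE = re.compile(r"-----BEGIN (?:X509 )?CERTIFICATE-----")


def expand(value, defines):
    """Expand %NAME% references the way NXLog expands `define` constants."""
    return re.sub(r"%(\w+)%", lambda m: defines.get(m.group(1), m.group(0)), value)


def parse_config(text):
    """Collect defines (later ones may reference earlier ones) and the two
    om_http directives; commented-out lines (#...) never match."""
    defines = {}
    for name, value in DEFINE_RE.findall(text):
        defines[name] = expand(value, defines)
    return {key: expand(val, defines) for key, val in DIRECTIVE_RE.findall(text)}


def check_ca_file(path):
    """Return the problems that would make om_http fail to load the CA file."""
    if not os.path.isfile(path):
        return ["CA file does not exist: " + path]
    if not os.access(path, os.R_OK):
        return ["CA file is not readable by this account: " + path]
    with open(path, "rb") as fh:
        data = fh.read().decode("latin-1")
    if not PEM_CERT_RE.search(data):
        # A present file without a PEM block is what OpenSSL reports as
        # "no certificate or crl found".
        return ["no PEM certificate block in " + path]
    return []


def audit(config_text):
    """Audit one nxlog.conf text; returns {'path': ..., 'problems': [...]}."""
    settings = parse_config(config_text)
    problems = []
    if settings.get("HTTPSAllowUntrusted", "FALSE").upper() == "TRUE":
        problems.append("HTTPSAllowUntrusted TRUE: server certificate is not verified")
    path = settings.get("HTTPSCAFile")
    if path:
        problems.extend(check_ca_file(path))
    return {"path": path, "problems": problems}
```

Run `audit(open(r"C:\Program Files\nxlog\conf\nxlog.conf").read())` under the account the NXLog service uses; an empty `problems` list means the CA file should load and `HTTPSAllowUntrusted` can stay `FALSE`.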