
Default Payload from Source Host:
<134>1 1515988859.626061236 appliance flows src=172.21.84.107 dst=10.52.193.137 mac=5C:E0:C5:22:85:E4 protocol=tcp sport=50395 dport=443 pattern: allow all

Payload Generated by NXLog Server:
<134>May 7 15:18:02 10.101.100.193 1515988859.626061236 appliance flows src=172.21.84.107 dst=10.52.193.137 mac=5C:E0:C5:22:85:E4 protocol=tcp sport=50395 dport=443 pattern: allow all

Hi,

I have a source machine which is sending logs to an NXLog server, and the NXLog server forwards the logs to QRadar. But the payload seems to be different on the NXLog server and QRadar. A timestamp is being added additionally by the NXLog server and forwarded to QRadar. Is there a way to make a change on the NXLog server to forward the default log to QRadar?

Asked May 7, 2021 - 10:55pm

Answer (1)

Hello,

In order to help you in finding the solution - could you share your conf file?

Best regards,
Rafal

Comments (1)

  • BC_471242:

    User svc-nxlog
    Group infosec-siem

    Panic Soft

    # default values:
    # PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
    # CacheDir /opt/nxlog/var/spool/nxlog
    # ModuleDir /opt/nxlog/lib/nxlog/modules
    # SpoolDir /opt/nxlog/var/spool/nxlog

    define CERTDIR /opt/nxlog/var/lib/nxlog/cert
    define CONFDIR /opt/nxlog/var/lib/nxlog

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the `LogFile` directive (see below). The
    # `MYLOGFILE` define is also used to rotate the log file automatically
    # (see the `_fileop` block).
    define LOGDIR /opt/nxlog/var/log/nxlog
    define MYLOGFILE %LOGDIR%/nxlog.log

    # By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
    # allows the log file location to be modified via NXLog Manager. If you
    # are not using NXLog Manager, you can instead set `LogFile` below and
    # disable the `include` line.
    #LogFile %MYLOGFILE%
    include %CONFDIR%/log4ensics.conf

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    # This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
    # is changed in log4ensics.conf via NXLog Manager, rotation of the new
    # file should also be configured there.
    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            <Exec>
                if ( file_exists('%MYLOGFILE%') and
                     (file_size('%MYLOGFILE%') >= 5M) )
                {
                    file_cycle('%MYLOGFILE%', 8);
                }
            </Exec>
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
        </Schedule>
    </Extension>
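The payload difference in the question (a BSD syslog header carrying the NXLog host's own timestamp and address, prepended to an otherwise unchanged message) is exactly what `to_syslog_bsd()` produces: it rebuilds `$raw_event` from `$EventTime`, `$Hostname` and `$Message`, while `parse_syslog()` only fills in fields and leaves `$raw_event` as received. The posted configuration stops before its Input, Output and Route blocks, so the following is an added example and not the poster's configuration. It assumes an `im_udp` listener for the appliance and an `om_tcp` output to QRadar; the listener port 1514, the QRadar host name `qradar.example.internal` and port 514, and the module names are placeholders. The first Output shows the setting that introduces the extra header; the second forwards the default log untouched.

```nxlog
# Added example, not the poster's configuration. Host names, ports and
# module names are placeholders.

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input from_appliance>
    Module      im_udp
    ListenAddr  0.0.0.0:1514
    # Optional: sets $SyslogFacility, $EventTime, $Hostname, $Message ...
    # for use in other routes. It does NOT modify $raw_event, so it is safe
    # to keep even when the event is forwarded verbatim.
    Exec        parse_syslog();
</Input>

# Pattern that produces the observed payload. to_syslog_bsd() overwrites
# $raw_event with "<PRI>Mon DD HH:MM:SS hostname message", using the time
# and host NXLog resolved for the event rather than the original bytes.
<Output to_qradar_rewritten>
    Module  om_tcp
    Host    qradar.example.internal
    Port    514
    Exec    to_syslog_bsd();
</Output>

# Corrected pattern. With no conversion call in the Output (and none in the
# Input or a Processor in between), om_tcp sends $raw_event exactly as it
# arrived: the appliance's PRI, version and epoch timestamp are preserved.
<Output to_qradar_raw>
    Module  om_tcp
    Host    qradar.example.internal
    Port    514
</Output>

<Route pass_through>
    Path    from_appliance => to_qradar_raw
</Route>

# Left unrouted deliberately; enabling both paths would send every event to
# QRadar twice.
#<Route rewritten>
#    Path    from_appliance => to_qradar_rewritten
#</Route>
```

Before reloading, run `nxlog -v -c <path to nxlog.conf>` to validate the syntax, then compare a packet capture on the QRadar side with the source host's line; the forwarded event should begin with `<134>1 1515988859.626061236 appliance flows ...` just as it left the appliance. If a processor module (for example `pm_transformer`) or an `Exec` block with `to_syslog_ietf()` sits on the route, it has the same rewriting effect and must be removed from the QRadar path as well.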