Linux to Alien Vault formatting

Tags: LINUX

#1 rwebster

I'm relatively new to NXLog and to AlienVault log ingestion. I have followed their setup guide here: https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/setup/linux-logs-nxlog.htm?Highlight=linux%20logs%20nxlog.

We are using NXLog EE and NXLog Manager to push configs.

I have two modules I'm looking to collect logs with, and I feel that they are pretty straightforward. I'm trying to capture /var/log/messages and audit.log. I also want to capture FIM.

Using the im_file module, I'm able to capture these logs and they get to AlienVault; they are even parsed into JSON, which looks nice. My issue is that you can't really report on anything, as they don't generate any useful flags that AlienVault can use to trigger alarms and such. A lot of the logs get flagged as AlienVault Generic Results, which means the format isn't triggering their AlienVault Data Source plugins. Some logs are getting recognized by AlienVault and triggering the appropriate data source, but they also aren't getting any useful information to report on. When I compare these logs to the Windows logs we are capturing, the Linux logs have significantly less metadata in them. Something as simple as eventoutcome would be nice, e.g. if I wanted to see failed attempts to elevate to sudo, see that event fail and generate an alert.

I'm wondering if anyone would mind sharing their module configs for Linux if you use AlienVault (AT&T USM) as your SIEM.

Here is the config I am currently using.

LogLevel INFO
Logfile  %LOGDIR%/nxlog.log

# Remote management from NXLog Manager over mutual TLS
<Extension agent_managment>
    Module         xm_soapadmin
    Connect        1.1.1.1
    Port           4041
    SocketType     SSL
    CAFile         %CERTDIR%/agent-ca.pem
    AllowUntrusted FALSE
    RequireCert    TRUE
    <ACL conf>
        Directory  %CONFDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
    <ACL cert>
        Directory  %CERTDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# /var/log/messages: plain syslog lines, split into syslog fields
<Input var_messages_in>
    Module    im_file
    File      '/var/log/messages'
    InputType LineBased
    SavePos   TRUE
    Exec      parse_syslog();
</Input>

# File integrity monitoring of system binaries, libraries and /etc
<Input fim_linux>
    Module  im_fim
    File    '/bin/'
    File    '/etc/'
    File    '/lib/'
    File    '/opt/nxlog/bin/'
    File    '/opt/nxlog/lib/'
    File    '/sbin/'
    File    '/usr/bin/'
    File    '/usr/sbin/'
    Exclude '/etc/hosts.deny'
    Exclude '/etc/mtab'
</Input>

# auditd log, tagged so it can be told apart from /var/log/messages
<Input var_audit_in>
    Module    im_file
    File      '/var/log/audit/audit.log'
    InputType LineBased
    SavePos   FALSE
    Exec      parse_syslog();
    Exec      $Hostname = hostname();
    Exec      $FQDN = hostname_fqdn();
    Exec      $Tag = "audit";
    Exec      $SourceName = "selinux";
    Exec      $Message = $Raw_Event;
</Input>

# Syslog and audit events: JSON payload wrapped in BSD syslog, sent over TLS
<Output out_syslog_ssl_br>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    OutputType  LineBased
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    Exec        $EventTime = $EventReceivedTime;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

# FIM events: same destination, with timestamps rendered as strings
<Output out_fim_linux_ssl_BR>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    OutputType  Binary
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    Exec        $SourceName = "FIM-LINUX-NXLOG-EE";
    Exec        $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S');
    Exec        $EventReceivedTime = strftime($EventReceivedTime, '%Y-%m-%d %H:%M:%S');
    Exec        to_json(); to_syslog_bsd();
</Output>

<Route route_syslog>
    Priority 1
    Path     var_audit_in, var_messages_in => out_syslog_ssl_br
</Route>

<Route FIM>
    Priority 2
    Path     fim_linux => out_fim_linux_ssl_BR
</Route>
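Added example, not from the original post, the AlienVault guide or NXLog's own documentation: two inputs that set an outcome field on sudo and auditd events before they reach the posted out_syslog_ssl_br output, whose to_json() call carries every field set here into the JSON payload. It assumes the posted config is already loaded (the syslog extension and the out_syslog_ssl_br output are reused, not redefined), that the installed NXLog EE accepts multi-line <Exec> blocks, and that sudo logs to the authpriv facility, which default rsyslog rules send to /var/log/secure on RHEL/CentOS or /var/log/auth.log on Debian/Ubuntu rather than /var/log/messages. The field names ($EventOutcome, $SourceUser, $TargetUser, $Command, $Reason, $AuditType, $Exe, $Acct), the input and route names, and the sample log lines in the comments are illustrative and constructed; which JSON keys the USM plugin actually maps is not confirmed here.

```nxlog
# Constructed sample lines this input is written against (syslog message part):
#   sudo:  rwebster : TTY=pts/0 ; PWD=/home/rwebster ; USER=root ; COMMAND=/usr/bin/id
#   sudo:  rwebster : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/rwebster ; USER=root ; COMMAND=/usr/bin/id
#   sudo:  jdoe : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
#   sudo: pam_unix(sudo:auth): authentication failure; logname=jdoe uid=1001 euid=0 tty=/dev/pts/1 ruser=jdoe rhost=  user=jdoe
<Input auth_in>
    Module    im_file
    # Debian/Ubuntu: '/var/log/auth.log' (assumed default rsyslog layout)
    File      '/var/log/secure'
    SavePos   TRUE
    <Exec>
        # parse_syslog() fills $SourceName, $Message, $Hostname, $EventTime
        parse_syslog();
        if $SourceName == "sudo"
        {
            # sudo left-pads the invoking user, hence the leading \s*
            if $Message =~ /^\s*(\S+) : TTY=(\S+) ; PWD=(.+?) ; USER=(\S+) ; COMMAND=(.*)$/
            {
                $EventOutcome = "success";
                $SourceUser   = $1;
                $TTY          = $2;
                $TargetUser   = $4;
                $Command      = $5;
            }
            else if $Message =~ /^\s*(\S+) : (.+?) ; TTY=(\S+) ; PWD=(.+?) ; USER=(\S+) ; COMMAND=(.*)$/
            {
                # "3 incorrect password attempts", "user NOT in sudoers",
                # "command not allowed" all carry the reason before TTY=
                $EventOutcome = "failure";
                $SourceUser   = $1;
                $Reason       = $2;
                $TTY          = $3;
                $TargetUser   = $5;
                $Command      = $6;
            }
            else if $Message =~ /^pam_unix\(sudo:auth\): authentication failure;.* user=(\S+)/
            {
                $EventOutcome = "failure";
                $SourceUser   = $1;
                $Reason       = "pam authentication failure";
            }
        }
    </Exec>
</Input>

# auditd records are key=value, not syslog, so parse_syslog() finds nothing
# useful in them. Constructed sample line:
#   type=USER_AUTH msg=audit(1583230000.123:4567): pid=2211 uid=1001 auid=1001 ses=5 msg='op=PAM:authentication grantors=? acct="jdoe" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
<Input audit_in>
    Module    im_file
    File      '/var/log/audit/audit.log'
    SavePos   TRUE
    <Exec>
        $Hostname   = hostname();
        $SourceName = "auditd";
        if $raw_event =~ /^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):/
        {
            $AuditType = $1;
            # audit timestamp is epoch seconds; datetime() wants microseconds
            $EventTime = datetime(integer($2) * 1000000);
        }
        if $raw_event =~ /\bres=(success|failed)\b/
        {
            $EventOutcome = $1;
        }
        if $raw_event =~ /\bexe="([^"]+)"/
        {
            $Exe = $1;
        }
        if $raw_event =~ /\bacct="([^"]+)"/
        {
            $Acct = $1;
        }
        $Message = $raw_event;
    </Exec>
</Input>

# Takes the place of the posted route_syslog and var_audit_in; var_messages_in
# and out_syslog_ssl_br are the ones already defined in the posted config.
<Route route_syslog>
    Priority 1
    Path     auth_in, audit_in, var_messages_in => out_syslog_ssl_br
</Route>
```

Drop this in place of the posted var_audit_in input and route_syslog route, run `nxlog -v` to check the syntax before pushing it from NXLog Manager, and then provoke a bad sudo password on a test host: the resulting JSON should carry "EventOutcome":"failure" together with the user and command, which is the kind of attribute an alarm rule can key on. Whether USM surfaces it under that name or needs a custom plugin mapping is something to confirm on the USM side.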

#2 raf

Hello,

Since your question regards NXLog EE, please open a support ticket with your issue; that's the best way to solve it.

Best regards,
Raf