I'm relatively new to NXLog and to AlienVault log ingestion. I have followed their setup guide here: https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/setup/linux-logs-nxlog.htm?Highlight=linux%20logs%20nxlog.

We are using NXLog EE and NXLog Manager to push configs.

I have two modules I'm looking to collect logs with, and I feel that they are pretty straightforward. I'm trying to capture /var/log/messages and the audit.log. I am also wanting to capture the FIM.

Using the im_file module, I'm able to capture these logs and they get to AlienVault; they are even parsed in JSON, which looks nice. My issue is that you can't really report on anything, as they don't generate any useful flags which AlienVault can use to trigger alarms and such. A lot of the logs get flagged as AlienVault Generic Results, which means that the format isn't triggering their AlienVault Data Source plugins. Some logs are getting recognized by AlienVault and triggering the appropriate data source, but they are also not getting any useful information to report on. When I compare these logs to the Windows logs that we are capturing, the Linux logs have significantly less metadata within them. Something as simple as eventoutcome would be nice, like if I wanted to see failed attempts to elevate to sudo, see that event fail and generate an alert.

I'm wondering if anyone would mind sharing their module configs for Linux if you use AlienVault (AT&T USM) as your SIEM.

Here is the config I am currently using.

LogLevel INFO
LogFile %LOGDIR%/nxlog.log

# Remote management by NXLog Manager (mutual TLS, untrusted certs rejected)
<Extension agent_management>
    Module        xm_soapadmin
    Connect       1.1.1.1
    Port          4041
    SocketType    SSL
    CAFile        %CERTDIR%/agent-ca.pem
    AllowUntrusted FALSE
    RequireCert   TRUE
    <ACL conf>
        Directory  %CONFDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
    <ACL cert>
        Directory  %CERTDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# /var/log/messages is syslog-formatted, so parse_syslog() fills the standard fields
<Input var_messages_in>
    Module    im_file
    File      '/var/log/messages'
    InputType LineBased
    SavePos   TRUE
    Exec      parse_syslog();
</Input>

# File integrity monitoring of system binaries and configuration
<Input fim_linux>
    Module  im_fim
    File    '/bin/*'
    File    '/etc/*'
    File    '/lib/*'
    File    '/opt/nxlog/bin/*'
    File    '/opt/nxlog/lib/*'
    File    '/sbin/*'
    File    '/usr/bin/*'
    File    '/usr/sbin/*'
    Exclude '/etc/hosts.deny'
    Exclude '/etc/mtab'
</Input>

# audit.log lines are key=value records, not syslog, so parse_syslog() does not
# break them into fields; the raw line is forwarded unchanged as $Message
<Input var_audit_in>
    Module    im_file
    File      '/var/log/audit/audit.log'
    InputType LineBased
    SavePos   FALSE
    Exec      parse_syslog(); \
              $Hostname = hostname(); \
              $FQDN = hostname_fqdn(); \
              $Tag = "audit"; \
              $SourceName = "selinux"; \
              $Message = $Raw_Event;
</Input>

# Syslog-over-TLS to the USM sensor, with the JSON record as the syslog message
<Output out_syslog_ssl_br>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    OutputType  LineBased
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    Exec        $EventTime = $EventReceivedTime;
    # datetime -> integer microseconds -> whole seconds
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

# Same transport for FIM events; to_syslog_bsd() produces text lines, so the
# output type must be LineBased (Binary would send NXLog's native record format)
<Output out_fim_linux_ssl_BR>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    OutputType  LineBased
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    Exec        $SourceName = "FIM-LINUX-NXLOG-EE";
    Exec        $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S');
    Exec        $EventReceivedTime = strftime($EventReceivedTime, '%Y-%m-%d %H:%M:%S');
    Exec        to_json(); to_syslog_bsd();
</Output>

<Route route_syslog>
    Priority 1
    Path     var_audit_in, var_messages_in => out_syslog_ssl_br
</Route>

<Route FIM>
    Priority 2
    Path     fim_linux => out_fim_linux_ssl_BR
</Route>

Asked June 10, 2021 - 8:32pm
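As an added illustration of the enrichment the question is after (this is not code from the post, from NXLog or from AlienVault): a small Python parser run over constructed sample lines in the two formats the config collects, syslog lines from /var/log/messages and key=value records from audit.log, that derives an EventOutcome field for sudo elevation, the same logic that would otherwise go into NXLog Exec statements. The field names EventOutcome, AccountName, TargetUser and Command are assumed for the example, not AlienVault's plugin schema.

```python
import re

# Constructed sample lines (not from the post): two syslog lines as written to
# /var/log/messages by sudo, two auditd records as written to /var/log/audit/audit.log.
SAMPLE_LINES = [
    "Jun 10 20:30:01 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice",
    "Jun 10 20:30:05 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "type=USER_AUTH msg=audit(1623357001.123:456): pid=1234 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/0 res=failed'",
    "type=USER_CMD msg=audit(1623357005.456:457): pid=1235 uid=1000 auid=1000 ses=3 msg='cwd=\"/home/alice\" cmd=6C73 terminal=pts/0 res=success'",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUDIT_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<epoch>[\d.]+):\d+\): (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")   # key=value; value may be quoted
SUDO_FAIL_RE = re.compile(r"authentication failure;.*\buser=(?P<user>\S+)")
SUDO_OK_RE = re.compile(r"^\s*(?P<user>\S+) : TTY=.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_kv(body):
    return {k: v.strip("\"'") for k, v in KV_RE.findall(body)}


def parse_audit(line):
    """audit.log is key=value, not syslog: this is what parse_syslog() cannot produce."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = parse_kv(m.group("body"))
    fields.update(parse_kv(fields.pop("msg", "")))   # flatten the nested msg='...' part
    outcome = {"success": "success", "failed": "failure"}.get(fields.get("res"), "unknown")
    return {"SourceName": "audit", "AuditType": m.group("type"), "EventTime": float(m.group("epoch")),
            "AccountName": fields.get("acct", fields.get("auid")), "EventOutcome": outcome, **fields}


def parse_syslog(line):
    """Syslog line -> dict; sudo messages get AccountName/EventOutcome, others stay 'unknown'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    ev = {"SourceName": m.group("prog").strip(), "Hostname": m.group("host"),
          "Message": msg, "EventOutcome": "unknown"}
    fail, ok = SUDO_FAIL_RE.search(msg), SUDO_OK_RE.match(msg)
    if ev["SourceName"] == "sudo" and fail:
        ev.update(AccountName=fail.group("user"), EventOutcome="failure")
    elif ev["SourceName"] == "sudo" and ok:
        ev.update(AccountName=ok.group("user"), TargetUser=ok.group("target"),
                  Command=ok.group("cmd"), EventOutcome="success")
    return ev


def parse_line(line):
    return parse_audit(line) or parse_syslog(line)


def failed_events(lines):
    # the records a SIEM alarm would key on, e.g. a failed sudo elevation
    return [ev for ev in map(parse_line, lines) if ev and ev["EventOutcome"] == "failure"]
```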

Answer (1)

Hello,

Since your question regards NXLog EE, please open a support ticket with your issue; that's the best way to solve it.

Best regards,
Raf