Sending Event Logs To Different Destinations

#1 ABCReed

Hello,

I am new to using NXLog, as it was suggested by my company's current SIEM vendor to be utilized when sending logs to our collectors. I am using NXLog on our Windows Event Forwarding Server to send logs to the SIEM. I can get it working where I send all logs coming into the Forwarded Events log section to the collectors. However, I am not able to get it set up where I send logs from a specific server to a specific destination. Ideally I would like to have each source sending logs to the WEF server going to a different port on the collector so I can manage them within the SIEM individually vs. all as one. Below is what I am using for my input and output config. I am not sure if I need two input sections since it is coming from the same location? Currently this is just sending all logs from server1 and 2 to both ports on the collector. Any help would be appreciated.

# Placeholders kept as posted: "Collector IP", "Server1 IP" and "Server2 IP"
<Input server1_in>
    Module  im_msvistalog
    Query   <QueryList><Query Id="0"><Select Path="ForwardedEvents">*</Select></Query></QueryList>
</Input>

<Input server2_in>
    Module  im_msvistalog
    Query   <QueryList><Query Id="0"><Select Path="ForwardedEvents">*</Select></Query></QueryList>
</Input>

<Output server1_out>
    Module  om_udp
    Host    Collector IP
    Port    1111
    Exec    if ($MessageSourceAddress == "Server1 IP") to_syslog_snare();
</Output>

<Output server2_out>
    Module  om_udp
    Host    Collector IP
    Port    2222
    Exec    if ($MessageSourceAddress == "Server2 IP") to_syslog_snare();
</Output>

<Route 1>
    Path    server1_in => server1_out
</Route>

<Route 2>
    Path    server2_in => server2_out
</Route>

#2 NenadM (Deactivated) Nxlog ✓

Hello Lance

You don't really need two identical input sections. If you'd like to collect different Windows logs, then multiple instances of the im_msvistalog module would be needed, but that's not the case here. You can specify as many input and output modules as you want in the Route section. Let's assume you've removed the server2_in input. Your Route should look like the following:

<Route 1>
    Path    server1_in => server1_out, server2_out
</Route>

Regarding the problem with sending all logs from server1 and 2 to both ports on the collector... well, with these output modules it is supposed to do so. The only thing they do is that, if the MessageSourceAddress field matches the IP, the log is converted to a SNARE syslog-formatted log message.

I believe that the output modules you're looking for should look like:

<Output server1_out>
    Module  om_udp
    Host    Collector IP
    Port    1111
    <Exec>
        if ($MessageSourceAddress == "Server1 IP") to_syslog_snare();
        else drop();
    </Exec>
</Output>

<Output server2_out>
    Module  om_udp
    Host    Collector IP
    Port    2222
    <Exec>
        if ($MessageSourceAddress == "Server2 IP") to_syslog_snare();
        else drop();
    </Exec>
</Output>
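The pieces from the reply above assembled into one complete configuration, as an added example that is not part of the original thread or of NXLog's own documentation: a single input, the two filtered outputs, one route, and the xm_syslog extension that to_syslog_snare() needs. The addresses, ports and route name are assumed placeholders.

```nxlog
# Added example, assembled from the reply above; addresses, ports and
# the route name are assumed placeholders, replace them with your own.
<Extension _syslog>
    # xm_syslog provides to_syslog_snare() used in the outputs below
    Module  xm_syslog
</Extension>

# One input is enough: events from both servers land in the same
# ForwardedEvents channel on the WEF server.
<Input forwarded_in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Every output on the route sees every event; each keeps only the events
# from its own server and drops the rest, so nothing reaches both ports.
# If $MessageSourceAddress is empty on your forwarded events, the event's
# Computer name in $Hostname is the field to try instead (assumption).
# om_udp sends in clear text with no delivery guarantee; om_ssl is the
# TLS-protected alternative when the collector supports it.
<Output server1_out>
    Module  om_udp
    Host    192.0.2.10
    Port    1111
    <Exec>
        if ($MessageSourceAddress == "192.0.2.21") to_syslog_snare();
        else drop();
    </Exec>
</Output>

<Output server2_out>
    Module  om_udp
    Host    192.0.2.10
    Port    2222
    <Exec>
        if ($MessageSourceAddress == "192.0.2.22") to_syslog_snare();
        else drop();
    </Exec>
</Output>

# A single route fans the one input out to both filtered outputs.
<Route wef_to_siem>
    Path    forwarded_in => server1_out, server2_out
</Route>
```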