
Hello,

I am new to using NXLog, as it was suggested by my company's current SIEM vendor to be utilized when sending logs to our collectors. I am using NXLog on our Windows Event Forwarding server to send logs to the SIEM. I can get it working where I send all logs coming into the Forwarded Events log section to the collectors. However, I am not able to get it set up where I send logs from a specific server to a specific destination. Ideally I would like to have each source sending logs to the WEF server going to a different port on the collector, so I can manage them within the SIEM individually vs. all as one. Below is what I am using for my input and output config. I am not sure if I need two input sections since it is coming from the same location? Currently this is just sending all logs from server1 and 2 to both ports on the collector. Any help would be appreciated.

<Input server1_in>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="ForwardedEvents">*</Select>\
                </Query>\
            </QueryList>
</Input>
<Input server2_in>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="ForwardedEvents">*</Select>\
                </Query>\
            </QueryList>
</Input>
#
<Output server1_out>
    Module  om_udp
    Host    Collector IP
    Port    1111
    Exec    if ($MessageSourceAddress == "Server1 IP") to_syslog_snare();
</Output>
#
<Output server2_out>
    Module  om_udp
    Host    Collector IP
    Port    2222
    Exec    if ($MessageSourceAddress == "Server2 IP") to_syslog_snare();
</Output>
#
<Route 1>
    Path    server1_in => server1_out
</Route>
<Route 2>
    Path    server2_in => server2_out
</Route>

Asked January 10, 2022 - 8:14pm

Answer (1)

Hello Lance

You don't really need two identical input sections. If you'd like to collect different Windows logs, then multiple instances of the im_msvistalog module would be needed, but that's not the case here.
You can specify as many input and output modules as you want in the Route section. Let's assume you've removed the server2_in input. Your Route should look like the following:

<Route 1>
    Path    server1_in => server1_out, server2_out
</Route>

Regarding the problem with sending all logs from server1 and 2 to both ports on the collector... well, with these output modules it is supposed to do so. The only thing they do is that if the MessageSourceAddress field matches the IP, then the log is converted to the SNARE Syslog formatted log message.

I believe that the output modules you're looking for should look like:

#
<Output server1_out>
    Module  om_udp
    Host    Collector IP
    Port    1111
    <Exec>
        if ($MessageSourceAddress == "Server1 IP")
            to_syslog_snare();
        else
            drop();
    </Exec>
</Output>
#
<Output server2_out>
    Module  om_udp
    Host    Collector IP
    Port    2222
    <Exec>
        if ($MessageSourceAddress == "Server2 IP")
            to_syslog_snare();
        else
            drop();
    </Exec>
</Output>
#

Comments (2)

  • ABCReed:

    Hello,

    Thank you for the helpful information. I have removed my duplicate input and fixed my route as well. However, I am still having issues getting these logs to separate. Updating the config with the Output you suggested results in my destination host not receiving any logs on any of the listed ports. If I comment out the Exec it starts working again, but it sends all logs to all ports, which makes sense. Not sure if there is anything else I can try? Looking into the NXLog manual, it states that the $MessageSourceAddress variable is available in the im_udp and im_ssl modules. Not sure if that means that without those modules, that variable cannot be used?

    Thanks again for the assistance.

  • NenadM (NXLog):

    Hello

    You are right about the $MessageSourceAddress field. It is added by the im_udp or im_ssl module and not by the input module you are using, im_msvistalog. This module usually adds the fields shown in the example below (it varies depending on the source message structure):

    Field               Value
    $EventType          AUDIT_FAILURE
    $EventID            4625
    $SourceName         Microsoft-Windows-Security-Auditing
    $Channel            Security
    $Category           Logon
    $TargetUserSid      S-1-0-0
    $TargetUserName     linda
    $TargetDomainName   WINHOST
    $Status             0xc000006d
    $FailureReason      %%2313
    $SubStatus          0xc000006a
    $LogonType          2
    $Message            any string of characters

    So, the criteria for the output module to determine whether to send the log or to drop it could be:

    if $Message =~ /Server1_IP/

    OR

    if $Message =~ /Server1_fqdn/

    or whatever string of characters is unique to the logs coming from Server1.

    I suggest you route the logs to a local file and then analyze their structure. That way you can find the best criteria to use for filtering:

    <Input server1_in>
       Module  im_msvistalog
       Query   <QueryList>\
                   <Query Id="0">\
                       <Select Path="ForwardedEvents">*</Select>\
                   </Query>\
               </QueryList>
    </Input>

    <Output file>
       Module  om_file
       File    "C:\\logs\\some_file.txt"
    </Output>

    <Route to_file>
       Path    server1_in => file
    </Route>
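Putting NenadM's advice together, here is an added example (not from this thread or from NXLog's own docs) of a complete config with a single input, the two filtered outputs and a JSON debug file for discovering the right field. The collector IP, the source server FQDNs, the file path and the module instance names are constructed placeholders, and the remark about $Hostname is an assumption to be verified in the JSON dump.

```nxlog
# Added example, not from the thread. Addresses, names and the file path are
# constructed placeholders; substitute your own collector and source servers.
<Extension syslog>
    Module  xm_syslog
</Extension>
<Extension json>
    Module  xm_json
</Extension>
# One im_msvistalog instance is enough: every forwarded event passes through it.
<Input wef_in>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="ForwardedEvents">*</Select>\
                </Query>\
            </QueryList>
</Input>
# Each output keeps only its own server's events and drops the rest, so nothing
# from server2 reaches port 1111 and vice versa.
<Output server1_out>
    Module  om_udp
    Host    192.0.2.10
    Port    1111
    <Exec>
        if $Message =~ /server1\.example\.com/ to_syslog_snare();
        else drop();
    </Exec>
</Output>
<Output server2_out>
    Module  om_udp
    Host    192.0.2.10
    Port    2222
    <Exec>
        if $Message =~ /server2\.example\.com/ to_syslog_snare();
        else drop();
    </Exec>
</Output>
# Debug output: every field of each event as one JSON line, so you can see which
# field reliably names the originating server (assumption: $Hostname, filled from
# the event's Computer element) and swap the $Message regex for an exact match.
<Output debug_file>
    Module  om_file
    File    "C:\\logs\\wef_fields.json"
    Exec    to_json();
</Output>
<Route wef>
    Path    wef_in => server1_out, server2_out, debug_file
</Route>
```

Once the JSON dump shows a field that carries the source computer name, replace the two regexes with an exact comparison on that field and remove debug_file from the route.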