InsightIDR

NXLog

NXLog is a tool that converts files to syslog, which can be useful when an application produces log output that is not accepted by InsightIDR.

Install and Configure NXLog

To start using NXLog in your environment:

  1. Download the latest version of NXLog here: http://nxlog.co/products/nxlog-community-edition/download
  2. Install NXLog locally. In the configuration file, set ROOT to the folder in which NXLog was installed; otherwise NXLog will not start. The configuration file path should be similar to this: C:\Program Files (x86)\nxlog\conf\nxlog.conf
  3. Once installed, stop the NXLog service.
  4. Open the NXLog configuration file and paste the following into the file, adjusting for your account as necessary:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
 
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
<Extension _syslog>
    Module      xm_syslog
</Extension>
 
<Input in>
    Module      im_msvistalog
    ReadFromLast  True
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
 
Query <QueryList>\
  <Query Id="0" Path="Security">\
     <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=4769 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4720 or EventID=4722 or EventID=4725 or EventID=4740 or EventID=4767 or EventID=4624 or EventID=4625 or EventID=4704 or EventID=4648 or EventID=4724 or EventID=4741 or EventID=4738 or EventID=4768 or EventID=4723)]]</Select>\
  </Query>\
</QueryList>
 
</Input>
 
<Output out>
    Module      om_tcp
    Host        COLLECTOR-HOST-NAME
    Port        COLLECTOR-PORT
    Exec        to_syslog_snare();
</Output>
 
<Route 1>
    Path        in => out
</Route>

For additional configuration options, see the NXLog reference manual here: http://nxlog.org/docs/

  5. Restart the NXLog service.

You can now use the new NXLog configuration.
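The Query directive in the configuration above is a Windows event log XML query whose XPath lists the event IDs to forward. The following is an added Python example (not part of this page or of NXLog) that builds that query from a list of event IDs with the trailing-backslash line continuations nxlog.conf expects, and reads back which IDs an existing query selects after checking that it is well-formed XML. It is meant as a review aid when the ID list is edited; the PAGE_QUERY constant is the query from the configuration above, and the channel and level defaults are assumptions that match it.

```python
"""Added example (not from the InsightIDR page or NXLog): build and inspect the
Windows event log XML query used by the im_msvistalog Query directive."""
import re
import xml.etree.ElementTree as ET

# Event IDs listed in the configuration above.
PAGE_EVENT_IDS = [4769, 4728, 4732, 4756, 4720, 4722, 4725, 4740, 4767, 4624, 4625,
                  4704, 4648, 4724, 4741, 4738, 4768, 4723]

# The Query value from the configuration above, including the NXLog backslash continuations.
PAGE_QUERY = """<QueryList>\\
  <Query Id="0" Path="Security">\\
     <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=4769 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4720 or EventID=4722 or EventID=4725 or EventID=4740 or EventID=4767 or EventID=4624 or EventID=4625 or EventID=4704 or EventID=4648 or EventID=4724 or EventID=4741 or EventID=4738 or EventID=4768 or EventID=4723)]]</Select>\\
  </Query>\\
</QueryList>"""


def build_query(event_ids, channel="Security", levels=(0, 1, 2, 3, 4)) -> str:
    """Return the <QueryList> XML, one element per line, with the NXLog line
    continuation (trailing backslash) already applied for pasting into nxlog.conf.
    Duplicate IDs are removed and the list is sorted so diffs stay readable."""
    ids = sorted(set(int(i) for i in event_ids))
    level_expr = " or ".join(f"Level={lvl}" for lvl in levels)
    id_expr = " or ".join(f"EventID={i}" for i in ids)
    xpath = f"*[System[({level_expr}) and ({id_expr})]]"
    lines = ["<QueryList>",
             f'  <Query Id="0" Path="{channel}">',
             f'    <Select Path="{channel}">{xpath}</Select>',
             "  </Query>",
             "</QueryList>"]
    return " \\\n".join(lines)   # every line except the last ends in ' \'


def selected_event_ids(query_text: str) -> list:
    """Parse a query (with or without NXLog backslash continuations), fail if it is
    not well-formed XML, and return the sorted EventIDs its Select clauses mention."""
    xml = query_text.replace("\\\n", "\n")
    root = ET.fromstring(xml)            # raises xml.etree.ElementTree.ParseError if broken
    ids = set()
    for sel in root.iter("Select"):
        ids.update(int(m) for m in re.findall(r"EventID=(\d+)", sel.text or ""))
    return sorted(ids)


if __name__ == "__main__":
    print("IDs selected by the page's query:", selected_event_ids(PAGE_QUERY))
    print(build_query(PAGE_EVENT_IDS + [4726]))   # page list plus one more ID
```

Run it after editing the ID list and compare the output of selected_event_ids against the list you intended; a ParseError here means NXLog will reject the query too.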

Collect Windows Server Logs

If you need to collect security log events from your environment, but do not want to use a Domain Admin account, you can configure NXLog to collect events for you.

Use one of the configuration files in the following sections (Active Directory, Microsoft DHCP, Microsoft DNS, Microsoft Exchange Message Tracking Logs, Microsoft IIS), depending on which logs you want to collect.

See Other Examples for a single nxlog.conf that collects several logs from one server, and Send Encrypted Logs for configuring NXLog to send encrypted messages.

Active Directory

You can use NXLog to collect domain controller security logs for Active Directory.

To use NXLog to collect the security log:

  1. Install NXLog on the domain controller.
  2. Create a new nxlog.conf file to replace the default file. The default location of this file is C:\Program Files (x86)\nxlog\conf.
  3. To collect and forward domain controller security logs to your InsightIDR Collector, use the following configuration file as an example:
#This sample nxlog.conf file can be used to read the Microsoft Security Log and send it to InsightIDR using syslog.
#Send the logs to InsightIDR in syslog_snare format.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in_securitylog>
   Module im_msvistalog
   Query <QueryList> \
          <Query Id="0"> \
           <Select Path="Security">*</Select> \
          </Query> \
         </QueryList>
    <Exec>
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
        $raw_event = $Message;
        to_syslog_snare();
    </Exec>
</Input>

<Output out_securitylog>
   Module      om_udp
   #This is the IP address of the InsightIDR Collector
   Host            192.168.0.46
   #This is the port configured on the Event Source
   Port        10341
</Output>

<Route 1>
   Path        in_securitylog=> out_securitylog
</Route>

Microsoft DHCP

You can use NXLog to collect DHCP logs for Microsoft DHCP.

To use NXLog to collect the Microsoft DHCP log:

  1. Install NXLog on the DHCP server.
  2. Create a new nxlog.conf file to replace the default file. The default location of this file is C:\Program Files (x86)\nxlog\conf.
  3. To collect and forward DHCP logs to your InsightIDR collector, use the following configuration file as an example:
#This sample nxlog.conf file can be used to read Microsoft DHCP log files and send them to InsightIDR using syslog.
#Send the logs to InsightIDR in syslog_bsd format.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in_dhcp>
 Module  im_file
 #Change the location below to where the DHCP logs are.
 File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
 InputType LineBased
 SavePos TRUE
 <Exec>
    if $raw_event =~ /^#/ drop();
    else
    {
        to_syslog_bsd();
    }
 </Exec>
 </Input>

<Output out>
   #If you wish to send the logs using tcp instead of udp, change the module below to om_tcp.
   Module      om_udp
   #This is the IP address of the InsightIDR Collector
   Host            192.168.0.156
   #This is the port configured on the Event Source
   Port        10400
</Output>

<Route 1>
   Path        in_dhcp=> out
</Route>

Microsoft DNS

You can use NXLog to collect DNS logs for Microsoft DNS.

To use NXLog to collect the DNS log:

  1. Install NXLog on the DNS server.
  2. Create a new nxlog.conf file to replace the default file. The default location of this file is C:\Program Files (x86)\nxlog\conf.
  3. Enable the DNS file rollover. See the DNS page for instructions on how to enable rollover.
  4. To collect and forward DNS logs to your InsightIDR collector, use the following configuration file as an example:
#This sample nxlog.conf file can be used to read Microsoft DNS log files and send them to InsightIDR using syslog.
#Send the logs to InsightIDR in syslog_bsd format. For an encrypted (om_ssl) output, see Send Encrypted Logs.
#define ROOT C:\Program Files\nxlog

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in_dns>
 Module  im_file
 File 'c:\dnslogs\dns*.log'
 InputType LineBased
 SavePos TRUE
 <Exec>
    if $raw_event =~ /^#/ drop();
    else
    {
        to_syslog_bsd();
    }
 </Exec>
 </Input>

<Output out_dns>
   Module      om_udp
   #This is the IP address of the InsightIDR Collector
   Host            192.168.0.46
   #This is the port configured on the Event Source
   Port        10350
</Output>

<Route 1>
   Path        in_dns=>out_dns
</Route>

Microsoft Exchange Message Tracking Logs

You can use NXLog to collect Microsoft Exchange Message Tracking logs.

To use NXLog to collect the Microsoft Exchange Message Tracking logs:

  1. Install NXLog on the Exchange server.
  2. Create a new nxlog.conf file to replace the default file. The default location of this file is C:\Program Files (x86)\nxlog\conf.
  3. Use the following configuration file as an example to collect and forward the Message Tracking logs to your InsightIDR collector:
#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to InsightIDR.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
define CertDir C:\Program Files (x86)\nxlog\cert

#Define the modules that will be used by nxlog.

<Extension json>
    Module xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension MessageTrackingLog>
    Module      xm_csv
    Fields      $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
    #FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter   ,
    QuoteMethod None
</Extension>

<Input in_MessageTrackingLog>
    Module  im_file
    File 'c:\logs\logfile*.log'
    InputType LineBased
    SavePos TRUE
    PollInterval 1
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            MessageTrackingLog->parse_csv();
            # The first CSV field is $date-time (ISO 8601); this log has no separate $date and $time fields.
            $EventTime = parsedate($date-time);
            $SourceName = "MessageTrackingLog";
            $raw_event = to_json();
        }
    </Exec>
</Input>

<Output out_MessageTrackingLog>
    Module      om_udp
    #This is the IP address of the InsightIDR Collector
    Host        192.168.0.156
    #This is the port configured on the Universal Event Source
    Port        10060
</Output>

<Route 1>
    Path        in_MessageTrackingLog => out_MessageTrackingLog
</Route>

After you create this replacement file, configure a Custom Log event source in InsightIDR.

Microsoft IIS

You can use NXLog to collect Microsoft IIS logs.

To use NXLog to collect IIS logs:

  1. Install NXLog on the IIS server.
  2. Create a new nxlog.conf file to replace the default file. The default location of this file is C:\Program Files (x86)\nxlog\conf.
  3. Use the following configuration file to collect and forward the IIS logs to your InsightIDR collector:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop when rotating logs or while debugging
#<Extension fileop>
#Module xm_fileop
#</Extension>

<Extension json>
     Module        xm_json
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.

<Extension w3c>
    Module xm_csv
    # A '#' in the middle of a directive starts a comment, so the field list must not contain one.
    Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
</Extension>

# Convert the IIS logs to JSON and use the original event time

<Input IIS_Site1>
    Module    im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
    SavePos  TRUE

    Exec if $raw_event =~ /^#/ drop();                \
       else                            \
       {                            \
            w3c->parse_csv();                    \
            $EventTime = parsedate($date + " " + $time);    \
            $SourceName = "IIS";                \
            $raw_event = to_json();                \
       }
</Input>

<Output IIS_Site1_out>
   Module      om_udp
   Host        <IDR_COLLECTOR_IP/DNS>
   Port        <IDR_EVENT_PORT>
</Output>


<Route IIS_Site1>
    Path        IIS_Site1 => IIS_Site1_out
</Route>

After you create this replacement file, configure a Generic Syslog event source in InsightIDR, which parses the IIS logs into a searchable format for Log Search.
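Both the Exchange Message Tracking and the IIS configurations above rely on the same pattern: drop the `#` header lines, split each record with xm_csv according to a fixed Fields list, set EventTime from the timestamp columns and emit JSON. If the Fields list does not match the columns the server actually writes, every value lands under the wrong name and the collector indexes garbage. The following added Python example (not from this page, not NXLog code) re-implements that pipeline stand-alone so you can preview the JSON the collector will receive and check the Fields directive against the log file's own `#Fields:` header before restarting the service. The two embedded log excerpts are constructed samples; the field names are normalised to underscores the way the IIS configuration above spells them.

```python
"""Added example (not from the InsightIDR page or NXLog): preview what the IIS and
Exchange <Exec> blocks produce and check the Fields directive against the log header."""
import json
import re
from datetime import datetime, timezone

# Constructed sample: the start of an IIS W3C log (u_ex*.log), header plus two records.
IIS_SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
2024-01-15 10:00:02 10.0.0.5 POST /login - 443 - 203.0.113.9 Mozilla/5.0 https://example.test/ 401 2 5 30
"""

# Constructed sample: an Exchange message tracking log, comma-delimited with the same header style.
EXCHANGE_SAMPLE = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2024-01-15T10:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data,transport-traffic-type,log-id,schema-version
2024-01-15T10:00:05.125Z,10.0.0.7,MBX1,10.0.0.8,EDGE1,,,SMTP,RECEIVE,1,<a@b.test>,2,user@example.test,,4096,1,,,Hello,sender@example.test,sender@example.test,,Incoming,,,,,Email,,15.01.0000.000
"""

# The Fields directive from the IIS configuration above, with the $ prefixes removed.
IIS_CONFIG_FIELDS = ["date", "time", "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query",
                     "s_port", "cs_username", "c_ip", "cs_User_Agent", "cs_Referer",
                     "sc_status", "sc_substatus", "sc_win32_status", "time_taken"]


def normalise(name: str) -> str:
    """cs(User-Agent) -> cs_User_Agent, s-ip -> s_ip: the naming used in the IIS config."""
    return re.sub(r"[-()]+", "_", name).strip("_")


def header_fields(text: str, delimiter: str) -> list:
    """Return the column names declared by the log's own #Fields header line."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return [normalise(f) for f in line[len("#Fields:"):].strip().split(delimiter) if f]
    raise ValueError("no #Fields header found")


def check_fields(config_fields: list, text: str, delimiter: str) -> list:
    """Positions where the NXLog Fields directive disagrees with the log header, as
    (index, configured, actual) tuples. An empty list means parse_csv() labels every column correctly."""
    actual = header_fields(text, delimiter)
    mismatches = []
    for i in range(max(len(config_fields), len(actual))):
        want = config_fields[i] if i < len(config_fields) else None
        have = actual[i] if i < len(actual) else None
        if want != have:
            mismatches.append((i, want, have))
    return mismatches


def parse_timestamp(stamp: str) -> str:
    """Accept the two formats seen here: IIS 'YYYY-MM-DD HH:MM:SS' and Exchange ISO 8601 (UTC)."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc).isoformat()
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {stamp}")


def to_json_records(text: str, delimiter: str, source_name: str, time_fields: tuple) -> list:
    """Mirror the <Exec> block: drop '#' lines, split on the delimiter, set EventTime and
    SourceName, and return one JSON document per record (as to_json() would)."""
    names = header_fields(text, delimiter)
    out = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue                      # the config's: if $raw_event =~ /^#/ drop();
        values = line.split(delimiter)
        if len(values) != len(names):
            continue                      # column count differs from the header: skip the record
        rec = dict(zip(names, values))
        rec["EventTime"] = parse_timestamp(" ".join(rec[f] for f in time_fields))
        rec["SourceName"] = source_name
        out.append(json.dumps(rec))
    return out


if __name__ == "__main__":
    print("IIS Fields mismatches:", check_fields(IIS_CONFIG_FIELDS, IIS_SAMPLE, " "))
    for doc in to_json_records(IIS_SAMPLE, " ", "IIS", ("date", "time")):
        print(doc)
    for doc in to_json_records(EXCHANGE_SAMPLE, ",", "MessageTrackingLog", ("date_time",)):
        print(doc)
```

Point it at a real u_ex*.log or message tracking file by reading the file into the text argument; a non-empty result from check_fields means the Fields directive in nxlog.conf (or the server's logging field selection) needs to change before the JSON can be trusted in Log Search.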

Send Encrypted Logs

If you prefer to use encrypted syslog to transport logs to InsightIDR, you can use om_ssl in your output module. For example:

#Download the certificate from InsightIDR and place it in the folder you specify below.
#%CertDir% must be defined earlier in nxlog.conf, for example: define CertDir C:\Program Files (x86)\nxlog\cert
<Output out_dns>
   Module      om_ssl
   #This is the IP address of the InsightIDR Collector
   Host           10.10.10.10
   #This is the port configured on the Event Source
   Port        10001
   #specify cert location, the default location is nxlog\cert.
   CAFile      %CertDir%\Rapid7CA.pem
</Output>

Other Examples

It is possible to have multiple “in” and “out” sections in the nxlog.conf file. For example, if you want to collect the security log, DHCP logs, and DNS logs from a single server, use the following nxlog.conf file:

#This sample nxlog.conf file can be used to read the Windows Security log, DHCP, and DNS logs from a domain controller.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

#Collect the Security log.
<Input in_securitylog>
   Module im_msvistalog
   Query <QueryList> \
          <Query Id="0"> \
           <Select Path="Security">*</Select> \
          </Query> \
         </QueryList>
    <Exec>
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
        $raw_event = $Message;
        to_syslog_snare();
    </Exec>
</Input>

#Collect the Microsoft DHCP logs.
<Input in_dhcp>
 Module  im_file
 #Change the location below to where the DHCP logs are.
 File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
 InputType LineBased
 SavePos TRUE
 <Exec>
    if $raw_event =~ /^#/ drop();
    else
    {
        to_syslog_bsd();
    }
 </Exec>
 </Input>

#Collect the Microsoft DNS log(s).
<Input in_dns>
 Module  im_file
 File 'c:\dnslogs\dns*.log'
 InputType LineBased
 SavePos TRUE
 <Exec>
    if $raw_event =~ /^#/ drop();
    else
    {
        to_syslog_bsd();
    }
 </Exec>
 </Input>

<Output out_securitylog>
   Module      om_udp
   #This is the IP address of the InsightIDR Collector
   Host            192.168.0.46
   #This is the port configured on the Event Source
   Port        10001
 #  Exec        to_json(); $message = $raw_event;
</Output>

<Output out_dhcp>
   #If you wish to send the logs using tcp instead of udp, change the module below to om_tcp.
   Module      om_udp
   #This is the IP address of the InsightIDR Collector
   Host            192.168.0.46
   #This is the port configured on the Event Source
   Port        10101
</Output>

<Output out_dns>
   Module      om_udp
   #This is the IP address of the InsightIDR Collector
   Host            192.168.0.46
   #This is the port configured on the Event Source
   Port        10201
</Output>

<Route 1>
   Path        in_securitylog=> out_securitylog
</Route>

<Route 2>
   Path        in_dhcp=> out_dhcp
</Route>

<Route 3>
   Path        in_dns=> out_dns
</Route>