-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathlegacysystems-nxlog.conf
305 lines (291 loc) · 12 KB
/
legacysystems-nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
# Blumira : Windows NXLog to Blumira Sensor or SIEM
#
# Version: 1.2
#
# NXLog configuration for converting and sending Windows logs to Blumira.
# Both Community and Enterprise Editions of NXLog are supported. If you
# intend to collect WEF logs, you must use Enterprise Edition which you
# will need to license internally due to limitations with CE.
#
# Issues: Report Issues at https://github.com/Blumira/Flowmira/issues
#
# Core features:
# - Only captures useful Windows Event IDs
# - Avoids significant packet volume taking down Blumira Sensor
# - Handles message sending to Sensor/SIEM and time conversion
# - Supports Sysmon
# - Supports IIS (Event Viewer and File Based)
# - Supports FW
# - Supports Azure AD Password Protection
#
# Last Test: 20210208 - Tested on Server 2008/2012
#
# Changelog:
# 1.3
# - Removed query block to catch all event channels
# - Removed redundant im_msvistalog routes as they're now handled by the blu_eventlog route
# - Commented out Windows Firewall logging
# - Forked existing nxlog.conf to legacysystems-nxlog.conf for Server2k8 and Server2k12 event handling
# 1.2
# - Added Azure AD Password Protection support
# - Isolated 15001/15007 errors specific to 2k12/2k16/2k19 and added related "Potential Tasks" and notes
# - Added DEBUG LogLevel option
# 1.1
# - Added Sysmon Support
# - Updated Query list for Windows Event Logs
# 1.0
# - Added IIS Support - Event Viewer default to On, polling non-existent is non-impacting to hosts
# - Added FW Support
# - Improved time handling to force UTC time on host
#
# Notes:
# - Remember to restart your nxlog service after every change that could add new data
# net stop nxlog && net start nxlog
# - Times take the form of UTC timestamp (seconds) format
# - Make sure you review each section you intend to use, there are actions required
# for some to allow data collection to start.
#
# License: MIT
#####################
# Definitions
# 2 Tasks:
# 1) update define SIEM A.B.C.D to your IP
# 2) set Loglevel to either INFO or DEBUG
#####################
#Define logging level (aka "Unleash the Kraken?")
#LogLevel DEBUG
# Please set SIEM to the IP address of your Blumira sensor or SIEM
define SIEM 192.168.1.5
define PORT 514
# Please set ROOT to the folder your nxlog was installed into
# - if 64bit is used, comment out (#) x86 and uncomment C:\Program Files\nxlog lines
#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
# Define certs if used during Sensor Logger creation
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\\conf
# Define internal log details for NXLog
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
#LogFile %ROOT%\data\nxlog.log
LogFile %LOGFILE%
#####################
# Definitions
# 0 Tasks
#####################
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Extension File operations>
Module xm_fileop
</Extension>
#############################
# Internal NXLog Logs START #
#############################
<Input blu_internal>
Module im_internal
# Drop if a log file is not found, likely IIS or FW are not configured
Exec if ($Message =~ /does not exist/) drop();
# Drop if IIS or old Windows logs are not found
# If you're using Win 2k3 or lower, please reach out to [email protected]
Exec if ($Message =~ /failed to subscribe to msvistalog/) drop();
Exec $Message = to_json();
</Input>
<Output blu_out_internal>
Module om_tcp
Host %SIEM%
Port %PORT%
Exec to_syslog_bsd();
</Output>
<Route route_internal>
Path blu_internal => blu_out_internal
</Route>
#############################
# Internal NXLog Logs END #
#############################
############################
# Windows Event Logs START #
############################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!
# 2 Potential Tasks:
# 1) If on XP/2000/2003 (see below regarding im_mseventlog line)
# 2) If on 2K12 (remove the following 2 lines from QueryList below)
# <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
# <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select>\
#!!!!!!!!!!!!!!!!!!!!!!!!!!!
<Input blu_eventlog>
# Comment if on XP/2000/2003
Module im_msvistalog
# Uncomment im_mseventlog line for Windows XP/2000/2003 - You may need to modify some queries below as well
#Module im_mseventlog
# Prevent endless loop due to 5156 logging nxlog.exe connections
Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
# Filter out by Application
Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
# Filter out by Source and Destination IP
Exec if ($SourceAddress =~ /224.0.0.252/) drop();
Exec if ($SourceAddress =~ /192.168.1.255/) drop();
Exec if ($SourceAddress =~ /224.0.0.1/) drop();
Exec if ($SourceAddress =~ /239.255.255.250/) drop();
Exec if ($DestAddress =~ /224.0.0.22/) drop();
# Filter out by Command Line
Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
# Dropping non-security but often-loud logs for DFS and failed ISATAP issues
Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
# Workaround for local time so as to standardize to absolute microseconds since epoch
Exec $EventTime = integer($EventTime);
# JSON is required because some Windows logs contain new-line characters.
Exec $Message = to_json();
</Input>
<Output blu_out_eventlog>
Module om_tcp
Host %SIEM%
Port %PORT%
Exec to_syslog_bsd();
</Output>
<Route route_eventlog>
Path blu_eventlog => blu_out_eventlog
</Route>
############################
# Windows Event Logs END #
############################
#################################
# Windows IIS Event Viewer Logs #
#################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!
# If you want to utilize IIS Logging through the Log Files, remove all # at the beginning of lines from <Input blu_eventlog_iis> to </Route> after route_eventlog_iis. If you want to use Log Files
#
# 1 Potential Task - Run the following commands on the host(s) you want to collect
# logs from via Event Viewer, this will enable the logs. Running this
# command in your deployment script is OK. You will get errors on hosts
# that do not have IIS, they can be ignored.
#
# From an administrative command shell prompt
# - wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true
# - wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
# - wevtutil sl Microsoft-IIS-Logging/Logs /e:true
# Go to your IIS Manager, Server Configuration, select Logging and select "Both log file and ETW event"
###################################
# Windows IIS Event Viewer Logs #
###################################
###############################
# Windows Firewall Logs START #
###############################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# If you want to utilize this section, remove all # at the beginning of lines from <Extension csv_windows_fw> to </Route> after route_windows_fw
#
# Task: You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only.
# Adding successful packets will most likely be unnecessarily verbose unless you require visibility due to lack of segmentation.
# Recommended Powershell Command - Requires FW to be configured to at least generally functional state
# - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True
# If _significant_ verbosity is required, use this command which will log Allowed connections as well:
# - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
# --- Manual Setup ---
# https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#<Extension csv_windows_fw>
# Module xm_csv
# Fields date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
#</Extension>
#<Input blu_windows_fw>
# Module im_file
# File "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
# Exec if $raw_event =~ /^#/ drop();\
# {\
# csv_windows_fw->parse_csv();\
# $EventTime = parsedate($date + " " + $time);\
# $raw_event = to_json();\
# }
#</Input>
#<Output out_windows_firewall>
# Module om_tcp
# Host %SIEM%
# Port 514
# Exec $raw_event = 'BLU_WIN_FW: ' + $raw_event;
#
# Exec to_syslog_bsd();
#</Output>
#<Route route_windows_fw>
# Path blu_windows_fw => out_windows_firewall
#</Route>
###############################
# Windows Firewall Logs END #
###############################
################################
# Windows IIS Event Logs START #
################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# This is the non-Event Viewer method, only use this method if you have a reason to not use Event Viewer
# ------------
# If you want to utilize IIS Logging through the Log Files, remove all # at the beginning of lines from <Extension w3c> to </Route> after route_iis.
#
# Warning: This should be duplicated for every additional site, e.g., W3SVC2, W3SVC3
# -----------
# Task: You will need to ensure that logging is enabled per site for IIS
# Task note: If you are storing logs in a different location than default, change File below to the appropriate path.
# If you're unsure what to change it to, or, if you have more than one and are unsure
# what the final output should be, please reach out to [email protected] with your configuration details.
#
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#<Extension w3c>
# Module xm_csv
#
# Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $csReferer $sc-status, $sc-substatus, $sc-win32-status, $time-taken
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
# UndefValue -
#</Extension>
#<Input blu_iis_logs>
# Module im_file
# File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
# SavePos TRUE
#
# Exec $Hostname = hostname_fqdn();
# Exec if $raw_event =~ /^#/ drop(); \
# else \
# { \
# w3c->parse_csv(); \
# $EventTime = parsedate($date + " " + $time); \
# $raw_event = to_json(); \
# }
#</Input>
#<Output blu_out_iis>
# Module om_udp
# Host %SIEM%
# Port 514
# Exec $raw_event = 'BLU_IIS: ' + $raw_event;
#
# Exec to_syslog_bsd();
#</Output>
#<Route route_iis>
# Path blu_iis_logs => blu_out_iis
#</Route>
################################
# Windows IIS Event Logs END #
################################