# # NXLog configuration for converting and sending Windows logs to AlienVault # USM Appliance. Both Community and Enterprise Editions of NXLog are supported. # # Version: 0.1.0 # Last modification: 2019-07-03 # # # Core features: # - only forward specific Windows event IDs # - only forward logs collected via WinRM # - protect against event storms # - transform messages to a "common" CSV format for AV # # 20140711 - tested for windows 2008r2 # 20140714 - tested for windows 2012r2 # # # Configuration available: # - NXLOG # - ClAMWIN-NXLOG # - DHCP-NXLOG # - DNS-NXLOG # - EXCHANGE-NXLOG # - FTP-NXLOG # - IIS-NXLOG # - IIS-SMTP-NXLOG # - MSSQL-NXLOG # - NETWRIX-NXLOG # - NPS-NXLOG # - OBSERVEIT-NXLOG # - ORACLE-NXLOG # - SCOM-NXLOG # - SECUREAUTH-NXLOG # - SOPHOSEC-NXLOG # - SYSMON-NXLOG # - WINDOWS-FW-NXLOG # - WINGFTP-NXLOG # # # Common values: # # Uncomment the proper path depending on whether your NXLog is the 32-bit or 64-bit version #define ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog define LOGFILE %ROOT%\data\nxlog.log define OUTPUT_DESTINATION_ADDRESS define OUTPUT_DESTINATION_PORT 514 Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log ############################################################################################## #### NXLOG ##### #### Uncomment the following lines for Windows Security and Application log forwarding ##### ############################################################################################## ## ## Extensions: ## ## Support character conversions: ## ## Module xm_charconv ## ## ## Inputs: ## ## This nxlog servers heartbeat: ## MarkInterval defines the interval in minutes of the heartbeat-messages. ## Mark defines the text which is sent. # # Module im_mark # MarkInterval 10 # Mark The nxlog service is alive. 
# Exec $EventType = 'Application'; $Channel = 'nxlog-ce'; $EventID = 8347; # ## Eventstorm warning message: ## The module im_internal forwards internal log messages. # # Module im_internal # Exec if not ($Message == "Eventstorm detected.") drop(); # Exec $EventType = 'Application'; $Channel = 'nxlog-ce'; $EventID = 8103; # ## Windows event log: # # Module im_msvistalog # SavePos FALSE # ReadFromLast TRUE # # # Limit the log forwarding to collected events: # #Query \ # # \ # # \ # # \ # # # # # Another example for limiting events: # #Query \ # # \ # # \ # # \ # # \ # # \ # # \ # # # ## ## Transformation: ## ## Custom CSV format for nxlog and sysmon-nxlog plugin. # # Module xm_csv # Fields $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $AccountName, $AccountType, $Domain, $Message, $Task, $Category, $Keywords, $UserID, $SeverityValue, $ProviderGuid, $Version, $OpcodeValue, $Opcode, $ActivityID, $RelatedActivityID, $ProcessID, $ThreadID, $RecordNumber # FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string # Delimiter ; # ## ## Filters: ## ## Match events by Windows event ID. ## This sets $PatternID in case it matches. # # Module pm_pattern # PatternFile %ROOT%\conf\patterndb.xml # ## ## Outputs: ## ## Process and forward Windows logs: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $EventTime = integer($EventTime) / 1000000; # # If the EventID doesn't exist in 'patterndb.xml' it gets dropped: # Exec if not defined $PatternID or not defined $Message { drop(); } # #Exec if not defined $Message { drop(); } # # Eventstorm handling: # # While nxlog processes more than 200 events per second (EPS) it drops all windows logs. # # If the rate in the next second is lower than 200 EPS it stops dropping. 
# # If a new eventstorm is detected it sends a warning and if the storm lasts longer than a minute it sends a warning every minute # # # # Variables: # # rate: this variable is used to count the events and gets reset every second # # stormed: this variable is '1' if there was an eventstorm a second before else '0' # # sec: this variable has a lifetime of one second and is used to calculate the rate (EPS) # # warning: this variable has a lifetime of 60 seconds and is used to limit the eventstorm-warnings to one per minute # Exec \ # {\ # if not defined get_var('rate') { create_var('rate'); set_var('rate',1); }\ # if not defined get_var('stormed'){ create_var('stormed',2); set_var('stormed',0); set_var('rate',1); }\ # set_var('rate',get_var('rate')+1);\ # if not defined get_var('sec')\ # {\ # create_var('sec',1);\ # set_var('sec',1);\ # if get_var('rate') >= 200 { delete_var('stormed'); create_var('stormed',2); set_var('stormed',1); set_var('rate',1); drop(); } else { set_var('stormed',0); set_var('rate',1); }\ # }\ # else if get_var('stormed') == 1\ # {\ # drop();\ # }\ # if get_var('rate') >= 200\ # {\ # if not defined get_var('warning')\ # {\ # log_warning("Eventstorm detected.");\ # create_var('warning',60);\ # set_var('warning',1);\ # }\ # drop();\ # }\ # } # # Replace newlines, tabs and carriage returns with blanks: # Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); # # Ensure that commonly undefined values are set: # Exec if not defined $AccountName { $AccountName = "-"; } # Exec if not defined $AccountType { $AccountType = "-"; } # Exec if not defined $Domain { $Domain = "-"; } # # Ensure we send in the proper format: # Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' WIN-NXLOG ' + $raw_event + ' Task: ' + $Task + ' Category: '+ $Category + ' Keywords: ' + $Keywords + ' UserID: ' + $UserID + ' Severity: ' + $SeverityValue + ' ProviderGuid: ' + $ProviderGuid + ' 
Version: ' + $Version + ' OpcodeValue: ' + $OpcodeValue + ' Opcode: ' + $Opcode + ' ActivityID: ' + $ActivityID + ' RelatedActivityID: ' + $RelatedActivityID + ' ProcessID: ' + $ProcessID + ' ThreadID: ' + $ThreadID + ' RecordNumber: ' + $RecordNumber; # ## Output internal nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec if not defined $Message { drop(); } # # Replace newlines, tabs and carriage returns with blanks: # Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); # # Ensure that commonly undefined values are set: # Exec if not defined $AccountName { $AccountName = "-"; } # Exec if not defined $AccountType { $AccountType = "-"; } # Exec if not defined $Domain { $Domain = "-"; } # # Ensure we send in the proper format: # Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' WIN-NXLOG ' + $raw_event + ' Task: ' + $Task + ' Category: '+ $Category + ' Keywords: ' + $Keywords + ' UserID: ' + $UserID + ' Severity: ' + $SeverityValue + ' ProviderGuid: ' + $ProviderGuid + ' Version: ' + $Version + ' OpcodeValue: ' + $OpcodeValue + ' Opcode: ' + $Opcode + ' ActivityID: ' + $ActivityID + ' RelatedActivityID: ' + $RelatedActivityID + ' ProcessID: ' + $ProcessID + ' ThreadID: ' + $ThreadID + ' RecordNumber: ' + $RecordNumber; # ## ## Routes: ## ## Route for Windows logs: # # Path in_windows_events => match_events => out_alienvault_csv # #Path in_windows_events => out_alienvault_csv # ## Route for internal nxlog messages (eventstorm, heartbeat): # # Path in_nxlog_internal, in_nxlog_heartbeat => out_alienvault_nxlog_csv # ####################################################################### #### /NXLOG ##### ####################################################################### ####################################################################### #### CLAMWIN-NXLOG ##### #### Uncomment the following lines for CLAMWIN log 
forwarding ##### ####################################################################### # # Module im_file # # REPLACE THE PATH IN THE FOLLOWING INPUT TO THE STORING PATH OF YOUR CLAMWIN LOGS: # File "C:\\ProgramData\\.clamwin\\log\\ClamScanLog.txt" # InputType LineBased # SavePos FALSE # Exec $Message = $raw_event; # # Replace white spaces # Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); # ## Output internal CLAMWIN nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $raw_event =$Hostname + ' CLAM-NXLOG ' + $raw_event; # ## Route for CLAMWIN nxlog logs: # # Path CLAMWIN_Logs => out_alienvault_CLAMWIN_nxlog # ####################################################################### #### /CLAMWIN-NXLOG ##### ####################################################################### ###################################################################################################################### #### DHCP-NXLOG / DNS-NXLOG / FTP-NXLOG / IIS-NXLOG / IIS-SMTP-NXLOG / WINDOWS-FW-NXLOG ##### #### Uncomment the following lines for DNS, DHCP, FTP, IIS, IIS-SMTP, and/or Windows Firewall log forwarding ##### ###################################################################################################################### # # Module xm_json # ####################################################################### #### DHCP-NXLOG ##### #### Uncomment the following lines for DHCP log forwarding ##### ####################################################################### # # # Module xm_csv # Fields $EventReceivedTime, $Message # FieldTypes string, string # Delimiter ; # # ## DHCP logs assumed they are located in default location ## Use "sysnative" for DHCP Log location for 32-bit applications to access the SYSTEM32 directory on a 64 Bit System ## Use "system32" for DHCP Log location on 32 Bit systems 
# # Module im_file # File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log" # SavePos TRUE # InputType LineBased # Exec if $raw_event =~ /^[0-3][0-9],/\ # {\ # $Message = $raw_event;\ # if $Message =~ s/^00/1000/;\ # $raw_event = to_json();\ # }\ # else\ # drop(); # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec transform_alienvault_dhcp_csv->to_csv(); $raw_event = $Hostname + ' DHCP-NXLOG: ' + $raw_event; # # # Path DHCP_IN => DHCP_OUT # ####################################################################### #### /DHCP-NXLOG ##### ####################################################################### ####################################################################### #### DNS-NXLOG ##### #### Uncomment the following lines for DNS log forwarding ##### ####################################################################### ## Custom CSV format for the windns-nxlog AlienVault plugin. # # Module xm_csv # Fields $Hostname, $SourceName, $Message # FieldTypes string, string, string # Delimiter , # # # Module im_file # File "C:\\Windows\\Sysnative\\dns\\dns.log" # SavePos TRUE # InputType LineBased # Exec if ($raw_event =~ /^#/) OR ($raw_event == '') drop();\ # else\ # {\ # $Message = $raw_event;\ # $SourceName = "DNS";\ # $raw_event = to_json();\ # } # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec if not defined $Message { drop(); } ## Replace newlines, tabs and carriage returns with blanks: # Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); ## Ensure that commonly undefined values are set: # Exec if not defined $AccountName { $AccountName = "-"; } # Exec if not defined $AccountType { $AccountType = "-"; } # Exec if not defined $Domain { $Domain = "-"; } ## Ensure we send in the proper format: # Exec $Hostname = hostname_fqdn(); # Exec 
transform_alienvault_csv_dns->to_csv(); $raw_event = $Hostname + ' DNS-NXLOG: ' + $raw_event; # ## Route for dns nxlog logs: # # Path DNS_Logs => out_alienvault_dns_nxlog # ####################################################################### #### /DNS-NXLOG ##### ####################################################################### ####################################################################### #### EXCHANGE-NXLOG ##### #### Uncomment the following lines for Exchange log forwarding ##### ####################################################################### # # Module xm_syslog # # # Module im_file # # Modify the file path as needed # File "C:\\Program Files\\Microsoft\\Exchange Server\\V14\\TransportRoles\\Logs\\MessageTracking\\MSGTRK????????*-*.LOG" # SavePos TRUE # Exec if $raw_event =~ /HealthMailbox/ drop(); # Exec if $raw_event =~ /^#/ drop(); # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $SyslogFacility = 2; # Exec $SourceName = 'EXCHANGE-NXLOG'; # Exec to_syslog_bsd(); # # # Path EXCHANGE_IN => EXCHANGE_OUT # ####################################################################### #### /EXCHANGE-NXLOG ##### ####################################################################### ####################################################################### #### FTP-NXLOG ##### #### Uncomment the following lines for FTP log forwarding ##### ####################################################################### ## # Module xm_csv # Fields date, time, cs-username, s-ip, s-port, cs-method, cs-uri-stem, sc-status, sc-win32-status, sc-substatus, x-session, x-fullpath # FieldTypes string, string, string, string, string, string, string, string, string, string, string, string # Delimiter ' ' # ## Windows FTP events log: # # Module im_file # File "C:\\inetpub\\logs\\LogFiles\\FTPSVC\\u_ex*" # SavePos TRUE # # Exec if $raw_event =~/^#/ drop();\ # else\ # {\ # 
w3c_ftp->parse_csv();\ # $EventTime = parsedate($date + " " + $time);\ # $SourceName = "WINFTP";\ # $raw_event = to_json();\ # } # ## Output internal ftp nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $raw_event =$Hostname + ' WINFTP-NXLOG ' + $raw_event; # ## Route for ftp nxlog logs: # # Path FTP_Logs => out_alienvault_ftp_nxlog # ####################################################################### #### /FTP-NXLOG ##### ####################################################################### ####################################################################### #### IIS-NXLOG ##### #### Uncomment the following lines for IIS log forwarding ##### ####################################################################### # # Module xm_csv # Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken # FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string # Delimiter ' ' # ## Windows IIS events log: # # Module im_file # File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*" # SavePos TRUE # Exec if $raw_event =~/^#/ drop();\ # else\ # {\ # w3c->parse_csv();\ # $EventTime = parsedate($date + " " + $time);\ # $SourceName = "IIS";\ # $raw_event = to_json();\ # } # ## Output internal iis nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event; # ## Route for iis nxlog logs: # # Path IIS_Logs => out_alienvault_iis_nxlog # ####################################################################### #### /IIS-NXLOG ##### ####################################################################### 
####################################################################### #### IIS-SMTP-NXLOG ##### #### Uncomment the following lines for IIS SMTP log forwarding ##### ####################################################################### # # Module xm_csv # Fields $date, $time, $c-ip, $cs-username, $s-sitename, $s-computername, $s-ip, $s-port, $cs-method, $cs-uri-stem, $cs-uri-query, $sc-status, $sc-win32-status, $sc-bytes, $cs-bytes, $time-taken, $cs-version, $cs-host, $cs(User-Agent), $cs(Cookie), $cs(Referer) # FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string # Delimiter ' ' # ## Windows IIS SMTP events log: # # Module im_file # File "C:\\Windows\\System32\\LogFiles\\SmtpSvc1\\ex*" # SavePos TRUE # Exec if $raw_event =~/^#/ drop();\ # else\ # {\ # w3c_smtp->parse_csv();\ # $EventTime = parsedate($date + " " + $time);\ # $SourceName = "IIS_SMTP";\ # $raw_event = to_json();\ # } # ## Output internal iis nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event; # ## Route for iis nxlog logs: # # Path IIS_SMTP_Logs => out_alienvault_iis_smtp_nxlog # ####################################################################### #### /IIS-SMTP-NXLOG ##### ####################################################################### ####################################################################### #### MSSQL-NXLOG ##### #### Uncomment the following lines for MSSQL log forwarding ##### ####################################################################### #### NOTE: You must enable SQL Server Audit and send results to the Windows application log # # Module im_msvistalog # SavePos FALSE # ReadFromLast TRUE # # Query \ # \ # \ # \ # # Exec $Message = $raw_event; # # # Finding some values: # Exec if $raw_event =~ 
/action_id:(\S+)/ $Action_ID = $1; # Exec if $raw_event =~ /database_name:(\S+)/ $DataBase = $1; # Exec if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1; # Exec if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1; # Exec if $raw_event =~ /AUDIT_SUCCESS/\ # {\ # $Result = 'Success';\ # }\ # else\ # $Result = 'Failure'; # # Replace white spaces # Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # # # Ensure we send in the proper format: # Exec $Hostname = hostname_fqdn(); # Exec mssql_csv->to_csv(); $raw_event = $Hostname + ' MSSQL-NXLOG: ' + $raw_event; # # # Module xm_csv # Fields $Hostname, $SourceName, $Action_ID, $Result, $DataBase, $SV_Instace, $User, $Message # FieldTypes string, string, string, string, string, string, string, string # Delimiter ; # # # Path in_mssql => out_mssql # ####################################################################### #### /MSSQL-NXLOG ##### ####################################################################### ############################################################################ #### NETWRIX-NXLOG ##### #### Uncomment the following lines for NETWRIX log forwarding ##### ############################################################################ # # Module xm_csv # Fields $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $Task, $Keywords, $Message # FieldTypes string, string, string, string, string, string, string, string, string, string # Delimiter ; # ## Netwrix events log # # Module im_msvistalog # SavePos FALSE # ReadFromLast TRUE # Query \ # \ # \ # \ # # ## Output internal Netwrix nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% ##Replace newlines with ">>" # Exec $Message = replace($Message, "\n", ">>"); # # Exec $Hostname = 
hostname_fqdn(); # Exec transform_alienvault_csv_netwrix->to_csv(); $raw_event = $Hostname + ' NETWRIX-NXLOG: ' + $raw_event; # ## Route for Netwrix nxlog logs: # # Path NETWRIX_Logs => out_alienvault_netwrix_nxlog # ####################################################################### #### /NETWRIX-NXLOG ##### ####################################################################### ####################################################################### #### NPS-NXLOG ##### #### Uncomment the following lines for NPS log forwarding ##### ####################################################################### # # Module xm_nps # ## Assumed NPS logs are located in default location # # Module im_file # File "C:\\Windows\\System32\\LogFiles\\IN*" # # Exec if $raw_event =~ /([^,]*,){20}("[^"]*")?([^,]*,){5}(\d+)/ $SID = $4; # Exec if $SID =~ /0/ $SID = 1000; # Exec parse_nps(); # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec to_json(); # Exec $raw_event = $Hostname + ' NPS-NXLOG: ' + 'SID: ' + $SID + ' ' +$raw_event; # # # Path NPS_IN => NPS_OUT # ####################################################################### #### /NPS-NXLOG ##### ####################################################################### ####################################################################### #### OBSERVEIT-NXLOG ##### #### Uncomment the following lines for ObserveIT log forwarding ##### ####################################################################### # # Module im_file # File "C:\\Program Files (x86)\\ObserveIT\\NotificationService\\LogFiles\\ArcSight\\Observeit_activity_log.cef" # SavePos TRUE # InputType LineBased # Exec if $raw_event =~ /(CEF:.*)/ $Message = $1; # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $raw_event = $Hostname + ' OBSERVEIT-NXLOG: ' + $raw_event; # # # Path ObserveITin => ObserveITout 
# ####################################################################### #### /OBSERVEIT-NXLOG ##### ####################################################################### ####################################################################### #### ORACLE-NXLOG ##### ####################################################################### ## Oracle events log # # Module im_msvistalog # SavePos FALSE # ReadFromLast TRUE # Query \ # \ # \ # \ # # ## Output internal Oracle nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # # # Ensure that commonly undefined values are set: # Exec if not defined $AccountName { $AccountName = "-"; } # Exec if not defined $AccountType { $AccountType = "-"; } # Exec if not defined $Domain { $Domain = "-"; } # Exec $Hostname = hostname_fqdn(); # Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' ORACLE-NXLOG: ' + $raw_event; # ## Route for Oracle nxlog logs: # # Path ORACLE_IN => ORACLE_OUT # ####################################################################### #### /ORACLE-NXLOG ##### ####################################################################### ####################################################################### #### SCOM-NXLOG ##### #### Uncomment the following lines for SCOM log forwarding ##### ####################################################################### # # Module xm_csv # Fields $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $AccountName, $AccountType, $Domain, $Message # FieldTypes string, string, string, string, string, string, string, string, string, string, string # Delimiter , # ## Windows SCOM events log: # # Module im_msvistalog # Query \ # \ # \ # \ # # # Exec if $raw_event =~ /^#/ drop();\ # else\ # {\ # $Message = $raw_event;\ # } # Exec if $raw_event =~ /User name:\s*(.*?)\s+Session/i $AccountName = $1; # Exec if $raw_event =~ /RunAs account\s*(.*?)\s+for/i $AccountName = $1; # Exec if 
$raw_event =~ /CurrentUser=(.*?)\)/i $AccountName = $1; # # ## Output internal scom nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # # Exec if not defined $Message { drop(); } # # Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); # Exec if not defined $AccountName { $AccountName = "-"; } # Exec if not defined $AccountType { $AccountType = "-"; } # Exec if not defined $Domain { $Domain = "-"; } # # Exec $Hostname = hostname_fqdn(); # Exec transform_alienvault_csv_scom->to_csv(); $raw_event = $Hostname + ' SCOM-NXLOG: ' + $raw_event; # ## Route for scom nxlog logs: # # Path SCOM_Logs => out_alienvault_scom_nxlog # ####################################################################### #### /SCOM-NXLOG ##### ####################################################################### ############################################################################## #### SECUREAUTH-NXLOG ##### #### Uncomment the following lines for SecureAuth audit log forwarding ##### ############################################################################## # # Module xm_xml # # # Module xm_syslog # ### Windows 2FA audit log: # # Module im_file # # Modify the file path as needed # File "D:\\Secureauth\\SecureAuth2\\AuditLogs\\*Audit*" # # SavePos FALSE # ReadFromLast FALSE # PollInterval 5 # Exec if $raw_event !~ /^/ drop(); # ## Parse the xml event see https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html and see if you can do the same for non-multi-line xml # Exec parse_xml();\ # Exec if $raw_event =~ /\(.+)\<\/TimeStamp\>/ $EventTime = parsedate($1);\ # Exec $SourceName = "2FA";\ # Exec $raw_event = to_syslog_bsd();\ # ## Output internal 2FA nxlog messages: # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $raw_event =$Hostname + ' 2FA-NXLOG ' + $raw_event; # ## Route 
for 2fa nxlog logs: # # Path 2FA_Logs => out_alienvault_2fa_nxlog # ############################################################################## #### /SECUREAUTH-NXLOG ##### ############################################################################## ####################################################################### #### SOPHOSEC-NXLOG ##### #### Uncomment the following lines for Sophos-EC log forwarding ##### ####################################################################### # # Module xm_kvp # KVPDelimiter ; # KVDelimiter = # # # Module xm_syslog # ##Sophosec logs are assumed to be in the default location # # Module im_file # File "C:\\Program Files (x86)\\Sophos\\Reporting Interface\\Log Files\\DefaultCommonEvents.txt" # SavePos TRUE # InputType LineBased # Exec if $raw_event =~ /^#/ drop();\ # else\ # {\ # kvp->parse_kvp();\ # $Message = $raw_event;\ # } # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec to_syslog_bsd(); # Exec $raw_event = '<13>' + $Hostname + ' SOPHOSEC-NXLOG: ' + 'InsertedAt="' +$InsertedAt + '"; ' + 'EventID="' +$EventID + '"; ' + 'EventTime="' +$EventTime + '"; ' + 'EventTypeID="' +$EventTypeID + '"; ' + 'EventType="' +$EventType + '"; ' + 'Name="' +$Name + '"; ' + 'ReportingName="' +$ReportingName + '"; ' + 'UserName="' +$UserName + '"; ' + 'ActionID="' +$ActionID + '"; ' + 'Action="' +$Action + '"; ' + 'ScanType="' +$ScanType + '"; ' + 'SubTypeID="' +$SubTypeID + '"; ' + 'SubType="' +$SubType + '"; ' + 'ComputerName="' +$ComputerName + '"; ' + 'ComputerDomain="' +$ComputerDomain + '"; ' + 'ComputerIPAddress="' + $ComputerIPAddress + '"'; # # # Path SOPHOS_IN => SOPHOS_OUT # ####################################################################### #### /SOPHOSEC-NXLOG ##### ####################################################################### ####################################################################### #### SYSMON-NXLOG ##### 
####################################################################### # # Module im_msvistalog # SavePos FALSE # ReadFromLast TRUE # # Query \ # \ # \ # \ # # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # # # Replace newlines, tabs and carriage returns with blanks: # Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); # # # Ensure that commonly undefined values are set: # Exec if not defined $AccountName { $AccountName = "-"; } # Exec if not defined $AccountType { $AccountType = "-"; } # Exec if not defined $Domain { $Domain = "-"; } # # # Ensure we send in the proper format: # Exec transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' SYSMON-NXLOG ' + $raw_event; # # # Path in_sysmon_events => out_sysmon_events # ####################################################################### #### /SYSMON-NXLOG ##### ####################################################################### ############################################################################ #### WINDOWS-FW-NXLOG ##### #### Uncomment the following lines for WINDOWS FIREWALL log forwarding ##### ############################################################################ # # Module xm_csv # Fields date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path # FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string # Delimiter ' ' # ## Windows firewall events log: # # Module im_file # File "C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log" # # Exec if $raw_event =~ /^#/ drop();\ # {\ # transform_alienvault_csv_windows_firewall->parse_csv();\ # $EventTime = parsedate($date + " " + $time);\ # $SourceName = "WINDOWS-FW";\ # $raw_event = to_json();\ # } # # ## Output internal windows firewall nxlog messages: 
# # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # Exec $Hostname = hostname_fqdn(); # Exec $raw_event = $Hostname + ' WIN-FW-NXLOG: ' + $raw_event; # ## Route for windows firewall nxlog logs: # # Path WINDOWS-FW_Logs => out_alienvault_windows_firewall_nxlog # ####################################################################### #### /WINDOWS-FW-NXLOG ##### ####################################################################### ####################################################################### #### WINGFTP-NXLOG ##### ####################################################################### #define WING_DOMAIN # # Module im_file # # Modify the file path as needed # File "C:\\Program Files (x86)\\Wing FTP Server\\Log\\Admin\\Admin-*.log" # SavePos TRUE # # # Module im_file # # Modify the file path as needed # File "C:\\Program Files (x86)\\Wing FTP Server\\Log\\System\\System-*.log" # SavePos TRUE # # # Module im_file # # Modify the file path as needed # File "C:\\Program Files (x86)\\Wing FTP Server\\Log\\Domains\\%WING_DOMAIN%\\AV-*.log" # SavePos TRUE # # # Module om_udp # Host %OUTPUT_DESTINATION_ADDRESS% # Port %OUTPUT_DESTINATION_PORT% # # Ensure we send in the proper format: # Exec $Hostname = hostname_fqdn(); # Exec $raw_event = $Hostname + ' WINGFTP-NXLOG: ' + $raw_event; # # # Path in_wingftp_admin,in_wingftp_system,in_wingftp_domain => out_wingftp # ####################################################################### #### /WINGFTP-NXLOG ##### #######################################################################