I need help sending IIS events to graylog with NXLog

Hi, I’m having trouble sending the IIS logs to the Graylog server.
I have been able to send the Windows logs correctly, but the IIS logs seem not to come out of the server.
I am attaching the nxlog.conf file and an excerpt from nxlog.log to see if they can help me.

nxlog.conf:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# The block tags were swallowed when the post was rendered and are restored here; block
# names nothing else references (gelf, charconv, json, fileop, the two routes) are conventional
<Extension gelf>
    Module  xm_gelf
</Extension>
<Extension charconv>
    Module              xm_charconv
    AutodetectCharsets  iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension json>
    Module  xm_json
</Extension>
<Extension fileop>
    Module  xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Parser for the IIS W3C lines; the 15 fields must match the #Fields: header of u_ex*.log in order
<Extension w3c_parser>
    Module          xm_csv
    Fields          $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs(User-Agent), $cs(Referer), $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes      string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # The <QueryList> XML of this directive did not survive posting; only its line continuations remained
    Query   \ \ \ \ \ \
</Input>

<Input iis_w3c>
    Module  im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*.log"
    SavePos TRUE
    # Skip the #Software/#Version/#Date/#Fields directive lines, parse everything else
    Exec    if $raw_event =~ /^#/ drop(); \
            else \
            { \
                w3c_parser->parse_csv(); \
                $EventTime = parsedate($date + " " + $time); \
                $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
                $SourceName = "IIS"; \
                $Message = to_json(); \
            }
</Input>

<Output udp>
    Module      om_udp
    Host        172.16.20.12
    Port        5146
    OutputType  GELF_UDP
    Exec        log_info("sending data: " + $raw_event);
</Output>

<Route eventlog_route>
    Path    eventlog => udp
</Route>
<Route iis_route>
    Path    iis_w3c => udp
</Route>

nxlog.log:
2021-08-03 16:05:53 INFO nxlog-ce-2.10.2150 started
2021-08-03 16:17:21 WARNING stopping nxlog service
2021-08-03 16:17:21 WARNING nxlog-ce received a termination request signal, exiting…
2021-08-03 16:17:22 INFO nxlog-ce-2.10.2150 started
2021-08-03 16:44:55 WARNING stopping nxlog service
2021-08-03 16:44:55 WARNING nxlog-ce received a termination request signal, exiting…
2021-08-03 16:44:56 INFO nxlog-ce-2.10.2150 started
2021-08-03 16:50:52 WARNING stopping nxlog service
2021-08-03 16:50:52 WARNING nxlog-ce received a termination request signal, exiting…
2021-08-03 16:50:54 INFO nxlog-ce-2.10.2150 started
2021-08-03 16:50:55 INFO sending data: 2021-08-03 16:50:53 SD-EXTREME-BUE01.fournet.srl INFO 7036 The nxlog service entered the stopped state.
2021-08-03 16:50:55 INFO sending data: 2021-08-03 16:50:54 SD-EXTREME-BUE01.fournet.srl INFO 7036 The nxlog service entered the running state.
2021-08-03 16:52:15 INFO sending data: 2021-08-03 16:52:14 SD-EXTREME-BUE01.fournet.srl INFO 7036 The OSSEC HIDS service entered the stopped state.
2021-08-03 16:52:16 INFO sending data: 2021-08-03 16:52:15 SD-EXTREME-BUE01.fournet.srl INFO 7036 The OSSEC HIDS service entered the running state.
2021-08-03 16:53:10 INFO sending data: 2021-08-03 16:53:08 SD-EXTREME-BUE01.fournet.srl INFO 7036 The W3C Logging Service service entered the running state.
2021-08-03 16:53:14 INFO sending data: 2021-08-03 16:53:12 SD-EXTREME-BUE01.fournet.srl INFO 6200 NT AUTHORITY\SYSTEM date 2021-08-03 time 19:53:09 s-sitename W3SVC2 s-computername SD-EXTREME-BUE01 s-ip 10.0.30.10 cs-method GET cs-uri-stem / cs-uri-query - s-port 8080 cs-username - c-ip 10.34.93.2 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36 cs(Cookie) - cs(Referer) - cs-host - sc-status 304 sc-substatus 0 sc-win32-status 64 sc-bytes 0 cs-bytes 545 time-taken 1312
2021-08-03 16:53:14 INFO sending data: 2021-08-03 16:53:12 SD-EXTREME-BUE01.fournet.srl INFO 6200 NT AUTHORITY\SYSTEM date 2021-08-03 time 19:53:09 s-sitename W3SVC2 s-computername SD-EXTREME-BUE01 s-ip 10.0.30.10 cs-method GET cs-uri-stem / cs-uri-query - s-port 8080 cs-username - c-ip 10.34.93.2 cs-version - cs(User-Agent) Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36 cs(Cookie) - cs(Referer) - cs-host - sc-status 200 sc-substatus 0 sc-win32-status 0 sc-bytes 903 cs-bytes 460 time-taken 609
2021-08-03 16:53:38 INFO sending data: 2021-08-03 19:53:09 10.0.30.10 GET / - 8080 - 10.34.93.2 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36 - 304 0 64 1312
2021-08-03 16:53:38 INFO sending data: 2021-08-03 19:53:09 10.0.30.10 GET / - 8080 - 10.34.93.2 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/92.0.4515.107+Safari/537.36 - 200 0 0 609
2021-08-03 16:58:59 INFO sending data: 2021-08-03 16:58:57 SD-EXTREME-BUE01.fournet.srl INFO 7036 The Sync Host_449c6b0 service entered the stopped state.
2021-08-03 16:59:00 INFO sending data: 2021-08-03 16:58:59 SD-EXTREME-BUE01.fournet.srl INFO 7036 The Sync Host_449c6b0 service entered the running state.
2021-08-03 17:04:39 INFO sending data: 2021-08-03 17:04:38 SD-EXTREME-BUE01.fournet.srl INFO 7036 The Software Protection service entered the running state.
2021-08-03 17:05:10 INFO sending data: 2021-08-03 17:05:08 SD-EXTREME-BUE01.fournet.srl INFO 7036 The Software Protection service entered the stopped state.
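An added example, not from the original post or from NXLog: a short Python script that does offline what the iis_w3c input above does (drops the `#` directive lines, names the 15 W3C columns, builds the GELF message) and makes one check explicit that the log excerpt invites: IIS writes W3C timestamps in UTC (19:53:09 in the request line versus 16:53 on the host), so if they are parsed as local time the message is stamped hours in the future, where a Graylog relative-time search will not show it. The sample log, the host name and the sanitising of field names are constructed here and are assumptions, not NXLog behaviour.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the u_ex*.log excerpt quoted above:
# the #Fields: header IIS writes, followed by one request line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-03 19:53:09 10.0.30.10 GET / - 8080 - 10.34.93.2 Mozilla/5.0+(Windows+NT+10.0) - 304 0 64 1312
"""

# Same columns the nxlog.conf FieldTypes list marks as integer.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # directive or blank line; the nxlog.conf drop()s these too
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # column count mismatch: skip rather than mis-assign fields
        rec = {}
        for name, value in zip(fields, values):
            rec[name] = int(value) if name in INTEGER_FIELDS and value != "-" else value
        yield rec


def to_gelf(rec, host):
    """Build the GELF 1.1 message (as a dict) for one parsed record."""
    # IIS writes the date/time columns in UTC, so parse them as UTC. A parser
    # that treats them as local time puts the event 3h into the future on a
    # UTC-3 host such as the one in the nxlog.log excerpt.
    ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": json.dumps(rec),  # what $Message = to_json() produces
        "timestamp": ts.timestamp(),
    }
    for name, value in rec.items():
        # GELF additional fields are underscore-prefixed and their names must
        # match ^[\w\.\-]*$, so cs(User-Agent) is stored as _cs_User-Agent_
        msg["_" + re.sub(r"[^\w.-]", "_", name)] = value
    return msg
```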

Hello && Welcome

I had trouble with specific logs (i.e. New Device Domain Join) from Windows and sending them to Graylog.
What I did to correct the situation was:

Step 1: Group Policy management console → Domain policy → Computer configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy/Advanced audit policy configuration. 
Step 2: Select the events you want to audit. 
Step 3: Now to view the AD event logs for these, go to Administrative tools → Event Viewer.
Step 4: Select the type of AD audit logs that you wish to view (ex: Application, System, etc.).

If you’re already receiving logs from the Windows device and it’s not sending IIS logs, these are the things to check:

  1. Check your Group Policy Management Console.
  2. Does your Windows device have IIS logging enabled?
  3. Does your environment have any GPOs preventing NXLog from retrieving those logs?
  4. Does NXLog have permission to acquire the IIS logs?

If the above suggestions do not work, then maybe reconfigure your NXLog conf file to something like this:

<Input in>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
            <Select Path="ForwardedEvents">*</Select>\
            <Select Path="some_query_IIS_Logs">*</Select>\
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
        </Query>\
    </QueryList>
</Input>

If you could re-format your post that would be great; you can find more information about that here:

Format topics with Markdown

Hope that helps
