GRAYLOG NXLOG not receiving logs

1. Describe your incident:
I have set up nxlog to send messages to Graylog, but I am not receiving any messages in Graylog.

2. Describe your environment:

  • OS Information:
    graylog on linux
    nxlog on windows 2019

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Why do I always receive the message “WARNING nxlog-ce received a termination request signal, exiting…” and I don’t receive any message using GELF UDP in Graylog input, unless I use Raw/Plaintext UDP?

Panic Soft
#NoFreeOnExit TRUE
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
define IISLOG "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log"

<Extension _gelf>
    Module      xm_gelf
</Extension>
<Extension _json>
    Module      xm_json
</Extension>
<Extension fileop>
    Module      xm_fileop
</Extension>

<Extension w3c>
    Module          xm_csv
    Fields          $date, $time, $s_ip
    FieldTypes      string, string, string
    Delimiter       ' '
    QuoteChar       '"'
    EscapeControl   FALSE
    UndefValue      -
</Extension>

<Input iis>
    Module   im_file
    File     "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log"
    SavePos  TRUE
    # Drop the W3C directive lines (#Software, #Fields, ...), parse the rest as CSV;
    # the trailing "Z" makes parsedate() treat the IIS timestamp as UTC
    Exec if $raw_event =~ /^#/ drop();\
         else\
         {\
             w3c->parse_csv();\
             $EventTime = parsedate($date + " " + $time + "Z");\
             $SourceName = "IIS";\
             $raw_event = to_json();\
         }
</Input>

<Output graylog>
    Module      om_udp
    Host        192.168.3.250
    Port        13221
    OutputType  GELF
    Exec        $Hostname = hostname_fqdn();
    Exec        $raw_event = $Hostname + ' IIS-NXLOG ' + $raw_event;
    # Use the following line for debugging (uncomment the fileop extension above as well)
    # Exec file_write("C:\\Program Files\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route iis-to-graylog>
    Path    iis => graylog
</Route>

Hey @neil0314

By using tcpdump do you see any logs arriving to Graylog Server?

Was this working before?
I have something similar.

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules                              #
########################################
<Extension _syslog>
    Module      xm_syslog
</Extension>
<Extension json>
    Module      xm_json
</Extension>
<Extension _gelf>
    Module      xm_gelf
</Extension>


<Input this_is_not_the_droid_your_looking_for>
    Module          im_file
    File            "/var/log/test.log"
    SavePos         TRUE
    ReadFromLast    TRUE
    PollInterval    1
</Input>

<Output fileout1>
    Module      om_udp
    Host        8.8.8.8
    Port        12201
    OutputType  GELF
    Exec    $ShortMessage = $raw_event;
    #Exec     to_syslog_snare();
</Output>


########################################
# Routes                               #
########################################
<Route 1>
    Path        this_is_not_the_droid_your_looking_for => fileout1
</Route>

I haven’t used tcpdump before, can I use Wireshark instead? I followed this method and saw the result from Wireshark as shown in the image. It looks like it was sent, right?

Hey,

Source 192.168.1.47 → 8.8.8.8 (AKA Google's DNS server).

TCPDUMP

sudo tcpdump -i eth0 host <some_host_ipaddress>

I guess the first thing would be to identify if logs are even being sent. Looking over your nxlog config file, I'm not sure if those settings are correct; by chance, did that nxlog configuration work before?

Did you copy and paste my configuration? If so, I used Google's DNS server as an example :laughing: You would need to put your Graylog Server address.
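To go one step past the tcpdump check above and see whether what arrives is something a GELF UDP input can actually parse, here is an added example (not code from this thread, from NXLog or from Graylog). It builds a GELF 1.1 UDP payload the way a GELF input expects it, and classifies a captured datagram: valid GELF, chunked GELF, plaintext that only a Raw/Plaintext input would accept, or JSON missing the required fields. The hostnames and message texts are constructed.

```python
import gzip
import json
import zlib

# Magic bytes from the GELF spec for UDP payloads (Graylog checks the same ones).
GELF_CHUNK_MAGIC = b"\x1e\x0f"
ZLIB_MAGIC = b"\x78"
GZIP_MAGIC = b"\x1f\x8b"
REQUIRED_FIELDS = ("version", "host", "short_message")


def build_gelf_datagram(host, short_message, extra=None, compress=False):
    """Build one GELF 1.1 UDP payload as a Graylog GELF input expects it.

    Additional fields must be prefixed with '_' (a GELF rule), which is how
    NXLog's GELF output carries the event's other fields, e.g. $SourceName.
    """
    msg = {"version": "1.1", "host": host, "short_message": short_message}
    for key, value in (extra or {}).items():
        msg["_" + key.lstrip("_")] = value
    raw = json.dumps(msg).encode("utf-8")
    return zlib.compress(raw) if compress else raw


def decode_gelf_datagram(payload):
    """Classify one UDP payload captured with tcpdump/Wireshark.

    Returns (status, message): 'ok', 'chunked', 'not-json' or 'missing:<fields>'.
    Anything other than 'ok' or 'chunked' explains why a GELF UDP input shows
    nothing while a Raw/Plaintext UDP input accepts the very same datagram.
    """
    if payload.startswith(GELF_CHUNK_MAGIC):
        # Chunk header: 2 magic + 8 message id + 1 seq number + 1 seq count.
        return "chunked", {"seq": payload[10], "count": payload[11]}
    try:
        if payload.startswith(GZIP_MAGIC):
            body = gzip.decompress(payload)
        elif payload.startswith(ZLIB_MAGIC):
            body = zlib.decompress(payload)
        else:
            body = payload
        msg = json.loads(body.decode("utf-8"))
    except (OSError, EOFError, zlib.error, ValueError):
        # A plain line such as "host IIS-NXLOG 2024-..." lands here.
        return "not-json", None
    if not isinstance(msg, dict):
        return "not-json", None
    missing = [f for f in REQUIRED_FIELDS if f not in msg]
    if missing:
        return "missing:" + ",".join(missing), msg
    return "ok", msg
```

Feed it the UDP payload bytes exported from Wireshark (Follow UDP Stream, or the packet's data field) for the Graylog input port.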

After starting nxlog, I entered some test data into test.log. As I am in a Windows environment, I don’t have tcpdump, but I used Wireshark and did not see any messages with 192.168.1.100 or UDP 13333 appear.

<Extension _syslog>
    Module      xm_syslog
</Extension>
<Extension json>
    Module      xm_json
</Extension>
<Extension _gelf>
    Module      xm_gelf
</Extension>


<Input this_is_not_the_droid_your_looking_for>
    Module          im_file
    File            "C:\\Program Files\\nxlog\\data\\test.log"
    SavePos         TRUE
    ReadFromLast    TRUE
    PollInterval    1
</Input>

<Output fileout1>
    Module      om_udp
    Host        192.168.1.100
    Port        13333
    OutputType  GELF
    Exec    $ShortMessage = $raw_event;
    #Exec     to_syslog_snare();
</Output>

<Route 1>
    Path        this_is_not_the_droid_your_looking_for => fileout1
</Route>

Hello @neil0314

Because this section is incorrect

You need this section for Windows.

<Input in>
    Module      im_msvistalog
</Input>

So the completed config should look like this.

<Extension _syslog>
    Module      xm_syslog
</Extension>
<Extension json>
    Module      xm_json
</Extension>
<Extension _gelf>
    Module      xm_gelf
</Extension>


<Input event_logs>
    Module      im_msvistalog
</Input>

<Output fileout1>
    Module      om_udp
    Host        192.168.1.100
    Port        13333
    OutputType  GELF
    Exec        $ShortMessage = $raw_event;
    #Exec     to_syslog_snare();
</Output>

<Route 1>
    Path        event_logs => fileout1
</Route>

EDIT: Make sure you have the correct IP address for your Graylog server. Double-check your configurations.

Hello gsmith,

Thank you for your assistance. Following your instructions, I was able to see the data output in Wireshark and also saw the data in the Graylog input.

Can you please explain what happened with the part where I wanted to get the IIS LOG output to Graylog?


Hey @neil0314

I'm glad it started working for you.

For IIS logs you will need a couple of settings configured.

<Extension w3c_parser>
    Module      xm_w3c
</Extension>

and either a new input or an added input, it's up to you.

<Input iis_w3c>
    Module      im_file
    File        'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log'
    InputType   w3c_parser
</Input>

This is just an example; you need to find your own full path for your IIS logs.

IIS can write logs in the W3C format. W3C is the recommended format for use with NXLog.

Here is the documentation for this.
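To show why the W3C route is the right one for IIS (the #Fields directive in the log itself names the columns, so a fixed three-field CSV definition as in the original config cannot keep up), here is an added example that is not code from this thread or from NXLog's xm_w3c module: a header-driven W3C parser over a constructed u_ex*.log sample, followed by the GELF shape such a record takes. Field names, hostname and log lines are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of an IIS W3C log (u_ex*.log); '#' lines are directives,
# and the '#Fields:' directive names the columns of every line that follows.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-05-01 00:00:01 192.168.3.10 GET /index.html - 80 192.168.1.47 200
2024-05-01 00:00:02 192.168.3.10 GET /login.aspx user=admin 80 192.168.1.47 401
"""


def parse_w3c(text):
    """Yield one dict per data line, with field names taken from #Fields.

    Hyphens become underscores so names match NXLog variable syntax ($s_ip);
    '-' (the W3C "no value" marker) becomes None.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.replace("-", "_") for f in line[len("#Fields:"):].split()]
            continue  # other directives carry no event data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        # IIS writes W3C timestamps in UTC, hence the explicit tzinfo.
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["EventTime"] = stamp.replace(tzinfo=timezone.utc)
        yield rec


def to_gelf(rec, host):
    """Shape a parsed record like a GELF message: a short_message plus every
    parsed field as an underscore-prefixed additional field."""
    msg = {"version": "1.1", "host": host,
           "short_message": f"{rec['cs_method']} {rec['cs_uri_stem']} {rec['sc_status']}",
           "timestamp": rec["EventTime"].timestamp()}
    msg.update({"_" + k: v for k, v in rec.items() if k != "EventTime"})
    return msg
```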
