Collecting Windows Events (including Sysmon-2) with Nxlog CE & Graylog

Jym
Mar 17, 2015 · 3 min read

I am going back to open source for log management and threat detection, given the ridiculous pricing I am seeing in my day job. Paying crazy amounts for software and "Professional" Services is not a sustainable way forward. There are open-source + commercial-support business models to consider, e.g. Graylog and Elastic (btw, this is NOT a paid entry).

A number of Windows Event collection guides exist, for instance Fluentd's. Still, there is no unified approach to collecting the Application, Security, System and Sysmon Windows audit logs. The following notes show how it can be done with Nxlog Community Edition, a free and robust tool for forwarding logs from Windows.

Nxlog Configuration

Installing Nxlog CE is straightforward with the MSI installer. What matters is nxlog.conf (assuming Windows auditing is already configured):

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
Module xm_gelf
</Extension>

<Input inWindowsAudit>
Module im_msvistalog
ReadFromLast True

# Each <Select> is a channel plus an XPath filter over the event XML. Level
# predicates always go through the System element (Event/System/Level):
# 1 = Critical, 2 = Error, 3 = Warning, 4 = Informational. "*" selects everything.
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
<Select Path="System">*[System/Level=4]</Select>\
<Select Path="Application">*[System/Level=2]</Select>\
<Select Path="Setup">*[System/Level=3]</Select>\
<Select Path="Windows PowerShell">*</Select>\
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
</Query>\
</QueryList>

# For Windows 2003 and earlier use the following module instead:
# Module im_mseventlog

# Tag every event so Graylog can tell tenants and log types apart
Exec $CustomerID = 'my_customer';
Exec $LogType = 'Windows Audit';
</Input>

<Output outGraylog>
Module om_udp
Host 172.16.199.145
Port 12201
OutputType GELF
</Output>

<Route 1>
Path inWindowsAudit => outGraylog
</Route>
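Because the Query directive is one long continuation-line string, a typo in a channel name or an XPath predicate fails silently: nxlog starts, the channel simply yields nothing. The following checker is an added example, not part of the post or of NXLog; it joins the backslash continuations the way nxlog's parser does, pulls out the QueryList, and reports what each Select actually filters. The config fragment inside it is constructed and deliberately carries the common mistake of writing the channel name (Application/Level) instead of System/Level in a predicate.

```python
import re
import xml.etree.ElementTree as ET

# Children a Windows <Event> element can have; a predicate must start at one of these.
EVENT_CHILDREN = {"System", "EventData", "UserData", "RenderingInfo"}

# Standard Windows event levels, used to describe what a Level predicate selects.
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning",
               4: "Informational", 5: "Verbose"}

# Constructed nxlog.conf fragment (not the post's exact block). The Application
# line intentionally uses Application/Level, which never matches anything.
SAMPLE_CONF = """\
<Input inWindowsAudit>
Module im_msvistalog
Query <QueryList>\\
<Query Id="0">\\
<Select Path="Security">*</Select>\\
<Select Path="System">*[System/Level=4]</Select>\\
<Select Path="Application">*[Application/Level=2]</Select>\\
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\\
</Query>\\
</QueryList>
</Input>
"""


def join_continuations(conf_text: str) -> str:
    """Join lines ending in a backslash into one logical line, as nxlog does."""
    return re.sub(r"\\\r?\n", "", conf_text)


def extract_querylist(conf_text: str) -> str:
    """Return the XML value of the Query directive from a config file."""
    match = re.search(r"^\s*Query\s+(<QueryList>.*?</QueryList>)",
                      join_continuations(conf_text), re.M | re.S)
    if match is None:
        raise ValueError("no Query directive found")
    return match.group(1)


def describe_selects(querylist_xml: str) -> list:
    """One dict per <Select>: channel, xpath, what it selects, and any problems."""
    root = ET.fromstring(querylist_xml)
    rows = []
    for sel in root.iter("Select"):
        xpath = (sel.text or "").strip()
        problems = []
        # Element named right after "[" must be a real child of <Event>.
        for elem in re.findall(r"\[\s*([A-Za-z]+)\s*/", xpath):
            if elem not in EVENT_CHILDREN:
                problems.append(f"<Event> has no <{elem}> child; this predicate never matches")
        levels = [int(v) for v in re.findall(r"Level\s*=\s*(\d+)", xpath)]
        if xpath == "*":
            selects = "all events"
        elif levels:
            selects = "only " + ", ".join(LEVEL_NAMES.get(l, str(l)) for l in levels)
        else:
            selects = "filtered: " + xpath
        rows.append({"channel": sel.get("Path"), "xpath": xpath,
                     "selects": selects, "problems": problems})
    return rows


if __name__ == "__main__":
    for row in describe_selects(extract_querylist(SAMPLE_CONF)):
        print(row)
```

Run it against your own nxlog.conf by reading the file into `extract_querylist`. Note also that `Level=4` selects only Informational events, not everything at or below that severity; to keep errors and warnings as well, a predicate such as `*[System[Level<=4]]` is needed.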

Explanations

  1. The important block is the QueryList, which defines the Windows Event channels to read from.
  2. I assume the Graylog receiver (aka Input) is already defined. Note that Nxlog CE's OutputType GELF only supports UDP, not TCP. Consider the TCP syslog output transport if you are concerned about possible event loss over UDP.
  3. Reconfigure the Nxlog Windows service to "Automatic (Delayed Start)". There seem to be other Windows service dependencies, such that Nxlog always logs network errors when it does not start delayed.
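To see what the UDP transport in point 2 actually carries, and where loss shows up, it helps to decode the datagrams yourself. The receiver below is an added example, not code from the post, NXLog or Graylog. It implements the GELF UDP wire format: a datagram is either a complete payload (plain JSON, zlib or gzip) or a chunk with the 0x1e0f magic, an 8-byte message id, a sequence number and a chunk count, to be reassembled from up to 128 pieces and discarded if the set is not complete within 5 seconds. The sample event is constructed; it assumes xm_gelf's convention of emitting custom fields such as the Exec-set CustomerID with a leading underscore, as GELF requires for additional fields.

```python
import gzip
import json
import time
import zlib
from collections import defaultdict

CHUNK_MAGIC = b"\x1e\x0f"   # marks a chunked GELF datagram
CHUNK_HEADER_LEN = 12       # magic(2) + message id(8) + seq(1) + count(1)
CHUNK_MAX_AGE = 5.0         # seconds a partial message is kept (GELF spec)


def decode_payload(data: bytes) -> dict:
    """Decode one complete GELF payload: gzip, zlib or uncompressed JSON."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    elif data[:1] == b"\x78":           # zlib stream header
        data = zlib.decompress(data)
    return json.loads(data.decode("utf-8"))


class GelfReassembler:
    """Reassembles chunked GELF UDP datagrams and expires incomplete ones."""

    def __init__(self):
        self._parts = defaultdict(dict)   # message id -> {seq: bytes}
        self._first_seen = {}             # message id -> arrival time

    def feed(self, datagram: bytes, now=None):
        """Return the decoded event when this datagram completes one, else None."""
        if datagram[:2] != CHUNK_MAGIC:
            return decode_payload(datagram)
        msg_id = datagram[2:10]
        seq, count = datagram[10], datagram[11]
        self._parts[msg_id][seq] = datagram[CHUNK_HEADER_LEN:]
        self._first_seen.setdefault(msg_id, time.monotonic() if now is None else now)
        if len(self._parts[msg_id]) < count:
            return None                   # still waiting for sibling chunks
        parts = self._parts.pop(msg_id)
        self._first_seen.pop(msg_id)
        return decode_payload(b"".join(parts[i] for i in range(count)))

    def purge_stale(self, now=None) -> int:
        """Drop partial messages older than CHUNK_MAX_AGE; return how many."""
        now = time.monotonic() if now is None else now
        stale = [m for m, t in self._first_seen.items() if now - t > CHUNK_MAX_AGE]
        for m in stale:
            self._parts.pop(m)
            self._first_seen.pop(m)
        return len(stale)


def chunk_message(payload: bytes, msg_id: bytes, size: int) -> list:
    """Split a payload into GELF chunks (the sender's job; used here to build input)."""
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    if len(pieces) > 128:
        raise ValueError("GELF allows at most 128 chunks per message")
    return [CHUNK_MAGIC + msg_id + bytes([i, len(pieces)]) + p
            for i, p in enumerate(pieces)]


# Constructed event shaped like an xm_gelf record for a Security-channel entry.
SAMPLE_EVENT = {
    "version": "1.1", "host": "WIN-TEST01",
    "short_message": "A new process has been created.",
    "timestamp": 1426576800, "level": 6,
    "_EventID": 4688, "_Channel": "Security",
    "_SourceName": "Microsoft-Windows-Security-Auditing",
    "_CustomerID": "my_customer", "_LogType": "Windows Audit",
}


def demo() -> dict:
    """One compressed chunked event delivered out of order, one plain event, one lost chunk."""
    r = GelfReassembler()
    raw = json.dumps(SAMPLE_EVENT).encode("utf-8")
    chunks = chunk_message(zlib.compress(raw), b"\x00\x01\x02\x03\x04\x05\x06\x07", 32)
    chunks.reverse()                                  # UDP gives no ordering guarantee
    events = [e for e in (r.feed(c, now=0.0) for c in chunks) if e is not None]
    events.append(r.feed(raw, now=0.0))               # uncompressed JSON datagram
    partial = chunk_message(b"{}", b"\x10" * 8, 1)    # two chunks; deliver only the first
    r.feed(partial[0], now=1.0)
    dropped = r.purge_stale(now=10.0)
    return {"chunks_sent": len(chunks), "events": events, "dropped_partial": dropped}


if __name__ == "__main__":
    print(demo())
```

To use it live, bind a UDP socket on port 12201 and pass every `recv()` result to `feed()`, calling `purge_stale()` periodically; the count it returns is a direct measure of chunked events that UDP did not deliver completely.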

Other use-case

Use Windows Eventing (aka Windows Event Forwarding) to centrally consolidate logs onto one or two collectors, depending on the population size and whether there is an HA requirement, and then use Nxlog on the collectors to forward to the centralized log management/SIEM. This saves you the pain & $$$ of installing Nxlog (or Snare or whatever) on hundreds or thousands of Windows endpoints.
