I am going back to open source for log management and threat detection, given the ridiculous pricing I keep seeing in my day job. Paying crazy amounts for software and "professional" services is not a sustainable way forward. There are open-source-plus-commercial-support business models to consider, e.g. Graylog and Elastic (by the way, this is NOT a paid entry).
A number of Windows event collection guides exist, for instance Fluentd's. What is still missing is a unified approach to collecting the Application, Security, System and Sysmon Windows audit logs. The following notes show how it can be done with Nxlog Community Edition, a free and robust tool for forwarding logs from Windows.
Installing Nxlog CE is straightforward with the MSI installer. What matters is nxlog.conf (assuming Windows audit policy is already configured). The relevant excerpts from the file are:

```
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

# Inside <Input inWindowsAudit>: Module im_msvistalog reads the event channels
# listed in the Query block; each Select line ends with "\" (line continuation).
<Select Path="Windows PowerShell">*</Select>\
# For Windows 2003 and earlier use the following:
# Module im_mseventlog
# Tag each event so the SIEM can tell tenants and log types apart.
Exec $CustomerID = 'my_customer';
Exec $LogType = 'Windows Audit';

# Inside the Route block: send the input to the Graylog output block.
Path inWindowsAudit => outGraylog
```
- The important block is the QueryList, which defines the Windows event channels to read from; Sysmon events live in the Microsoft-Windows-Sysmon/Operational channel and must be selected explicitly alongside Application, Security and System.
- I assume the Graylog receiver (an Input, in Graylog terms) is already defined. Note that Nxlog CE's GELF OutputType only supports UDP, not TCP. If you are concerned about event loss over UDP, consider a TCP syslog output transport instead; TCP does not acknowledge delivery at the application layer either, but it avoids the silent drops UDP suffers under load or on a busy receiver.
- Reconfigure the Nxlog Windows service to "Automatic (Delayed Start)". Nxlog appears to depend on other Windows services (the network stack and name resolution) that are not yet up when it starts as plain "Automatic", so without the delayed start there are always network errors in nxlog.log at boot.
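The whole procedure above (write the config with the full QueryList, validate it, set the service to delayed start, start it) as one PowerShell deployment script. This is an added example, not code from the original post or from the NXLog project. It assumes a 64-bit NXLog CE install under C:\Program Files\nxlog, a Graylog GELF UDP input on the hypothetical host graylog.example.internal port 12201, Sysmon already installed, and that nxlog.exe -v returns a non-zero exit code on a config error.

```powershell
# Added example (not from the original post): writes a complete nxlog.conf for
# NXLog CE covering the Application, Security, System, Sysmon and PowerShell
# channels, syntax-checks it, sets the service to Automatic (Delayed Start)
# and starts it. Assumptions (not in the post): 64-bit NXLog CE under
# C:\Program Files\nxlog, a Graylog GELF UDP input on
# graylog.example.internal:12201, Sysmon installed, run from an elevated shell.
$NxlogRoot   = 'C:\Program Files\nxlog'
$GraylogHost = 'graylog.example.internal'   # assumed hostname
$GraylogPort = 12201                        # Graylog's default GELF UDP port

# Backtick-escaped `$ keeps NXLog's own variables out of PowerShell interpolation.
$conf = @"
define ROOT $NxlogRoot

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input inWindowsAudit>
    Module  im_msvistalog
    # For Windows 2003 and earlier use im_mseventlog instead.
    # QueryList: the channels to pull; a trailing "\" continues the Query directive.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                    <Select Path="Security">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
                    <Select Path="Windows PowerShell">*</Select>\
                    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
                </Query>\
            </QueryList>
    # Tag every event so the SIEM can separate tenants and log types.
    Exec    `$CustomerID = 'my_customer';
    Exec    `$LogType = 'Windows Audit';
</Input>

<Output outGraylog>
    Module      om_udp
    Host        $GraylogHost
    Port        $GraylogPort
    OutputType  GELF
</Output>

<Route 1>
    Path    inWindowsAudit => outGraylog
</Route>
"@

$confPath = Join-Path $NxlogRoot 'conf\nxlog.conf'
Stop-Service -Name nxlog -ErrorAction SilentlyContinue
Set-Content -Path $confPath -Value $conf -Encoding ASCII

# Syntax-check before starting: nxlog.exe -v verifies the config and exits.
# Assumed: non-zero exit on a parse error, so a bad config never reaches the service.
& (Join-Path $NxlogRoot 'nxlog.exe') -v -c $confPath
if ($LASTEXITCODE -ne 0) { throw "nxlog.conf failed validation, not starting the service" }

# "Automatic (Delayed Start)" is delayed-auto in sc.exe. Set-Service in Windows
# PowerShell 5.1 cannot set it, and bare "sc" is an alias for Set-Content.
sc.exe config nxlog start= delayed-auto | Out-Null
Start-Service -Name nxlog

# Verify the service is running and check the tail of nxlog.log for
# connection errors (the symptom the delayed start is meant to remove).
Get-Service -Name nxlog | Select-Object Name, Status
Get-Content -Path (Join-Path $NxlogRoot 'data\nxlog.log') -Tail 20
```

The validation step matters more than it looks: a service that starts with a broken config restarts in a loop and produces no events, which is easy to miss on a fleet. The classic "Windows PowerShell" channel holds engine lifecycle events; script block logging (event 4104) goes to Microsoft-Windows-PowerShell/Operational, which is why both are selected.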
Use Windows Event Forwarding (WEF, aka Windows Eventing) to consolidate logs centrally onto one or two collectors, depending on the population size and whether there is an HA requirement, and run Nxlog only on the collectors to forward to the centralized log management/SIEM. This saves the pain and $$$ of installing Nxlog (or Snare, or whatever) on hundreds or thousands of Windows endpoints.
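Setting up that collector, as an added example rather than anything from the original post: a source-initiated WEF subscription for the same channels, created with wecutil. It assumes an elevated shell on a domain-joined collector, domain-joined forwarders, and the hypothetical subscription name WindowsAudit.

```powershell
# Added example (not from the original post): turn this host into a Windows
# Event Forwarding collector with a source-initiated subscription, so only the
# collector needs NXLog. Assumptions (not in the post): elevated shell on a
# domain-joined collector; forwarders are domain computers; name "WindowsAudit".
$SubscriptionName = 'WindowsAudit'   # assumed name
$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"

# Enable the Windows Event Collector service and its WinRM listener (quiet mode).
wecutil.exe qc /q | Out-Null

# Source-initiated: forwarders push into the collector's ForwardedEvents log.
# The SDDL admits Domain Computers (DC) and Network Service (NS), which is how
# domain-joined forwarders authenticate to the collector by default.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/WindowsEventCollector">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Application, Security, System, Sysmon and PowerShell channels</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="System">*</Select>
          <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
          <Select Path="Windows PowerShell">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# Replace any existing subscription of the same name, create the new one, and
# print its runtime status (which forwarders are active and their last heartbeat).
wecutil.exe ds $SubscriptionName 2>$null
wecutil.exe cs $xmlPath
wecutil.exe gr $SubscriptionName
```

Two things the script cannot do for you: the forwarders need the Group Policy setting "Configure target Subscription Manager" pointed at the collector (a value of the form Server=http://collector.example.internal:5985/wsman/SubscriptionManager/WEC,Refresh=60, with an assumed hostname), and the WinRM service on each forwarder runs as NETWORK SERVICE, which cannot read the Security log until it is added to the local "Event Log Readers" group. On the collector, the Nxlog QueryList then shrinks to a single <Select Path="ForwardedEvents">*</Select>.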