# Blumira : Windows NXLog to Blumira Sensor or SIEM
#
# Version: 2.0
#
# NXLog configuration for converting and sending Windows logs to Blumira.
# Both Community (CE) and Enterprise (EE) Editions of NXLog are supported.
# If you intend to collect WEF logs, you must use Enterprise Edition which
# you will need to license internally due to limitations with CE.
#####################################################
################# Directions ##################
#####################################################
# 1) Install NXLog Community Edition
# 2) Copy this config to the proper location.
# Most likely at C:\Program Files (x86)\nxlog\conf
# 3) Below, update `define SIEM A.B.C.D` to the IP address of your sensor
# 4) If troubleshooting, set `Loglevel` to DEBUG. (INFO is default when not specified)
# 5) Review each section you intend to use!
# There are actions required for some to allow data collection to start.
# 6) Restart your nxlog service after every change that could add new data
# net stop nxlog && net start nxlog
# 7) Verify the connection has been made by viewing the nxlog.log file in C:\Program Files(x86)\data
#####################################################
#####################################################
################# Notes ##################
#####################################################
# Issues: Report Issues at https://github.com/Blumira/Flowmira/issues
# Changelog at https://github.com/Blumira/Flowmira/commits/master/nxlog.conf
# License: MIT
#####################################################
################# Definitions ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Update `define SIEM A.B.C.D` to the IP address of your sensor
# 2) If troubleshooting, set `Loglevel` to DEBUG. (INFO is default when not specified)
# 3) If 64bit is used, comment out (#) x86 and uncomment C:\Program Files\nxlog lines
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#Define logging level (aka "Unleash the Kraken?")
#LogLevel DEBUG
# Please set SIEM to the IP address of your Blumira sensor or SIEM
define SIEM A.B.C.D
define PORT 514
# Please set ROOT to the folder your nxlog was installed into
#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
# Define certs if used during Sensor Logger creation
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\\conf
# Define internal log details for NXLog
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
#LogFile %ROOT%\data\nxlog.log
LogFile %LOGFILE%
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
# Rotate our log file every week on Sunday at midnight
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
Module xm_json
Module xm_syslog
Module xm_fileop
#####################################################
################# Definitions ##################
################# END ##################
#####################################################
#####################################################
############## Internal NXLog Logs #############
################# START ##################
################# 0 tasks ##################
#####################################################
Module im_internal
# Drop if a log file is not found, likely IIS or FW are not configured
Exec if ($Message =~ /does not exist/) drop();
# Drop if IIS or old Windows logs are not found
# If you're using Win 2k3 or lower, please reach out to support@blumira.com
Exec if ($Message =~ /failed to subscribe to msvistalog/) drop();
Exec $Message = to_json();
Path blu_internal => blu_out_internal
#####################################################
############## Internal NXLog Logs #############
################# END ##################
#####################################################
#####################################################
############ Windows Core Event Logs ###########
################# START ##################
################# 0 tasks ##################
#####################################################
Module im_msvistalog
# Prevent endless loop due to 5156 logging nxlog.exe connections
Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
# Define Queries
Query \
\
\
\
\
\
\
*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]] \
*[System[(EventID=501 or EventID=400 or EventID=600)]] \
\
# Filter out by Application
Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
# Filter out by Source and Destination IP
Exec if ($SourceAddress =~ /224.0.0.252/) drop();
Exec if ($SourceAddress =~ /192.168.1.255/) drop();
Exec if ($SourceAddress =~ /224.0.0.1/) drop();
Exec if ($SourceAddress =~ /239.255.255.250/) drop();
Exec if ($DestAddress =~ /224.0.0.22/) drop();
# Filter out by Command Line
Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
# Dropping non-security but often-loud logs for DFS and failed ISATAP issues
Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
# Workaround for local time so as to standardize to absolute microseconds since epoch
Exec $EventTime = integer($EventTime);
# JSON is required because some Windows logs contain new-line characters.
Exec $Message = to_json();
Path blu_eventlog => blu_out_eventlog
#####################################################
############ Windows Core Event Logs ###########
################# END ##################
#####################################################
#####################################################
#### Windows Priority 1 Supplemental Event Logs ####
################# START ##################
################# 0 tasks ##################
#####################################################
Module im_msvistalog
# Prevent endless loop due to 5156 logging nxlog.exe connections
Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
# Define Queries
Query \
\
\
\
\
\
\
\
\
\
\
\
\
\
# Filter out by Application
Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
# Filter out by Source and Destination IP
Exec if ($SourceAddress =~ /224.0.0.252/) drop();
Exec if ($SourceAddress =~ /192.168.1.255/) drop();
Exec if ($SourceAddress =~ /224.0.0.1/) drop();
Exec if ($SourceAddress =~ /239.255.255.250/) drop();
Exec if ($DestAddress =~ /224.0.0.22/) drop();
# Filter out by Command Line
Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
# Dropping non-security but often-loud logs for DFS and failed ISATAP issues
Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
# Workaround for local time so as to standardize to absolute microseconds since epoch
Exec $EventTime = integer($EventTime);
# JSON is required because some Windows logs contain new-line characters.
Exec $Message = to_json();
Path blu_eventlog_sup => blu_out_eventlog_sup
#####################################################
#### Windows Priority 1 Supplemental Event Logs ####
################# END ##################
#####################################################
#####################################################
#### Windows Priority 2 Supplemental Event Logs ####
################# START ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Many of these event channels can cause issues with the CE version of nxlog when not present
# Ensure all event channels are present on the host prior to uncommenting this section for logflow to continue working
#
# 2) If you want to utilize extra windows event channel logging
# remove all # at the beginning of lines from
# to after route_eventlog_sup2 in this section
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module im_msvistalog
# # Prevent endless loop due to 5156 logging nxlog.exe connections
# Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
# # Define Queries
# Query \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
# \
#
#
# # Filter out by Application
# Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
# # Filter out by Source and Destination IP
# Exec if ($SourceAddress =~ /224.0.0.252/) drop();
# Exec if ($SourceAddress =~ /192.168.1.255/) drop();
# Exec if ($SourceAddress =~ /224.0.0.1/) drop();
# Exec if ($SourceAddress =~ /239.255.255.250/) drop();
# Exec if ($DestAddress =~ /224.0.0.22/) drop();
# # Filter out by Command Line
# Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
# # Dropping non-security but often-loud logs for DFS and failed ISATAP issues
# Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
#
# # Workaround for local time so as to standardize to absolute microseconds since epoch
# Exec $EventTime = integer($EventTime);
# # JSON is required because some Windows logs contain new-line characters.
# Exec $Message = to_json();
#
#
#
# Path blu_eventlog_sup2 => blu_out_eventlog_sup2
#
#####################################################
#### Windows Priority 2 Supplemental Event Logs ####
################# END ##################
#####################################################
#####################################################
########### Windows Defender Event Logs ############
################# START ##################
################# 0 tasks ##################
#####################################################
Module im_msvistalog
# Prevent endless loop due to 5156 logging nxlog.exe connections
Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
# Define Queries
Query \
\
\
\
*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]] \
*[System[(EventID=501 or EventID=400 or EventID=600)]] \
\
# Filter out by Application
Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
# Filter out by Source and Destination IP
Exec if ($SourceAddress =~ /224.0.0.252/) drop();
Exec if ($SourceAddress =~ /192.168.1.255/) drop();
Exec if ($SourceAddress =~ /224.0.0.1/) drop();
Exec if ($SourceAddress =~ /239.255.255.250/) drop();
Exec if ($DestAddress =~ /224.0.0.22/) drop();
# Filter out by Command Line
Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
# Dropping non-security but often-loud logs for DFS and failed ISATAP issues
Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
# Workaround for local time so as to standardize to absolute microseconds since epoch
Exec $EventTime = integer($EventTime);
# JSON is required because some Windows logs contain new-line characters.
Exec $Message = to_json();
Path blu_eventlog_def => blu_out_eventlog_def
#####################################################
########### Windows Defender Event Logs ############
################# END ##################
#####################################################
#####################################################
################# SYSMON Event Logs ################
################# START ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Install Sysmon on your endpoints if you intend to use this feature
#
# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
# https://www.blumira.com/enable-sysmon/
#
# 2) If you want to utilize Sysmon Logging
# remove all # at the beginning of lines from
# to after route_eventlog_sysmon in this section
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
Module im_msvistalog
Query \
\
\
\
# Workaround for local time so as to standardize to absolute microseconds since epoch
Exec $EventTime = integer($EventTime);
# JSON is required because some Windows logs contain new-line characters.
Exec $Message = to_json();
Path blu_eventlog_sysmon => blu_out_eventlog_sysmon
#####################################################
################# SYSMON Event Logs ################
################# END ##################
#####################################################
#####################################################
############## Windows IIS Event Logs ##############
################# VIA Event Viewer #################
################# START ##################
################# 3 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to utilize IIS Logging through the Log Files,
# remove all # at the beginning of lines from
# to after route_eventlog_iis in this section
#
# 2) Run the following commands on the host(s) you want to collect
# logs from via Event Viewer, this will enable the logs. Running this
# command in your deployment script is OK. You will get errors on hosts
# that do not have IIS, they can be ignored.
#
# From an administrative command shell prompt
# - wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true
# - wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
# - wevtutil sl Microsoft-IIS-Logging/Logs /e:true
#
# 3) Go to your IIS Manager, Server Configuration, select Logging and select "Both log file and ETW event"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module im_msvistalog
# Query \
# \
# \
# \
# \
# \
#
#
# # Filter noise from IIS schema issues
# Exec if ($Message =~ /Unable to find schema/) drop();
#
# # Workaround for local time so as to standardize to absolute microseconds since epoch
# Exec $EventTime = integer($EventTime);
# # JSON is required because some Windows logs contain new-line characters.
# Exec $Message = to_json();
#
#
#
# Path blu_eventlog_iis => blu_out_eventlog_iis
#
#####################################################
############## Windows IIS Event Logs ##############
################# VIA Event Viewer #################
################# END ##################
#####################################################
#####################################################
############## Windows IIS Event Logs ##############
################## VIA Log Files ###################
################# START ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# NOTE: This is the non-Event Viewer method, only use this method if you have a reason to not use Event Viewer
# ------------
# Tasks:
# 1) If you want to utilize IIS Logging through the Log Files, remove all # at the beginning of lines from
# to after route_iis in this section
# 2) You will need to ensure that logging is enabled per site for IIS in this configuration section
# Task note: If you are storing logs in a different location than default, change File below to the appropriate path.
# If you're unsure what to change it to, or, if you have more than one and are unsure
# what the final output should be, please reach out to support@blumira.com with your configuration details.
#
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module xm_csv
#
# Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $csReferer $sc-status, $sc-substatus, $sc-win32-status, $time-taken
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
# UndefValue -
#
#
# Module im_file
# File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
# SavePos TRUE
#
# Exec $Hostname = hostname_fqdn();
# Exec if $raw_event =~ /^#/ drop(); \
# else \
# { \
# w3c->parse_csv(); \
# $EventTime = parsedate($date + " " + $time); \
# $raw_event = to_json(); \
# }
#
#
#
# Path blu_iis_logs => blu_out_iis
#
#####################################################
############## Windows IIS Event Logs ##############
################## VIA Log Files ###################
################# END ##################
#####################################################
#####################################################
########### Windows Firewall Event Logs ############
################# START ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to utilize this section, remove all # at the beginning of lines from
# to after route_windows_fw in this section
#
# 2) You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only.
# Adding successful packets will most likely be unnecessarily verbose unless you require visibility
# due to lack of segmentation.
#
# Recommended Powershell Command - Requires FW to be configured to at least generally functional state
# - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True
#
# If SIGNIFICANT verbosity is required, use this command which will log Allowed connections as well:
# - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
#
# --- Manual Setup ---
# https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module xm_csv
# Fields date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
#
#
# Module im_file
# File "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
# Exec if $raw_event =~ /^#/ drop();\
# {\
# csv_windows_fw->parse_csv();\
# $EventTime = parsedate($date + " " + $time);\
# $raw_event = to_json();\
# }
#
#
#
# Path blu_windows_fw => out_windows_firewall
#
#####################################################
########### Windows Firewall Event Logs ############
################# END ##################
#####################################################
#####################################################
##### Azure AD Password Protection Event Logs ######
################# START ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to utilize IIS Logging through the Log Files,
# remove all # at the beginning of lines from
# to after route_eventlog_azuread_pwpro in this section
# 2) Enable Azure PP and deploy agent
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module im_msvistalog
# Query \
# \
# \
# \
# \
# \
# \
# \
# \
#
#
# # Workaround for local time so as to standardize to absolute microseconds since epoch
# Exec $EventTime = integer($EventTime);
# # JSON is required because some Windows logs contain new-line characters.
# Exec $Message = to_json();
#
#
#
# Path blu_eventlog_azuread_pwpro => blu_out_azuread_pwpro
#
#####################################################
##### Azure AD Password Protection Event Logs ######
################# END ##################
#####################################################