# Blumira : Windows NXLog to Blumira Sensor or SIEM
#
# Version: 2.0
#
# NXLog configuration for converting and sending Windows logs to Blumira.
# Both Community (CE) and Enterprise (EE) Editions of NXLog are supported.
# If you intend to collect WEF logs, you must use Enterprise Edition which
# you will need to license internally due to limitations with CE.
#####################################################
################# Directions ##################
#####################################################
# 1) Install NXLog Community Edition (or Enterprise Edition if you need WEF collection, see above)
# 2) Copy this config to the proper location.
#    Most likely at C:\Program Files (x86)\nxlog\conf
# 3) Below, update `define SIEM A.B.C.D` to the IP address of your sensor
# 4) If troubleshooting, set `Loglevel` to DEBUG. (INFO is default when not specified)
# 5) Review each section you intend to use!
#    There are actions required for some to allow data collection to start.
# 6) Restart your nxlog service after every change that could add new data
#    net stop nxlog && net start nxlog
# 7) Verify the connection has been made by viewing the nxlog.log file in
#    C:\Program Files (x86)\nxlog\data (LOGDIR in the Definitions section below)
#####################################################
#####################################################
################# Notes ##################
#####################################################
# Issues: Report Issues at https://github.com/Blumira/Flowmira/issues
# Changelog at https://github.com/Blumira/Flowmira/commits/master/nxlog.conf
# License: MIT
# Transport: every output in this file is plain syslog over om_tcp/om_udp to port 514 with
# no TLS. The forwarded events carry process command lines, account names and source IPs in
# cleartext, so keep the path to the sensor on a trusted network segment. If your sensor
# accepts TLS, switch the outputs to NXLog's om_ssl module (CAFile/CertFile/CertKeyFile)
# using the certificates under CERTDIR, which is defined below but otherwise unused here.
#####################################################
################# Definitions ##################
################# 3 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Update `define SIEM A.B.C.D` to the IP address of your sensor
# 2) If troubleshooting, set `Loglevel` to DEBUG.
(INFO is default when not specified) # 3) If 64bit is used, comment out (#) x86 and uncomment C:\Program Files\nxlog lines #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! #Define logging level (aka "Unleash the Kraken?") #LogLevel DEBUG # Please set SIEM to the IP address of your Blumira sensor or SIEM define SIEM A.B.C.D define PORT 514 # Please set ROOT to the folder your nxlog was installed into #define ROOT C:\Program Files\nxlog #define ROOT_STRING C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog define ROOT_STRING C:\Program Files (x86)\nxlog # Define certs if used during Sensor Logger creation define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\\conf # Define internal log details for NXLog define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data #LogFile %ROOT%\data\nxlog.log LogFile %LOGFILE% Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') >= 5M)) \ file_cycle('%LOGFILE%', 8); # Rotate our log file every week on Sunday at midnight When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); Module xm_json Module xm_syslog Module xm_fileop ##################################################### ################# Definitions ################## ################# END ################## ##################################################### ##################################################### ############## Internal NXLog Logs ############# ################# START ################## ################# 0 tasks ################## ##################################################### Module im_internal # Drop if a log file is not found, likely IIS or FW are not configured Exec if ($Message =~ /does not exist/) drop(); # Drop if IIS or old Windows logs are not found # If you're using Win 2k3 or lower, please reach out to 
support@blumira.com
Exec if ($Message =~ /failed to subscribe to msvistalog/) drop();
Exec $Message = to_json();
# NOTE(review): plain TCP syslog, no TLS. The internal log is low-sensitivity, but every
# security input below uses the same unencrypted transport (see the Transport note at the top).
Module om_tcp
Host %SIEM%
Port %PORT%
Exec to_syslog_bsd();
Path blu_internal => blu_out_internal
#####################################################
############## Internal NXLog Logs #############
################# END ##################
#####################################################
#####################################################
############ Windows Core Event Logs ###########
################# START ##################
################# 0 tasks ##################
#####################################################
Module im_msvistalog
# Prevent endless loop due to 5156 logging nxlog.exe connections
# NOTE(review): only the end of the path is anchored, so a binary named nxlog.exe in ANY
# directory has its WFP 5156/5157 events discarded here, before they reach the SIEM. Windows
# typically reports $Application as a device path (\device\harddiskvolumeN\...), so anchor on
# the install directory rather than a drive letter, e.g.
# /\\program files( \(x86\))?\\nxlog\\nxlog\.exe$/i
Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
# Define Queries
Query \ \ \ \ \ \ \ *[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]] \ *[System[(EventID=501 or EventID=400 or EventID=600)]] \ \
# Filter out by Application
# NOTE(review): unanchored substring match (and the '.' is unescaped): "nxlog\nxlog.exe" under
# any parent directory is dropped, not just the one under %ROOT%. An attacker-controlled tool
# at e.g. C:\Users\x\nxlog\nxlog.exe would have its network-connection audits suppressed at
# the collector. Tighten to the install directory:
# /\\program files( \(x86\))?\\nxlog\\nxlog\.exe$/i
Exec if ($Application =~ /nxlog\\nxlog.exe/) drop();
# Filter out by Source and Destination IP
# NOTE(review): these are substring regexes with unescaped dots: /224.0.0.1/ also matches
# 224.0.0.10-224.0.0.19, 224.0.0.100 and so on. Anchor and escape (/^224\.0\.0\.1$/) if an
# exact address is intended. 192.168.1.255 is a site-specific broadcast address; adjust it to
# the subnet(s) of the hosts running this config, otherwise that filter silently does nothing.
Exec if ($SourceAddress =~ /224.0.0.252/) drop();
Exec if ($SourceAddress =~ /192.168.1.255/) drop();
Exec if ($SourceAddress =~ /224.0.0.1/) drop();
Exec if ($SourceAddress =~ /239.255.255.250/) drop();
Exec if ($DestAddress =~ /224.0.0.22/) drop();
# Filter out by Command Line
# NOTE(review): hard-codes the x86 install path. If ROOT is switched to C:\Program Files\nxlog
# (Definitions task 3) this no longer matches and nxlog's own process events are forwarded.
Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop();
# Dropping non-security but often-loud logs for DFS and failed ISATAP issues
# NOTE(review): the trailing backslash after drop() is a line continuation that runs into the
# comment that follows; it looks stray - confirm the $EventTime assignment below still runs.
Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\
# Workaround for local time so as to standardize to absolute microseconds since epoch
Exec $EventTime = integer($EventTime);
# JSON is required because some Windows logs contain new-line characters.
Exec $Message = to_json(); Module om_tcp Host %SIEM% Port %PORT% Exec to_syslog_bsd(); Path blu_eventlog => blu_out_eventlog ##################################################### ############ Windows Core Event Logs ########### ################# END ################## ##################################################### ##################################################### #### Windows Priority 1 Supplemental Event Logs #### ################# START ################## ################# 0 tasks ################## ##################################################### Module im_msvistalog # Prevent endless loop due to 5156 logging nxlog.exe connections Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop(); # Define Queries Query \ \ \ \ \ \ \ \ \ \ \ \ \ \ # Filter out by Application Exec if ($Application =~ /nxlog\\nxlog.exe/) drop(); # Filter out by Source and Destination IP Exec if ($SourceAddress =~ /224.0.0.252/) drop(); Exec if ($SourceAddress =~ /192.168.1.255/) drop(); Exec if ($SourceAddress =~ /224.0.0.1/) drop(); Exec if ($SourceAddress =~ /239.255.255.250/) drop(); Exec if ($DestAddress =~ /224.0.0.22/) drop(); # Filter out by Command Line Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop(); # Dropping non-security but often-loud logs for DFS and failed ISATAP issues Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\ # Workaround for local time so as to standardize to absolute microseconds since epoch Exec $EventTime = integer($EventTime); # JSON is required because some Windows logs contain new-line characters. 
Exec $Message = to_json(); Module om_tcp Host %SIEM% Port %PORT% Exec to_syslog_bsd(); Path blu_eventlog_sup => blu_out_eventlog_sup ##################################################### #### Windows Priority 1 Supplemental Event Logs #### ################# END ################## ##################################################### ##################################################### #### Windows Priority 2 Supplemental Event Logs #### ################# START ################## ################# 2 tasks ################## ##################################################### #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Tasks: # 1) Many of these event channels can cause issues with the CE version of nxlog when not present # Ensure all event channels are present on the host prior to uncommenting this section for logflow to continue working # # 2) If you want to utilize extra windows event channel logging # remove all # at the beginning of lines from # to after route_eventlog_sup2 in this section #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
# # Module im_msvistalog # # Prevent endless loop due to 5156 logging nxlog.exe connections # Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop(); # # Define Queries # Query \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # \ # # # # Filter out by Application # Exec if ($Application =~ /nxlog\\nxlog.exe/) drop(); # # Filter out by Source and Destination IP # Exec if ($SourceAddress =~ /224.0.0.252/) drop(); # Exec if ($SourceAddress =~ /192.168.1.255/) drop(); # Exec if ($SourceAddress =~ /224.0.0.1/) drop(); # Exec if ($SourceAddress =~ /239.255.255.250/) drop(); # Exec if ($DestAddress =~ /224.0.0.22/) drop(); # # Filter out by Command Line # Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop(); # # Dropping non-security but often-loud logs for DFS and failed ISATAP issues # Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\ # # # Workaround for local time so as to standardize to absolute microseconds since epoch # Exec $EventTime = integer($EventTime); # # JSON is required because some Windows logs contain new-line characters. 
# Exec $Message = to_json(); # # # Module om_tcp # Host %SIEM% # Port %PORT% # Exec to_syslog_bsd(); # # # Path blu_eventlog_sup2 => blu_out_eventlog_sup2 # ##################################################### #### Windows Priority 2 Supplemental Event Logs #### ################# END ################## ##################################################### ##################################################### ########### Windows Defender Event Logs ############ ################# START ################## ################# 0 tasks ################## ##################################################### Module im_msvistalog # Prevent endless loop due to 5156 logging nxlog.exe connections Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop(); # Define Queries Query \ \ \ \ *[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]] \ *[System[(EventID=501 or EventID=400 or EventID=600)]] \ \ # Filter out by Application Exec if ($Application =~ /nxlog\\nxlog.exe/) drop(); # Filter out by Source and Destination IP Exec if ($SourceAddress =~ /224.0.0.252/) drop(); Exec if ($SourceAddress =~ /192.168.1.255/) drop(); Exec if ($SourceAddress =~ /224.0.0.1/) drop(); Exec if ($SourceAddress =~ /239.255.255.250/) drop(); Exec if ($DestAddress =~ /224.0.0.22/) drop(); # Filter out by Command Line Exec if ($CommandLine =~ /"C:\\Program Files \(x86\)\\nxlog\\nxlog.exe" -c "C:\\Program Files \(x86\)\\nxlog\\conf\\nxlog.conf"/) drop(); # Dropping non-security but often-loud logs for DFS and failed ISATAP issues Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\ # Workaround for local time so as to standardize to absolute microseconds since epoch Exec $EventTime = integer($EventTime); # JSON is required because some Windows logs contain new-line characters. 
Exec $Message = to_json(); Module om_tcp Host %SIEM% Port %PORT% Exec to_syslog_bsd(); Path blu_eventlog_def => blu_out_eventlog_def ##################################################### ########### Windows Defender Event Logs ############ ################# END ################## ##################################################### ##################################################### ################# SYSMON Event Logs ################ ################# START ################## ################# 2 tasks ################## ##################################################### #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Tasks: # 1) Install Sysmon on your endpoints if you intend to use this feature # # https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon # https://www.blumira.com/enable-sysmon/ # # 2) If you want to utilize Sysmon Logging # remove all # at the beginning of lines from # to after route_eventlog_sysmon in this section #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Module im_msvistalog Query \ \ \ \ # Workaround for local time so as to standardize to absolute microseconds since epoch Exec $EventTime = integer($EventTime); # JSON is required because some Windows logs contain new-line characters. Exec $Message = to_json(); Module om_tcp Host %SIEM% Port %PORT% Exec to_syslog_bsd(); Path blu_eventlog_sysmon => blu_out_eventlog_sysmon ##################################################### ################# SYSMON Event Logs ################ ################# END ################## ##################################################### ##################################################### ############## Windows IIS Event Logs ############## ################# VIA Event Viewer ################# ################# START ################## ################# 3 tasks ################## ##################################################### #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
# Tasks:
# 1) If you want to utilize IIS Logging through Event Viewer (this section; the
#    log-file method is the section that follows), remove all # at the beginning of
#    lines from the blu_eventlog_iis input to after route_eventlog_iis in this section
#
# 2) Run the following commands on the host(s) you want to collect
#    logs from via Event Viewer, this will enable the logs. Running this
#    command in your deployment script is OK. You will get errors on hosts
#    that do not have IIS, they can be ignored.
#
#    From an administrative command shell prompt
#    - wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true
#    - wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
#    - wevtutil sl Microsoft-IIS-Logging/Logs /e:true
#
# 3) Go to your IIS Manager, Server Configuration, select Logging and select "Both log file and ETW event"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module im_msvistalog
# Query \
# \
# \
# \
# \
# \
#
#
#
# Filter noise from IIS schema issues
# Exec if ($Message =~ /Unable to find schema/) drop();
#
#
# Workaround for local time so as to standardize to absolute microseconds since epoch
# Exec $EventTime = integer($EventTime);
#
# JSON is required because some Windows logs contain new-line characters.
# Exec $Message = to_json();
#
#
# Module om_tcp
# Host %SIEM%
# Port %PORT%
# Exec to_syslog_bsd();
#
#
# Path blu_eventlog_iis => blu_out_eventlog_iis
#
#####################################################
############## Windows IIS Event Logs ##############
################# VIA Event Viewer #################
################# END ##################
#####################################################
#####################################################
############## Windows IIS Event Logs ##############
################## VIA Log Files ###################
################# START ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# NOTE: This is the non-Event Viewer method, only use this method if you have a reason to not use Event Viewer
# ------------
# Tasks:
# 1) If you want to utilize IIS Logging through the Log Files, remove all # at the beginning of lines from
#    the blu_iis_logs input to after route_iis in this section
# 2) You will need to ensure that logging is enabled per site for IIS in this configuration section
# Task note: If you are storing logs in a different location than default, change File below to the appropriate path.
#    If you're unsure what to change it to, or, if you have more than one and are unsure
#    what the final output should be, please reach out to support@blumira.com with your configuration details.
# Task note: as written, this block's output is om_udp with a hard-coded Port 514, unlike every other
#    output in this file (om_tcp, Port %PORT%). UDP syslog gives no delivery feedback, so IIS events
#    lost on the wire never show up as errors in nxlog.log. Unless you specifically need UDP, change
#    the output below to om_tcp and Port %PORT% before uncommenting. The Fields line must also list
#    exactly as many names as FieldTypes has types (15 here); a comma that was missing between
#    $csReferer and $sc-status has been restored below.
#
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module xm_csv
#
# Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $csReferer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
# UndefValue -
#
#
# Module im_file
# File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
# SavePos TRUE
#
# Exec $Hostname = hostname_fqdn();
# Exec if $raw_event =~ /^#/ drop(); \
# else \
# { \
# w3c->parse_csv(); \
# $EventTime = parsedate($date + " " + $time); \
# $raw_event = to_json(); \
# }
#
#
# Module om_udp
# Host %SIEM%
# Port 514
# Exec $raw_event = 'BLU_IIS: ' + $raw_event;
#
# Exec to_syslog_bsd();
#
#
# Path blu_iis_logs => blu_out_iis
#
#####################################################
############## Windows IIS Event Logs ##############
################## VIA Log Files ###################
################# END ##################
#####################################################
#####################################################
########### Windows Firewall Event Logs ############
################# START ##################
################# 2 tasks
##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to utilize this section, remove all # at the beginning of lines from
#    the blu_windows_fw input to after route_windows_fw in this section
#
# 2) You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only.
#    Adding successful packets will most likely be unnecessarily verbose unless you require visibility
#    due to lack of segmentation.
#
#    Recommended Powershell Command - Requires FW to be configured to at least generally functional state
#    - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True
#
#    If SIGNIFICANT verbosity is required, use this command which will log Allowed connections as well:
#    - Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
#
#    --- Manual Setup ---
#    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log
#
# Review note - check the commented block below before uncommenting it:
#    - The im_file Exec has no `else` between `drop();` and the `{ ... csv_windows_fw->parse_csv(); ... }`
#      block (compare the IIS log-file block above, which has one), so the `#`-prefixed header lines
#      of pfirewall.log may still be handed to parse_csv(). Write it as
#      `Exec if $raw_event =~ /^#/ drop(); else { ... }`.
#    - The output hard-codes `Port 514` where every other output in this file uses `%PORT%`.
#    - The File path uses single backslashes inside double quotes, whereas the IIS block doubles
#      them (`\\`); confirm which form your NXLog build accepts, or use the IIS block's escaping.
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module xm_csv
# Fields date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
# FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
# Delimiter ' '
#
#
# Module im_file
# File "C:\Windows\System32\LogFiles\Firewall\pfirewall.log"
# Exec if $raw_event =~ /^#/ drop();\
# {\
# csv_windows_fw->parse_csv();\
# $EventTime = parsedate($date + " " + $time);\
# $raw_event = to_json();\
# }
#
#
# Module om_tcp
# Host %SIEM%
# Port 514
# Exec $raw_event = 'BLU_WIN_FW: ' + $raw_event;
#
# Exec to_syslog_bsd();
#
#
# Path blu_windows_fw => out_windows_firewall
#
#####################################################
########### Windows Firewall Event Logs ############
################# END ##################
#####################################################
#####################################################
##### Azure AD Password Protection Event Logs ######
################# START ##################
################# 2 tasks ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) If you want to collect Azure AD Password Protection event logs,
#    remove all # at the beginning of lines from the blu_eventlog_azuread_pwpro input
#    to after route_eventlog_azuread_pwpro in this section
# 2) Enable Azure AD Password Protection and deploy its agent. As with the Priority 2
#    section above, an event channel that is not present on the host can stop the log
#    flow under CE, so only uncomment this on hosts where the agent is installed.
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Module im_msvistalog
# Query \
# \
# \
# \
# \
# \
# \
# \
# \
#
#
#
# Workaround for local time so as to standardize to absolute microseconds since epoch
# Exec $EventTime = integer($EventTime);
#
# JSON is required because some Windows logs contain new-line characters.
# Exec $Message = to_json(); # # # Module om_tcp # Host %SIEM% # Port %PORT% # Exec to_syslog_bsd(); # # # Path blu_eventlog_azuread_pwpro => blu_out_azuread_pwpro # ##################################################### ##### Azure AD Password Protection Event Logs ###### ################# END ################## #####################################################