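# NXLog agent configuration: ships Windows event logs and a number of
# application logs to a Logsign SIEM as BSD syslog over UDP.
#
# Security note: every Exec directive in this file runs inside the NXLog
# service and decides which events are dropped before they reach the SIEM.
# Restrict write access to this file (and to %ROOT%\conf) to administrators;
# a writable configuration lets an intruder silence their own events.

# Set SIEM to the IP address (or resolvable name) of your Logsign SIEM.
define SIEM 10.10.2.51
# UDP syslog port the SIEM listens on.
define PORT 514

# Set ROOT to the folder NXLog was installed into. ROOT_STRING is kept
# for configurations that still reference it.
define ROOT C:\Program Files\nxlog
define ROOT_STRING C:\Program Files\nxlog

# Certificate and configuration directories. Nothing in this file references
# them; CERTDIR only becomes relevant if an output is switched from om_udp
# to om_ssl (recommended for Security-channel events).
# CONFDIR now uses a single backslash like the other defines (it had "\\",
# which is only correct when the define is expanded inside a quoted string).
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf

# NXLog's own log file (trailing whitespace removed from the define).
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %LOGFILE%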


# JSON serialisation (to_json()). Windows messages contain line breaks, so
# every event is shipped as a single-line JSON document.
<Extension json>
    Module  xm_json
</Extension>
 
# BSD syslog framing (to_syslog_bsd()) used by the outputs below.
<Extension syslog>
    Module  xm_syslog
</Extension>

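# File-operation helpers (xm_fileop). No Exec in this file calls them; the
# instance is kept for operators who add log rotation or clean-up.
# The instance name must be a single token: the original "File operations"
# (with a space) could never be referenced as name->function() and is not a
# valid instance name.
<Extension fileop>
    Module  xm_fileop
</Extension>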

#####################################################
############    Windows Core Event Logs   ###########
#################       START      ##################
#################      0 tasks     ##################
#####################################################
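# Core Windows channels plus AppLocker, LSA, NTLM, PowerShell, print,
# scheduled-task and RDP session channels. Every event is normalised to an
# integer timestamp and serialised as one JSON line.
<Input lgs_eventlog>
    Module im_msvistalog
    # Loop guard: each UDP send to the SIEM produces a 5156/5157 (Filtering
    # Platform) event for nxlog.exe, which would itself be forwarded.
    # NOTE(review): this matches on the image name only, not the install
    # path, so any binary named nxlog.exe is excluded from 5156/5157 collection.
    Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
    # Channel subscription. Suppress clauses filter at subscription time,
    # which is cheaper than dropping in Exec. Be aware that PowerShell engine
    # events 400/600 carry the EngineVersion field used by PowerShell
    # downgrade detections; remove them from Suppress if the SIEM relies on it.
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                        <Select Path="Setup">*</Select>\
                        <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>\
                        <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>\
                        <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>\
                        <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>\
                        <Select Path="Microsoft-Windows-LSA/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-NTLM/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>\
                        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-PrintService/Admin">*</Select>\
                        <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select>\
                        <Select Path="Windows PowerShell">*</Select>\
                        <Suppress Path="Security">*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>\
                        <Suppress Path="Windows PowerShell">*[System[(EventID=501 or EventID=400 or EventID=600)]]</Suppress>\
                    </Query>\
                </QueryList>

    # Drop NXLog's own Filtering Platform events by application path. This is
    # broader than the loop guard above: it applies to every event carrying
    # $Application, not only 5156/5157.
    Exec if ($Application =~ /nxlog\\nxlog\.exe/i) drop();
    # Drop multicast/broadcast noise. Patterns are anchored and the dots
    # escaped: the original unanchored /224.0.0.1/ also dropped 224.0.0.10-19
    # and 224.0.0.100-199. 192.168.1.255 is a site-specific broadcast
    # address - adjust it for the local subnet.
    Exec if ($SourceAddress =~ /^224\.0\.0\.252$/) drop();
    Exec if ($SourceAddress =~ /^192\.168\.1\.255$/) drop();
    Exec if ($SourceAddress =~ /^224\.0\.0\.1$/) drop();
    Exec if ($SourceAddress =~ /^239\.255\.255\.250$/) drop();
    Exec if ($DestAddress =~ /^224\.0\.0\.22$/) drop();
    # Drop the process-creation (4688) event for NXLog's own start-up.
    # The install root may be "Program Files" or "Program Files (x86)"; the
    # original pattern only matched the (x86) path and therefore never fired
    # for the ROOT defined at the top of this file. $CommandLine is only
    # populated when the "Include command line in process creation events"
    # policy is enabled.
    Exec if ($CommandLine =~ /"C:\\Program Files( \(x86\))?\\nxlog\\nxlog\.exe" -c "C:\\Program Files( \(x86\))?\\nxlog\\conf\\nxlog\.conf"/) drop();
    # Non-security but noisy DFS and failed ISATAP events.
    # (The stray trailing backslash that used to join this directive to the
    # following comment line has been removed.)
    Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();
    # SQL Server audit events (33205) are collected by the dedicated MSSQL_IN
    # input further down; drop them here so they are not shipped twice.
    Exec if ($EventID == 33205) drop();
    # Object-access events list their access masks one per line; flatten the
    # list to comma-separated values and strip the %% resource markers.
    Exec if ($EventID == 4656 or $EventID == 4663 or $EventID == 5140 or $EventID == 5145) $AccessList = replace($AccessList, "\r\n\t\t\t\t", ",");
    Exec if ($EventID == 4656 or $EventID == 4663 or $EventID == 5140 or $EventID == 5145) $AccessList = replace($AccessList, "%%", "");
    # Local-time workaround: store EventTime as an absolute integer
    # (microseconds since epoch) so the SIEM is independent of the agent's
    # time zone.
    Exec $EventTime = integer($EventTime);
    # Windows messages contain tabs and line breaks; collapse them and
    # serialise the whole event as one JSON line.
    <Exec>
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
        $Message = to_json();
        $raw_event = $Message;
        # The output regenerates the syslog header with facility LOCAL0;
        # this call only produces a placeholder $raw_event.
        to_syslog_bsd();
    </Exec>
</Input>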
# Core events -> SIEM as BSD syslog over UDP, facility LOCAL0.
# Security caveat: om_udp offers no encryption, no sender authentication and
# no delivery guarantee, so Security-channel events can be sniffed, spoofed
# or silently lost in transit. Prefer om_ssl (TLS, CERTDIR at the top of the
# file) where the SIEM supports it. Very large events (e.g. PowerShell script
# blocks) may also be truncated to the datagram size.
<Output lgs_out_eventlog>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    Exec    $SyslogFacility = 'LOCAL0'; to_syslog_bsd();
</Output>

# Core Windows channels -> UDP output.
<Route route_eventlog>
    Path    lgs_eventlog => lgs_out_eventlog
</Route>
#####################################################
############    Windows Core Event Logs   ###########
#################         END      ##################
#####################################################

#####################################################
#################  SYSMON Event Logs ################
#################       START      ##################
#################      2 tasks     ##################
#####################################################
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Tasks:
# 1) Install Sysmon on your endpoints if you intend to use this feature
#
# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
#
#
# 2) In this copy the Sysmon section below is already enabled (no lines are
# commented out). If Sysmon is NOT installed on the endpoint, comment out every
# line from <Input lgs_eventlog_sysmon> to </Route> after route_eventlog_sysmon,
# since the Microsoft-Windows-Sysmon/Operational channel does not exist without it.
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Sysmon operational channel, normalised the same way as the core input.
<Input lgs_eventlog_sysmon>
    Module im_msvistalog
    # NOTE(review): without Sysmon this channel does not exist; check
    # nxlog.log for subscription errors after deployment.
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
                    </Query>\
                </QueryList>

    # Local-time workaround: absolute integer timestamp (microseconds since epoch).
    Exec $EventTime = integer($EventTime);
    # Collapse tabs/line breaks and serialise the event as one JSON line.
    <Exec>
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
        $Message = to_json();
        $raw_event = $Message;
        # Placeholder only; the output regenerates the header with LOCAL0.
        to_syslog_bsd();
    </Exec>
</Input>
# Sysmon events -> SIEM, same facility (LOCAL0) as the core channels.
# Same UDP caveat as lgs_out_eventlog: cleartext, unauthenticated, lossy.
<Output lgs_out_eventlog_sysmon>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    Exec    $SyslogFacility = 'LOCAL0'; to_syslog_bsd();
</Output>

# Sysmon channel -> UDP output.
<Route route_eventlog_sysmon>
    Path    lgs_eventlog_sysmon => lgs_out_eventlog_sysmon
</Route>
#####################################################
#################  SYSMON Event Logs ################
#################        END       ##################
#####################################################


#####################################################
#################  DHCP Event Logs ##################
#################      START       ##################
#####################################################

# This section forwards the DHCP server audit logs (one raw line per event).
# Tails the DHCP server audit log files; lines are forwarded unparsed.
<Input dhcp_input>
    Module  im_file
    # Edit for the directory that holds the DHCP audit logs.
    # NOTE(review): "Sysnative" is an alias visible only to 32-bit processes
    # on 64-bit Windows. With ROOT under "Program Files" (64-bit NXLog) this
    # path will not resolve; use C:\\Windows\\System32\\dhcp\\ instead.
    File    "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
    # Raw line becomes the message; LOCAL1 identifies DHCP on the SIEM.
    Exec    $Message = $raw_event; $SyslogFacility = 'LOCAL1';
</Input>

# DHCP lines -> SIEM over UDP (facility set in the input: LOCAL1).
<Output dhcp_out>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    Exec    to_syslog_bsd();
</Output>

# DHCP audit logs -> UDP output.
<Route dhcp_site1>
    Path    dhcp_input => dhcp_out
</Route>

#####################################################
#################  DHCP Event Logs ##################
#################        END       ##################
#####################################################


#####################################################
#################  IIS Event Logs  ##################
#################      START       ##################
#####################################################

# This section forwards IIS W3C access logs.
# Parser definition for IIS logs. The field list and types must match the columns
# enabled in the site's W3C logging settings (see the "#Fields:" header line of the log).
# Space-delimited W3C parser. The column order below is the default IIS
# selection plus a custom X-Forwarded-For column; edit it whenever the site's
# logging fields change, otherwise values land in the wrong fields.
<Extension w3c>
    Module     xm_csv
    Fields     $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $X-Forwarded-For
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string
    Delimiter  ' '
</Extension>

# Lines starting with a hash (#) are W3C header lines (#Software, #Fields, ...) and are dropped.
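# IIS W3C access log for one site, parsed into fields and shipped as JSON.
<Input IIS_Site1>
    Module   im_file
    # Edit for the IIS log directory. Inside a double-quoted string each
    # backslash is written once as "\\"; the original "\\\\u_ex" produced a
    # doubled separator in the resulting path. IIS writes per-site logs into
    # LogFiles\W3SVC<site-id>\, so point File at that directory (or set
    # Recursive TRUE) if no files are picked up at this level.
    File     "C:\\inetpub\\logs\\LogFiles\\u_ex*"
    SavePos  TRUE

    <Exec>
        # W3C header lines are not events.
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c->parse_csv();
            # NOTE(review): IIS W3C logs are written in UTC by default, while
            # parsedate() treats a bare date/time as local time - verify the
            # resulting timestamps on the SIEM.
            $EventTime = parsedate($date + " " + $time);
            $SourceName = "IIS";
            $raw_event = to_json();
        }
    </Exec>
</Input>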

# IIS events -> SIEM over UDP, facility LOCAL2. Same UDP caveat as the
# Windows outputs (cleartext, unauthenticated, lossy).
<Output IIS_Site1_out>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    Exec    $SyslogFacility = 'LOCAL2'; $Message = to_json(); to_syslog_bsd();
</Output>

# IIS site 1 -> UDP output.
<Route IIS_Site1>
    Path    IIS_Site1 => IIS_Site1_out
</Route>
#####################################################
#################  IIS Event Logs  ##################
#################      END         ##################
#####################################################

#####################################################
#################  Exchange Event Logs  #############
#################      START       ##################
#####################################################
# This section forwards Exchange Message Tracking logs.
# Parser definition for Message Tracking logs. The field list must match the columns in the
# "#Fields:" header of the tracking log file; the definition below is for Exchange 2016.
# Comma-delimited parser for the Exchange 2016 message tracking CSV. All
# columns are parsed as strings. Note that several columns (sender/recipient
# addresses, message-subject) are personal data once they reach the SIEM.
<Extension exchange>
    Module     xm_csv
    Fields     $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
    Delimiter  ,
</Extension>

# Lines starting with a hash are dropped
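# Exchange message tracking logs, parsed with the "exchange" CSV definition.
<Input Exchange_Site1>
    Module   im_file
    # Edit for the Message Tracking log directory. Written as a double-quoted
    # string with every backslash doubled; the original single-quoted path
    # mixed "\\" and "\" and single quotes do not process escapes.
    File     "D:\\TransportRoles\\Logs\\MessageTracking\\MSGTRK*"

    <Exec>
        # Comment/header lines are not events.
        if $raw_event =~ /^#/ drop();
        else
        {
            exchange->parse_csv();
            # The tracking log has a single ISO-8601 "date-time" column. The
            # original used $date + " " + $time, which this CSV definition never
            # produces, so $EventTime was left unset and the SIEM received the
            # collection time instead of the event time.
            $EventTime = parsedate($date-time);
            $SourceName = "EXCHANGE";
            $raw_event = to_json();
        }
    </Exec>
</Input>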

# Exchange tracking events -> SIEM over UDP, facility LOCAL3. Same UDP caveat
# as the other outputs; note these records carry addresses and subjects in
# cleartext.
<Output Exchange_Site1_out>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    Exec    $SyslogFacility = 'LOCAL3'; $Message = to_json(); to_syslog_bsd();
</Output>

# Exchange site 1 -> UDP output.
<Route Exchange_Site1>
    Path    Exchange_Site1 => Exchange_Site1_out
</Route>

#####################################################
#################  Exchange Event Logs  #############
#################      END         ##################
#####################################################

#####################################################
#################  DNS Event Logs   #################
#################      START         ################
#####################################################
# This section will be used for routing DNS logs
# Blank or whitespace-only lines.
define EMPTY_EVENT_REGEX /(^$|^\s+$)/
# Lines that do not begin with a numeric date (d/d/d), i.e. continuation
# lines of multi-line DNS debug records.
define NOT_STARTING_WITH_DATE_REGEX /^(?!\d+\/\d+\/\d+).+/

# Windows DNS debug log. Only lines that start with a date are forwarded.
<Input dns>
    Module        im_file
    # Edit for the DNS debug log path.
    # NOTE(review): "Sysnative" is only visible to 32-bit processes on 64-bit
    # Windows; a 64-bit NXLog should use C:\\Windows\\System32\\dns\\.
    File          "C:\\Windows\\Sysnative\\dns\\dns.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    <Exec>
        # Empty lines are dropped.
        if $raw_event =~ %EMPTY_EVENT_REGEX% drop();
        # Lines not starting with a date are dropped.
        # NOTE(review): the date regex expects a numeric d/d/d prefix; on a
        # system whose short-date format differs, every line would be dropped.
        if $raw_event =~ %NOT_STARTING_WITH_DATE_REGEX% drop();
    </Exec>
</Input>

# DNS debug lines -> SIEM over UDP, facility LOCAL4.
<Output out_dns>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    Exec    $SyslogFacility = 'LOCAL4'; to_syslog_bsd();
</Output>

# DNS debug log -> UDP output.
<Route dns>
    Path    dns => out_dns
</Route>

#####################################################
#################  DNS Event Logs   #################
#################      END         ##################
#####################################################


#####################################################
#################  FTP Event Logs   #################
#################      START         ################
#####################################################
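# FileZilla Server logs. Copied from the IIS input; see the review notes.
<Input ftp>
    Module   im_file
    # FileZilla Server log directory. Backslashes inside a double-quoted
    # string must be doubled, as elsewhere in this file; the original used
    # single backslashes, so sequences such as "\f" were open to being
    # interpreted as escape sequences rather than path separators.
    File     "C:\\Program Files (x86)\\FileZilla Server\\Logs\\fzs*"
    SavePos  TRUE

    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            # NOTE(review): the "w3c" field list is the IIS column layout.
            # FileZilla Server logs are not W3C-formatted, so the parsed
            # fields are unlikely to be meaningful; a FileZilla-specific parser
            # (regex or a dedicated xm_csv instance) is needed here.
            w3c->parse_csv();
            $EventTime = parsedate($date + " " + $time);
            # Was "powershell" - a copy/paste error that mislabelled FTP events
            # on the SIEM; now follows the section-name convention used by the
            # other inputs.
            $SourceName = "ftp";
            $raw_event = to_json();
        }
    </Exec>
</Input>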

# FTP events -> SIEM over UDP. Unlike the other outputs no facility is set
# and no syslog header is added, so the JSON line is sent raw.
<Output ftp_out>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    # The SIEM's generic syslog event source expects an RFC 3164 header. If the
    # FTP logs do not appear in Log Search, uncomment the line below (and
    # consider setting $SyslogFacility, as the other outputs do).
    #Exec    to_syslog_bsd();
</Output>

# FileZilla logs -> UDP output.
<Route ftp>
    Path    ftp => ftp_out
</Route>


#####################################################
#################  FTP Event Logs   #################
#################      END           ################
#####################################################

#####################################################
#################  WAMP Event Logs  #################
#################      START         ################
#####################################################

# WAMP (Apache/PHP/MySQL) log files under the wamp64 logs directory.
<Input wamp>
    Module   im_file
    # "*log*" picks up every log in the directory (access, error, PHP, ...).
    File     "C:\\wamp64\\logs\\*log*"
    SavePos  TRUE

    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            # NOTE(review): the "w3c" definition is the IIS column layout;
            # Apache/PHP logs are not space-delimited W3C records, so the
            # field assignment is unlikely to be meaningful without a
            # format-specific parser. Behaviour is kept unchanged here.
            w3c->parse_csv();
            $EventTime = parsedate($date + " " + $time);
            $SourceName = "wamp";
            $raw_event = to_json();
        }
    </Exec>
</Input>


# WAMP events -> SIEM over UDP; no facility and no syslog header are added,
# so the JSON line is sent raw.
<Output wamp_out>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    # The SIEM's generic syslog event source expects an RFC 3164 header. If the
    # WAMP logs do not appear in Log Search, uncomment the line below (and
    # consider setting $SyslogFacility, as the other outputs do).
    #Exec    to_syslog_bsd();
</Output>


# WAMP logs -> UDP output.
<Route wamp>
    Path    wamp => wamp_out
</Route>

#####################################################
#################  WAMP Event Logs  #################
#################      END           ################
#####################################################


#####################################################
#################  TOMCAT Event Logs  ###############
#################      START         ################
#####################################################

# Apache Tomcat access logs.
<Input tomcat>
    Module   im_file
    File     "C:\\apachetomcat8\\logs\\*access*"
    SavePos  TRUE

    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            # NOTE(review): Tomcat access logs follow the AccessLogValve
            # pattern (common/combined by default), not the IIS W3C layout the
            # "w3c" definition describes; a pattern-specific parser is needed
            # for the fields to be meaningful. Behaviour is kept unchanged here.
            w3c->parse_csv();
            $EventTime = parsedate($date + " " + $time);
            $SourceName = "tomcat";
            $raw_event = to_json();
        }
    </Exec>
</Input>


# Tomcat events -> SIEM over UDP; no facility and no syslog header are
# added, so the JSON line is sent raw.
<Output tomcat_out>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    # The SIEM's generic syslog event source expects an RFC 3164 header. If the
    # Tomcat logs do not appear in Log Search, uncomment the line below (and
    # consider setting $SyslogFacility, as the other outputs do).
    #Exec    to_syslog_bsd();
</Output>


# Tomcat access logs -> UDP output.
<Route tomcat>
    Path    tomcat => tomcat_out
</Route>


#####################################################
#################  TOMCAT Event Logs  ###############
#################      END           ################
#####################################################


#####################################################
#################          MSSQL Logs    #####################
#################              START           #####################
#####################################################
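# SQL Server audit events (Application log, event 33205) with the key audit
# attributes extracted into dedicated fields.
<Input MSSQL_IN>
    Module        im_msvistalog
    # Remember the read position across restarts so audit events generated
    # while the agent was stopped are still collected. The original used
    # SavePos FALSE, which together with ReadFromLast TRUE skipped to the
    # newest event on every start and silently lost the gap.
    # ReadFromLast only applies when no saved position exists.
    SavePos       TRUE
    ReadFromLast  TRUE

    # The core lgs_eventlog input drops 33205, so these are not shipped twice.
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*[System[(EventID='33205')]]</Select>\
                </Query>\
            </QueryList>
    Exec    $Message = $raw_event;
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            $SourceName = "MSSQL-NXLOG";
        }
    </Exec>
    # Extract audit attributes from the free-text message. The field name
    # $SV_Instace keeps its original spelling because the SIEM side may
    # already map it.
    Exec    if $raw_event =~ /action_id:(\S+)/ $Action_ID = $1;
    Exec    if $raw_event =~ /database_name:(\S+)/ $DataBase = $1;
    Exec    if $raw_event =~ /server_instance_name:(\S+)/ $SV_Instace = $1;
    Exec    if $raw_event =~ /session_server_principal_name:(\S+)/ $User = $1;
    <Exec>
        if $raw_event =~ /AUDIT_SUCCESS/
        {
            $Result = 'Success';
        }
        else
        {
            $Result = 'Failure';
        }
    </Exec>
    # Collapse whitespace and serialise the event as one JSON line.
    <Exec>
        $Message = replace($Message, "\t", " ");
        $Message = replace($Message, "\n", " ");
        $Message = replace($Message, "\r", " ");
        $Message = to_json();
    </Exec>
</Input>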

# SQL Server audit events -> SIEM over UDP, facility LOCAL5. Same UDP
# caveat as the Windows outputs: audit records travel in cleartext and
# without delivery guarantees.
<Output MSSQL_OUT>
    Module  om_udp
    Host    %SIEM%
    Port    %PORT%
    Exec    $SyslogFacility = 'LOCAL5'; to_syslog_bsd();
</Output>

# SQL Server audit events -> UDP output.
<Route mssql>
    Path    MSSQL_IN => MSSQL_OUT
</Route>
#####################################################
#################          MSSQL Logs    #####################
#################              END               #####################
#####################################################

