Configuring NXLog for HostIP Field
For NXLog, some configuration is needed to create the HostIP
field from the Hostname
field. This configuration in NXLog enables the collection of the host or source IP address when Windows events are ingested from NXLog.
The NXLog version must be 5.5 or later.
To configure NXLog:
- Import Extension Modules
- Configure NXLog
- Refer to the Sample NXLog Configuration File
- Refer to the Alert Types Received
Import Extension Modules
To import two extension modules, Resolver (xm_resolver) and Syslog (xm_syslog), you can refer to the following NXLog documentation:
Then import the extension modules:
Configuring NXLog
For rewriting and modifying logs, you can refer to the following NXLog documentation: https://docs.nxlog.co/userguide/configure/rewriting.html.
To configure NXLog to create the HostIP
field:
-
In the input module, configure the listening host:
-
In the output module, create the
HostIP
from theHostname
and rewriteHostIP
to get the output:
Sample NXLog Configuration File
Panic Soft define INSTALLDIR C:\Program Files\nxlog #ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d # Note that these two lines define constants only; the log file location # is ultimately set by the `LogFile` directive (see below). The # `MYLOGFILE` define is also used to rotate the log file automatically # (see the `_fileop` block). define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log # If you are not using NXLog Manager, disable the `include` line # and enable LogLevel and LogFile. include %CONFDIR%\*.conf #LogLevel INFO #LogFile %MYLOGFILE% <Extension _syslog> Module xm_syslog </Extension> # This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile` # is changed in managed.conf via NXLog Manager, rotation of the new # file should also be configured there. <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour <Exec> if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') >= 5M) ) { file_cycle('%MYLOGFILE%', 8); } </Exec> </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8); </Schedule> </Extension> <Extension syslog> Module xm_syslog </Extension> <Extension _json> Module xm_json </Extension> <Extension xml> Module xm_xml </Extension> <Extension _resolver> Module xm_resolver </Extension> <Input in_eventlog> # For windows 2008/vista/7/8/2012/2012R2/2016 and latter use the following: Module im_msvistalog ReadFromLast TRUE SavePos TRUE Query <QueryList> \ <Query Id="0"> \ <Select Path="Security">*[System[(EventID=1100)]]</Select> \ <Select Path="Security">*[System[(EventID=4768)]]</Select> \ <Select Path="Security">*[System[(EventID=4769)]]</Select> \ <Select Path="Security">*[System[(EventID=4771)]]</Select> \ <Select Path="Security">*[System[(EventID=4616)]]</Select> \ <Select Path="Security">*[System[(EventID=4104)]]</Select> \ <Select Path="Security">*[System[(EventID=4624)]]</Select> \ <Select Path="Security">*[System[(EventID=4625)]]</Select> \ <Select Path="Security">*[System[(EventID=4634)]]</Select> \ <Select Path="Security">*[System[(EventID=4647)]]</Select> \ <Select Path="Security">*[System[(EventID=4648)]]</Select> \ <Select Path="Security">*[System[(EventID=4656)]]</Select> \ <Select Path="Security">*[System[(EventID=4688)]]</Select> \ <Select Path="Security">*[System[(EventID=4719)]]</Select> \ <Select Path="Security">*[System[(EventID=4720)]]</Select> \ <Select Path="Security">*[System[(EventID=4722)]]</Select> \ <Select Path="Security">*[System[(EventID=4723)]]</Select> \ <Select Path="Security">*[System[(EventID=4724)]]</Select> \ <Select Path="Security">*[System[(EventID=4725)]]</Select> \ <Select Path="Security">*[System[(EventID=4726)]]</Select> \ <Select Path="Security">*[System[(EventID=4727)]]</Select> \ <Select Path="Security">*[System[(EventID=4728)]]</Select> \ <Select Path="Security">*[System[(EventID=4729)]]</Select> \ <Select Path="Security">*[System[(EventID=4730)]]</Select> \ <Select Path="Security">*[System[(EventID=4731)]]</Select> \ <Select Path="Security">*[System[(EventID=4732)]]</Select> \ <Select Path="Security">*[System[(EventID=4733)]]</Select> \ <Select Path="Security">*[System[(EventID=4734)]]</Select> \ <Select Path="Security">*[System[(EventID=4735)]]</Select> \ <Select Path="Security">*[System[(EventID=4737)]]</Select> \ <Select Path="Security">*[System[(EventID=4738)]]</Select> \ <Select Path="Security">*[System[(EventID=4739)]]</Select> \ <Select Path="Security">*[System[(EventID=4740)]]</Select> \ <Select Path="Security">*[System[(EventID=4741)]]</Select> \ <Select Path="Security">*[System[(EventID=4742)]]</Select> \ <Select Path="Security">*[System[(EventID=4743)]]</Select> \ <Select Path="Security">*[System[(EventID=4744)]]</Select> \ <Select Path="Security">*[System[(EventID=4745)]]</Select> \ <Select Path="Security">*[System[(EventID=4748)]]</Select> \ <Select Path="Security">*[System[(EventID=4749)]]</Select> \ <Select Path="Security">*[System[(EventID=4750)]]</Select> \ <Select Path="Security">*[System[(EventID=4753)]]</Select> \ <Select Path="Security">*[System[(EventID=4754)]]</Select> \ <Select Path="Security">*[System[(EventID=4755)]]</Select> \ <Select Path="Security">*[System[(EventID=4756)]]</Select> \ <Select Path="Security">*[System[(EventID=4758)]]</Select> \ <Select Path="Security">*[System[(EventID=4759)]]</Select> \ <Select Path="Security">*[System[(EventID=4760)]]</Select> \ <Select Path="Security">*[System[(EventID=4763)]]</Select> \ <Select Path="Security">*[System[(EventID=4764)]]</Select> \ <Select Path="Security">*[System[(EventID=4767)]]</Select> \ <Select Path="Security">*[System[(EventID=4776)]]</Select> \ <Select Path="Security">*[System[(EventID=4778)]]</Select> \ <Select Path="Security">*[System[(EventID=4783)]]</Select> \ <Select Path="Security">*[System[(EventID=4800)]]</Select> \ <Select Path="Security">*[System[(EventID=4801)]]</Select> \ <Select Path="System">*[System[(EventID=7036)]]</Select> \ <Select Path="Setup">*[System[(EventID=1)]]</Select> \ <Select Path="Application">*[System[(EventID=18454)]]</Select> \ <Select Path="Application">*[System[(EventID=18456)]]</Select> \ </Query> \ </QueryList> </Input> <Input tcp> Module im_tcp ListenAddr 10.xx.xx.xx <Exec> syslog->parse_syslog(); </Exec> </Input> <Output out_eventlog> Module om_udp Host 10.xx.xx.xx:5601 <Exec> if $raw_event =~ s/^(\S+)// { $HostIP = $Hostname; $HostIP = name_to_ipaddr($Hostname); if not defined $Hostname $HostIP= $Hostname; $raw_event = $HostIP + $raw_event; } to_json(); </Exec> </Output> <Route eventlog> Path in_eventlog, tcp => out_eventlog </Route>
Alert Types Received
Data from NXlog will undergo an identical process of normalization and enrichment. This ensures that it will provide the same level of alert coverage as our existing Windows sensor.
The following alert types are received when using this NXLog configuration:
- Abnormal Parent / Child Process
- Backup Catalogs Deleted by Ransomware
- Bad Reputation Login
- Command Anomaly
- Encoded PowerShell
- External Account Login Failure Anomaly
- External Brute-Forced Successful User Login
- External Credential Stuffing
- External Password Spraying
- External RDP BlueKeep
- External RDP Suspicious Outbound
- External User Login Failure Anomaly
- Hydra Password Guessing Hack Tool
- Impossible Travel Anomaly
- Internal Account Login Failure Anomaly
- Internal Brute-Forced Successful User Login
- Internal Credential Stuffing
- Internal Password Spraying
- Internal RDP BlueKeep
- Internal RDP Suspicious Outbound
- Internal User Login Failure Anomaly
- Login Time Anomaly
- Malware on Disk
- Mimikatz Credential Dump
- Mimikatz DCSync
- Password Cracking with Hashcat
- Password Spraying Attempts Using Dsacls
- Potentially Malicious Windows Event
- PowerShell Remote Access
- Process Anomaly
- RDP Port Opening
- RDP Registry Modification
- RDP Reverse Tunnel
- RDP Session Hijacking
- RDP Settings Hijacking
- RDP Suspicious Logon
- RDP Suspicious Logon Attempt
- Scanner Reputation Anomaly
- Sensitive Windows Active Directory Attribute Modification
- Sensitive Windows Network Share File or Folder Accessed
- SMB Impacket Lateralization
- SMB Specific Service Installation
- SMB Suspicious Copy
- Suspicious Access Attempt to Windows Object
- Suspicious Activity Related to Security-Enabled Group
- Suspicious Connection to Another Process
- Suspicious Handle Request to Sensitive Object
- Suspicious Powershell Script
- Suspicious Process Creation Commandline
- Suspicious Windows Active Directory Operation
- Suspicious Windows Logon Event
- Suspicious Windows Process Creation
- Suspicious Windows Service Installation
- Uncommon Process Anomaly
- User Asset Access Anomaly
- User Login Location Anomaly
- User Process Usage Anomaly
- Volume Shadow Copy Deletion via VssAdmin
- Volume Shadow Copy Deletion via WMIC