This article covers the steps to enable Windows DNS and DHCP logging and to send Windows event, DNS and DHCP logs through NXLog to the Chronicle forwarder, which delivers them to Chronicle.
Overview
This topic describes how to install NXLog on a single Windows Server and send Windows event logs, DNS logs and DHCP logs via NXLog to the forwarder and on to Chronicle.
Prerequisites
Download and install the NXLog Community Edition on the Windows Server from the URL below:
https://nxlog.co/products/nxlog-community-edition
Configuration
Configure Windows DNS Logging
1. Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
2. In Event Viewer, navigate to Applications and Services Logs -> Microsoft -> Windows -> DNS-Server.
3. Expand DNS-Server.
4. Right-click Audit and then click Properties.
5. Select the Enable logging checkbox and click OK when asked whether the log should be enabled.
6. Click OK again.
Configure Windows DHCP Logging
1. Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
2. In Event Viewer, navigate to Applications and Services Logs -> Microsoft -> Windows -> DHCP-Server.
3. Expand DHCP-Server.
4. Right-click Admin Events, click Enable Log, and click OK when asked whether the log should be enabled. Enable the other two channels, FilterNotifications and Operational, in the same way.
5. Click OK again.
Once NXLog Community Edition is installed, copy and paste the configuration below into the nxlog.conf file, replacing <Forwarder IP> with the address of the forwarder.
With this configuration, NXLog collects Windows events, DNS logs and DHCP logs and sends each of the three streams as JSON over TCP to its own port on the forwarder, which relays them to Chronicle.
=================================
Panic Soft
#NoFreeOnExit TRUE

# Install root and output destination; replace <Forwarder IP> with the forwarder address.
define ROOT C:\Program Files\nxlog
define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <Forwarder IP>
# One forwarder listener port per log type (Windows events, DHCP, DNS).
define WINEVTLOG_OUTPUT_DESTINATION_PORT 11517
define WINDHCP_OUTPUT_DESTINATION_PORT 11669
define WINDNS_OUTPUT_DESTINATION_PORT 11518
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# JSON serialisation used by the to_json() calls in the outputs below.
<Extension _json>
    Module xm_json
</Extension>

# Windows event logs: Application, System and Security channels.
<Input windows_security_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Start at the newest event and remember the read position across restarts.
    ReadFromLast True
    SavePos True
</Input>

# DHCP Server channels enabled in the steps above.
<Input dhcp_server_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="DhcpAdminEvents">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast True
    SavePos True
</Input>

# DNS Server audit channel enabled in the steps above.
<Input winDNS_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-DNSServer/Audit">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast True
    SavePos True
</Input>

# Outputs: each stream is sent as JSON over plain TCP (om_tcp is unencrypted) to its
# own forwarder port. The two timestamp fields are converted from microseconds to
# milliseconds before serialisation.
<Output out_chronicle_windevents>
    Module om_tcp
    Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
    Port %WINEVTLOG_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Output out_chronicle_windhcp>
    Module om_tcp
    Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
    Port %WINDHCP_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Output out_chronicle_windns>
    Module om_tcp
    Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
    Port %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

# Route each input to its matching output.
<Route r2>
    Path windows_security_eventlog => out_chronicle_windevents
</Route>

<Route r3>
    Path dhcp_server_eventlog => out_chronicle_windhcp
</Route>

<Route r4>
    Path winDNS_eventlog => out_chronicle_windns
</Route>
=================================
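As an added example (not part of the original article), the PowerShell below performs the Event Viewer enable steps from the command line and checks what the NXLog configuration depends on: that the four DNS and DHCP channels are enabled and receiving events, that the three forwarder ports are reachable over TCP, and that nxlog.conf passes a syntax check. It assumes NXLog is installed under C:\Program Files\nxlog, that the placeholder in $Forwarder is replaced with the forwarder address, and that it runs from an elevated PowerShell session.

```powershell
# Added example, not from the article. Assumes NXLog CE under C:\Program Files\nxlog.
#Requires -RunAsAdministrator
$Forwarder = '<Forwarder IP>'   # placeholder, replace with the forwarder address

# Channels that the dhcp_server_eventlog and winDNS_eventlog inputs subscribe to.
$Channels = @(
    'Microsoft-Windows-DNSServer/Audit',
    'DhcpAdminEvents',
    'Microsoft-Windows-Dhcp-Server/FilterNotifications',
    'Microsoft-Windows-Dhcp-Server/Operational'
)

foreach ($name in $Channels) {
    # Same effect as ticking "Enable logging" in Event Viewer.
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
    }
    # A channel that is enabled but never receives events is the usual silent failure.
    $recent = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue
    $last = if ($recent) { $recent.TimeCreated } else { 'none' }
    Write-Host ("{0,-52} enabled={1} lastEvent={2}" -f $name, $log.IsEnabled, $last)
}

# One forwarder listener per output block in the configuration.
$Ports = @{ windevents = 11517; windhcp = 11669; windns = 11518 }
foreach ($entry in $Ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $Forwarder -Port $entry.Value -WarningAction SilentlyContinue
    Write-Host ("forwarder {0}:{1} ({2}) reachable={3}" -f $Forwarder, $entry.Value, $entry.Key, $r.TcpTestSucceeded)
}

# Syntax-check nxlog.conf, confirm the service is running, and surface recent
# NXLog errors (for example a channel name that does not exist on this host).
& 'C:\Program Files\nxlog\nxlog.exe' -v
Get-Service -Name nxlog | Select-Object Name, Status, StartType
Get-Content 'C:\Program Files\nxlog\data\nxlog.log' -Tail 20 | Select-String -Pattern 'ERROR|WARNING'
```

If a channel reports lastEvent=none after a DNS or DHCP change on the host, check the channel itself before looking at NXLog; ReadFromLast True means nothing is sent until a new event arrives.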