Overview
This topic describes the steps to send Windows PowerShell event logs to Chronicle: NXLog on the Windows host ships the events to the Chronicle Forwarder, and the Forwarder passes them on to Chronicle.
Prerequisites
Download and install NXLog Community Edition on the Windows host from https://nxlog.co/products/nxlog-community-edition.
Configuration
Once NXLog Community Edition is installed, paste the configuration below into the nxlog.conf file (by default under C:\Program Files\nxlog\conf). Replace <Forwarder IP> with the IP address of the Chronicle Forwarder.
With this configuration, NXLog reads the two Windows PowerShell event log channels (Microsoft-Windows-PowerShell/Operational and Windows PowerShell), converts each event to JSON and sends it over TCP to port 11614 on the Forwarder, which forwards it to Chronicle.
=================================
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <Forwarder IP>
define WINPOWERSHELL_OUTPUT_DESTINATION_PORT 11614
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

<Input winPowerShell_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast TRUE
    SavePos TRUE
</Input>

<Output out_chronicle_winPowerShell>
    Module om_tcp
    Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
    Port %WINPOWERSHELL_OUTPUT_DESTINATION_PORT%
    # im_msvistalog timestamps are microseconds; Chronicle expects milliseconds
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path winPowerShell_eventlog => out_chronicle_winPowerShell
</Route>
=================================
Add the following syslog collector to the Forwarder configuration file (as an entry in the collectors: list), so that the Forwarder listens on port 11614 for the events NXLog sends and labels them with the POWERSHELL log type:
- syslog:
    common:
      enabled: true
      data_type: POWERSHELL
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11614
    udp_address: 0.0.0.0:11614
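When nothing shows up in Chronicle, the fastest way to find out which half of the pipeline is at fault is to look at what actually arrives on port 11614. The script below is an added example written for this article; it is not part of the article, NXLog or the Chronicle Forwarder. It validates newline-delimited JSON records of the shape the NXLog Output block above produces (im_msvistalog fields such as EventTime, Channel and EventID, serialized by to_json() after the two Exec lines have turned the timestamps into epoch milliseconds), and it flags the usual mistakes: the division by 1000 dropped so the timestamp is still microseconds, a channel the QueryXML does not select, or to_json() missing so the line is not JSON at all. The sample records, the field layout and the millisecond assumption are constructed for the example; the serve() helper can be pointed at by NXLog in place of the Forwarder (stop the Forwarder first, since both bind the same port).

```python
"""Check what the Chronicle Forwarder's syslog collector on tcp/11614 receives from NXLog.

Added example for the article above, not code from NXLog or Chronicle. Assumes the
records are the JSON documents NXLog's to_json() emits for im_msvistalog events
after EventTime/EventReceivedTime were divided down to epoch milliseconds.
"""
import json
import socketserver
from datetime import datetime, timezone

# The two channels selected in the article's <QueryXML> block.
EXPECTED_CHANNELS = {"Microsoft-Windows-PowerShell/Operational", "Windows PowerShell"}
REQUIRED_FIELDS = ("EventTime", "EventReceivedTime", "Channel", "EventID")

# Plausible epoch-millisecond window: 2001-09-09 .. 2286-11-20.
MS_MIN, MS_MAX = 1_000_000_000_000, 10_000_000_000_000


def classify_epoch(value):
    """Guess the unit of an epoch integer; the Output block should yield 'ms'."""
    if MS_MIN <= value < MS_MAX:
        return "ms"
    if value >= MS_MAX:
        return "us"  # integer($EventTime) without the '/ 1000' leaves microseconds
    return "s"


def check_record(line):
    """Validate one JSON record; returns ok, a list of problems, and the parsed time."""
    result = {"ok": False, "problems": [], "event_time_utc": None}
    try:
        rec = json.loads(line)
    except ValueError:
        result["problems"].append("not JSON: is 'Exec to_json();' missing from the Output block?")
        return result
    if not isinstance(rec, dict):
        result["problems"].append("JSON value is not an object")
        return result
    for field in REQUIRED_FIELDS:
        if field not in rec:
            result["problems"].append(f"missing field {field}")
    channel = rec.get("Channel")
    if channel is not None and channel not in EXPECTED_CHANNELS:
        result["problems"].append(f"unexpected channel {channel!r}: not selected by the QueryXML")
    et = rec.get("EventTime")
    if isinstance(et, int):
        unit = classify_epoch(et)
        if unit == "ms":
            result["event_time_utc"] = datetime.fromtimestamp(et / 1000, tz=timezone.utc).isoformat()
        else:
            result["problems"].append(
                f"EventTime {et} looks like {unit}, not ms: check the "
                "'Exec $EventTime = integer($EventTime) / 1000;' line")
    elif et is not None:
        result["problems"].append(f"EventTime is {type(et).__name__}, expected integer milliseconds")
    result["ok"] = not result["problems"]
    return result


def summarize(lines):
    """Count good and bad records in an iterable of lines (blank lines are skipped)."""
    counts = {"ok": 0, "bad": 0}
    for line in lines:
        if line.strip():
            counts["ok" if check_record(line)["ok"] else "bad"] += 1
    return counts


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:  # one JSON document per line, as om_tcp sends them
            r = check_record(raw.decode("utf-8", "replace").rstrip("\r\n"))
            print("OK " if r["ok"] else "BAD", r["event_time_utc"], r["problems"])


class _Listener(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


def serve(host="0.0.0.0", port=11614):
    """Stand in for the Forwarder listener while debugging; stop the Forwarder first."""
    with _Listener((host, port), _Handler) as srv:
        srv.serve_forever()


# Constructed sample records (2024-01-01T00:00:00Z = 1704067200000 ms).
_BASE = {"EventReceivedTime": 1704067200250, "SourceName": "Microsoft-Windows-PowerShell",
         "Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
         "Message": "Creating Scriptblock text (1 of 1):\r\nGet-Process"}
SAMPLE_LINES = [
    json.dumps({**_BASE, "EventTime": 1704067200000}),      # what the article's config yields
    json.dumps({**_BASE, "EventTime": 1704067200000000}),   # '/ 1000' dropped: still microseconds
    json.dumps({**_BASE, "EventTime": 1704067200000,        # channel not in the QueryXML
                "Channel": "Security", "EventID": 4624}),
    "2024-01-01 00:00:00 WIN-HOST INFO 4104 Get-Process",   # to_json() missing: raw text
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(check_record(line))
```

Run it with no arguments to see the four sample verdicts, or call serve() on the Forwarder host to watch live NXLog output; an empty stream there means the problem is on the Windows side (NXLog service, firewall, or the <Forwarder IP> placeholder), while records flagged BAD point at the nxlog.conf lines named in each message.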