Overview
This topic describes how to install NXLog on a Windows Server and use it to send Windows Sysmon logs to the Chronicle Forwarder, which in turn delivers them to Chronicle.
Prerequisites
Download and install NXLog Community Edition on the Windows Server from
https://nxlog.co/products/nxlog-community-edition.
Configuration
Configure Sysmon on the Windows Server
1. Download Sysmon from the URL below. It is distributed as a Zip archive.
https://download.sysinternals.com/files/Sysmon.zip
2. Extract the archive. The extracted folder contains four files.
3. Open a Command Prompt as Administrator, change to the folder where Sysmon was extracted, and install Sysmon with the command below.
> sysmon64.exe -accepteula -i
4. Open Services and confirm that the Sysmon64 service is running.
Copy the configuration below into the nxlog.conf file, replacing <Forwarder IP> with the address of the Chronicle Forwarder. With this configuration, NXLog reads the Windows Sysmon event log and sends each event as JSON over TCP to the Forwarder, which passes it on to Chronicle.

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <Forwarder IP>
define WINESYS_OUTPUT_DESTINATION_PORT 11664
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

# Read only the Sysmon operational channel; start at the newest event and remember the position across restarts
<Input winSys_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast TRUE
    SavePos TRUE
</Input>

<Output out_chronicle_winSys>
    Module om_tcp
    Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
    Port %WINESYS_OUTPUT_DESTINATION_PORT%
    # NXLog datetime values are microseconds since the epoch; divide by 1000 to send milliseconds
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path winSys_eventlog => out_chronicle_winSys
</Route>
Add the following syslog collector to the Forwarder configuration file. The TCP port must match the WINESYS_OUTPUT_DESTINATION_PORT value in the NXLog configuration (11664).

- syslog:
    common:
      enabled: true
      data_type: WINDOWS_SYSMON
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11664
    udp_address: 0.0.0.0:11664
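Before the Forwarder is in place, it helps to confirm that NXLog is actually emitting what the configuration above intends: one JSON record per line on port 11664, from the Sysmon channel only, with EventTime and EventReceivedTime already converted to milliseconds. The script below is an added example written for this article, not code from NXLog, Sysmon or Chronicle: it stands in for the Forwarder's syslog collector, validates each record it receives, and separately checks that the port in the NXLog define matches the tcp_address in the Forwarder collector. The sample records and the hostname in them are constructed; the port, field names and channel name are the ones used in the configuration above.

```python
"""Throwaway receiver that stands in for the Chronicle Forwarder's syslog
collector so NXLog output can be checked before the real Forwarder is up.
Added example for this article; not part of NXLog, Sysmon or Chronicle."""
import json
import re
import socket

# Port from the NXLog "define WINESYS_OUTPUT_DESTINATION_PORT" line above.
LISTEN_PORT = 11664
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Plausible millisecond epoch range (roughly 2001 to 2286). Values from NXLog
# that were NOT divided by 1000 are microseconds and fall outside this range.
MS_MIN, MS_MAX = 1_000_000_000_000, 10_000_000_000_000


def validate_event(line):
    """Parse one newline-delimited JSON record as emitted by the om_tcp output
    (after 'Exec to_json();') and return a list of problems; empty means OK."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if event.get("Channel") != SYSMON_CHANNEL:
        problems.append(f"unexpected Channel {event.get('Channel')!r}")
    for field in ("EventTime", "EventReceivedTime"):
        value = event.get(field)
        if not isinstance(value, int):
            problems.append(f"{field} missing or not an integer: {value!r}")
        elif not (MS_MIN <= value < MS_MAX):
            problems.append(f"{field}={value} is not in milliseconds; check the Exec lines")
    if "EventID" not in event:
        problems.append("EventID missing")
    return problems


def check_port_consistency(nxlog_conf, forwarder_yaml):
    """True when the port NXLog sends to equals the Forwarder's tcp_address port.
    Regex-based: enough for the two snippets in this article, not a full parser."""
    nx = re.search(r"define\s+WINESYS_OUTPUT_DESTINATION_PORT\s+(\d+)", nxlog_conf)
    fw = re.search(r"tcp_address:\s*[\d.]+:(\d+)", forwarder_yaml)
    return bool(nx and fw and nx.group(1) == fw.group(1))


def serve(port=LISTEN_PORT, max_events=None):
    """Accept one NXLog connection, validate every line it sends and print a
    verdict per record. Returns the number of records seen."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        print(f"listening on {port}; point the NXLog Host define at this machine")
        conn, peer = srv.accept()
        seen = 0
        with conn, conn.makefile("r", encoding="utf-8") as stream:
            for line in stream:
                line = line.strip()
                if not line:
                    continue
                seen += 1
                problems = validate_event(line)
                print(f"{'BAD' if problems else 'OK '} #{seen} from {peer[0]}: "
                      f"{problems or 'Sysmon record'}")
                if max_events and seen >= max_events:
                    break
        return seen


# Constructed sample records (not captured from a real host): one that matches
# the configuration above and one that shows the two most common mistakes.
SAMPLE_GOOD = json.dumps({
    "EventTime": 1700000000000, "EventReceivedTime": 1700000001000,
    "Channel": SYSMON_CHANNEL, "EventID": 1, "Hostname": "WIN-EXAMPLE",
    "Image": "C:\\Windows\\System32\\notepad.exe",
})
SAMPLE_BAD = json.dumps({
    "EventTime": 1700000000000000,          # microseconds: Exec line did not run
    "EventReceivedTime": 1700000001000,
    "Channel": "Security", "EventID": 4688,  # wrong channel: query too broad
})

if __name__ == "__main__":
    serve()
```

Run the script on the machine that will host the Forwarder (or any host reachable from the Windows Server), point the Host define in nxlog.conf at it, and generate a little activity on the server; every line NXLog sends should print as OK. A BAD verdict naming a timestamp field means the Exec conversion lines were not applied, and a wrong Channel means the QueryXML selects more than the Sysmon channel.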