With your BaselineStack installed, you are ready to receive Windows syslog messages on TCP port 513.
This guide walks you through configuring the Windows systems you want to monitor so that they send their logs to the listener on the IP address of your ClientStack.
Download and install nxlog from here: http://nxlog.org/products/nxlog-community-edition
Run the nxlog installer using the MSI package, accept the license agreement and click Finish.
Verify the ROOT path in nxlog.conf
The Windows installer uses the C:\Program Files\nxlog directory for the installation.
On 64-bit machines this is C:\Program Files (x86)\nxlog.
We refer to this as the ROOT path. You must verify the nxlog.conf configuration file and use the appropriate ROOT path:
    define ROOT C:\Program Files\nxlog
or
    define ROOT C:\Program Files (x86)\nxlog
Configure nxlog
The most common use case for nxlog on Windows is to collect logs from the EventLog subsystem and forward them over the network. Below is how to configure nxlog to forward these in JSON format on port 513. You can download the file from here. These logs will then be forwarded to, and searchable in, your cloud dashboard.
The nxlog configuration file nxlog.conf lives under C:\Program Files\nxlog\conf, or C:\Program Files (x86)\nxlog\conf on 64-bit architectures. Using a text editor such as notepad.exe, open C:\Program Files (x86)\nxlog\conf\nxlog.conf, edit it as in the example below, and save it.
    ## TCP Port 513 v1.0 SS
    define ROOT C:\Program Files (x86)\nxlog
    define ROOT_STRING C:\Program Files (x86)\\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    # Enable json extension
    <Extension json>
        Module xm_json
    </Extension>

    <Input in>
        Module im_msvistalog
        Exec to_json();
        ReadFromLast FALSE
        SavePos FALSE
        Query <QueryList> \
            <Query Id="0"> \
                <Select Path="Application">*</Select> \
                <Select Path="System">*</Select> \
                <Select Path="Security">*</Select> \
            </Query> \
        </QueryList>
    </Input>

    <Output out>
        Module om_tcp
        Host SET.IP.OF.YOUR.CLIENT
        Port 513
    </Output>

    <Route 1>
        Path in => out
    </Route>
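Before pointing the Output block at the real listener, it helps to see exactly what the configuration above emits. The following Python script is an added example, not part of the original guide or of nxlog itself: a stand-in receiver for the newline-delimited JSON records that im_msvistalog with to_json() sends over om_tcp. The sample traffic embedded in it is constructed; the field names (EventTime, Hostname, Channel, EventID, Message) follow what im_msvistalog exposes, and the split record shows the one framing edge case a TCP receiver must handle.

```python
"""Stand-in receiver/validator for nxlog JSON-over-TCP records (added example)."""
import json
import socket
from collections import Counter

# Fields a useful record should carry; a missing one is reported, not fatal.
EXPECTED_FIELDS = ("EventTime", "Hostname", "Channel", "EventID", "Message")


def parse_stream(buffer: bytes, chunk: bytes):
    """Append a TCP chunk to the carry-over buffer and return
    (remaining_buffer, records, problems). om_tcp is line based, so a record
    ends at a newline; a chunk may end mid-record, hence the carry-over."""
    buffer += chunk
    records, problems = [], []
    while b"\n" in buffer:
        line, buffer = buffer.split(b"\n", 1)
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            problems.append(f"unparseable line: {exc}")
            continue
        if not isinstance(rec, dict):
            problems.append("record is not a JSON object")
            continue
        missing = [f for f in EXPECTED_FIELDS if f not in rec]
        if missing:
            problems.append(f"record from {rec.get('Hostname', '?')} missing {missing}")
        records.append(rec)
    return buffer, records, problems


def summarize(records):
    """Count records per (Hostname, Channel) so you can confirm that the
    Application, System and Security channels named in the Query all arrive."""
    return Counter((r.get("Hostname"), r.get("Channel")) for r in records)


def serve(host="0.0.0.0", port=513, max_records=100):
    """Accept one nxlog connection and parse what it sends (blocking).
    Binding port 513 needs administrative rights on most systems."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            buf, seen = b"", []
            while len(seen) < max_records:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf, recs, probs = parse_stream(buf, chunk)
                seen.extend(recs)
                for p in probs:
                    print("problem:", p)
            return peer, seen


# Constructed sample traffic: one whole record, one record split across two
# chunks, and one line that is not JSON at all.
SAMPLE_CHUNKS = [
    b'{"EventTime":"2024-01-01 10:00:00","Hostname":"WIN10-TEST","Channel":"System",'
    b'"EventID":7036,"Message":"The nxlog service entered the running state."}\n'
    b'{"EventTime":"2024-01-01 10:00:01","Hostname":"WIN10-TEST","Channel":"Secu',
    b'rity","EventID":4624,"Message":"An account was successfully logged on."}\n'
    b'not json at all\n',
]


def run_sample():
    """Feed the constructed chunks through the parser as a receiver would."""
    buf, records, problems = b"", [], []
    for chunk in SAMPLE_CHUNKS:
        buf, recs, probs = parse_stream(buf, chunk)
        records.extend(recs)
        problems.extend(probs)
    return records, problems, summarize(records)


if __name__ == "__main__":
    records, problems, counts = run_sample()
    print(len(records), "records;", len(problems), "problems")
    for key, n in counts.items():
        print(key, n)
```

Run it as-is to see the parser on the constructed chunks; call serve() on a test machine whose address you put in the Host line to watch live records from the Windows host. Note that om_tcp carries the records in clear text; nxlog's om_ssl module exists for a TLS transport where the listener supports it.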
Start nxlog
nxlog can be started using either of the following methods:
Start the Service Manager and find 'nxlog' in the list. Select it and start the service.
Double-click on nxlog.exe and set the service to start up Automatically.
Check the logs
The default configuration instructs nxlog to write its own logs to C:\Program Files\nxlog\data\nxlog.log, or C:\Program Files (x86)\nxlog\data\nxlog.log on 64-bit systems. Open it with notepad.exe and check for errors. Note that some text editors (such as WordPad) need exclusive locking and will refuse to open the log file while nxlog is running. You should see a line reporting that nxlog has started.
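Reading nxlog.log by eye works for one host; for several, a small checker that reports whether the "started" line is present and lists the ERROR and WARNING lines is handier. The script below is an added example, not part of the guide or of nxlog: it assumes the one-message-per-line layout of nxlog.log (timestamp, level, text), and the sample log text in it is constructed to resemble that layout, not copied from a real run. The verdict() helper ties the two most common first-run failures back to the two settings this guide asks you to check (the ROOT path and the Host/Port in the Output block).

```python
"""Checker for nxlog's own log file (added example)."""
import re
from pathlib import Path

# One nxlog.log line: "YYYY-MM-DD HH:MM:SS LEVEL message" (assumed layout).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (INFO|WARNING|ERROR) (.*)$"
)


def check_log_text(text: str):
    """Return whether a 'started' line was seen plus the ERROR/WARNING messages."""
    result = {"started": False, "errors": [], "warnings": [], "unparsed": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                result["unparsed"] += 1  # a line in a layout we do not know
            continue
        _ts, level, msg = m.groups()
        if level == "INFO" and "started" in msg:
            result["started"] = True
        elif level == "ERROR":
            result["errors"].append(msg)
        elif level == "WARNING":
            result["warnings"].append(msg)
    return result


def check_log_file(path):
    """Read nxlog.log from disk; errors='replace' keeps odd bytes from aborting."""
    return check_log_text(Path(path).read_text(encoding="utf-8", errors="replace"))


def verdict(result):
    """Map the check result onto the settings this guide asks you to verify."""
    if not result["started"] and not result["errors"]:
        return "no start line: verify the ROOT path in nxlog.conf and that the service is running"
    if any("connect" in e.lower() for e in result["errors"]):
        return "connection errors: verify the Host and Port in the <Output out> block"
    if result["errors"]:
        return "errors present: see nxlog.log"
    return "nxlog started cleanly"


# Constructed sample log text in the assumed layout (not from a real run).
SAMPLE_LOG = """2024-01-01 10:00:00 INFO nxlog-ce started
2024-01-01 10:00:02 WARNING not starting unused module
2024-01-01 10:00:05 ERROR couldn't connect to tcp socket on 192.0.2.10:513; Connection refused
"""


if __name__ == "__main__":
    res = check_log_text(SAMPLE_LOG)
    print(res)
    print(verdict(res))
```

Point check_log_file() at the nxlog.log path named above on the Windows host; because it only reads the file, it does not hit the exclusive-locking problem that some editors have while nxlog is running.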
Check logs in your Cloud Dashboard.
Go to https://securitystacks.com and log in, then go to My Security.
You should see that the number of logging hosts has increased by one.
Click on Logging Hosts and find the Windows system you just configured.
If you have the paid version, you can also view and query these logs in a Kibana dashboard: go to the 'Logs and Stats' page and click Advanced Log Searching with Kibana.
Sign up for a demo and we will show you how fast and easy it is.
NOTE: Sometimes our code changes faster than our documentation so there may be some differences between what you see and this document.
The post How to view Windows 10 SYSLOG with BaselineStack’s Kibana Dashboard appeared first on Solidify Security.