Using NXLOG to ship Windows events to SO ELK stack


dpmor...@gmail.com

Jul 3, 2018, 10:53:21 AM
to security-onion
Due to local requirements/policies, I have to use NXLog to ship Windows events. I’ve configured my NXLog to ship to TCP 6052 so it flows through Logstash’s sweet Windows enrichment CONF files, I’ve added a UFW exception for TCP 6052, but the logs never make it to logstash. My NXLog.log on the clients says a connection is never made. On the SO server, a netstat -nlp says that docker-proxy is listening on 6052 but nothing is actually making it to logstash. Admittedly, this is the first time I’m using anything through Docker, so I’m a bit confused as to what I may be missing. Can anyone point me in a direction to solve this?

Wes Lambert

Jul 3, 2018, 2:07:44 PM
to securit...@googlegroups.com
You'll want to try using so-allow on the SO box to allow NXLog in.

Thanks,
Wes

On Tue, Jul 3, 2018 at 10:53 AM <dpmor...@gmail.com> wrote:
Due to local requirements/policies, I have to use NXLog to ship Windows events.  I’ve configured my NXLog to ship to TCP 6052 so it flows through Logstash’s sweet Windows enrichment CONF files, I’ve added a UFW exception for TCP 6052, but the logs never make it to logstash. My NXLog.log on the clients says a connection is never made. On the SO server, a netstat -nlp says that docker-proxy is listening on 6052 but nothing is actually making it to logstash. Admittedly, this is the first time I’m using anything through Docker, so I’m a bit confused as to what I may be missing. Can anyone point me in a direction to solve this?


dpmor...@gmail.com

Jul 5, 2018, 11:04:31 AM
to security-onion
I had looked at so-allow earlier, but it didn’t have the option I wanted (so I thought). I used the logstash forwarder json option and when it told me the iptables rule it was about to add, everything clicked. I was able to copy that rule, change the dport to 6052 and everything worked exactly as I needed it to and now Windows logs are being enriched properly without having to edit the logstash conf files.

For anyone in a similar situation, run the following command:

sudo iptables -I DOCKER-USER ! -i docker0 -o docker0 -s 0.0.0.0/0 -p tcp --dport 6052 -j ACCEPT

Dan Hoyle

Jul 5, 2018, 2:12:04 PM
to securit...@googlegroups.com
Thanks for this. I was fighting with the same thing and copying the rule from so-allow and changing the port to 6052 worked for me as well. Would you be willing to share your nxlog config? I can see the events are being ingested, but in Kibana I don't see all the fields being indexed properly so that I can perform searches.

dpmor...@gmail.com

Jul 6, 2018, 10:34:39 AM
to security-onion
Dan, I will get you my NXLog configs this weekend. I’m on the road right now and only have my phone.

dpmor...@gmail.com

Jul 8, 2018, 11:52:19 AM
to security-onion
Dan,

Pasted below is my NXlog.conf file; it's fairly basic and straightforward. It's an imperfect attempt at forwarding only logs of interest so we don't flood the wire with entire event logs. I hope this helps. If you have any questions on it, feel free to ask:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides to_json(), used by the output below
<Extension json>
    Module xm_json
</Extension>

<Input eventlog>
    Module im_msvistalog
    # Uncomment if you want only specific logs
    # Allowlist by EventID: anything not listed is dropped before it leaves the host
    Exec if $EventID NOT IN (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 225, 1022, 1033, 1102, 4624, 4625, 4657, 4672, 4688, 4698, 4700, 4720, 4724, 4728, 4732, 4756, 7036, 7045, 8004) drop();
    # Channels to subscribe to (trailing backslashes continue the XML across lines)
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
        </Query>\
    </QueryList>
</Input>

# Ship to the SO box on the port Logstash's Windows enrichment config listens on
<Output logstash>
    Module om_tcp
    Host 192.168.30.16
    Port 6052
    # One JSON object per event, newline-delimited
    Exec to_json();
</Output>

<Route 66>
    Path eventlog => logstash
</Route>
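To see what the `Exec ... drop();` line in the config above actually lets through, here is an added Python example (not part of the post or of NXLog) that applies the same EventID allowlist to constructed JSON records shaped like im_msvistalog's to_json() output. It also shows a caveat of filtering on EventID alone: an Application event with EventID 1 passes just like a Sysmon process-create event, because the filter never looks at the channel.

```python
import json

# Allowlist copied from the nxlog.conf Exec line above: everything else is drop()'d.
KEEP_EVENT_IDS = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21,
    225, 1022, 1033, 1102, 4624, 4625, 4657, 4672, 4688, 4698, 4700, 4720,
    4724, 4728, 4732, 4756, 7036, 7045, 8004,
}


def should_forward(event: dict) -> bool:
    """Mirror `Exec if $EventID NOT IN (...) drop();` for one decoded event."""
    return event.get("EventID") in KEEP_EVENT_IDS


def triage(json_lines: str):
    """Split newline-delimited JSON (as om_tcp sends it) into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        (forwarded if should_forward(ev) else dropped).append(ev)
    return forwarded, dropped


def channel_summary(events):
    """Count forwarded events per channel; exposes that the filter is channel-agnostic."""
    counts = {}
    for ev in events:
        counts[ev["Channel"]] = counts.get(ev["Channel"], 0) + 1
    return counts


# Constructed sample records: field names follow im_msvistalog's to_json() output,
# but the hostname, record numbers and messages are made up for this example.
SAMPLE = """\
{"EventTime":"2018-07-08 11:00:01","Hostname":"WKS01","Channel":"Security","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","RecordNumber":101,"Message":"An account was successfully logged on."}
{"EventTime":"2018-07-08 11:00:02","Hostname":"WKS01","Channel":"Security","EventID":4663,"SourceName":"Microsoft-Windows-Security-Auditing","RecordNumber":102,"Message":"An attempt was made to access an object."}
{"EventTime":"2018-07-08 11:00:03","Hostname":"WKS01","Channel":"Microsoft-Windows-Sysmon/Operational","EventID":1,"SourceName":"Microsoft-Windows-Sysmon","RecordNumber":103,"Message":"Process Create"}
{"EventTime":"2018-07-08 11:00:04","Hostname":"WKS01","Channel":"Application","EventID":1,"SourceName":"ExampleApp","RecordNumber":104,"Message":"Application started"}
{"EventTime":"2018-07-08 11:00:05","Hostname":"WKS01","Channel":"System","EventID":7045,"SourceName":"Service Control Manager","RecordNumber":105,"Message":"A service was installed in the system."}
"""

if __name__ == "__main__":
    kept, gone = triage(SAMPLE)
    print("forwarded per channel:", channel_summary(kept))
    print("dropped:", [(e["Channel"], e["EventID"]) for e in gone])
```

If the Application-channel noise matters, the fix on the NXLog side is to test `$Channel` together with `$EventID` in the Exec condition rather than widening or narrowing the ID list.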

Dan Hoyle

Jul 9, 2018, 10:07:43 AM
to securit...@googlegroups.com
Thanks!! It looks very similar to my config. I am using a Windows Event Forwarding (WEF) server so the event filtering is done in WEF instead of NXlog. I can see the events in Kibana, but the fields aren't indexed so I can't search on certain fields such as 'user'. I think I need to look at the SO configuration instead of NXlog as that appears to be working. Thanks for your input.
