Configuring NXLog for HostIP Field
For NXLog, some configuration is needed to create the HostIP field from the Hostname field. This configuration enables the collection of the host or source IP address when Windows events are ingested from NXLog. The NXLog version must be 5.5 or later.
To configure NXLog:
Import Extension Modules
Two extension modules are required: Resolver (xm_resolver) and Syslog (xm_syslog). For details on importing them, refer to the following NXLog documentation:
Then import the extension modules:
Configuring NXLog
For rewriting and modifying logs, you can refer to the following NXLog documentation: https://docs.nxlog.co/userguide/configure/rewriting.html.
To configure NXLog to create the HostIP field:
- In the input module, configure the listening host (ListenAddr).
- In the output module, create HostIP from Hostname and rewrite HostIP to get the output.
Sample NXLog Configuration File
Panic Soft

define INSTALLDIR C:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules
#CacheDir  %INSTALLDIR%\data
#SpoolDir  %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
include %CONFDIR%\*.conf
#LogLevel INFO
#LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Extension xml>
    Module xm_xml
</Extension>

<Extension _resolver>
    Module xm_resolver
</Extension>

<Input in_eventlog>
    # For Windows 2008/Vista/7/8/2012/2012R2/2016 and later use the following:
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos TRUE
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Security">*[System[(EventID=1100)]]</Select> \
            <Select Path="Security">*[System[(EventID=4768)]]</Select> \
            <Select Path="Security">*[System[(EventID=4769)]]</Select> \
            <Select Path="Security">*[System[(EventID=4771)]]</Select> \
            <Select Path="Security">*[System[(EventID=4616)]]</Select> \
            <Select Path="Security">*[System[(EventID=4104)]]</Select> \
            <Select Path="Security">*[System[(EventID=4624)]]</Select> \
            <Select Path="Security">*[System[(EventID=4625)]]</Select> \
            <Select Path="Security">*[System[(EventID=4634)]]</Select> \
            <Select Path="Security">*[System[(EventID=4647)]]</Select> \
            <Select Path="Security">*[System[(EventID=4648)]]</Select> \
            <Select Path="Security">*[System[(EventID=4656)]]</Select> \
            <Select Path="Security">*[System[(EventID=4688)]]</Select> \
            <Select Path="Security">*[System[(EventID=4719)]]</Select> \
            <Select Path="Security">*[System[(EventID=4720)]]</Select> \
            <Select Path="Security">*[System[(EventID=4722)]]</Select> \
            <Select Path="Security">*[System[(EventID=4723)]]</Select> \
            <Select Path="Security">*[System[(EventID=4724)]]</Select> \
            <Select Path="Security">*[System[(EventID=4725)]]</Select> \
            <Select Path="Security">*[System[(EventID=4726)]]</Select> \
            <Select Path="Security">*[System[(EventID=4727)]]</Select> \
            <Select Path="Security">*[System[(EventID=4728)]]</Select> \
            <Select Path="Security">*[System[(EventID=4729)]]</Select> \
            <Select Path="Security">*[System[(EventID=4730)]]</Select> \
            <Select Path="Security">*[System[(EventID=4731)]]</Select> \
            <Select Path="Security">*[System[(EventID=4732)]]</Select> \
            <Select Path="Security">*[System[(EventID=4733)]]</Select> \
            <Select Path="Security">*[System[(EventID=4734)]]</Select> \
            <Select Path="Security">*[System[(EventID=4735)]]</Select> \
            <Select Path="Security">*[System[(EventID=4737)]]</Select> \
            <Select Path="Security">*[System[(EventID=4738)]]</Select> \
            <Select Path="Security">*[System[(EventID=4739)]]</Select> \
            <Select Path="Security">*[System[(EventID=4740)]]</Select> \
            <Select Path="Security">*[System[(EventID=4741)]]</Select> \
            <Select Path="Security">*[System[(EventID=4742)]]</Select> \
            <Select Path="Security">*[System[(EventID=4743)]]</Select> \
            <Select Path="Security">*[System[(EventID=4744)]]</Select> \
            <Select Path="Security">*[System[(EventID=4745)]]</Select> \
            <Select Path="Security">*[System[(EventID=4748)]]</Select> \
            <Select Path="Security">*[System[(EventID=4749)]]</Select> \
            <Select Path="Security">*[System[(EventID=4750)]]</Select> \
            <Select Path="Security">*[System[(EventID=4753)]]</Select> \
            <Select Path="Security">*[System[(EventID=4754)]]</Select> \
            <Select Path="Security">*[System[(EventID=4755)]]</Select> \
            <Select Path="Security">*[System[(EventID=4756)]]</Select> \
            <Select Path="Security">*[System[(EventID=4758)]]</Select> \
            <Select Path="Security">*[System[(EventID=4759)]]</Select> \
            <Select Path="Security">*[System[(EventID=4760)]]</Select> \
            <Select Path="Security">*[System[(EventID=4763)]]</Select> \
            <Select Path="Security">*[System[(EventID=4764)]]</Select> \
            <Select Path="Security">*[System[(EventID=4767)]]</Select> \
            <Select Path="Security">*[System[(EventID=4776)]]</Select> \
            <Select Path="Security">*[System[(EventID=4778)]]</Select> \
            <Select Path="Security">*[System[(EventID=4783)]]</Select> \
            <Select Path="Security">*[System[(EventID=4800)]]</Select> \
            <Select Path="Security">*[System[(EventID=4801)]]</Select> \
            <Select Path="System">*[System[(EventID=7036)]]</Select> \
            <Select Path="Setup">*[System[(EventID=1)]]</Select> \
            <Select Path="Application">*[System[(EventID=18454)]]</Select> \
            <Select Path="Application">*[System[(EventID=18456)]]</Select> \
        </Query> \
    </QueryList>
</Input>

<Input tcp>
    Module im_tcp
    ListenAddr 10.xx.xx.xx
    <Exec>
        syslog->parse_syslog();
    </Exec>
</Input>

<Output out_eventlog>
    Module om_udp
    Host 10.xx.xx.xx:5601
    <Exec>
        # Replace the leading token of the raw event with the IP address
        # resolved from $Hostname, and expose it as the HostIP field.
        if $raw_event =~ s/^(\S+)// {
            $HostIP = name_to_ipaddr($Hostname);
            # Fall back to the hostname itself when it cannot be resolved
            if not defined $HostIP $HostIP = $Hostname;
            $raw_event = $HostIP + $raw_event;
        }
        to_json();
    </Exec>
</Output>

<Route eventlog>
    Path in_eventlog, tcp => out_eventlog
</Route>
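To see what the output Exec block produces before deploying it, here is an added Python model of its logic (example code written for this page, not NXLog's own code or part of the original sample): it strips the leading token of the raw event, resolves the hostname through an offline stand-in for name_to_ipaddr(), falls back to the hostname when resolution fails, and serialises the result as JSON. The hostnames, addresses and event lines are constructed.

```python
import json
import re
import socket
from typing import Callable, Optional

# Constructed lookup table that stands in for DNS so the example runs offline.
# In the NXLog config, name_to_ipaddr() from xm_resolver performs this lookup.
FAKE_DNS = {
    "dc01.corp.example": "10.0.0.5",
    "ws-finance-07": "10.0.12.34",
}

def fake_name_to_ipaddr(hostname: str) -> Optional[str]:
    """Offline stand-in for name_to_ipaddr(); None when the name does not resolve."""
    return FAKE_DNS.get(hostname.lower())

def live_name_to_ipaddr(hostname: str) -> Optional[str]:
    """Real DNS lookup for use outside the demo; None on failure, like NXLog."""
    try:
        return socket.gethostbyname(hostname)
    except OSError:
        return None

def rewrite_event(raw_event: str, hostname: Optional[str],
                  resolve: Callable[[str], Optional[str]] = fake_name_to_ipaddr) -> dict:
    """Mirror the om_udp <Exec> block: strip the leading token of $raw_event,
    derive $HostIP from $Hostname (falling back to the hostname itself when
    it cannot be resolved), and prepend $HostIP to the event."""
    fields = {"Hostname": hostname, "raw_event": raw_event}
    stripped, matched = re.subn(r"^(\S+)", "", raw_event, count=1)  # s/^(\S+)//
    if matched:
        host_ip = resolve(hostname) if hostname else None
        if host_ip is None:             # if not defined $HostIP $HostIP = $Hostname;
            host_ip = hostname
        if host_ip is not None:         # no hostname at all: leave the event untouched
            fields["HostIP"] = host_ip
            fields["raw_event"] = host_ip + stripped
    return fields

def to_json(fields: dict) -> str:
    """Equivalent of to_json(): serialise the event fields for the UDP output."""
    return json.dumps(fields, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample events whose first token is the reporting host.
    for host, line in [("WS-FINANCE-07", "WS-FINANCE-07 4624 An account was successfully logged on."),
                       ("printsrv", "printsrv 7036 The Spooler service entered the running state.")]:
        print(to_json(rewrite_event(line, host)))
```

The second sample host is deliberately absent from the lookup table, so its output shows the fallback path where HostIP carries the unresolved hostname.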