## Secureworks Taegis XDR - Log Microsoft Windows logs to Taegis XDR
##
## Version 1.6
##
## NOTE: This configuration template is provided as a convenience to Taegis customers.
## Secureworks provides best-effort troubleshooting for our customers, but questions
## around advanced configuration or issues should be resolved with the vendor.
##
## In the event of issues, please refer to the Troubleshooting nxlog section below prior
## to engaging Taegis support.
##
############################################################
## Troubleshooting nxlog:
##
## 1) Verify nxlog is running; from the Windows CLI you can just type:
##      sc query nxlog
## 2) Ensure the XDR and PORT definitions are correct.
## 3) Perform manual configuration validation by shutting down nxlog and running nxlog manually with the -v switch:
##      net stop nxlog && "c:\Program Files\nxlog\nxlog" -v
## 4) Temporarily uncomment the "LogLevel Debug" line and restart nxlog:
##      net stop nxlog && net start nxlog
## 5) Review nxlog's detailed logs, typically found in: C:\Program Files\nxlog\data\nxlog.log
##    NOTE: It is advisable to revert Debug Logging afterwards by commenting out the "LogLevel Debug"
##    definition and restarting nxlog: net stop nxlog && net start nxlog
#############################################################
## Definitions
#
## 1 Task:
#
## 1) Update "define XDR A.B.C.D" to your XDR Collector IP.
#
#############################################################
## Set XDR to the IP address of your XDR Collector. Supported ports are 601/TCP or 514/UDP.
## XDR Collector Syslog - https://docs.ctpx.secureworks.com/integration/localCollectors/on_prem_data_collection/#inboundsyslog
define XDR A.B.C.D
define PORT 601

Panic Soft
#NoFreeOnExit TRUE

## Please set ROOT to the folder NXLog is installed in.
## - if 64bit NxLog is used, comment out (#) the x86 lines and uncomment the C:\Program Files\nxlog lines
define ROOT C:\Program Files\nxlog
define ROOT_STRING C:\Program Files\nxlog
## - if 32bit NxLog is used, comment out (#) the "C:\Program Files\nxlog" lines and uncomment the x86 lines
#define ROOT C:\Program Files (x86)\nxlog
#define ROOT_STRING C:\Program Files (x86)\nxlog

## Define certs if used during XDR Collector creation
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf

## Define internal log details for NXLog
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

## Uncomment for verbose logging for troubleshooting purposes.
# LogLevel Debug

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %LOGFILE%

#####################
# Definitions - END #
#####################

##############
# Extensions #
##############
## Block names (Extension, Input, Output, Route) are local labels; the Input and Output
## names must match the Path lines of the Route blocks further down.

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension exec>
    Module xm_exec
</Extension>

<Extension fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

####################
# Extensions - END #
####################

######################
# Windows Event Logs #
######################
##
## README: By default we collect Windows Event Logs. If this is not desired, comment out the below section.
##
## Uncomment im_msvistalog for Windows Vista/2008 and later
<Input MSWINEVENTLOGIN>
    Module im_msvistalog
## For Windows 2003 and earlier use the following instead:
#   Module im_mseventlog
    ## Prevent a feedback loop: Filtering Platform events 5156/5157 generated by NXLog's own
    ## connections to the collector would otherwise be forwarded and generate more of themselves.
    Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing' and $EventID IN (5156, 5157) and $Application =~ /\\nxlog\.exe$/i) drop();
</Input>

<Output MSWINEVENTLOGOUT>
#   Module om_udp
    Module om_tcp
    ## Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
#   Module om_ssl
    Host %XDR%
    Port %PORT%
#   CAFile %CERTDIR%\CA.cer
#   CertFile %CERTDIR%\winhost.cer
#   CertKeyFile %CERTDIR%\winhost.key
#   AllowUntrusted FALSE
    ## Transmit in Snare format on local6.info
    Exec $SyslogFacilityValue = 22; $Hostname = hostname_fqdn(); to_syslog_snare();
</Output>

<Route MSWINEVENTLOG>
    Path MSWINEVENTLOGIN => MSWINEVENTLOGOUT
</Route>

############################
# Windows Event Logs - END #
############################

############################
# Microsoft DNS Debug Logs #
############################
###
### README: If Microsoft DNS Debug Log collection is desired, follow the Taegis XDR docs instructions
### for configuring Microsoft DNS and then uncomment the below section.
###
#
# <Input MSDNSLOGIN>
#   Module im_file
### README: If DNS log collection does not seem to be working, please refer to the troubleshooting
### section at the beginning of this configuration example.
### 32-bit applications can access the native system directory by substituting %windir%\Sysnative
### for %windir%\System32. WOW64 recognizes Sysnative as a special alias used to indicate that the
### file system should not redirect the access. This mechanism is flexible and easy to use; therefore,
### it is the recommended mechanism to bypass file system redirection. Note that 64-bit applications
### cannot use the Sysnative alias, as it is a virtual directory, not a real one.
## Ensure the file path listed below matches the DNS log file configuration.
#   File 'C:\Windows\System32\dns\dns.log'
#   InputType LineBased
#   SavePos TRUE
#   ReadFromLast FALSE
#   PollInterval 1
### The input is assumed to contain log messages separated by newlines. Thus, if an LF (\n) or
### CRLF (\r\n) is found, the module considers that it has reached the end of the log message.
#   Exec if $raw_event == '' drop(); ## drops blank messages
#   Exec $Hostname = hostname_fqdn(); $SourceName = "MSDNSLog"; $Message = $raw_event;
# </Input>
#
# <Output MSDNSLOGOUT>
##  Module om_udp
#   Module om_tcp
### Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
##  Module om_ssl
#   Host %XDR%
#   Port %PORT%
##  CAFile %CERTDIR%\CA.cer
##  CertFile %CERTDIR%\winhost.cer
##  CertKeyFile %CERTDIR%\winhost.key
##  AllowUntrusted FALSE
### Create our RFC3164 compliant syslog line and transmit on local5.info
#   Exec $SyslogFacilityValue = 21; $Hostname = hostname_fqdn(); $Severity = 'INFO'; to_syslog_bsd();
# </Output>
#
# <Route MSDNSLOG>
#   Path MSDNSLOGIN => MSDNSLOGOUT
# </Route>
#
##################################
# Microsoft DNS Debug Logs - END #
##################################

#######################
# Microsoft DHCP Logs #
#######################
### README: If Microsoft DHCP Log collection is desired, follow the Taegis XDR docs instructions
### for configuring Microsoft DHCP and then uncomment the below section.
### If DHCP log collection does not seem to be working, please refer to the troubleshooting
### section at the beginning of this configuration example.
### 32-bit applications can access the native system directory by substituting %windir%\Sysnative
### for %windir%\System32. WOW64 recognizes Sysnative as a special alias used to indicate that the
### file system should not redirect the access. This mechanism is flexible and easy to use; therefore,
### it is the recommended mechanism to bypass file system redirection. Note that 64-bit applications
### cannot use the Sysnative alias, as it is a virtual directory, not a real one.
## Ensure the file path listed below matches the DHCP audit log file configuration.
#
# <Input MSDHCPLOGIN>
#   Module im_file
#   File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
#   SavePos TRUE
#   InputType LineBased
#   Exec if $raw_event == '' drop();
#   Exec $Hostname = hostname_fqdn(); $SourceName = "DHCPLog"; $Message = $raw_event;
# </Input>
#
# <Output MSDHCPLOGOUT>
##  Module om_udp
#   Module om_tcp
### Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
##  Module om_ssl
#   Host %XDR%
#   Port %PORT%
##  CAFile %CERTDIR%\CA.cer
##  CertFile %CERTDIR%\winhost.cer
##  CertKeyFile %CERTDIR%\winhost.key
##  AllowUntrusted FALSE
### Create our RFC3164 compliant syslog line and transmit on local5.info
#   Exec $SyslogFacilityValue = 21; $Hostname = hostname_fqdn(); $Severity = 'INFO'; to_syslog_bsd();
# </Output>
#
# <Route MSDHCPLOG>
#   Path MSDHCPLOGIN => MSDHCPLOGOUT
# </Route>
#
#############################
# Microsoft DHCP Logs - END #
#############################

#############################
# Microsoft IIS Access Logs #
#############################
### README: If Microsoft IIS Access Log collection is desired, follow the Taegis XDR docs instructions
### for configuring Microsoft IIS and then uncomment the below section.
### If IIS log collection does not seem to be working, please refer to the troubleshooting
### section at the beginning of this configuration example.
#
# <Input W3SVCIN>
#   Module im_file
### By using the Recursive directive, we monitor all directories under LogFiles for files matching u_ex*.log
## Ensure the file path listed below matches the IIS log file configuration.
#   File 'C:\inetpub\logs\LogFiles\u_ex*.log'
#   SavePos TRUE
#   Recursive TRUE
#   ReadFromLast TRUE
#   PollInterval 1
### Drop the W3C header lines (#Software, #Version, #Date, #Fields); forward everything else.
#   Exec if $raw_event =~ /^#/ drop(); \
#       else \
#       { \
#           $Hostname = hostname_fqdn(); \
#           $SourceName = "IISWebLog"; \
#           $Message = $raw_event; \
#       }
# </Input>
#
# <Output W3SVCOUT>
##  Module om_udp
#   Module om_tcp
### Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
##  Module om_ssl
#   Host %XDR%
#   Port %PORT%
##  CAFile %CERTDIR%\CA.cer
##  CertFile %CERTDIR%\winhost.cer
##  CertKeyFile %CERTDIR%\winhost.key
##  AllowUntrusted FALSE
#
### Create our RFC3164 compliant syslog line and transmit on local5.info
#   Exec $SyslogFacilityValue = 21; $Hostname = hostname_fqdn(); $Severity = 'INFO'; to_syslog_bsd();
# </Output>
#
# <Route W3SVC>
#   Path W3SVCIN => W3SVCOUT
# </Route>
#
###################################
# Microsoft IIS Access Logs - END #
###################################
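As an added check, not part of the Secureworks template: a Python re-implementation of the template's Exec filters (the 5156/5157 nxlog.exe self-connection drop in the Windows event log input, the blank-line drop for DNS/DHCP, the W3C header drop for IIS) together with the facility/PRI arithmetic behind local6.info and local5.info, run over constructed sample records so you can confirm what the collector should receive. Hostnames, sample events and log lines are made up; the BSD line format is the generic RFC 3164 shape, not a byte-for-byte claim about NXLog's to_syslog_bsd() output.

```python
import re
from datetime import datetime

# Facilities the template sets: 22 (local6) for Windows event logs, 21 (local5)
# for the DNS/DHCP/IIS file inputs; everything is sent at severity INFO (6).
FACILITY_EVENTLOG, FACILITY_FILELOG, SEVERITY_INFO = 22, 21, 6

def syslog_pri(facility, severity=SEVERITY_INFO):
    """RFC 3164 PRI value: facility * 8 + severity."""
    return facility * 8 + severity

# Same regex as the MSWINEVENTLOGIN Exec: 5156/5157 events whose Application
# ends in \nxlog.exe describe NXLog's own connection to the collector.
NXLOG_EXE = re.compile(r"\\nxlog\.exe$", re.IGNORECASE)

def keep_win_event(ev):
    """ev is a dict with SourceName, EventID, Application (constructed fields)."""
    return not (ev["SourceName"] == "Microsoft-Windows-Security-Auditing"
                and ev["EventID"] in (5156, 5157)
                and NXLOG_EXE.search(ev.get("Application", "")))

def keep_file_line(raw_event, source_name):
    """File-input filters: IIS drops W3C '#' header lines, DNS/DHCP drop blanks."""
    if source_name == "IISWebLog":
        return not raw_event.startswith("#")
    return raw_event != ""

def to_syslog_bsd(facility, hostname, source_name, message, ts):
    """<PRI>TIMESTAMP HOST TAG: MSG with the day space-padded as RFC 3164 wants."""
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{syslog_pri(facility)}>{stamp} {hostname} {source_name}: {message}"

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"SourceName": "Microsoft-Windows-Security-Auditing", "EventID": 5156,
     "Application": r"\device\harddiskvolume2\program files\nxlog\nxlog.exe"},
    {"SourceName": "Microsoft-Windows-Security-Auditing", "EventID": 5156,
     "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe"},
    {"SourceName": "Microsoft-Windows-Security-Auditing", "EventID": 4624,
     "Application": ""},
]
SAMPLE_IIS_LINES = ["#Software: Microsoft Internet Information Services 10.0",
                    "#Fields: date time s-ip cs-method cs-uri-stem",
                    "2024-01-05 03:04:05 10.0.0.5 GET /index.html"]

def forwarded_iis_lines(lines, hostname="web01.example.test"):
    """Apply the W3SVCIN filter and W3SVCOUT formatting to constructed IIS lines."""
    ts = datetime(2024, 1, 5, 3, 4, 5)  # fixed so the output is reproducible
    return [to_syslog_bsd(FACILITY_FILELOG, hostname, "IISWebLog", line, ts)
            for line in lines if keep_file_line(line, "IISWebLog")]
```

Only the second 5156 event (svchost.exe) and the 4624 event pass the Windows filter; the two IIS header lines are dropped and the data line is emitted with PRI 174 (local5.info).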