  • Structured logging - why should you do that? | nxlog.co
    section "Discarding meta data and structure" about some key points on why this is important. So event metadata is important. Period. Our document titled "Collecting Windows Security Audit Log data with NXLog and Sysmon" has some examples of what the EventLog data generated by Sysmon looks like. Below is the sample Sysmon-generated event converted to JSON, showing the basic set of eventlog fields, the Message, and the additional Sysmon metadata:

        EventTime: 2015-04-27 15:23:46
        Hostname: WIN-OUNNPISDHIG
        Keywords: 9223372036854775808
        EventType: INFO
        SeverityValue: 2
        Severity: INFO
        EventID: 1
        SourceName: Microsoft-Windows-Sysmon
        ProviderGuid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}
        Version: 3
        Task: 1
        OpcodeValue: 0
        RecordNumber: 2335906
        ProcessID: 1680
        ThreadID: 1728
        Channel: Microsoft-Windows-Sysmon/Operational
        Domain: NT AUTHORITY
        AccountName: SYSTEM
        UserID: SYSTEM
        AccountType: Well Known Group
        Message: Process Create:\r\nUtcTime: 2015-04-27 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\Program Files (x86)\nxlog\nxlog.exe\r\nCommandLine: c:\Program Files (x86)\nxlog\nxlog.exe -f\r\nUser: WIN-OUNNPISDHIG\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\msys\1.0\bin\sh.exe\r\nParentCommandLine: C:\msys\1.0\bin\sh.exe
        Opcode: Info
        UtcTime: 2015-04-27 13:23
        ProcessGuid: {00000000-3862-553E-0000-001051D40527}
        Image: c:\Program Files (x86)\nxlog\nxlog.exe
        CommandLine: c:\Program Files (x86)\nxlog\nxlog.exe -f
        User: WIN-OUNNPISDHIG\Administrator
        LogonGuid: {00000000-568E-5453-0000-0020D5ED0400}
        LogonId: 0x4edd5
        TerminalSessionId: 2
        IntegrityLevel: High
        HashType: SHA1
        Hash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94
        ParentProcessGuid: {00000000-3862-553E-0000-001088D30527}
        ParentProcessId: 26544
        ParentImage: C:\msys\1.0\bin\sh.exe
        ParentCommandLine: C:\msys\1.0\bin\sh.exe
        EventReceivedTime: 2015-04-27 15:23:47
        SourceModuleName: in
        SourceModuleType: im_msvistalog

    Now, if you look closer, you will notice that Message basically contains the whole additional set of fields dumped into one string. There are still a lot of eventlog collector tools out there (such as Snare, eventlog-to-syslog, etc.) that simply convert this data and format the output as a string: they take the basic set of fields and create a syslog message by adding a header built from the timestamp, event id, hostname, user id and message. The rest of the fields are simply discarded. While it is true that the Message contains most of this (if you are lucky), the problem is that this data then needs to be parsed and the fields extracted with regular expressions. Josh Brower published a paper very recently titled "Using Sysmon To Enrich Security Onion's Host-Level Capabilities". The paper and the concepts outlined there are a good read for the security minded. Unfortunately, it goes on to parse the received eventlog data using regular expressions, a practice that is not recommended now that the world has finally started to realize that structured logging is great. Go read

    Original URL path: http://nxlog.org/why-use-structured-logging (2016-02-01)


  • Using NXLog with Elasticsearch and Kibana | nxlog.co
    With the ELK stack steadily rising, many NXLog users send their event data to Elasticsearch and Kibana for log monitoring and analytics. There are many tutorials and configurations scattered around on the web; some come with configuration samples that will likely not work properly. For this reason we have written a short document introducing the different options for using NXLog with Elasticsearch and Kibana. It is available under the documentation.

    Original URL path: http://nxlog.org/using-nxlog-elasticsearch-and-kibana (2016-02-01)

  • Windows as a First-Class Centralized Logging Citizen | nxlog.co
    06 Aug. Windows as a First-Class Centralized Logging Citizen. By adm. Tags: Windows, Centralized logging. Paul Nelson from Opsbot has written an excellent article titled "Windows as a First-Class Centralized Logging Citizen" discussing centralized logging using open source tools. Well worth the read.

    Original URL path: http://nxlog.org/windows-first-class-centralized-logging-citizen (2016-02-01)

  • Better Snare compatibility and enhanced regular expressions in 2.8.1248 | nxlog.co
    ...operators can now be used as statements, i.e. Exec $Message =~ s/aaa/bbb/;
    - Regular expressions now support the "m" modifier to do multiline matching.
    - Regular expressions now support the "i" modifier to do caseless matching.
    - Regular expressions now support the "s" modifier to make "." match newline characters.
    - Fixed a regression introduced with the ActiveFiles directive in im_file when more than one truncation did not get noticed (ticket #40 on sf). Credits go to savionat.
    - Implemented missing parser support for IPv4 literals.
    - Added a host_ip() function to return the IP address associated with the hostname.
    - Using exec_async() could have exhausted the memory if it was called at a very high rate.
    - om_udp would stop sending messages in some cases after logging "apr_socket_send failed, Connection refused" (e.g. when graylog2 was not accepting UDP packets). It should properly resume now.
    - The to_syslog_snare() formatter should now produce better Snare-compliant output.
    - Replace space and … with underscore in IETF syslog structured data field names.
    - Context cleaning would result in a segfault in pm_evcorr's Thresholded rule if there was no triggering.
    - im_tcp and im_ssl on Windows are no longer limited to 500 connections.

    Original URL path: http://nxlog.org/enhanced-snare-compatibility (2016-02-01)

  • The new release brings a WTMP parser | nxlog.co
    ...to determine FQDN hostname" error message.
    - The to_syslog_*() procedures can now use $raw_event if $Message is unset, to make it easier to convert to syslog.
    - Added a fix to im_msvistalog to handle the "EvtNext failed with error 13: The data is invalid" error better.
    - The im_file module now emits the last event when used with the xm_multiline extension.
    - Fixed the issue with more than 20 fields and xm_multiline reported in ticket #33.
    - JSON parse errors in $raw_event could cause a double free resulting in a crash or undefined behavior.
    - It is now possible to use multiple instances of xm_perl.
    - Disallow using a single processor module instance in multiple routes.
    - The file_chown() procedure in xm_fileop works with user/group names in addition to uid/gid values.
    - CloseWhenIdle directive for im_file.
    - File removal in some circumstances caused im_file to emit "input file does not exist" messages on Windows.
    - In some rare cases im_file would give a panic on Windows with "im_file got EAGAIN for read".
    - The regexp replacement operator s/// was leaking memory.
    - In some circumstances excess CPU was used when im_file watched several files.
    - Added some

    Original URL path: http://nxlog.org/new-release-brings-wtmp-parser (2016-02-01)

  • Site Map | nxlog.co

    Original URL path: http://nxlog.org/sitemap (2016-02-01)

  • DNS | nxlog.co
    29 Jan. The disappearing Windows DNS debug log. TL;DR: The Windows DNS service may not recreate the debug log file after rollover. If you get hit by the issue, make sure to use the C: drive for the debug log path. By adm. Tags: DNS, Windows, debug log.

    Original URL path: http://nxlog.org/news-tags/dns (2016-02-01)

  • Windows | nxlog.co
    ...service may not recreate the debug log file after rollover. If you get hit by the issue, make sure to use the C: drive for the debug log path. By adm. Tags: DNS, Windows, debug log. 06 Aug. Windows as a First-Class Centralized Logging Citizen. Paul Nelson from Opsbot has written an excellent article titled "Windows as a First-Class Centralized Logging Citizen" discussing centralized logging

    Original URL path: http://nxlog.org/news-tags/windows (2016-02-01)