
Total: 215

  • debug log | nxlog.co
    debug log. 29 Jan: The disappearing Windows DNS debug log. TL;DR: The Windows DNS service may not recreate the debug log file after rollover. If you get hit by the issue, make sure to use the C: drive for the debug log path. By adm. Tags: DNS, Windows, debug log.

    Original URL path: http://nxlog.org/news-tags/debug-log (2016-02-01)


  • The disappearing Windows DNS debug log | nxlog.co
    would be to blame the log monitoring tool. The im_file module in NXLog does not delete files and it does not lock log files; files are opened with READ access only. NXLog, and most other log collectors, work fine collecting log files being written by most other software. Some software requests exclusive locking on a log file that it writes; this of course will prevent the file from being opened and monitored. Locking isn't the problem in this case, as the DNS service does not lock the debug log file. The default behavior of NXLog's im_file module is to keep the monitored file open. The CloseWhenIdle configuration option can be used to instruct it to close the log file after it's done reading the file. Unfortunately this does not solve the disappearing DNS log file issue.

    Why does the DNS debug log disappear? We used Windows Sysinternals Process Monitor to check what's going on. Below is a screenshot showing the operations from both dns.exe and nxlog.exe. When the rollover occurs, dns.exe creates a backup of the debug log file under C:\Windows\System32\dns\backup\dns.log and then recreates the debug log file by deleting it and opening it for read/write. Unfortunately NXLog is still reading data from the file and holds an open handle, thus the delete operation does not complete until NXLog is done reading the file and closes it. The DNS service tries to create the new file but receives a DELETE PENDING error, and this causes the debug log file to disappear.

    Microsoft's recommendation: Unfortunately the only solution at this point looked like fixing the DNS service. The DNS service should tolerate the DELETE PENDING error and wait until this completes. Better yet, it should create a different file, as some other services are capable of doing this. Having contacted Microsoft support about the issue and providing them the procmon traces yielded the following:

        Date: Mon, 11 Jan 2016 19:16:57 +0000
        From: xxxxx.xxxxxx@microsoft.com
        Subject: RE: RE: RE: RE: Re: 115121713506095

        Enabling DNS debug logging is designed for temporary troubleshooting. This component is not designed to be turned on and left running 24x7. The server component (DNS.exe) may be designed and need exclusive access to its own debug log. Microsoft is prepared to tell you this as a resolution. Also, when it comes to monitoring DNS traffic for security threats, monitoring at your resolver is not a best practice. We recommend you purchase a HSA (Hardware Security Appliance). Third party content filters are available from a variety of manufacturers. Microsoft looked at the threads, stack, handles and DLLs this program calls this morning. The process nxlog.exe maintains an open handle on the dnslog.txt file and this is causing your issue. Please see the attached screen shot.

        Regards,
        xxxxxxxxxx xxxxxx
        Support Professional xxxxx, Windows Networking T3
        Office: 866 425 9899 x2236319
        xxxxxxx@microsoft.com <mailto:xxxxxxx@microsoft

    Original URL path: http://nxlog.org/disappearing-windows-dns-debug-log/ (2016-02-01)

  • structured logging | nxlog.co
    is on the rise. A lot of tools and logging services are finally moving towards structured logging, and JSON seems to be the format of choice for this. But what is structured logging? Traditionally, logs were generated in the form of free-form text messages prepended with some basic metadata such as the time of the event, severity and the source of the event. This is what the old RFC3164

    Original URL path: http://nxlog.org/news-tags/structured-logging (2016-02-01)

  • JSON | nxlog.co
    metadata such as the time of the event, severity and the source of the event. This is what the old RFC3164-style Syslog format looks like. By adm. Tags: structured logging, JSON, security onion, sysmon. 08 Mar: The first to support both XML and JSON. XML and JSON are now supported as of version 1.4.615; nxlog can parse and generate both of these formats with

    Original URL path: http://nxlog.org/news-tags/json (2016-02-01)

  • security onion | nxlog.co
    is on the rise. A lot of tools and logging services are finally moving towards structured logging, and JSON seems to be the format of choice for this. But what is structured logging? Traditionally, logs were generated in the form of free-form text messages prepended with some basic metadata such as the time of the event, severity and the source of the event. This is what the old RFC3164

    Original URL path: http://nxlog.org/news-tags/security-onion (2016-02-01)

  • sysmon | nxlog.co
    on the rise. A lot of tools and logging services are finally moving towards structured logging, and JSON seems to be the format of choice for this. But what is structured logging? Traditionally, logs were generated in the form of free-form text messages prepended with some basic metadata such as the time of the event, severity and the source of the event. This is what the old RFC3164-style

    Original URL path: http://nxlog.org/news-tags/sysmon (2016-02-01)

  • Structured logging - why should you do that? | nxlog.co
    section, Discarding meta data and structure, about some key points why this is important. So, event metadata is important. Period. Our document titled "Collecting Windows Security Audit Log data with NXLog and Sysmon" has some examples of what the EventLog data generated by Sysmon looks like. Below is the sample Sysmon-generated event converted to JSON, showing the basic set of eventlog fields, the Message and additional Sysmon metadata:

        {
          "EventTime": "2015-04-27 15:23:46",
          "Hostname": "WIN-OUNNPISDHIG",
          "Keywords": "9223372036854775808",
          "EventType": "INFO",
          "SeverityValue": 2,
          "Severity": "INFO",
          "EventID": 1,
          "SourceName": "Microsoft-Windows-Sysmon",
          "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
          "Version": 3,
          "Task": 1,
          "OpcodeValue": 0,
          "RecordNumber": 2335906,
          "ProcessID": 1680,
          "ThreadID": 1728,
          "Channel": "Microsoft-Windows-Sysmon/Operational",
          "Domain": "NT AUTHORITY",
          "AccountName": "SYSTEM",
          "UserID": "SYSTEM",
          "AccountType": "Well Known Group",
          "Message": "Process Create:\r\nUtcTime: 2015-04-27 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: c:\\Program Files (x86)\\nxlog\\nxlog.exe -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
          "Opcode": "Info",
          "UtcTime": "2015-04-27 13:23",
          "ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
          "Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
          "CommandLine": "c:\\Program Files (x86)\\nxlog\\nxlog.exe -f",
          "User": "WIN-OUNNPISDHIG\\Administrator",
          "LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
          "LogonId": "0x4edd5",
          "TerminalSessionId": 2,
          "IntegrityLevel": "High",
          "HashType": "SHA1",
          "Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
          "ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
          "ParentProcessId": 26544,
          "ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
          "ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
          "EventReceivedTime": "2015-04-27 15:23:47",
          "SourceModuleName": "in",
          "SourceModuleType": "im_msvistalog"
        }

    Now, if you look closer, you will notice that Message basically contains all the additional set of fields dumped into the string. There are still a lot of eventlog collector tools out there (such as Snare, eventlog-to-syslog, etc.) that simply convert this data and format the output as a string by taking the basic set of fields and creating a syslog message by adding a header using these: timestamp, event id, hostname, user id and message. The rest of the fields are simply discarded. While it is true that the Message contains most of this (if you are lucky), the problem with this is that this data then will need to be parsed and the fields have to be extracted with regular expressions. Josh Brower published a paper very recently titled "Using Sysmon To Enrich Security Onion's Host-Level Capabilities". The paper and the concepts outlined there are a good read for the security minded. Unfortunately it goes on to parse received eventlog data using regular expressions, a practice that is not recommended now that the world has finally started to realize that structured logging is great. Go read

    Original URL path: http://nxlog.org/why-use-structured-logging/ (2016-02-01)

  • Elasticsearch | nxlog.co
    Elasticsearch. 23 Apr: Using NXLog with Elasticsearch and Kibana. The popularity of the ELK stack is steadily rising; many NXLog users send their event data to Elasticsearch and Kibana for log monitoring and analytics. By adm. Tags: Elasticsearch, Kibana, ELK.

    Original URL path: http://nxlog.org/news-tags/elasticsearch (2016-02-01)