Collect data from NXLog for Windows

See the changelog of the Syslog Listener here.

Overview

The following article outlines a basic data flow from your activity and events generated by NXLog for Windows to Onum using the Syslog Listener.

Prerequisites

If you're using TLS authentication, contact Onum to get the cert information needed for TLS communication.

The NXLog configuration file (nxlog.conf) requires specific modules and directives to properly format and forward Windows events to the Syslog Listener:

Key Components:

Input Module (im_msvistalog): Collects Windows Event Logs from specified channels
Output Module (om_tcp/om_udp): Sends formatted logs to Onum's Syslog Listener
Processor Module (pm_transformer): Converts Windows events to Syslog format
Extension Modules: Provides additional functionality (xm_syslog, xm_json)

Onum Setup

Double-click the Syslog Listener.

Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.

Enter the required

Port - The standard ports are 514 (for both UDP and TCP Syslog) or 6514 (for TLS-encrypted Syslog).
- NXLog connects outbound to the port specified in the configuration file. If you need to change the port, modify the Port directive in the <Output> section of your nxlog.conf file.
Protocol (TCP or UDP).

Choose the required Framing Method, which refers to how characters are handled in log messages sent via the Syslog protocol. Select Non-Transparent Framing (newline) for Windows events.

If you're using TLS authentication, enter the data you received from the Onum team in the TLS configuration section (Certificate, Private key and CA chain). Choose your Client authentication method and Minimum TLS version.

Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.

Learn more about labels in this article.

NXLogs setup

Once you have downloaded NXLog Community Edition or Enterprise Edition from the NXLog website, run the installer with administrative privileges and complete the installation using the default options.

Configure NXLog to Forward to Onum

Navigate to the NXLog configuration directory:
- Typically C:\Program Files\nxlog\conf\
Create a backup of the existing configuration:
- Copy nxlog.conf to nxlog.conf.bak
Edit nxlog.conf with a text editor (run as administrator)
Replace the contents with the following configuration, adjusting as needed:

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Panic Soft
#NoFreeOnExit TRUE

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input windows_events>
    Module      im_msvistalog
    # Collect from these Windows Event channels
    Channel     Application, System, Security
    # Uncomment for additional channels as needed
    # Channel     Microsoft-Windows-Sysmon/Operational
</Input>

<Processor transform_to_syslog>
    Module      pm_transformer
    # Convert Windows events to Syslog format
    Exec        $SourceName = $Channel;
    Exec        $Message = to_json();
    Exec        $SyslogFacilityValue = 16;
    Exec        $SyslogSeverityValue = 6;
    Exec        $hostname = hostname_fqdn();
</Processor>

<Output onum_syslog>
    Module      om_tcp  # Change to om_udp if using UDP in Onum
    Host        YOUR_ONUM_LISTENER_ADDRESS  # Replace with your Onum listener address
    Port        514  # Match the port configured in Onum
    OutputType  Syslog_RFC5424
    
    # For TLS configuration (if enabled in Onum)
    # SSL_CAFile  %CERTDIR%\ca.pem
    # SSL_CertFile %CERTDIR%\client-cert.pem
    # SSL_CertKeyFile %CERTDIR%\client-key.pem
    # SSL_AllowUntrusted TRUE
</Output>

<Route windows_to_onum>
    Path        windows_events => transform_to_syslog => onum_syslog
</Route>

Replace YOUR_ONUM_LISTENER_ADDRESS with your Onum Syslog Listener address
Ensure the Port matches what you configured in Onum
If using UDP instead of TCP, change om_tcp to om_udp
If using TLS, uncomment and configure the SSL parameters.

PreviousCollect data from ManageEngine NextCollect data from Palo Alto NGFW

Last updated 21 days ago

Was this helpful?

hashtagOverview

hashtagPrerequisites

hashtagKey Components:

hashtagOnum Setup

hashtagNXLogs setup

hashtagConfigure NXLog to Forward to Onum