From:   Tim Washburn/Hercules/US/BIO-RAD
To:     nxlog-ce-users@lists.sourceforge.net
Date:   12/13/2013 08:42 AM
Subject:        Nxlog-ce 


Hi All,

I am using the following version of nxlog: nxlog-ce-2.6.1131,
with the following config file. This works great on a stand-alone Windows 
2008R2 server but not on a Windows 2008R2 Domain 
Controller. See the bottom of the message for the log output from the DC. 

################# begin config#########################
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#foofbar

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir D:\syslog_data\data
LogFile  D:\syslog_data\data\nxlog.log

<Extension kvp>
    Module      xm_kvp
    KVDelimiter =
    KVPDelimiter \t
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in> 
    Module      im_msvistalog 
    Exec        if ($EventType == 'VERBOSE') OR ($Channel == 'SYSTEM') OR \
                   ($Channel == 'APPLICATION') OR ($EventID == 1111) OR ($EventID == 102) OR \
                   ($EventID == 200) OR ($EventID == 5857) OR ($EventID == 5315) drop();
    ReadFromLast TRUE 
</Input> 

<Output qradar>
    Module      om_tcp
    Host        10.x.x.x
    Port        514
    Exec        kvp->to_kvp(); $Message = $raw_event; to_syslog_snare();
</Output>

<Route 1>
    Path        in => qradar
</Route>
################# end config######################

Event samples as seen in Q-Radar 
++++++++++++++++++++++++++++++++++++++++
 {7ed84960-ad10-11d0-8a92-00aa006e0529}  ' RestrictedSidCount=0 
ProcessName=C:\Windows\System32\lsass.exe EventReceivedTime=2013-12-13 
16:30:12 SourceModuleName=in SourceModuleType=im_msvistalog     N/A 

+++++++++++++++++++++++++++++++++++++++++
t;Version>393222</Version><SOM>LDAP://DC=Global,DC=Foo-Rad,DC=com</SOM><FSPath>\\Global.Foo-Rad.com\SysVol\Global.Foo-Rad.com\Policies\{BF118E22-7352-4AFF-81C6-F1A71201997D}\Machine</FSPath><Extensions>[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]</Extensions></GPO>
<GPO ID="{BA3D810A-A186-4A28-B191-007546F90A73}"><Name>Global - Domain Controller Environment</Name><Version>524296</Version><SOM>LDAP://OU=Domain Controllers,DC=Global,DC=Foo-Rad,DC=com</SOM><FSPath>\\Global.Foo-Rad.com\SysVol\Global.Foo-Rad.com\Policies\{BA3D810A-A186-4A28-B191-007546F90A73}\Machine</FSPath><Extensions>[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]</Extensions></GPO>
<GPO ID="{CFDD0D69-C5DA-4D26-A673-835CFC480550}"><Name>Global - Scheduled DSRMRW Password Sync</Name><Version>6422626</Version><SOM>LDAP://OU=Domain

+++++++++++++++++++++++++++++++++++++++++++++++

t;/Version><SOM>LDAP://OU=Domain Controllers,DC=Global,DC=Foo-Rad,DC=com</SOM><FSPath>\\Global.Foo-Rad.com\sysvol\Global.Foo-Rad.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine</FSPath><Extensions>[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]</Extensions></GPO>'
EventReceivedTime=2013-12-13 16:30:06 SourceModuleName=in SourceModuleType=im_msvistalog     N/A 
+++++++++++++++++++++++++++++++++++++++++++

Event samples decoded from tcpdump on eth0 as Q-Radar receives the message:
+++++++++++++++++++++++++++++++++++++++++++++++++++++
<14>Dec 12 23:41:07 RABBITDC102.Global.Foo-sactionId={00000000-0000-0000-0000-0000000<14>Dec 12 23:41:07 RABBITDC102.Global.Foo-sactionId={00000000-0000-0000-0000-0000000<14>Dec 12 23:41:07 RABBITDC102.Global.Foo-sactionId={00000000-0000-0000-0000-0000000<14>Dec 12 23:41:07 
+++++++++++++++++++++++++++++++++++++++++++++++++

<14>Dec 12 23:41:14 RABBITDC102.Global.Foo-<14>Dec 12 23:41:14 RABBITDC102.Global.Foo-<14>Dec 12 23:41:14 RABBITDC102.Global.Foo-istalog .N/A
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thoughts?

Regards
Tim Washburn
Global IT Security
Bio-Rad Laboratories, Inc
(510)741-6888 
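Added diagnostic, not part of Tim's post and not NXLog or QRadar code: a Python check that takes a captured TCP payload, splits it at every syslog header and flags frames that lack a trailing newline or whose hostname field is not the sender's FQDN, which is exactly the pattern visible in the tcpdump fragments above. The sample bytes are constructed from those fragments, and the FQDN RABBITDC102.Global.Foo-Rad.com is an assumption.

```python
import re

# Constructed sample modelled on the tcpdump capture quoted in the post:
# three snare-format syslog frames arrive in one TCP segment. The first two
# are cut off right after "RABBITDC102.Global.Foo-" and resume in the middle
# of a later field with no newline between them; the third is well formed.
EXPECTED_HOST = "RABBITDC102.Global.Foo-Rad.com"   # assumed FQDN of the DC
CAPTURED = (
    b"<14>Dec 12 23:41:07 RABBITDC102.Global.Foo-sactionId={00000000-0000-0000-0000-0000000"
    b"<14>Dec 12 23:41:07 RABBITDC102.Global.Foo-sactionId={00000000-0000-0000-0000-0000000"
    b"<14>Dec 12 23:41:08 RABBITDC102.Global.Foo-Rad.com MSWinEventLog\t1\tSecurity\t4624\t"
    b"Fri Dec 13 16:30:12 2013\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\n"
)

# BSD syslog header as written by to_syslog_snare(): <PRI>Mon DD HH:MM:SS host
# The host token excludes '<' so a header glued onto a truncated frame is
# not swallowed into the previous frame's hostname.
HEADER = re.compile(rb"<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ([^\s<]+)")


def split_frames(data):
    """Cut a TCP payload into frames, one per syslog header found in it."""
    starts = [m.start() for m in HEADER.finditer(data)]
    return [data[a:b] for a, b in zip(starts, starts[1:] + [len(data)])]


def audit_frames(data, expected_host):
    """For each frame report its hostname, whether it ends with a newline
    (a sender that finished the line) and whether the hostname is intact."""
    report = []
    for frame in split_frames(data):
        host = HEADER.match(frame).group(2).decode("ascii", "replace")
        report.append({
            "host": host,
            "terminated": frame.endswith(b"\n"),
            "host_ok": host == expected_host,
        })
    return report


def count_broken(data, expected_host):
    """Number of frames that fail either check; 0 means the stream is clean."""
    return sum(1 for f in audit_frames(data, expected_host)
               if not (f["terminated"] and f["host_ok"]))


if __name__ == "__main__":
    for entry in audit_frames(CAPTURED, EXPECTED_HOST):
        print(entry)
    print("broken frames:", count_broken(CAPTURED, EXPECTED_HOST))
```

Run it over the bytes reassembled from a pcap of the om_tcp session: a non-zero broken count on the DC but zero on the stand-alone server confirms the frames are being cut before they leave NXLog rather than mangled by the receiver.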