Microsoft Windows Server NXLog

Instructions for forwarding Microsoft Windows Server logs to your Log Management device using NXLog

PREREQUISITES

Microsoft Windows Server
  • NXLog Community or Enterprise Edition
  • Credentials to access the Windows Server
Clone Systems Log Management Device
  • The IP Address for the Clone Systems Log Management device
Instructions

1. An additional third-party agent is required to configure your Microsoft Windows Server to send syslog. The following instructions detail how to configure the open source NXLog Community Edition agent. Navigate a browser to the NXLog Community Edition download page (use the vendor's HTTPS site, not a mirror).

2. Locate the Windows version and download the MSI installer file to your server. Once the download completes, open the downloaded file (for example via the browser's View Downloads button), confirm it carries a valid digital signature (right-click the MSI, Properties, Digital Signatures), and then run the NXLog Community Edition MSI installer.

3. On the Welcome to the NXLog-CE Setup Wizard step, click the Next button.

4. On the End-User License Agreement step, click the I accept the terms in the License Agreement checkbox and then click the Next button.

5. On the Destination Folder step, customize the installation directory, if desired, then click the Next button.

Note: If you chose a custom installation directory, please note the path as you will need to make a modification to the NXLog configuration file.

6. On the Ready to install NXLog-CE step, click the Install button.

7. On the Completed the NXLog-CE Setup Wizard step, click the Finish button and the README.txt file will be opened in Notepad.

8. Next, edit the NXLog configuration file to configure log forwarding. The default location for the NXLog configuration file is: C:\Program Files (x86)\nxlog\conf\nxlog.conf

Note: Newer 64-bit NXLog CE installers use C:\Program Files\nxlog instead; the path shown on the Destination Folder step is the one to use.

Note: If you chose a custom installation directory, you will need to navigate to that directory to locate the NXLog configuration file. You will also need to update the ROOT path set by the "define ROOT" line at the top of the configuration file to that directory, or the NXLog service will not start.

9. Edit the NXLog configuration file using an editor such as Notepad, and paste the configuration shown below at the bottom of the file.

Note: In the <Output tcp> section, replace the Host setting with the IP Address of the SIEM / Log Collector, without the angle brackets. The om_tcp module sends events in clear text over TCP port 514, so the collector must be listening on that port and any firewall between the two hosts must allow the connection.

EXAMPLE: Host 10.1.1.1

    <Extension syslog>
        Module xm_syslog
    </Extension>

    # Windows Event Log
    <Input eventlog>
        Module im_msvistalog
    </Input>

    <Output tcp>
        Module om_tcp
        Host <IP Address of SIEM / Log Collector>
        Port 514
        Exec to_syslog_snare();
    </Output>

    <Route eventlog_to_tcp>
        Path eventlog => tcp
    </Route>

10. Save the NXLog configuration file.

11. Open the Services tool, find the service named nxlog in the list, and then Start the service. To open the Services tool, click the Windows Start button, enter services.msc in the Search programs and files field, and press Enter. If the service fails to start or stops again immediately, check data\nxlog.log under the NXLog installation directory; configuration errors (a wrong ROOT path, a stray bracket in the Host line) are reported there.
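Steps 8 through 11 can be done from an elevated PowerShell prompt instead of by hand. The script below is an added example written for this page; it is not part of the original instructions or of NXLog itself. It assumes NXLog CE is already installed, that the parameter names $InstallDir, $CollectorIp and $CollectorPort are placeholders you set for your environment, and that nxlog.exe accepts -v to verify a configuration file. It validates the collector address before writing it into the Host line, corrects the ROOT define for a custom install directory, appends the forwarding configuration only once, checks that TCP 514 is reachable, and then starts the service and shows the tail of NXLog's own log.

```powershell
# Added example (not from the page or the NXLog project): automates steps 8-11.
# Assumptions: NXLog CE is already installed; $InstallDir, $CollectorIp and
# $CollectorPort are hypothetical parameters; run from an elevated prompt.
param(
    [string]$InstallDir  = 'C:\Program Files (x86)\nxlog',
    [string]$CollectorIp = '10.1.1.1',
    [int]$CollectorPort  = 514
)

$ErrorActionPreference = 'Stop'
$conf = Join-Path $InstallDir 'conf\nxlog.conf'
$log  = Join-Path $InstallDir 'data\nxlog.log'

# 1. Accept only a literal IP address: the Host directive is copied verbatim into
#    om_tcp, so a leftover '<' or a hostname typo becomes a silent failure.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($CollectorIp, [ref]$parsed)) {
    throw "CollectorIp '$CollectorIp' is not a valid IP address"
}
if (-not (Test-Path $conf)) { throw "nxlog.conf not found at $conf" }

# 2. A custom install directory must be reflected in the ROOT define, otherwise
#    the service cannot find its modules and will not start (note under step 8).
$root    = $InstallDir.TrimEnd('\')
$text    = Get-Content $conf -Raw
$escaped = [regex]::Escape($root)
if ($text -notmatch "(?m)^define\s+ROOT\s+$escaped\s*$") {
    $text = ([regex]'(?m)^define\s+ROOT\s+.*$').Replace($text, "define ROOT $root", 1)
    Set-Content -Path $conf -Value $text -Encoding ASCII
}

# 3. Append the forwarding configuration from step 9, once (safe to re-run).
if ($text -notmatch '<Route eventlog_to_tcp>') {
    $snippet = @"

<Extension syslog>
    Module xm_syslog
</Extension>

# Windows Event Log
<Input eventlog>
    Module im_msvistalog
</Input>

<Output tcp>
    Module om_tcp
    Host $CollectorIp
    Port $CollectorPort
    Exec to_syslog_snare();
</Output>

<Route eventlog_to_tcp>
    Path eventlog => tcp
</Route>
"@
    Add-Content -Path $conf -Value $snippet -Encoding ASCII
}

# 4. Have nxlog parse the file itself before the service is touched.
$exe = Join-Path $InstallDir 'nxlog.exe'
& $exe -c $conf -v
if ($LASTEXITCODE -ne 0) { throw "nxlog rejected $conf (exit code $LASTEXITCODE); see output above" }

# 5. Confirm the collector answers on the configured TCP port from this host.
#    om_tcp retries quietly, so a blocked port otherwise shows up only as
#    'no events arrived' on the collector side.
$tnc = Test-NetConnection -ComputerName $CollectorIp -Port $CollectorPort -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP ${CollectorIp}:$CollectorPort is not reachable; check the collector listener and any firewall in between"
}

# 6. Start the service and show the tail of NXLog's log for module errors.
Start-Service -Name nxlog
Start-Sleep -Seconds 3
$svc = Get-Service -Name nxlog
"nxlog service status: $($svc.Status)"
if (Test-Path $log) { Get-Content $log -Tail 20 }
```

Run it as `.\Configure-NXLog.ps1 -InstallDir 'D:\nxlog' -CollectorIp 10.1.1.1` when a custom destination folder was chosen; with no parameters it uses the default install path and the example address from the note above. The TryParse check and the -v verification are the two places where the manual procedure most often goes wrong (brackets left in the Host line, ROOT not updated), so they run before the service is started rather than after.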