Windows NPS + NXlog to Graylog

By Andrew Cheremisov, filed under Security, Uncategorized

Configure Windows NPS to save its logs to a local folder of your choice.

Download NXlog Community Edition from https://nxlog.co/products/nxlog-community-edition/download

Edit the NXlog config file at C:\Program Files (x86)\nxlog\conf\nxlog.conf so it reads as follows:

#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %ROOT%\logs\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension multiline>
    Module          xm_multiline
    HeaderLine      /^<Event>/
    EndLine         /^</Event>/
</Extension>

<Extension xmlparser>
    Module          xm_xml
</Extension>

<Extension json>
    Module          xm_json
</Extension>

# Configure where to read the events from.
# Change the folder to wherever you store the NPS logs.
<Input NPS>
    Module          im_file
    File            "C:\Logs\IN*.log"
    InputType       LineBased
    Exec            $Message = $raw_event;
    SavePos         TRUE
    ReadFromLast    TRUE
    <Exec>
        # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<Event>/ drop();

        # Parse the xml event
        parse_xml();

        # Rewrite some fields
        #$EventTime = parsedate($timestamp);
        #delete($timestamp);
        #delete($EventReceivedTime);

        # Convert to JSON
        to_json();
    </Exec>
</Input>

# Where to send the events. In my case Graylog listens on 10.10.10.1, TCP port 9000
<Output Graylog>
    Module      om_tcp
    Host        10.10.10.1
    Port        9000
</Output>

<Route 1>
    Path        NPS => Graylog
</Route>
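To see what the NPS input's Exec block hands to Graylog, here is an added Python example (not part of the original post or of NXlog) that mirrors the three steps, drop everything that is not an <Event>, parse the XML, emit JSON, over constructed NPS log lines in the DTS-compliant XML format. The sample field names and values are assumptions modelled on that format, and the RADIUS packet-type lookup is added so the result can be sanity-checked before building Graylog extractors on it.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample lines (not from a real NPS server): one <Event> per line in the
# DTS-compliant XML layout, plus a junk line of the kind the NXlog Exec block drops.
SAMPLE_LINES = [
    '<Event><Timestamp data_type="4">01/15/2024 10:32:05.123</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">CORP\\jdoe</User-Name>'
    '<Client-IP-Address data_type="3">10.10.20.5</Client-IP-Address>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">16</Reason-Code></Event>',
    'garbage that is not an event',
    '<Event><Timestamp data_type="4">01/15/2024 10:32:09.004</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name>'
    '<User-Name data_type="1">CORP\\asmith</User-Name>'
    '<Packet-Type data_type="0">2</Packet-Type></Event>',
]

# Standard RADIUS packet codes, which NPS writes into the Packet-Type field.
RADIUS_PACKET_TYPES = {
    "1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
    "4": "Accounting-Request", "5": "Accounting-Response", "11": "Access-Challenge",
}

def nps_line_to_record(line):
    """Mirror the NXlog Exec block: drop() non-events, then flatten the XML like parse_xml()."""
    if not line.startswith("<Event>"):
        return None                                  # if $raw_event !~ /^<Event>/ drop();
    root = ET.fromstring(line)                       # parse_xml()
    # parse_xml() keeps every value as a string; so do we, one field per child element.
    return {child.tag: (child.text or "") for child in root}

def nps_lines_to_json(lines):
    """One JSON document per kept event, the shape om_tcp ships and the JSON extractor receives."""
    records = (nps_line_to_record(line) for line in lines)
    return [json.dumps(r) for r in records if r is not None]  # to_json()

def count_packet_types(lines):
    """Tally events by RADIUS packet type, e.g. to confirm rejects survive the pipeline."""
    counts = {}
    for record in filter(None, map(nps_line_to_record, lines)):
        name = RADIUS_PACKET_TYPES.get(record.get("Packet-Type"), "Unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts
```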

Configure an input in Graylog that accepts syslog messages on port 9000 (or whichever port you set in the NXlog output).

Add a JSON extractor to that Graylog input so the event fields are pulled out of the message.

Enjoy
