Windows NPS + NXlog to Palo Alto User-ID

Andrew Cheremisov, Uncategorized

NXlog configuration file

Configure Palo Alto to accept User-ID syslog:

1. Enable the User-ID syslog listener on the management interface: Device -> Setup -> Interfaces -> Management (or, if the firewall uses an interface management profile, Network -> Network Profiles -> Interface Mgmt).

2. Add a syslog filter profile: Device -> User Identification -> click the gear on the right side of "Palo Alto Networks User-ID Agent Setup" -> Syslog Filters -> Add.

   Login event (RADIUS Accounting Start, Acct-Status-Type 1): check "Regex Identifier" and use

   Event Regex:    ("Acct-Status-Type":"1"){1}
   Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
   Address Regex:  "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

   Disconnect event (RADIUS Accounting Stop, Acct-Status-Type 2): add a second filter, check "Regex Identifier" and use

   Event Regex:    ("Acct-Status-Type":"2"){1}
   Username Regex: "User-Name":"([a-zA-Z0-9\\\._\-]+)"
   Address Regex:  "Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

   Type the patterns with straight ASCII quotes; the curly quotes a blog renderer substitutes will not match the JSON that NXlog sends.

3. Save and close. Go to Device -> User Identification -> section "Server Monitoring" and click Add … Read More
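Before pointing the firewall at the feed, it is worth running the four filter patterns over records in the shape NXlog will actually emit. The following is an added example, not code from the original post: it applies the same regexes to constructed JSON records (field names are the RADIUS attribute names used in the post; the timestamps, users and addresses are made up) and replays the accepted events into the IP-to-user table the firewall would build. It also shows two records the posted patterns silently drop: one without Framed-IP-Address and one whose User-Name is a UPN containing "@".

```python
import re

# The four patterns from the syslog filter profile, in straight quotes.
LOGIN_EVENT = re.compile(r'"Acct-Status-Type":"1"')    # RADIUS Accounting Start
LOGOUT_EVENT = re.compile(r'"Acct-Status-Type":"2"')   # RADIUS Accounting Stop
USERNAME = re.compile(r'"User-Name":"([a-zA-Z0-9\\\._\-]+)"')
ADDRESS = re.compile(
    r'"Framed-IP-Address":"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"'
)

# Constructed sample records in the JSON shape NXlog's to_json() produces.
# A backslash is JSON-escaped, so CORP\jdoe travels as CORP\\jdoe on the wire.
SAMPLE_LINES = [
    r'{"EventTime":"2024-03-01 08:00:00","Acct-Status-Type":"1","User-Name":"CORP\\jdoe","Framed-IP-Address":"10.10.20.15","NAS-IP-Address":"10.10.0.1"}',
    # Interim-Update (type 3): neither filter matches, so it is ignored.
    r'{"EventTime":"2024-03-01 08:10:00","Acct-Status-Type":"3","User-Name":"CORP\\jdoe","Framed-IP-Address":"10.10.20.15","NAS-IP-Address":"10.10.0.1"}',
    r'{"EventTime":"2024-03-01 08:12:00","Acct-Status-Type":"1","User-Name":"asmith","Framed-IP-Address":"10.10.20.77","NAS-IP-Address":"10.10.0.1"}',
    r'{"EventTime":"2024-03-01 09:00:00","Acct-Status-Type":"2","User-Name":"CORP\\jdoe","Framed-IP-Address":"10.10.20.15","Acct-Terminate-Cause":"1"}',
    # No Framed-IP-Address: nothing to map, dropped.
    r'{"EventTime":"2024-03-01 09:05:00","Acct-Status-Type":"1","User-Name":"printer01","NAS-IP-Address":"10.10.0.2"}',
    # UPN-style name: "@" is not in the username character class, dropped.
    r'{"EventTime":"2024-03-01 09:06:00","Acct-Status-Type":"1","User-Name":"jane@corp.example","Framed-IP-Address":"10.10.20.90"}',
]


def classify(line):
    """Return ("login"|"logout", user, ip) for a record the filter accepts, else None."""
    if LOGIN_EVENT.search(line):
        action = "login"
    elif LOGOUT_EVENT.search(line):
        action = "logout"
    else:
        return None
    user = USERNAME.search(line)
    addr = ADDRESS.search(line)
    # Both captures are needed to create or clear an IP-to-user mapping.
    if not (user and addr):
        return None
    # The capture keeps the JSON escaping, i.e. the firewall sees CORP\\jdoe
    # (two backslashes); check on the firewall how it normalizes that.
    return action, user.group(1), addr.group(1)


def parse_userid_events(lines):
    """Run every line through the filters and keep the accepted events in order."""
    return [e for e in (classify(line) for line in lines) if e is not None]


def apply_mapping(events):
    """Replay events into the IP-to-user table the firewall would end up with."""
    table = {}
    for action, user, ip in events:
        if action == "login":
            table[ip] = user
        elif table.get(ip) == user:
            del table[ip]
    return table


if __name__ == "__main__":
    events = parse_userid_events(SAMPLE_LINES)
    for event in events:
        print(event)
    print(apply_mapping(events))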

Windows NPS + NXlog to Graylog

Andrew Cheremisov, Security, Uncategorized

1. Save Windows NPS logs to any folder.
2. Download NXlog Community Edition.
3. Edit the NXlog config file at C:\Program Files (x86)\nxlog\conf\nxlog.conf:

```
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\\cert
define CONFDIR %ROOT%\\conf
define LOGDIR %ROOT%\\data
define LOGFILE %ROOT%\\logs\\nxlog.log

LogFile %LOGFILE%
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\
SpoolDir %ROOT%\\data

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every …
```

Read More

Windows connectivity check script

Andrew Cheremisov, Uncategorized

I wrote a really simple Windows CMD script that checks connectivity to any server or the Internet. Set Target to your application's IP address or domain name.

```batch
@ECHO OFF
REM Replace the placeholder with your application's IP address or host name.
SET Target=app.example.com
ECHO Checking connection to the application...
SET Connected=false
FOR /F "usebackq tokens=1" %%A IN (`PING %Target%`) DO (
    REM Check the current line for the indication of a successful connection.
    REM Caveat: "Reply from <own address>: Destination host unreachable." also
    REM starts with "Reply", so an unreachable host on the local subnet is
    REM reported as working by this check.
    IF /I "%%A"=="Reply" SET Connected=true
)
REM Check if a success was found.
IF "%Connected%"=="true" (
    SET Internet=Application is working.
) ELSE (
    SET Internet=Application is not working. Please contact #####.
)
ECHO %Internet%
pause
```

… Read More
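The script above treats any ping output line whose first token is "Reply" as success. On Windows, a host that cannot be reached on the local subnet produces "Reply from <your own address>: Destination host unreachable." and ping still exits 0, so that rule reports a dead host as working. The following is an added example, not the post's code: it reproduces the script's rule next to a stricter one that only counts real echo replies (lines carrying bytes=, time= and TTL=), run over constructed ping transcripts; check_host wraps the Windows ping binary for real use and is not exercised offline.

```python
import re
import subprocess

# A real echo reply on Windows:      Reply from 10.10.20.15: bytes=32 time=1ms TTL=128
# An unreachable neighbour, same prefix: Reply from 10.10.20.5: Destination host unreachable.
# The pattern below accepts only the first form (IPv4 output).
REPLY_OK = re.compile(r"^Reply from (\S+): bytes=\d+ time[<=]\d+ms TTL=\d+", re.M)

# Constructed transcripts of three outcomes of "ping -n 4 <target>".
SAMPLE_OK = """
Pinging app.example.com [10.10.20.15] with 32 bytes of data:
Reply from 10.10.20.15: bytes=32 time=1ms TTL=128
Reply from 10.10.20.15: bytes=32 time<1ms TTL=128
Reply from 10.10.20.15: bytes=32 time=1ms TTL=128
Reply from 10.10.20.15: bytes=32 time=1ms TTL=128

Ping statistics for 10.10.20.15:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
SAMPLE_UNREACHABLE = """
Pinging 10.10.20.200 with 32 bytes of data:
Reply from 10.10.20.5: Destination host unreachable.
Reply from 10.10.20.5: Destination host unreachable.
Reply from 10.10.20.5: Destination host unreachable.
Reply from 10.10.20.5: Destination host unreachable.

Ping statistics for 10.10.20.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
SAMPLE_TIMEOUT = """
Pinging 10.20.30.40 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.20.30.40:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""


def batch_script_verdict(output):
    """The CMD script's rule: any line whose first token is 'Reply' means success."""
    return any(line.split()[:1] == ["Reply"] for line in output.splitlines())


def ping_succeeded(output, expected_replies=1):
    """True only if at least expected_replies genuine echo replies are present."""
    replies = [m.group(1) for m in REPLY_OK.finditer(output)]
    return len(replies) >= expected_replies


def check_host(target, count=4):
    """Run Windows ping against target and classify its output; returns (ok, raw)."""
    proc = subprocess.run(["ping", "-n", str(count), target],
                          capture_output=True, text=True)
    return ping_succeeded(proc.stdout), proc.stdout


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("unreachable", SAMPLE_UNREACHABLE),
                         ("timeout", SAMPLE_TIMEOUT)):
        print(name, "batch:", batch_script_verdict(sample), "strict:", ping_succeeded(sample))
```

Requiring all replies to succeed (expected_replies equal to the count sent) turns the check into a packet-loss test, which is usually what an application health check wants.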