You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>DeploymentGuide>PluginManagement>ConfigureLogForwardingOnCommonlyUsedDataSources>NXLogPlugins>MicrosoftIISFTPServerThroughNXLog (06 Jul 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next

Sheriff CSMâ„¢

Microsoft IIS FTP Server through NXLog

The Microsoft Internet Information Services (IIS) Management Pack includes a FTP Server that you can configure. See vendor website for documentation.

When you configure the Microsoft IIS FTP Server to send log data to Sheriff CSM, you can use the Microsoft Windows IIS FTP Server plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

DeviceDetails
Vendor Microsoft
Device Type Server
Connection Type Syslog
Data Source Name winftp-nxlog
Data Source ID 1916

Integrating Microsoft IIS FTP Server and NXLog

Before configuring NXLog in Sheriff CSM, you must configure FTP logging in IIS.

Configure FTP Logging

To configure FTP Logging in IIS Manager

  1. Open IIS Manager.

  2. In the Connections tab, select either the server or the site, and then click the FTP Logging icon.

  3. Under Log File, click Select W3C Fields, and then select the information you want to log.

    Make sure to select the items checked in the screenshot below and click OK.

    Configure FTP Logging in IIS Manager

  4. Select UTF8 under Encoding and Daily under Schedule.

  5. Click Apply.

  6. Restart the FTP Server for the changes to take effect.

Configure NXLog on Windows

To send log data through NXLog to Sheriff CSM

  1. If not done already, download nxlog.conf, and then place it in the conf directory of your NXLog installation. Depending on which version you use, the directory can be C:\Program Files (x86)\nxlog\conf for the 32-bit version or C:\Program Files\nxlog\conf for the 64-bit version.

    Note: This step overwrites the default nxlog.conf file. You may want to back up the original copy before placing the one provided by AT&T Cybersecurity.

  2. Open the nxlog.conf file in a text editor.

  3. Update the root path of your NXLog installation.

    1. Locate the following lines:

      #define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
    2. Uncomment the path that matches the NXLog installation on your Windows machine.

  4. Enter the Sheriff CSM Sensor (Deputy) IP address.

    1. Locate the following line:

      define OUTPUT_DESTINATION_ADDRESS <gap Sheriff-CSM-Sensor-IP>
    2. Replace <Sheriff-CSM-Sensor-IP> with the IP address of the Sheriff CSM All-in-One or Sheriff CSM Sensor that will receive the Windows events.

  5. Uncomment the section between FTP-NXLOG and /FTP-NXLOG.

    Important: Only remove the first # symbol in each line when uncommenting the sections. The remaining # symbol indicates that the line is either a comment or optional.

  6. In addition, uncomment the following lines, above the DHCP-NXLOG section:

    #<Extension json>
# Module xm_json
#</Extension>

  7. Save the file.

  8. Start or restart the NXLog service.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

If enabling the plugin on assets, you will find it listed as Microsoft : Windows IIS FTP Server : NXLog.

Enabling the winftp-nxlog plugin from asset

Additional Resources and Troubleshooting

NXLog documentation on forwarding and storing logs

For troubleshooting, refer to the vendor documentation:

NXLog documentation on troubleshooting
Edit  | Attach | Print version | History: r12 < r11 < r10 < r9 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r12 - 06 Jul 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.