| Device | Details |
|---|---|
| Vendor | NXLog |
| Device Type | Operating System |
| Connection Type | Syslog |
| Data Source Name | nxlog |
| Data Source ID | 1817 |
`C:\Program Files (x86)\nxlog\conf` on your Windows machine. The patterndb.xml file defines which Windows events are collected and sent to Sheriff CSM. Any Windows Event IDs not present in this file are not forwarded; this excludes events that are not relevant to security and improves the overall performance of the plugin.
The nxlog.conf file contains general NXLog configuration as well as settings that are specific to Sheriff CSM:

- `<Input in_nxlog_internal>` specifies that a warning message is sent when an event storm occurs. An event storm is a massive number of events generated in a short period of time; it can cause bandwidth issues on the network and/or performance issues on the Windows server.
- `<Extension transform_sheriff_csv>` specifies that Windows events forwarded to Sheriff CSM are formatted as double-quoted strings separated by semicolons (the event ID is the one field that is not quoted). For example:

  ```
  "<event_time>";"<event_type>";"<severity>";"<channel>";"<hostname>";<event_id>;"<source_name>";"<account_name>";"<account_type>";"<domain>";"<raw_message_without_linefeeds>"
  ```

- `<Output out_sherf_csv>` specifies some special handling of Windows events to improve the efficiency of the nxlog plugin. This includes:
  - Windows Event IDs not present in the patterndb.xml file are not forwarded to Sheriff CSM.
  - Events received during an event storm are dropped. Note: See Disabling Event Storm Execution if you want to keep the events instead.
  - The control characters \t, \n, and \r are replaced by a blank space.
  - If the <account_name>, <account_type>, or <domain> fields are empty, they are replaced by a hyphen ("-").
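The output rules above, as an added example that is not NXLog's or AT&T Cybersecurity's code: a small Python model that builds the semicolon-separated CSV line from a Windows event and applies the out_sherf_csv handling (pattern-database filter, control-character replacement, hyphen for empty account fields). The sample events and the set of allowed event IDs are constructed for the example; the page does not show the schema of patterndb.xml, so the IDs are taken as a plain set rather than parsed from the file, and the page specifies no escaping for double quotes inside a field, so none is applied.

```python
"""Added example (not NXLog's or AT&T Cybersecurity's code): produce the Sheriff CSV
line for a Windows event and apply the out_sherf_csv rules described on the page."""
import re
from typing import Iterable, Optional

# Field order from the page; event_id is the only field that is not quoted.
FIELDS = ("event_time", "event_type", "severity", "channel", "hostname", "event_id",
          "source_name", "account_name", "account_type", "domain", "message")
DASH_IF_EMPTY = {"account_name", "account_type", "domain"}
CONTROL_CHARS = re.compile(r"[\t\n\r]")

# Assumption: in the real plugin these IDs come from patterndb.xml, whose schema
# the page does not show, so this example takes them as a constructed plain set.
ALLOWED_IDS = {4624, 4625, 4672, 4720, 7045}


def csv_field(name: str, value) -> str:
    """Render one field: tabs and line breaks become spaces, empty account fields
    become '-', and every field except event_id is wrapped in double quotes."""
    text = "" if value is None else str(value)
    text = CONTROL_CHARS.sub(" ", text)
    if name in DASH_IF_EMPTY and text == "":
        text = "-"
    if name == "event_id":
        return text
    # Embedded double quotes are left as-is: the page specifies no escaping rule.
    return f'"{text}"'


def to_sheriff_csv(event: dict, allowed_ids: set = ALLOWED_IDS) -> Optional[str]:
    """Return the CSV line, or None when the event ID is not in the pattern database."""
    if int(event["event_id"]) not in allowed_ids:
        return None
    return ";".join(csv_field(name, event.get(name)) for name in FIELDS)


def forward(events: Iterable[dict], allowed_ids: set = ALLOWED_IDS) -> list:
    """Lines that would actually be sent to the Sensor (filtered events are omitted)."""
    return [line for line in (to_sheriff_csv(e, allowed_ids) for e in events) if line]


# Constructed sample events (not captured data).
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01 10:00:00", "event_type": "AUDIT_SUCCESS", "severity": "INFO",
     "channel": "Security", "hostname": "WIN-DC01", "event_id": 4624,
     "source_name": "Microsoft-Windows-Security-Auditing", "account_name": "jdoe",
     "account_type": "User", "domain": "CORP",
     "message": "An account was successfully logged on.\r\n\tLogon Type:\t2"},
    {"event_time": "2024-05-01 10:00:01", "event_type": "INFO", "severity": "INFO",
     "channel": "System", "hostname": "WIN-DC01", "event_id": 7045,
     "source_name": "Service Control Manager", "account_name": "", "account_type": None,
     "domain": "", "message": "A service was installed in the system."},
    {"event_time": "2024-05-01 10:00:02", "event_type": "INFO", "severity": "INFO",
     "channel": "Application", "hostname": "WIN-DC01", "event_id": 1000,
     "source_name": "Application Error", "account_name": "", "account_type": "",
     "domain": "", "message": "Faulting application"},
]

if __name__ == "__main__":
    for line in forward(SAMPLE_EVENTS):
        print(line)
```

The third sample event (ID 1000) is silently discarded because it is not in the allowed set, which is the behaviour to keep in mind when an expected event never reaches the Sensor: check patterndb.xml before suspecting the network path.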
In the nxlog.conf file, Sheriff CSM configures NXLog to drop Windows events when the rate reaches 200 events per second (EPS) or higher. Forwarding resumes as soon as the EPS falls back below 200.

If you want NXLog to forward all events, you can disable the event storm handling by editing the nxlog.conf file and commenting out the following section with #:

```
Exec \
{\
  if not defined get_var('rate') { create_var('rate'); set_var('rate',1); }\
  if not defined get_var('stormed'){ create_var('stormed',2); set_var('stormed',0); set_var('rate',1); }\
  set_var('rate',get_var('rate')+1);\
  if not defined get_var('sec')\
  {\
    create_var('sec',1);\
    set_var('sec',1);\
    if get_var('rate') >= 200 { delete_var('stormed'); create_var('stormed',2); set_var('stormed',1); set_var('rate',1); drop(); } else { set_var('stormed',0); set_var('rate',1); }\
  }\
  else if get_var('stormed') == 1\
  {\
    drop();\
  }\
  if get_var('rate') >= 200\
  {\
    if not defined get_var('warning')\
    {\
      log_warning("Eventstorm detected.");\
      create_var('warning',60);\
      set_var('warning',1);\
    }\
    drop();\
  }\
}
```
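To see what this block actually does before deciding whether to disable it, here is an added Python model of it (not NXLog's or AT&T Cybersecurity's code). It mimics NXLog module variables with a lifetime (`create_var(name, seconds)` makes a variable that stops being defined after that many seconds) and replays the same branch logic over a constructed event stream: a 250-event burst inside one second, 100 events in the following second, then 10 events after a pause. The `drop()` handling assumes that a second `drop()` on an already dropped event is harmless, which is how the block is written.

```python
"""Added example (not NXLog's or AT&T Cybersecurity's code): replay the event-storm
Exec block over a constructed stream to see which events are forwarded or dropped."""
from dataclasses import dataclass, field

EPS_THRESHOLD = 200  # the 'rate' at which the block starts dropping


@dataclass
class VarStore:
    """Models NXLog module variables: create_var(name, lifetime) yields a variable
    that is no longer 'defined' once `lifetime` seconds have passed."""
    now: float = 0.0
    vars: dict = field(default_factory=dict)  # name -> [value, expires_at or None]

    def defined(self, name):
        entry = self.vars.get(name)
        if entry is None:
            return False
        if entry[1] is not None and self.now >= entry[1]:
            del self.vars[name]  # expired: behaves as if never created
            return False
        return True

    def create(self, name, lifetime=None):
        self.vars[name] = [None, None if lifetime is None else self.now + lifetime]

    def get(self, name):
        return self.vars[name][0] if self.defined(name) else None

    def set(self, name, value):
        self.vars[name][0] = value

    def delete(self, name):
        self.vars.pop(name, None)


def process_event(store, t, warnings):
    """One pass of the Exec block for an event at time t. Returns True if forwarded."""
    store.now = t
    dropped = False
    if not store.defined("rate"):
        store.create("rate"); store.set("rate", 1)
    if not store.defined("stormed"):
        store.create("stormed", 2); store.set("stormed", 0); store.set("rate", 1)
    store.set("rate", store.get("rate") + 1)
    if not store.defined("sec"):
        # A new one-second window: judge the previous window's rate.
        store.create("sec", 1); store.set("sec", 1)
        if store.get("rate") >= EPS_THRESHOLD:
            store.delete("stormed"); store.create("stormed", 2); store.set("stormed", 1)
            store.set("rate", 1); dropped = True
        else:
            store.set("stormed", 0); store.set("rate", 1)
    elif store.get("stormed") == 1:
        dropped = True  # still inside the 2-second storm flag
    if store.get("rate") >= EPS_THRESHOLD:
        if not store.defined("warning"):
            warnings.append((t, "Eventstorm detected."))  # stands in for log_warning()
            store.create("warning", 60); store.set("warning", 1)  # at most one warning per 60 s
        dropped = True
    return not dropped


def simulate(timestamps):
    """Replay a list of event timestamps; returns [(t, forwarded)], warnings."""
    store, warnings, results = VarStore(), [], []
    for t in timestamps:
        results.append((t, process_event(store, t, warnings)))
    return results, warnings


def build_stream():
    """Constructed sample stream (not real log data)."""
    burst = [i * 0.001 for i in range(250)]        # 250 events in the first second
    after = [1.0 + j * 0.001 for j in range(100)]  # 100 events in the next second
    quiet = [5.0 + k * 0.001 for k in range(10)]   # 10 events after a 4-second pause
    return burst + after + quiet


def summarize(results):
    """(forwarded, dropped) counts."""
    forwarded = sum(1 for _, ok in results if ok)
    return forwarded, len(results) - forwarded


if __name__ == "__main__":
    results, warnings = simulate(build_stream())
    print("forwarded/dropped:", summarize(results), "warnings:", warnings)
```

Two things the replay makes visible that the prose does not: the first 199 events of the storm second are still forwarded (dropping only starts once the counter reaches 200), and the whole following second is dropped regardless of its own rate, because the `stormed` flag set at the window boundary lasts for two seconds. Only one warning is logged per 60 seconds, so a sustained storm produces a single log line.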
1. If not done already, download patterndb.xml and nxlog.conf, and place them in the conf directory of your NXLog installation. Depending on which version you use, the directory is `C:\Program Files (x86)\nxlog\conf` for the 32-bit version or `C:\Program Files\nxlog\conf` for the 64-bit version.

   Note: This step overwrites the default nxlog.conf file. You may want to back up the original copy before placing the one provided by AT&T Cybersecurity.

2. Open the nxlog.conf file in a text editor.
3. Update the root path of your NXLog installation. Locate the following lines and uncomment the one that matches your installation:

   ```
   #define ROOT C:\Program Files\nxlog
   #define ROOT C:\Program Files (x86)\nxlog
   ```

4. Enter the Sheriff CSM Sensor IP address. Locate the following line and replace `<Sheriff-CSM-Sensor-IP>` with the IP address of your Sensor:

   ```
   define OUTPUT_DESTINATION_ADDRESS <Sheriff-CSM-Sensor-IP>
   ```

5. Uncomment the section between the `<NXLOG>` and `</NXLOG>` markers.

   Important: Only remove the first # symbol in each line when uncommenting the section. A remaining # symbol indicates that the line is either a comment or optional.

6. Save the file.
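The edits from steps 3 to 5 applied programmatically, as an added example that is not AT&T Cybersecurity's or NXLog's code: it selects exactly one active ROOT definition, substitutes the Sensor address, and uncomments the NXLOG section by removing only the first # on each line, so lines that start with ## stay commented as the note above requires. The configuration text is constructed for the example; the real file's layout is not shown on this page beyond the lines it quotes, and the assumption that the section is delimited by commented `<NXLOG>` and `</NXLOG>` marker lines is the example's own.

```python
"""Added example (not AT&T Cybersecurity's or NXLog's code): apply the nxlog.conf
edits from the procedure above to the file text, honouring the 'first # only' rule."""
import ipaddress
import shutil
from pathlib import Path

ROOT_64BIT = r"C:\Program Files\nxlog"
ROOT_32BIT = r"C:\Program Files (x86)\nxlog"

# Constructed sample text. Assumption (not confirmed by the page): the NXLOG section
# is delimited by commented <NXLOG> / </NXLOG> marker lines.
SAMPLE_CONF = """\
#define ROOT C:\\Program Files\\nxlog
#define ROOT C:\\Program Files (x86)\\nxlog
define OUTPUT_DESTINATION_ADDRESS <Sheriff-CSM-Sensor-IP>
Moduledir %ROOT%\\modules
#<NXLOG>
#<Input in_nxlog_internal>
#    Module im_internal
#</Input>
## Optional: extra input, leave commented unless needed
#</NXLOG>
"""


def configure(conf_text: str, root: str, sensor_ip: str) -> str:
    """Return the edited configuration text. Raises ValueError for a malformed IP
    address or when no ROOT line matches the requested installation path."""
    ipaddress.ip_address(sensor_ip)  # validate before touching the file
    out, in_section, root_found = [], False, False
    for line in conf_text.splitlines():
        body = line.strip()
        uncommented = body.lstrip("#").strip()
        if uncommented.startswith("define ROOT "):
            value = uncommented[len("define ROOT "):].strip()
            active = value == root
            root_found = root_found or active
            out.append(("define ROOT " if active else "#define ROOT ") + value)
        elif body.startswith("define OUTPUT_DESTINATION_ADDRESS"):
            out.append(f"define OUTPUT_DESTINATION_ADDRESS {sensor_ip}")
        elif "</NXLOG>" in body:
            in_section = False
            out.append(line)
        elif "<NXLOG>" in body:
            in_section = True
            out.append(line)
        elif in_section and body.startswith("#"):
            # Remove exactly one '#': a '##' line is a comment or optional and stays commented.
            out.append(line.replace("#", "", 1))
        else:
            out.append(line)
    if not root_found:
        raise ValueError(f"no ROOT line matches {root!r}")
    return "\n".join(out) + "\n"


def configure_file(conf_path, root, sensor_ip):
    """Back up nxlog.conf next to itself (nxlog.conf.bak), then rewrite it in place."""
    path = Path(conf_path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(configure(path.read_text(), root, sensor_ip))


if __name__ == "__main__":
    print(configure(SAMPLE_CONF, ROOT_32BIT, "10.0.0.5"))
```

Validating the address up front matters because NXLog will otherwise start with a destination it cannot resolve and the failure only shows up as events never arriving at the Sensor.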