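---
tags: ccdc, NCCDC2019
---

# NXLOG Config

NXLog CE configuration that forwards the Windows Security/System/Application/Task Scheduler
event logs, the Sysmon operational log, the Windows Firewall text log and an NXLog heartbeat
to an AlienVault collector in its `WIN-NXLOG` / `SYSMON-NXLOG` / `WIN-FW-NXLOG` CSV line format.
Transport caveat: every output uses `om_udp` to port 514, i.e. plain-text, unauthenticated and
lossy. That is acceptable on an isolated management segment; on a contested network anyone on
the path can read or spoof events, so prefer `om_ssl` if the collector accepts TLS syslog.

```xml
# NXLog configuration for converting and sending Windows logs to AlienVault
#
# Install-time values. ROOT is the NXLog install directory;
# OUTPUT_DESTINATION_ADDRESS/PORT is the AlienVault sensor (UDP 514).
define ROOT C:\Program Files (x86)\nxlog
define LOGFILE %ROOT%\data\nxlog.log
define OUTPUT_DESTINATION_ADDRESS 192.168.5.209
define OUTPUT_DESTINATION_PORT 514

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %LOGFILE%

##############################################################################
#### NXLOG: Windows event log forwarding                                 #####
##############################################################################

<Extension charconv>
    Module  xm_charconv
</Extension>

# Synthetic "alive" event every MarkInterval minutes, so the SIEM can alert
# when a host stops reporting. Without it, an attacker stopping the nxlog
# service is indistinguishable from a quiet host.
<Input in_nxlog_heartbeat>
    Module        im_mark
    MarkInterval  10
    Mark          The nxlog service is alive.
    Exec          $EventType = 'Application'; $Channel = 'nxlog-ce'; $EventID = 8347;
</Input>

# NXLog's own log messages; everything except its event-storm warning is dropped.
<Input in_nxlog_internal>
    Module  im_internal
    Exec    if not ($Message == "Eventstorm detected.") drop();
    Exec    $EventType = 'Application'; $Channel = 'nxlog-ce'; $EventID = 8103;
</Input>

<Input in_windows_events>
    Module        im_msvistalog
    # SavePos TRUE: resume from the last read position after a restart, so
    # events written while NXLog was stopped are still forwarded. With the
    # previous SavePos FALSE, everything logged during a service outage was
    # silently skipped. ReadFromLast only applies when no saved position
    # exists (first start) and prevents replaying the whole event log then.
    SavePos       TRUE
    ReadFromLast  TRUE
    # Microsoft-Windows-TaskScheduler/Operational is disabled by default and
    # must be enabled in Event Viewer before it produces anything.
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Security">*</Select> \
            <Select Path="System">*</Select> \
            <Select Path="Application">*</Select> \
            <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select> \
        </Query> \
    </QueryList>
</Input>

# Column layout of the WIN-NXLOG / SYSMON-NXLOG CSV line (25 fields).
<Extension transform_alienvault_csv>
    Module      xm_csv
    Fields      $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $AccountName, $AccountType, $Domain, $Message, $Task, $Category, $Keywords, $UserID, $SeverityValue, $ProviderGuid, $Version, $OpcodeValue, $Opcode, $ActivityID, $RelatedActivityID, $ProcessID, $ThreadID, $RecordNumber
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter   ;
</Extension>

# Sets $PatternID on events that match a rule in patterndb.xml. Because
# out_alienvault_csv drops events without a $PatternID, patterndb.xml is the
# allow-list of which Windows events reach AlienVault.
<Processor match_events>
    Module       pm_pattern
    PatternFile  %ROOT%\conf\patterndb.xml
</Processor>

<Output out_alienvault_csv>
    Module  om_udp
    Host    %OUTPUT_DESTINATION_ADDRESS%
    Port    %OUTPUT_DESTINATION_PORT%
    # NXLog datetimes are microseconds since the epoch; the collector gets seconds.
    # NOTE(review): only this output converts $EventTime; the sysmon and heartbeat
    # outputs send the raw datetime string. Confirm this matches the collector's parsers.
    Exec    $EventTime = integer($EventTime) / 1000000;
    # Forward pattern-matched events only. To forward every event instead,
    # remove the "not defined $PatternID" half of this condition.
    Exec    if not defined $PatternID or not defined $Message { drop(); }
    # Collapse the message onto one line so one event stays one syslog record.
    Exec    $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
    # Placeholders keep the CSV column count stable when an event carries no account data.
    Exec    if not defined $AccountName { $AccountName = "-"; }
    Exec    if not defined $AccountType { $AccountType = "-"; }
    Exec    if not defined $Domain { $Domain = "-"; }
    Exec    transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' WIN-NXLOG ' + $raw_event + ' Task: ' + $Task + ' Category: ' + $Category + ' Keywords: ' + $Keywords + ' UserID: ' + $UserID + ' Severity: ' + $SeverityValue + ' ProviderGuid: ' + $ProviderGuid + ' Version: ' + $Version + ' OpcodeValue: ' + $OpcodeValue + ' Opcode: ' + $Opcode + ' ActivityID: ' + $ActivityID + ' RelatedActivityID: ' + $RelatedActivityID + ' ProcessID: ' + $ProcessID + ' ThreadID: ' + $ThreadID + ' RecordNumber: ' + $RecordNumber;
</Output>

# Same line format as out_alienvault_csv, for the heartbeat and internal
# messages, which never pass through match_events and so have no $PatternID.
<Output out_alienvault_nxlog_csv>
    Module  om_udp
    Host    %OUTPUT_DESTINATION_ADDRESS%
    Port    %OUTPUT_DESTINATION_PORT%
    Exec    if not defined $Message { drop(); }
    Exec    $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
    Exec    if not defined $AccountName { $AccountName = "-"; }
    Exec    if not defined $AccountType { $AccountType = "-"; }
    Exec    if not defined $Domain { $Domain = "-"; }
    Exec    transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' WIN-NXLOG ' + $raw_event + ' Task: ' + $Task + ' Category: ' + $Category + ' Keywords: ' + $Keywords + ' UserID: ' + $UserID + ' Severity: ' + $SeverityValue + ' ProviderGuid: ' + $ProviderGuid + ' Version: ' + $Version + ' OpcodeValue: ' + $OpcodeValue + ' Opcode: ' + $Opcode + ' ActivityID: ' + $ActivityID + ' RelatedActivityID: ' + $RelatedActivityID + ' ProcessID: ' + $ProcessID + ' ThreadID: ' + $ThreadID + ' RecordNumber: ' + $RecordNumber;
</Output>

<Route route_windows_logs>
    # Do not add a second path that bypasses match_events (the previous
    # version had one): events on it have no $PatternID and are dropped by
    # out_alienvault_csv, so it only doubled the processing of every event.
    Path    in_windows_events => match_events => out_alienvault_csv
</Route>

<Route route_nxlog_messages>
    Path    in_nxlog_internal, in_nxlog_heartbeat => out_alienvault_nxlog_csv
</Route>

##############################################################################
#### /NXLOG                                                              #####
##############################################################################

# Needed for to_json() in the firewall input below.
<Extension json>
    Module  xm_json
</Extension>

##############################################################################
#### SYSMON-NXLOG                                                        #####
##############################################################################

# Requires Sysmon to be installed; the channel does not exist otherwise.
# Kept as its own input so it is independent of in_windows_events.
<Input in_sysmon_events>
    Module        im_msvistalog
    # See in_windows_events: SavePos TRUE so a restart does not lose events.
    SavePos       TRUE
    ReadFromLast  TRUE
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
        </Query> \
    </QueryList>
</Input>

# No pattern filter here: every Sysmon event is forwarded.
<Output out_sysmon_events>
    Module  om_udp
    Host    %OUTPUT_DESTINATION_ADDRESS%
    Port    %OUTPUT_DESTINATION_PORT%
    Exec    $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
    Exec    if not defined $AccountName { $AccountName = "-"; }
    Exec    if not defined $AccountType { $AccountType = "-"; }
    Exec    if not defined $Domain { $Domain = "-"; }
    Exec    transform_alienvault_csv->to_csv(); $raw_event = $Hostname + ' SYSMON-NXLOG ' + $raw_event;
</Output>

<Route route_sysmon_logs>
    Path    in_sysmon_events => out_sysmon_events
</Route>

##############################################################################
#### /SYSMON-NXLOG                                                       #####
##############################################################################

##############################################################################
#### WINDOWS-FW-NXLOG: Windows Firewall text log forwarding              #####
##############################################################################

# Column layout of pfirewall.log (its "#Fields:" header line, 17 columns).
<Extension transform_alienvault_csv_windows_firewall>
    Module      xm_csv
    Fields      date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter   ' '
</Extension>

<Input WINDOWS-FW_Logs>
    Module  im_file
    # Default Windows Firewall log location. Logging is off by default and
    # must be enabled per profile in Windows Firewall with Advanced Security.
    # The previous version pointed at C:\Windows\shortcut.lnk, which is not a
    # firewall log, and lacked the Exec keyword in front of the parse block.
    File    "C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log"
    # pfirewall.log begins with "#Version/#Software/#Time Format/#Fields"
    # header lines; parsing those as records would emit garbage events.
    Exec    if $raw_event =~ /^#/ drop();
    Exec    transform_alienvault_csv_windows_firewall->parse_csv(); \
            $EventTime = parsedate($date + " " + $time); \
            $SourceName = "WINDOWS-FW"; \
            $raw_event = to_json();
</Input>

<Output out_alienvault_windows_firewall_nxlog>
    Module  om_udp
    Host    %OUTPUT_DESTINATION_ADDRESS%
    Port    %OUTPUT_DESTINATION_PORT%
    # im_file sets no $Hostname; fill it so the collector can attribute the line.
    Exec    $Hostname = hostname_fqdn();
    Exec    $raw_event = $Hostname + ' WIN-FW-NXLOG: ' + $raw_event;
</Output>

<Route route_windows_fw_nxlog>
    Path    WINDOWS-FW_Logs => out_alienvault_windows_firewall_nxlog
</Route>

##############################################################################
#### /WINDOWS-FW-NXLOG                                                   #####
##############################################################################
```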