2018-02-26 02:01 PM
NXLog (NXLog Community Edition | nxlog.co ) is a Windows log collection agent that can be used with RSA NetWitness. In addition to being able to send logs to NetWitness over UDP/TCP, NXLog can also be configured to send logs via TLS. There are a few steps that need to be performed in order to configure NXLog. If you are only planning on sending the logs over TCP/UDP then only steps 1 and 2 are necessary. For TLS you must continue on.
Step 1. Download the NXLog Community Edition and install it on the Windows system of choice.
Step 2. Make sure the config file looks like the below:
<Output out>
Module om_tcp
Host 192.168.31.26
Port 514
Exec to_syslog_snare();
</Output>
The 'Exec to_syslog_snare();' line must be present to make sure that NXLog sends in Snare format to NetWitness.
*********** For V11 ****************
Step 3. On the Log Decoder that you will be sending to, navigate to the /etc/pki/nw/node directory and locate the node-cert.p7b file. In order to prevent any possible errors, copy the file to the /tmp directory.
Step 4. Change to the tmp directory ('cd /tmp') and execute the following: openssl pkcs7 -print_certs -in node-cert.p7b -out ld.crt
Proceed to step 5 below
*********** For V10.6.x ****************
Step 3. On the Log Decoder that you will be sending the logs to, navigate to /etc/netwitness/ng/logdecoder/trustpeers
Step 4. Run '/etc/puppet/scripts/node_id.py' and take note of the ID.
Step 5. Copy the two files to /tmp and rename the extension from .0 to .cer.
Step 6. Run the following for each of the files to convert from .cer to .crt, picking two different names for the output (-inform needs the input encoding, DER or PEM, to match the file): openssl x509 -inform <DER|PEM> -in xx.cer -out xx.crt
Step 7. Copy each x.crt file to the Windows host.
Step 8. Double-click each file and find the one that matches the node_id value from step 4.
Step 9. For the file that matches the node ID, rename it to ld.crt.
Proceed to step 5 below.
********************************
Step 5. Copy the ld.crt file (or whatever you named it above) to the Windows system running NXLog and place it in the 'C:\Program Files (x86)\nxlog\cert' directory.
Step 6. Navigate to 'C:\Program Files (x86)\nxlog\conf' and open the nxlog.conf file in Notepad or Notepad++.
**It is important that you open Notepad or Notepad++ in administrator mode.**
Step 7. Add in/replace the following lines:
<Output out>
Module om_ssl
Port 6514
CAFile %ROOT%\cert\ld.crt
AllowUntrusted FALSE
Host xxx.xxx.xxx.xxx
Exec to_syslog_snare();
</Output>
Step 8. Restart the NXLog service in the Services applet.
Hope that helps
Dave
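As an added check (example code, not from Dave's post and not part of NXLog or NetWitness), this Python snippet parses the <Output> blocks of an nxlog.conf and flags the settings that matter for the TLS setup above: AllowUntrusted TRUE, a missing CAFile, a cleartext om_tcp/om_udp output, or a missing to_syslog_snare() exec. The two sample configs and the 192.0.2.10 address are constructed for the example.

```python
import re
# Constructed sample nxlog.conf fragments (not from the original post): the TLS
# output as described above, and a weak variant an auditor should flag.
GOOD_CONF = r"""<Output out>
Module om_ssl
Port 6514
CAFile %ROOT%\cert\ld.crt
AllowUntrusted FALSE
Host 192.0.2.10
Exec to_syslog_snare();
</Output>
"""
WEAK_CONF = r"""<Output out>
Module om_ssl
Port 6514
AllowUntrusted TRUE
</Output>
"""
BLOCK_RE = re.compile(r"<Output\s+(\S+)>(.*?)</Output>", re.S | re.I)

def parse_outputs(conf):
    """Return {block name: {directive (lowercased): value}} per <Output> block."""
    outputs = {}
    for name, body in BLOCK_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key.lower()] = value.strip()
        outputs[name] = directives
    return outputs

def audit_output(d):
    """Findings for one Output block: TLS trust settings and Snare formatting."""
    findings = []
    module = d.get("module", "").lower()
    if module == "om_ssl":
        if d.get("allowuntrusted", "FALSE").upper() == "TRUE":
            findings.append("AllowUntrusted TRUE: the decoder's certificate is never verified")
        if "cafile" not in d:
            findings.append("CAFile missing: no trust anchor for the Log Decoder")
    elif module in ("om_tcp", "om_udp"):
        findings.append(f"{module}: logs leave the host in cleartext")
    if d.get("exec") != "to_syslog_snare();":
        findings.append("Exec to_syslog_snare(); missing: NetWitness expects Snare format")
    return findings

def audit_conf(conf):
    return {name: audit_output(d) for name, d in parse_outputs(conf).items()}
```

Run audit_conf() over the real nxlog.conf text before restarting the service; an empty findings list for the out block means the TLS output matches the settings in step 7.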
2018-04-23 01:54 PM
Hi Dave, we are trying to open up a TLS syslog port in addition to port 514. Is there any other configuration that needs to be done besides this? I followed this procedure but get the error below. Our log collector and decoder are on the same box, so I just went in and added another line for the TLS port - 6514. When I run a netstat I see it listening on 0.0.0.0:6514.
But in nxlog I get this:
2018-04-23 13:51:16 ERROR couldn't connect to ssl socket on XXX.XXX.XXX.XXX:6514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.