Transcription
Threat Analytics Platform(TAP)Deployment GuideApril 28, 2014FireEye, Inc., 1440 McCarthy Blvd., Milpitas, CA 95035 www.FireEye.com 1 877.FIREEYE
Information provided about third-party products does not imply any recommendationfor use of that product. The information is provided as a guidelines only and is not guaranteed to be accurate. 2014 FireEye, Inc. All rights reserved.FireEye is a registered trademark of FireEye, Inc. All other brands, products, or servicenames are or may be trademarks or service marks of their respective owners. Use of thisproduct and this document are subject to the terms of your license agreement withFireEye, Inc.Document version: v1.0B
ContentsThreat Analytics Platform (TAP)Contents1iAbout the Deployment GuideDeployment Checklist11TAP Overview2TAP Architecture2Comm Broker Sender4Communications Broker Sender Configuration4Monitor Comm Broker Sender5Remove Comm Broker Sender5Troubleshoot Comm Broker Sender5Comm Broker Senders Traffic Management6Data Sources for TAP8Types of Log Data for TAP8Log Specifications for TAP9Log Aggregation System Configuration for TAP9Log Sources Supported by TAP10Cisco PIX and ASA Firewall Configuration12Juniper Secure Access Configuration13Linux Configuration13Rsyslog Configuration13Syslog-ng Configuration14McAfee Nitro Configuration14RSA Authentication Manager Configuration15Splunk Configuration15Symantec Endpoint Protection Configuration16Tomcat Configuration via Syslog16Trend Micro Control Manager Configuration17Appendix A. Windows Logging with NXLog18NXLog Installation and Configuration18Example nxlog.conf File20NXLog Troubleshooting23FireEye, Inc.Deployment Guidei
Operating System Events23DNS Query Logs23DHCP Logs24Netlogin Debug Logs24IIS Logs24Process Creation Auditing25SQL Events25FireEye, Inc.Deployment Guideii
About the Deployment GuideThis deployment guide is designed to assist you in configuring log sources and successfully transmitting them to your TAP instance. It contains information about the following:lllOverview of TAP including its architectureInformation about log sources for TAPComm Broker Sender configuration instructionsDeployment ChecklistBefore deploying TAP, you must first contact FireEye Sales to obtain the proper licensefor Threat Analytics Platform (TAP). Your data sources will not be fully functional untilyou obtain this license.To contact the TAP team, including TAP Sales, e-mail to [email protected] more information on TAP, see the FireEye Threat Analytics Platform page on theFireEye website.FireEye, Inc.Deployment Guide1
TAP OverviewThe FireEyeThreat Analytics Platform (TAP) is a security incident detection and resolution tracking platform that identifies cyber threats and improves response by layeringenterprise-generated event data with real-time threat intelligence from FireEye.TAP OverviewTAP is a cloud-based application that:llllllCollects and indexes database, security, network, and endpoint events from yourenvironmentCompares indicators in your events against FireEye intelligence in real time andgenerates alerts on hitsApplies both FireEye-defined rules and rules that you define to event data to generate alertsProvides an incident workflow for tracking both events associated with alerts andany events that you deem suspicious from investigation to remediationMakes events available for efficient searching and pivotingProvides visualizations of trending activityTAP ArchitectureYour TAP instance resides in two environments: your environment and a Virtual PrivateCloud (VPC) within Amazon World Servies (AWS). Within your environment is one ormore Communication Broker Senders that send log data to a Communications BrokerFireEye, Inc.Deployment Guide2
Receiver within TAP in the VPC. The Comm Broker Receiver and all otherTAP components within the VPC are managed by the TAP Operations Team.TAP High-Level ArchitectureThe data flow is as follows:llllThe Comm Broker sender listens receives log data in your environment and sendsit to the Comm Broker Receiver in the VPC. For security purposes, all data intransit, including all metadata, is encrypted with Twofish with a 256-bit key. Whendata is transmitted over the WAN to the Communication Broker Receiver, it isdouble-encrypted with two layers of Twofish and 512 bits of key total. The Communication Broker Sender/Receiver combination never stores any customer datain clear text.Log data is parsed according to the TAP taxonomy and then indexed to make itavailable for fast searches and pivoting. Log data that cannot be parsed is stillindexed as raw messages.Both FireEye-defined and customer defined rules are applied to the events andalerts generated if applicable.FireEye Intelligence is also applied to all events in real-time and alerts generatedfor any hits.FireEye, Inc.Deployment Guide3
Comm Broker SenderThe Communications Broker (Comm Broker) Sender is an application runs on anAmazon Machine Image. It collects logs from within your Amazon Cloud environmentand forwards them to the Communications Broker Receiver within your TAParchitecture.Communications Broker Sender ConfigurationBefore configuring the Comm Broker Sender, be sure that you have available the information provided by FireEye Product Support.To configure the Comm Broker Sender to send logs to the Comm Broker Receiver inyour TAP VPC and to listen for log data:1.2.3.4.Load the Amazon Machine Image (AMI) from the Amazon Marketplace.Enter the key provided by FireEye Product Support.Run the configuration script: ./ConfigSender.shComplete the post-install script as follows:l Welcome to the Threat Analytics Platform (TAP) Sender setup script.l Enter this Sender's identification number [38351]: (Enter the numberprovide by FireEye Support)l Enter symmetric key : (Enter thenumber provide by FireEye Support)l Configure Sender listener addressesl Enter interface IP address that sender will listen on [0.0.0.0]: 0.0.0.0 (HitEnter to select the default of 0.0.0.0)l Enter the protocol: [UDP] (Hit Enter to select the default ofUDP or enter TCP)l Enter the port: [514] 514 (Hit Enter to select the default of514)l Add another?: [no] (Hit Enter to continue; to add additionalports, enter yes.)l Listening configurations: 0.0.0.0\/514\/UDP (Hit Enter to selectthe default or modify if needed)l Configure Receivers' listener address and portl Enter interface IP address of receiver [ENTER]: (Enter the IPaddress provided by FireEye Product Support)l Enter the port: [443] 443 (Hit Enter to select the default)l Add another receiver?: [no] (Hit Enter to continue if you haveonly one receiver; enter yes if you have receivedFireEye, Inc.Deployment Guide4
information from FireEye Support for additional CommBroker Receivers)l List of receivers: (Hit Enter to select the default or makemodifications as needed)5. You should see the following messages:lReplacing senders in init fileltap-cbs stop/waitingltap-cbs start/running, process 1448lSender has successfully been initializedMonitor Comm Broker SenderTo monitor overall health, we recommend you monitor your systems in accordance withyour corporate monitoring policy.Some areas to consider:lllNetwork t/x and r/x are useful for watching trends in log trafficCPU / memory / disk spaceMonitor the host system if using virtualization for i/o performanceAs an application specific check, yhe following processes should appear with the senderhas successfully connected to a receiver.Remove Comm Broker SenderYou must remove all the tap-cbs files manually in order to reinstall a CB.l service tap-cbs stopl yum remove tap-cbsl rm /etc/init.d/tap-cbsl rmdir /opt/tap-cbsTroubleshoot Comm Broker SenderThe following are potential actions for troubleshooting the Comm Broker Sender.Step1. Verify the process is running (e.g. ps aux grep sender)FireEye, Inc.Deployment Guide5
Step 2. Verify network connectivity between the Communications Broker and the customer instance (e.g. netstat –anp grep sender)Step 3. Use tcpdump to verify the Communication Broker is receiving syslog traffic fromlog sources (e.g. tcpdump –ni eth1 –c 50 –s0 –A udp port 514)Alternatively, you can verify the Communication Broker is listening and receiving logtraffic on the configured ports.Use the Netcat utility to send traffic from another device to the Communication Broker(e.g. echo -n "TEST TEST TEST" nc -4u -w1 ip address of sender 514 )Look for this traffic on the Communication Broker (e.g., tcpdump –ni eth1 –c 50 –s0 –Audp port 514 )Comm Broker Senders Traffic ManagementTo manage large streams of data both to the Comm Broker Sender and between theComm Broker Sender and Comm Broker Receiver, TAP supports multiple options:lllMultiple Comm Broker SendersLoad BalancersDomain Name Servers (DNS)FireEye, Inc.Deployment Guide6
TAP supports the use of multiple Comm Brokers Senders and Comm Broker Receivers.One Comm Broker Receiver can receive traffic from multiple Comm Broker Senders.Comm Broker Senders operate independently.Installing Comm Broker Senders closer to the log source conserves bandwidth. If yourenvironment includes data centers that are regional, you could deploy one or moreComm Broker Senders within each data center.Comm Broker Senders can be deployed in arrays with load balancers for redundancyand load sharing.Load balancers can be used to detect when systems are in need of maintenance orrepair, share the load across multiple systems, and provide redundancy.A Domain Name System (DNS) round robin can also be used to provide redundancy.Some system may not have the ability to syslog to a DNS and are limited to an IP destination only. Low TTL DNS can be used to help automatically fail over devices that usefull qualified domain names (FQDN) for their syslog destinations.FireEye, Inc.Deployment Guide7
Data Sources for TAPTAP’s effectiveness is dependent on the data sources available for analysis. What logdata you send into TAP determines TAP’s detection capability (i.e., use cases available). From the perspective of effective use of TAP, there are varying types of log data.The TAP Communication Broker Sender has specifications for log data accepted an logdata from specific sources that is currently supported. TAP generally accepts logs fromlog aggregation systems and other sources such as network devices, security systems,and operating systems.Types of Log Data for TAPThe detection capability from various sources including log data can be compared withthe “cost” (in terms of dollars as well as resources and effort) to form an efficiency curvePerimeter devices create a bottleneck for network traffic to the internet and are generallyeasy to configure for syslog. Perimeter devices, such as firewalls, perform translation ofinside IPs to outside Ops, and track ports used, providing key information used to identifymalware and other activities of known malicious actors. Web proxy events allow detection of beaconing activities and SQL injections.Event data generated by the following network devices, network services, securitydevices and applications help detect advanced threats:lllllNetwork devices: Routers, SwitchesNetwork services: DNS, DHCP, NATSecurity devices: Firewalls with NAT table logs, Web Proxy with user tracking, AV,IPS, DLPApplications: ERP, CRM, web applicationsE-mail: Server transaction events, filtering, and security eventsWeb Intrusion Prevention Systems (IPS) and Intrusion Detection System (IDS) are alsovaluable log sources.Operating system logs including system events and process tracking from high-valuesystems like domain controller and logs from DNS, DCHP, and other anti-virus softwareoffer valuable context into potential malicious activity such as lateral movement.Data logs such a file auditing, DLP or file integrity auditing have less value to securityoperations compared to other data sources and can be complex to implement effectively.TAP accepts log data from sources such as the following:lllThreat Detection Systems such as FireEyeFirewalls including web application firewalls, such as Checkpoint, Cisco, F5Internet devices including switches, routers, and VPNs such as Cisco, Juniper,Internet Information Server (IIS), and ApacheFireEye, Inc.Deployment Guide8
lllllNetwork Access Control such as Forescout NACWeb Proxy with user tracking such as BlueCoat, WebsenseIntrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) such asIronport, McAfee, SymantecEndpoint security events such as anti-virus, HIPS, and Bit9Log aggregators such as Splunk, Q1, Rsyslog, ArcSight, RSA Envision, EstreamerLog Specifications for TAPBecause of the flexibility of these data source input methods, and how TAP processlogs, TAP is compatible with virtually any data source.Through the Communications Broker Sender, TAP accepts machine-generated messages and logs from hardware devices, operating systems, applications, security appliances, network devices and databases via a variety of methods.The CB looks for events formatted as IETF syslog RFC5424, RFC3164, date-prefixedarbitrary data, and just-plain-arbitrary data, in descending order of preference. On streaming inputs (TCP, named pipe) the Comm Broker Sender expects linefeed-separated messages/records.TAP currently accepts and processes events sent via syslog, flat files, UDP/TCPstreams, and queries via JDBC connection.With the use of an additional java-based utility provided by TAP Support, the CommBroker Sender will query Microsoft SQL, MySQL, Oracle, and PostgreSQL databasesand will accept non-RFC formatted data inputs via HTTP methods.Log Aggregation System Configuration for TAPIf you have already implemented a log aggregation system such as centralized logging,SIEM, or "Big Data" systems, you will likely be able leverage those systems to send logsinto TAP.Many of these systems support forwarding of messages and/or logs to other systems.You may be able to forward logs directly to TAP, as long as those logs follow the log specifications and the following:lllllDoes not alter the original messagePreserves the original source IP address (typically this spoofing requires UDP forwarding, vs. TCP)Preserves the original timestampPreserves the original program namePreserves the original message formatExamples of existing aggregations systems from which customers have successfully forwarded messages and logs include:FireEye, Inc.Deployment Guide9
llllllSyslog-ngSolarwindsKiwi Enterprise Syslog serverSplunkArcSightQ1Log Sources Supported by TAPThe following table shows the devices and applications that TAP currently supports.TAP Supported Log SourcesVendorSourceMethodApachehttpd, Tomcatsyslog, flat logCheckpoint*FW-1syslogCheckpoint*Secure onetsyslogCiscoASAsyslogCiscoCall ManagersyslogCiscoCatalyst port E-mailsyslogCiscoISEsyslogCiscoNexussyslogFireEye, Inc.Deployment Guide10
CiscoPIXsyslogCiscoVPN 3000 ConcentratorsyslogCitrixNetscalersyslogf5ASM XsyslogForescoutNACsyslogIBMAIXsyslogIBMAS rSA Series VPNsyslogKiwiSyslog eeNitrosyslogMicrosoftOS EventssyslogMicrosoftDHCPsyslogMicrosoftDNSsyslog, flat fileMicrosoftExchangesyslogMicrosoftIISsyslog, flat fileMicrosoftSCOM ACSsyslogPalo AltoURL filtering, firewallsyslogFireEye, Inc.Deployment Guide11
tication ManagersyslogSourceFireDefense ailsyslogSymantecEndpoint ProtectionsyslogTipping PointIPSsyslogTomcatapplicationsyslogTrend MicroControl ManagersyslogTrend MicroDeep Discovery IPSsyslogVMWareESX, ESXisyslogWebsenseWeb Proxysyslog*For more information:llllBlueCoat: https://kb.bluecoat.com/index?page content&id KB4294Checkpoint FW-1: us.us.checkpoint.com/msg26440.htmlCheckpoint Secure Platform: t-deviceKiwi Syslog Server: ction forward to another host.htmCisco PIX and ASA Firewall ConfigurationTo send logs from Cisco Pix or ASA firewall's, you must configure logging on the device,capture the activity on the NAT table, and forward it to the Communications Broker viasyslog as follows:#Config t(config)#Logging on(config)#Logging host (IP ADDRESS OF COMM BROKER)(config)#Logging trap 6(config)#Service timestamps log datetimeTo configure access control list logging:FireEye, Inc.Deployment Guide12
Each line in the access control lists (ACLs) should end with the keyword “log”.l Each ACL should end with a default statement to deny all traffic, and log:#Deny IP any any LOGlMore Cisco logging information is available from the Cisco /en/US/products/hw/vpndevc/ps2030/products configurationexample09186a00805a2e04.shtmlJuniper Secure Access ConfigurationTo configure Juniper Secure Access (SA) logging to syslog:1. Select System then Log/Monitoring2. Click the Settings tab3. Input the following:l Server name/IP (IP generally more fault tolerant)l Facility: Generally Local0l Type: UDPl Client Certificate: Not Supported yetl Filter: Standard4. Save the configuration.For more information, see http://www.juniper.net/techpubs/en yslog-configuring.htmlLinux ConfigurationLinux systems can utilize a number of different syslog tools to send logs to the Communications Broker.Rsyslog ConfigurationWhen configuring Rsyslog for Centros and RedHat 5 and 6, be sure the fully qualifieddomain name (FQDN) of the Communications Broker is registered in domain namingserver (DNS) and the server can resolve the name correctly.To edit the Ryslog configuration:1. Open /etc/rsyslog.conf2. Add the following lines to the body of the file (note that in this script @ infers UDPis used, @@ will use TCP):“# ### begin forwarding rule ###”# These messages will log to the Communications BrokerAuth.info @CommBroker.company.com:514FireEye, Inc.Deployment Guide13
Authpriv.info @CommBroker.company.com:514Cron.* @CommBroker.company.com:514Daemon.crit @CommBroker.company.com:514Kern.crit @CommBroker.company.com:514Uncomment the following lines to cache logs on hard disk: WorkDirectory /var/lib/rsyslog ActionQueueFileName fwdRule1 ActionQueueMaxDiskSpace 1g ActionQueueuSaveOnShutdown on ActionQueueType LinkedList ActionResumeRetryCount -1*.* @CommBroker.company.com:514 #this final line specifiesthe forwarding locationTo ensure rsyslog runs at boot:Chkconfig rsyslog onTo restart the service:Service rsyslog restartSyslog-ng ConfigurationEdit the Syslog-ng Configuration for Ubuntu LTS:1. Open /etc/syslog-ng/syslog-ng.conf2. Define a new destination: destination d commbroker {syslog("10.1.1.1"transport("udp")port(514));};3. Replace "10.1.1.1" with theIP address of the communication broker4. Add this destination to the appropriate log definition:log {source(s network); #example existing log sourcesource(s bro conn); # example existing log sourcedestination(d commbroker);}To restart the service:service syslog-ng restartMcAfee Nitro ConfigurationFor McAfee Nitro, Syslog Forwarding sends the raw data for syslog protocols as a continuous stream of combined syslogs to the device configured in the Syslog ForwardingFireEye, Inc.Deployment Guide14
section of the Data Archival Settings screen. Enter the following information to configurethe device:llForwarding IP Address. IP Address of the Comm Broker Sender to which thedata stream should be forwarded.Forwarding Port. Port of the Comm Broker Sender to which the data streamshould be forwarded.RSA Authentication Manager ConfigurationTo configure RSA Authentication Manager 7.1 (running on a Linux server) to send thesyslog, you must enable the Send system to send messages to the OS system log, as follows:1. Log in to the security console, select the appropriate instance configuration,select the Logging tab, and then select the Send system messages to OS System Log checkbox.2. Log in to the Linux terminal as root and use cd to change to the following directory: ils/resources3. Use vi to edit the ims.properties file. Change the values of the three *syslog.hostfields to the IP address of your Comm Broker Sender.4. Change the *.use os logger field values to true to enable the remote logging.5. Restart the syslog daemon using the following command: kill -1 pid pid is the specific process ID of syslogd. The ID can be found by running the followingcommand: ps auxf syslogSplunk ConfigurationThere are three types of Splunk Fowarders: Universal, Heavy, and Light; the only onethat supports SYSLOG is a Heavy Forwarder.The following links provide data on forwarding data from atothirdpartysystemsd#Forward syslog dataValidate that logs were being forwarded to the Comm Broker Sender by running this tcpdump command: tcpdump port 514 host IP address of Splunk Server/Fowarder) –AThe Splunk GUI may flash a message saying that forwarding has stopped due to a spikein event volume. The message also may say there is a lack of open files or memory. Inthe event Splunk stops forwarding data and starts dropping events, do the following:1. Modify the memory setting on the Splunk server in /etc/security/limits.conf or in /etc/security/limits.d/90-nproc.confFireEye, Inc.Deployment Guide15
(RedHat) by adding these parameters to the file and then reboot the server:soft nproc 10240hard nproc 10240soft nofile 65536hard nofile 655362. Clear all the stale queries.3. Add the following to the splunk output.conf file: Send cookeddata falseAfter each step, restart Splunk.Symantec Endpoint Protection ConfigurationTo configure System Endpoint Protection Logging to send logs to the Comm BrokerSender:1.2.3.4.5.6.In the Symantec console, click Admin.Click Servers.Select the local or remote site for which you want to configure external logging.Under Tasks, click Configure External Logging.On the General tab, select how often you want log data to be sent.Select the Master Logging server that you want to handle external logging. If youuse Microsoft SQL with more than one management server connecting to the database, only one server needs to be a Master Logging Server.7. Check Enable Transmission of Logs to a Syslog Server.8. In the Syslog Server box, type the IP address or hostname of the CommunicationsBroker Sender. The Destination Port information should be UDP and 514 (default).9. Click OK.Default settings on the Log Filter tab are set to send all logs. If you run into performanceissues, you can scale this back to send only relevant events.Tomcat Configuration via SyslogTomcat does not send logs using syslog natively, In order to send syslog to the CommBroker Sender, you must use log4j.To configure log4j logging of Tomcat to syslog:1. Edit or create the following file: TOMCAT HOME /common/classes/log4j.properties (usually in /var/lib/tomcat*)2. Add the following making sure to put your syslog destination hostname or IP in thehighlighted space(s):log4j.rootLogger INFO, SYSLOG1, SYSLOG2FireEye, Inc.Deployment Guide16
log4j.logger.org.apache.catalina INFO, SYSLOG1, SYSLOG2log4j.appender.SYSLOG1 SYSLOG1.syslogHost syslog1.example.comlog4j.appender.SYSLOG1.layout G1.layout.ConversionPattern %p: %mlog4j.appender.SYSLOG1.Facility LOCAL1log4j.appender.SYSLOG1.threshold WARNlog4j.appender.SYSLOG2 SYSLOG2.syslogHost syslog2.example.comlog4j.appender.SYSLOG2.layout G2.layout.ConversionPattern %p: %mlog4j.appender.SYSLOG2.Facility LOCAL1log4j.appender.SYSLOG2.threshold WARN3. Restart Tomcat.Trend Micro Control Manager ConfigurationTo configure Trend Micro Control Manager to send logs to the Comm Broker Sender:1. Open Control Manager, click on Administration and select Settings then selectEvent Center Settings.2. In the syslog settings area configure the following:l Server IP Address: Enter the IP of the Communications Broker Senderl Server Port: Set to 5143. Click Save to complete this setupFireEye, Inc.Deployment Guide17
Appendix A. Windows Logging with NXLogCollecting events logs from Windows systems is a complex problem. Windows doesn’tsyslog natively, and important data is spread between the Windows event logs and flatfiles. Additionally, without tuning, the logs are not verbose enough to find evil.NXLog has the ability to pull Windows events, and read from flat files for DNS, DHCP,Netlogon, IIS, and any other log file on Windows. You must first install and configureNXLog then configure each log type.NXLog Installation and ConfigurationThe following instructions contain sample entries; we encourage you to read the full documentation found at http://nxlog.org/resources.To install and configure NXLog:1. Obtain the latest MSI install file from http://sourceforge.net/projects/nxlog-ce/files/2. Run the NXLog installer using the MSI package, accept the license agreement andclick finish.3. Start the service and set to start automatically4. Using a text editor, open the nxlog configuration file which is C:\ProgramFiles\nxlog\conf or C:\Program Files (x86)\nxlog\conf on 64-bitarchitectures.5. Update important entries to get the following log types such as:a. Windows Event Logging (select which version by uncommenting)#Windows Event Logging of Security,System and Application Logs Input eventlog #Uncomment im msvistalog for Windows Vista/2008 andlater#Module im msvistalog#Uncomment im mseventlog for Windows XP/2000/2003#Module im mseventlogExec Message to syslog bsd(); /Input b. DNS Logs# Sample DNS Input DNS Module im fileFireEye, Inc.Deployment Guide18
###Path to DNS Logs, make sure the is a double backslashFile "C:\\path to logs\\dns.log"SavePos TrueExec to syslog bsd(); /Input c. DHCP Logs (Note: Logs cannot be in their default location of C:\Windows\System32\dhcp and must be placed elsewhere.)# Sample DHCP Input DHCP Module im file###Path to DHCP Logs, make sure the is a double backslashFile "C:\\path to logs\\dhcp.log"SavePos TrueExec to syslog bsd(); /Input d. IIS Logs# Configure your IIS server as per the FireEye recommended settings.# Sample IIS# Add the extention for w3c format. Extension w3c Module xm csvFields date, time, s-sitename, s-computername, sip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, timetakenFieldTypes string, string, string, string, string,string, string, string, string, string, string,string, string, string, string, string, string,string, string, stringDelimiter ' ' /Extension FireEye, Inc.Deployment Guide19
# Add the configuration for reading and forwarding IISlogs for W3SVC1 (a new stanza should be made if youhave multiple sites). Input IIS Logs Module im fileFile "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u ex*"SavePos TRUEExec to syslog bsd(); /Input # Add IIS Logs to the output sectione. Output#Output to syslog Destination Output out Module om tcp###Insert IP of syslog destination belowHost X.X.X.XPort 514 /Output # Add a route to complete the configuration Route 1 Path internal, eventlog, DNS, DHCP, IIS Logs out /Route 2. Restart the nxlog service to pick up the changes made to your nxlog.conf file.a. net stop nxlogb. net start nxlogExample nxlog.conf FileThe following is an example nxlog.conf for Windows Server 2008 Events, DNS, DHCPand IIS logs:## This is a sample configuration file. See the nxlog reference manual about the## configuration options. It should be installed locally andis also available## online at al.htmlFireEye, Inc.Deployment Guide20
## Please set the ROOT to the folder your nxlog was installedinto,## otherwise it will not start.#define ROOT C:\Program Files\nxlogdefine ROOT C:\Program Files (x86)\nxlogModuledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log Extension syslog Module xm syslog /Extension Extension json Module xm json /Extension Extension w3c Module xm csvFields date, time, s-sitename, s-computername, sip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs-version, cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status, sc-bytes, cs-bytes, timetakenFieldTypes string, string, string, string, string,string, string, string, string, string, string,string, string, string, string, string, string,string, string, stringDelimiter ' ' /Extension Input internal Module im internal /Input FireEye, Inc.Deployment Guide21
Input eventlog Module im msvistalogExec to syslog bsd();# For windows 2003 and earlier use the following:# Module im mseventlog /Input Input DNS Module im fileFile "C:\\dns.log"SavePos TrueExec to syslog bsd(); /Input Input DHCP Module im fileFile "C:\\dhcp logs\\DhcpSrvLog-*.log"SavePos TrueInputType LineBasedExec to syslog bsd(); /Input Input IIS Logs Module im fileFile "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u ex*"SavePos TRUEExec to syslog bsd(); /Input Output out Mod
Citrix Netscaler syslog f5 ASM (WAF) syslog Fidelis XPS syslog FireEye NX syslog FireEye EX syslog Forescout NAC syslog IBM AIX syslog IBM AS400 syslog IBM zSecure syslog Ironport E-mail syslog Ironport Proxy syslog InfoBlox DNS syslog InfoBlox DHCP syslog ISC BIND syslog Juniper AVT sysl
