Windows NXLog Agent Setup

Blumira uses NXLog in order to collect logs from Active Directory. NXLog is a multi-platform log management tool that helps to easily identify security risks and policy breaches, or analyze operational problems, in server logs, operating system logs and application logs.

In concept NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog only.

Setting up a Standard Host

  • Download and install the newest stable NXLog Community Edition.
  • Replace C:\Program Files (x86)\nxlog\conf\nxlog.conf with the Blumira nxlog configuration file found here:
  • Open the configuration file for editing as an administrator and replace A.B.C.D. with the actual IP address of the Blumira Sensor at line 21. The edited line should look like this:
    define SIEM
  • Save the file.
  • Open Windows Services and restart the NXLog service.  You can also run net start nxlog to start the service in an administrator command prompt.
  • Log into the Blumira platform and verify that you are receiving NXLog events by navigating to the Settings > Sensors > Logging Devices page, or look at your Security dashboard.

If you are using Windows 2003:

  • You should use this configuration instead of the aforementioned configuration:
  • It can be placed in the same location, assuming you are using the x86 version of Windows 2003: C:\Program Files\nxlog\conf\nxlog.conf.
  • This configuration strips out a number of features that the 2008+ version has.  We strongly recommend using the latest version of Sysmon that supports Windows 2003 to fill in the gaps left by the Windows 2003 event log not being very verbose.
  • You do not need to set up any additional logging on the host; no additional steps are required beyond the hardening guide.
  • Please reach out to [email protected] for our Windows 2003 hardening and visibility guide.

Setting up IIS Logging

Event Viewer Collection for IIS – Recommended

With the configuration file change on 2019/10/16, updates to the configuration file are no longer required to support IIS.  If you currently use IIS, you should run the following commands in an Administrative command prompt to enable logging:

wevtutil sl Microsoft-IIS-Configuration/Administrative /e:true
wevtutil sl Microsoft-IIS-Configuration/Operational /e:true
wevtutil sl Microsoft-IIS-Logging/Logs /e:true

If IIS is not installed you will get an error.  That’s OK; the error is harmless when the commands are run across a broad deployment.
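For a broad deployment, the same three channels can be enabled idempotently, skipping hosts where they do not exist instead of raising the error. This is an added example, not part of the Blumira configuration; the function name Enable-IisEventChannel is hypothetical, and it must be run from an elevated PowerShell session.

```powershell
function Enable-IisEventChannel {
    # Channel names are the three from the wevtutil commands above.
    param([string[]]$Channel = @(
        'Microsoft-IIS-Configuration/Administrative'
        'Microsoft-IIS-Configuration/Operational'
        'Microsoft-IIS-Logging/Logs'
    ))
    foreach ($name in $Channel) {
        # Returns nothing (no terminating error) when the channel is absent.
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            $state = 'NotPresent'          # channel missing, e.g. IIS not installed
        } elseif ($log.IsEnabled) {
            $state = 'AlreadyEnabled'      # nothing to change
        } else {
            & wevtutil.exe sl $name /e:true
            $state = if ($LASTEXITCODE -eq 0) { 'Enabled' }
                     else { "Failed (wevtutil exit code $LASTEXITCODE)" }
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Channel = $name; State = $state }
    }
}

# One row per channel; collect these centrally to see which hosts need follow-up.
Enable-IisEventChannel | Format-Table -AutoSize
```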

Lastly, each IIS server will need its logging configuration changed in Log Event Destination to support the Event Log.

  • Go to your IIS Manager>Server Configuration>Logging
  • Select “Both log file and ETW event”
  • Restart nxlog from the services console or with the following command
net stop nxlog && net start nxlog
  • Data from IIS will start flowing

Direct Log File Collection

NOTE: This is an option INSTEAD of the recommended collection option above, for use if you have an older nxlog.conf that you’d like to keep using.

If you are leveraging IIS on a server and would like to collect the access logs associated with it, a few small modifications are required to the nxlog.conf file that you downloaded above. In most cases, just enabling logging for your IIS Site and uncommenting the section in nxlog.conf will be all that is required from the steps below.

  • Check that you have Logging enabled on your IIS instance.
  • Go to your IIS Manager>Server Configuration>Logging
  • Ensure that your main Logging configuration matches the below configurations.  The locations of the log file(s) can be in a different place than the default, but, the actual field selection seen in the below image must match or the data will fail to parse appropriately.

    When you click on Select Fields… next to W3C format, the fields seen below should be selected in this order.  Your Standard Fields output should look exactly like the following image.
  • Once you have validated that the logging is set up correctly and the logs are either in the default path or you are aware as to where they are located, you can proceed to the next step.
  • Open up nxlog.conf downloaded from the previous section and navigate to Windows IIS Event Logs START.  If your logs are in the default location, C:\inetpub\logs\LogFiles\, then you likely do not need to make any changes.  Otherwise, change the File path at line 201 to be where your logfiles are located and named, e.g., C:\logfiles\site* if all files are rotating at C:\logfiles\site_log1.log.
  • Uncomment the section, that is, remove the # from the beginning of each line, starting at #<Extension w3c> and continuing until #</Route> above the Windows IIS Event Logs END block.
  • You can now restart your nxlog instance with net stop nxlog && net start nxlog, and IIS logs will now show up as http_access on your Sensor Details page.

NOTE: If you have more than one Site on your host, you will need to ensure that each Site is configured appropriately for Logging.  Then, you will need to copy and paste the entire Windows IIS Event Logs START to END block and change the File parameters appropriately for those log files.

Setting up Windows Firewall Logging

*Tested from Server 2012 to Current

Windows Firewall Logging has some significant benefits, but it does increase the amount of logs and data being extracted from your host. Blumira recommends implementing this configuration in areas where you do not have good visibility within the network.

NOTE: Successful logging requires the on-host firewall to be enabled and functioning in the appropriate policies. In situations where your Windows Firewall has been disabled, this will only set the FirewallProfile and not necessarily enable it.  Please review Microsoft documentation pertaining to your on-host firewall for more details.  Blumira always recommends least access: only expected protocols should be allowed when possible. However, even just having the firewall set to default policies and enabled will allow log collection to function.

Enabling Using Powershell

To reduce noise, Blumira recommends setting this up to log only traffic Dropped by the Firewall.  While Allowed traffic can be sent, it will drastically increase noise within your logging infrastructure and will essentially log all traffic from that host.  Blumira recommends only doing this in situations where you have a highly sensitive host that does not traverse any other logging that Blumira captures.

Recommended Powershell Command

Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed False -LogIgnored True

If significant verbosity is required, use this command, which will log Allowed connections as well:

Set-NetFirewallProfile -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log -LogBlocked True -LogAllowed True -LogIgnored True
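After running either command, it is worth confirming that each profile is actually enabled and logging drops (per the NOTE above), and that the log parses as expected. The following is an added example, not part of the Blumira configuration: the function names Get-FirewallLoggingState and ConvertFrom-FirewallLog are hypothetical, and the sample log lines are constructed.

```powershell
# Added example: audit the settings applied by Set-NetFirewallProfile and
# summarize DROP entries from pfirewall.log. Run in an elevated PowerShell.
function Get-FirewallLoggingState {
    # One row per profile (Domain, Private, Public) with any problems found.
    Get-NetFirewallProfile | ForEach-Object {
        $issues = @()
        if ("$($_.Enabled)" -ne 'True')    { $issues += 'profile disabled: nothing will be logged' }
        if ("$($_.LogBlocked)" -ne 'True') { $issues += 'dropped packets are not logged' }
        if ("$($_.LogAllowed)" -eq 'True') { $issues += 'allowed traffic is logged (high volume)' }
        [pscustomobject]@{ Profile = $_.Name; LogFile = $_.LogFileName; Issues = $issues -join '; ' }
    }
}

function ConvertFrom-FirewallLog {
    # Parses pfirewall.log lines; column names are taken from the '#Fields:' header.
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($l -match '^\s*(#|$)' -or -not $fields) { continue }   # skip comments and blanks
        $values = $l.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Constructed sample lines (not from a real host), in the pfirewall.log layout.
$sample = @(
    '#Version: 1.5'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    ''
    '2019-10-16 09:14:02 DROP TCP 192.0.2.10 198.51.100.5 51512 445 52 S 0 0 8192 - - - RECEIVE'
    '2019-10-16 09:14:05 DROP TCP 192.0.2.10 198.51.100.5 51513 445 52 S 0 0 8192 - - - RECEIVE'
    '2019-10-16 09:14:09 DROP UDP 192.0.2.44 198.51.100.5 137 137 78 - - - - - - - RECEIVE'
)

Get-FirewallLoggingState | Format-Table -AutoSize -Wrap
ConvertFrom-FirewallLog -Line $sample | Where-Object action -eq 'DROP' |
    Group-Object 'src-ip', 'dst-port' | Sort-Object Count -Descending |
    Select-Object Count, Name
```

To run the summary against a live host, pass the output of Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" to ConvertFrom-FirewallLog in place of $sample.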

Enabling Using GPO

You will need to ensure that logging is enabled for the Windows FW via GPO for Dropped packets only. Adding successful packets will most likely be unnecessarily verbose unless you require visibility due to lack of segmentation.

  • Open the appropriate group policy object
  • Navigate to Computer Configuration>Windows Settings>Security Settings>Windows Defender Firewall with Advanced Security>Windows Defender Firewall Properties.
    * Example of the local Group Policy editor, refer to this link for Domain-specific guidance to deploy GPOs for Windows Firewall.
  • For each network location type (Domain, Private, Public), perform the following steps.
  • Click the tab that corresponds to the network location type.
  • Under Logging, click Customize.
    • No need to change the location, the configuration assumes that you will have it in the default place.
    • Ensure that only Log dropped packets is set to Yes. Unless you require significant visibility, Log successful connections should be No.
    • Click OK
    • If you did not change the default path for the Logging file, you only need to uncomment the Windows Firewall Logs section.
    • Uncomment the section, that is, remove the # from the beginning of each line, starting at #<Extension csv_windows_fw> and continuing until #</Route> above the Windows Firewall Logs END block.
    • Restart nxlog from the services console or with the following command
net stop nxlog && net start nxlog
  • Data from the firewall will start flowing

Change Log

After testing 2012-2019 Windows kernels we have determined that uncommenting is no longer necessary.  The new configuration supports IIS and Windows Firewall out of the box with new methods to collect data.  It is no longer required to define per site for IIS; IIS will ingest directly from the Event Viewer. Additionally, the Windows Firewall section now has an accompanying Powershell command to enable logging.

As of 2019/10/08 the Blumira NXLog configuration has adopted a new format and style. In some cases you may need to uncomment sections to ensure certain types of data, like IIS and FW, are appropriately consumed. Please refer to sections later in this document that discuss enabling certain log types and configuration for more details. To use this to only collect OS-level logs, you only need to change the IP for the sensor as discussed in the following content. In many cases application logs, such as SQL Server, will flow through Event Viewer so no changes will be required on your part.