
Microsoft Windows Server

Cloud SIEM for Microsoft Windows Server

Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response. Blumira supports the following Microsoft Windows Server operating systems:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012
  • Windows Server 2008R2
  • Windows Server 2008
  • Windows Server 2003R2
  • Windows Server 2003

Blumira provides broad coverage for Windows Server, including log collection, and recommends using NXLog, Command Line Logging, DNS Debugging and Winlogbeat.

NXLog is a multi-platform log management tool that helps you identify security risks and policy breaches, and analyze operational problems, in server logs, operating system logs and application logs. In concept, NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog only.

NXLog for Windows Setup

Setting up a Standard Host

  • Download and install the newest stable NXLog Community Edition.
  • Download Blumira’s nxlog template by right-clicking this link and choosing "Save as": https://raw.githubusercontent.com/Blumira/Flowmira/master/nxlog.conf
    (You can subscribe to updates of Blumira’s nxlog template here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf )
  • Replace C:\Program Files (x86)\nxlog\conf\nxlog.conf with the downloaded Blumira nxlog configuration file.
  • Open the configuration file for editing as an administrator and replace A.B.C.D with the actual IP address of the Blumira Sensor at line 56. The edited line should look like this:
    define SIEM 10.11.12.13
  • Save the configuration file.
  • Open Windows Services and restart the NXLog service. You can also run net start nxlog in an administrator command prompt to start the service.
  • Log into the Blumira platform and verify that you are receiving NXLog events by navigating to Infrastructure > Sensors > Logging Devices, or check your Security dashboard.
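The standard-host steps above, carried out as one elevated PowerShell script. This is an added example, not a script that Blumira or the Flowmira project ships: it assumes NXLog Community Edition is already installed in the default path named above, that the session is elevated and can reach GitHub, and that the template's sensor line reads "define SIEM A.B.C.D" as the list describes. The variable names ($SensorIp, $TemplateUrl, $ConfPath) are chosen here, and 10.11.12.13 is the page's sample address, not a real sensor.

```powershell
# Added example (not Blumira's own script): automates the standard-host steps.
# Assumes NXLog CE is installed in the default path and this runs elevated.
# $SensorIp is the page's sample value; replace it with your Blumira Sensor's IP.
$SensorIp    = '10.11.12.13'
$TemplateUrl = 'https://raw.githubusercontent.com/Blumira/Flowmira/master/nxlog.conf'
$ConfPath    = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'

# Refuse to continue with a malformed address so the service is never
# restarted with a config that ships logs nowhere.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($SensorIp, [ref]$parsed)) {
    throw "'$SensorIp' is not a valid IP address; set `$SensorIp to the sensor's IP."
}

# 1. Keep a dated backup of the existing configuration before overwriting it.
if (Test-Path $ConfPath) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $ConfPath -Destination "$ConfPath.$stamp.bak"
}

# 2. Download the Blumira template over HTTPS and write it in place of nxlog.conf.
Invoke-WebRequest -Uri $TemplateUrl -OutFile $ConfPath -UseBasicParsing

# 3. Replace the A.B.C.D placeholder on the 'define SIEM' line with the sensor IP.
#    Matching the line by content (rather than by line number) survives template updates.
$conf = Get-Content -Path $ConfPath
$conf = $conf -replace '^(\s*define\s+SIEM\s+)\S+', "`${1}$SensorIp"
Set-Content -Path $ConfPath -Value $conf

# 4. Verify the edit actually landed before touching the service.
$expected = "^\s*define\s+SIEM\s+$([regex]::Escape($SensorIp))\s*$"
if (-not (Select-String -Path $ConfPath -Pattern $expected -Quiet)) {
    throw 'No "define SIEM <ip>" line found in nxlog.conf after editing; aborting.'
}

# 5. Restart the NXLog service (equivalent to the Services console / net start step)
#    and confirm it came back up.
Restart-Service -Name nxlog
$svc = Get-Service -Name nxlog
if ($svc.Status -ne 'Running') {
    throw "nxlog service is $($svc.Status), expected Running; check the NXLog log file."
}
"nxlog restarted; configuration points at sensor $SensorIp"
```

After the script finishes, the last step in the list still applies: confirm in the Blumira platform that the host appears under Infrastructure > Sensors > Logging Devices, since a running service only proves NXLog started, not that the sensor is receiving events.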

Enabling Additional Logging

  • See this help center article for recommended Windows logging GPO settings
  • If there are additional log files beyond what is covered here, you will need to specify them as channels in nxlog.conf.

If you are using Windows 2003

  • You should use this configuration instead of the aforementioned configuration: https://storage.googleapis.com/blumira-shipping-configurations/nxlog/nxlog_2003.conf
  • It can be placed in the same location, assuming you are using the x86 version of Windows 2003: C:\Program Files\nxlog\conf\nxlog.conf.
  • This configuration strips out a number of features that the 2008+ version has. We strongly recommend using the latest version of Sysmon that supports Windows 2003 to fill the visibility gaps left by the Windows 2003 event log, which is not very verbose.
  • You do not need to set up any additional logging on the host; no additional steps are required beyond the hardening guide.
  • Please reach out to [email protected] for our Windows 2003 hardening and visibility guide.

Sending Sysmon Events to Blumira

By enabling Sysmon (System Monitor) in three easy steps, you can turn on advanced Windows logging for greater visibility. See How to Enable Sysmon for instructions.

Once Sysmon is configured, you will need to add the Sysmon event channel to your NXLog configuration in order to start sending logs to Blumira’s platform for detection and response. You can use our latest version of Flowmira, or add the Sysmon route to your existing config. The latest version of Flowmira can be found here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf
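One way to add the Sysmon route to an existing nxlog.conf, as an added example rather than Flowmira's own configuration: the script checks that the Sysmon event channel actually exists on the host, skips the edit if the config already references that channel, and otherwise appends an im_msvistalog input plus a route. The output block name out_siem, the input name in_sysmon and the route name route_sysmon are hypothetical; check your own nxlog.conf for the real <Output> block name and substitute it.

```powershell
# Added example (not Flowmira's own config): appends a Sysmon input and route to an
# existing nxlog.conf. Assumes NXLog CE in the default path, Sysmon already installed,
# and an existing <Output out_siem> block; 'out_siem' is a hypothetical name, so set
# $OutputName to whatever your configuration actually calls its Blumira output.
$ConfPath   = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
$Channel    = 'Microsoft-Windows-Sysmon/Operational'
$OutputName = 'out_siem'   # hypothetical; match the <Output ...> block in your config

# 1. Confirm the Sysmon event channel exists on this host. Without it, the input
#    would only generate NXLog errors and no Sysmon events would ever be shipped.
$log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
if (-not $log) { throw "Event channel '$Channel' not found; enable Sysmon first." }
"Sysmon channel present with $($log.RecordCount) records"

# 2. Confirm the output we intend to route to really exists in the config.
if (-not (Select-String -Path $ConfPath -Pattern "^\s*<Output\s+$OutputName>" -Quiet)) {
    throw "No <Output $OutputName> block in nxlog.conf; set `$OutputName to your output's name."
}

# 3. Do nothing if the channel is already collected (e.g. current Flowmira may include it).
if (Select-String -Path $ConfPath -Pattern ([regex]::Escape($Channel)) -Quiet) {
    "nxlog.conf already references $Channel; nothing to do."
    return
}

# 4. Append an im_msvistalog input that selects every event from the Sysmon
#    channel, and a route that sends it to the existing output.
$block = @"

# --- Sysmon input and route (appended by script) ---
<Input in_sysmon>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="$Channel">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Route route_sysmon>
    Path    in_sysmon => $OutputName
</Route>
"@
Add-Content -Path $ConfPath -Value $block

# 5. Restart NXLog so the new route takes effect, then confirm it is running.
Restart-Service -Name nxlog
if ((Get-Service -Name nxlog).Status -ne 'Running') {
    throw 'nxlog failed to restart; check the NXLog log file for a parse error.'
}
"Sysmon route added and nxlog restarted."
```

The existence checks in steps 1 and 2 are the part worth keeping even if you edit the file by hand: a route that points at a misspelled output name or a channel that is not installed fails silently from the SIEM's point of view, because the host simply never sends Sysmon events.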

Detection for Windows Firewall

For instructions on how to configure detection for Windows Firewall using NXLog, please see the following documentation:
https://www.blumira.com/integration/microsoft-windows-firewall/

Detection for IIS

For instructions on how to configure detection for IIS using NXLog, please see the following documentation: https://www.blumira.com/integration/microsoft-windows-iis/

Detection for PowerShell

For instructions on how to configure detection for PowerShell using NXLog, please see the following documentation:
https://www.blumira.com/integration/windows-server-powershell/

Detection for DNS

For instructions on how to configure detection for DNS using NXLog, please see the following documentation: https://www.blumira.com/integration/microsoft-windows-dns/