AlienVault® USM Anywhere™

Windows Server as an NXLog Central Collector

You can choose an implementation where you set up each Windows host to forward its events to a subscribing server. In this scenario, the collector server acts as a central repository for Windows logs from other servers in the network. With this method, you must set up Windows Event Forwarding on each Windows host to enable the collection functions.

  • Forward Windows Events to an NXLog CE agent running on a Windows server
  • Enable syslog forwarding from the NXLog CE agent to the USM Anywhere Sensor

Using Windows Server as a means of collecting Windows event logs is intended for use in these USM Anywhere environments:

  • On-premises (VMware or Hyper-V sensors)
  • AWS, where the Windows hosts are deployed within one of the following configurations:

    • The Windows hosts, the NXLog agent server, and USM Anywhere Sensor are located in the same AWS VPC.
    • The Windows hosts, the NXLog agent server, and USM Anywhere Sensor are not located in the same AWS VPC, but you have VPC peering configured to allow the NXLog server to communicate with the sensor using UDP port 514.
  • Azure, where the Windows hosts, the NXLog agent server, and USM Anywhere Sensor are located in the same virtual network.

    Important: Because it does not require that you set up log forwarding on each host, the easiest and most straightforward method for Windows log collection in an Azure environment is to collect the Windows Security events from the Azure storage table. However, if you need the additional logs forwarded by NXLog, you can use the following information to configure Windows log collection for this environment.

Install and Configure NXLog on the Central or "Subscribing" Server

Complete the following tasks to implement this method of auditing and forwarding Windows event logs and manage the subscriptions.

The first task is to install NXLog CE on the computer where the events will be collected.

To install NXLog CE and configure forwarding

  1. Download the newest stable NXLog Community Edition.
  2. Make a backup copy of the original C:\Program Files (x86)\nxlog\conf\nxlog.conf file and give it another name.
  3. Download the NXLog configuration for USM Anywhere and save it as your new nxlog.conf file.
  4. Open the configuration file for editing and replace usmsensoriphere with the IP address of the USM Anywhere Sensor.
  5. USM Anywhere listens for syslog at UDP port 514, TCP port 601, or TLS/TCP port 6514. Depending on the protocol you decide to use, edit the configuration file as detailed below. Make sure USM Anywhere allows inbound requests to the corresponding port.

  6. Some sections in the nxlog.conf file have been commented out to improve performance. Depending on which product you want to collect logs from, you need to uncomment the corresponding section. See specific plugin documentation for details.

  7. Save the file.
  8. Open Windows Services and restart the NXLog service.
  9. Open USM Anywhere and verify that you are receiving NXLog events.

Note: If you need to debug NXLog, open C:\Program Files (x86)\nxlog\data\nxlog.log.
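The following is an added example of what steps 3 to 5 produce, not the configuration file you download from USM Anywhere: a minimal nxlog.conf for a collector that reads the events subscribed through Windows Event Forwarding and ships them to the sensor. It keeps the page's usmsensoriphere placeholder for the sensor address; the ForwardedEvents channel is where WEF subscriptions deliver events on the collector, and the CAFile path is an assumed location for the sensor's CA certificate.

```nxlog
## Added example (not the USM Anywhere download); paths are NXLog CE defaults.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

## Events subscribed via Windows Event Forwarding land in the collector's
## ForwardedEvents channel, not in its own Security log, so read that channel.
<Input wef>
    Module im_msvistalog
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="ForwardedEvents">*</Select>\
              </Query>\
          </QueryList>
</Input>

## Option A (step 5, UDP 514): plaintext syslog. Replace usmsensoriphere
## with the sensor IP address, as in step 4.
<Output usm_udp>
    Module om_udp
    Host   usmsensoriphere
    Port   514
    Exec   to_syslog_bsd();
</Output>

## Option B (step 5, TLS/TCP 6514): encrypted and authenticated transport.
## CAFile is an assumed path to the CA that issued the sensor's certificate;
## AllowUntrusted FALSE makes NXLog refuse a sensor whose cert does not chain to it.
<Output usm_tls>
    Module         om_ssl
    Host           usmsensoriphere
    Port           6514
    CAFile         %ROOT%\cert\usm-ca.pem
    AllowUntrusted FALSE
    Exec           to_syslog_ietf();
    OutputType     Syslog_TLS
</Output>

## Exactly one route is active; point it at usm_tls to switch protocols.
<Route to_usm>
    Path wef => usm_udp
</Route>
```

After restarting the service (step 8), nxlog.log reports any module or certificate error, and with Option B a sensor certificate that does not validate against CAFile causes the connection to be refused rather than silently downgraded.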

Next, go directly to NXLog Collection and Subscriptions.