AlienVault® USM Anywhere™

Configuring NXLog CE for Windows Hosts

If you want to collect and forward Windows events that are not supported by the Windows Event Collector sensor app or other types of non-Windows application events from a Windows host, you can install and configure NXLog Community Edition (CE) and customize your configuration file for integration with USM Anywhere. You can choose to set up NXLog on each Windows host to forward events directly to the USM Anywhere Sensor or use a forwarding server as a central collection point.

The MS Windows NXLog plugin provided by USM Anywhere translates the raw log data into normalized events for analysis. (Normalization is the translation of log file entries received from disparate types of monitored assets into the standardized framework of event types and subtypes.) This plugin automatically processes all messages forwarded to the USM Anywhere Sensor where the syslog tag matches the value "eventlog".

Forwarding NXLog Messages Directly to the Sensor

The simplest implementation is to install NXLog CE on each Windows host and configure it to forward messages to the USM Anywhere Sensor.
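The following nxlog.conf is an added example of this direct-forwarding layout, not the configuration file shipped by USM Anywhere or NXLog: it reads the Windows Security, System, and Application channels with im_msvistalog and sends them as BSD syslog over UDP port 514 with the syslog tag set to "eventlog", which is the tag the MS Windows NXLog plugin matches on. The sensor address 10.0.0.5 is a placeholder, and formatting the payload with to_syslog_bsd() is an assumption; the plugin's expected message body is not described on this page.

```apacheconf
# Added example nxlog.conf for a Windows host forwarding directly to the sensor.
# Paths below are the NXLog CE defaults on 64-bit Windows.
Panic Soft
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides to_syslog_bsd() and the $SourceName field used as the syslog TAG.
<Extension syslog>
    Module xm_syslog
</Extension>

# Collect from the Windows event channels that the sensor app does not already cover.
<Input win_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward to the USM Anywhere Sensor. 10.0.0.5 is a placeholder sensor IP.
<Output usm_sensor>
    Module om_udp
    Host 10.0.0.5
    Port 514
    # The plugin keys on the syslog tag "eventlog", so set the TAG before formatting.
    Exec $SourceName = 'eventlog'; to_syslog_bsd();
</Output>

<Route eventlog_to_usm>
    Path win_eventlog => usm_sensor
</Route>
```

Because om_udp provides no delivery confirmation, confirm receipt on the sensor side rather than relying on the absence of errors in nxlog.log.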

Using a Windows Server as a Central Collector

You can choose an implementation where you set up each Windows host to forward its events to a subscribing server. In this scenario, the collector server acts as a central repository for Windows logs from other servers in the network. With this method, you must set up Windows Event Forwarding on each Windows host to enable the collection functions.

  • Forward Windows events to an NXLog CE agent running on a Windows server
  • Enable syslog forwarding from the NXLog CE agent to the USM Anywhere Sensor

This method of auditing and forwarding Windows event logs is intended for use in these USM Anywhere environments:

  • On-premises (VMware or Hyper-V sensors)
  • AWS, where the Windows hosts are deployed within one of the following configurations:

    • The Windows hosts, the NXLog agent server, and USM Anywhere Sensor are located in the same AWS VPC.
    • The Windows hosts, the NXLog agent server, and USM Anywhere Sensor are not located in the same AWS VPC, but you have VPC peering configured to allow the NXLog server to communicate with the sensor using UDP port 514.
  • Azure, where the Windows hosts, the NXLog agent server, and USM Anywhere Sensor are located in the same virtual network.

    Important: Because it does not require that you set up log forwarding on each host, the easiest and most straightforward method for Windows log collection in an Azure environment is to collect the Windows Security events from the Azure storage table. However, if you need the additional logs forwarded by NXLog, you can use the following information to configure Windows log collection for this environment.

Complete the following tasks to implement this method of auditing and forwarding Windows event logs and manage the subscriptions.