• Support
  • Forums
  • Blogs

nxlog or ossec

BBanksBBanks

New Life Form
+4
Hi guys,

i know that´s the topic have a long history :) but what´s the current in 2017 q4 ?

in our mix windows infrastructure (win7-10, win server 2008-2016) we have to choose nxlog or ossec. 
i am on the right way then ossec have more option as it´s hids and it could be forward all events, too
nxlog is a "simple" event forwarder

is there any pro or cons against ossec or it´s better to choose nxlog?
have you got the feeling/impression that alienvault focus more on nxlog as on ossec? e.g the new plugin for sysmon is just on nxlog..
btw. let us be realistic that sysmon is very great tool and i can´t understand why just on nxlog?!??!? the rule/decoder for ossec are already on the market...

or maybe both? like siemonster use it?

thx guys for your help

Share post:

Answers

  • remember that this is just an opinion based on my own knowledge.

    both ossec and Nxlog work fine as log collector but both have pros and cons when it comes to alienvault.

    Ossec is the official HIDS agent for the AV appliance, its fully intergrated and supported by AV support (basic configuration) its monitored so if the service goes offline on a server your aware.

    Nxlog isnt supported officially on the appliance but its the Default plugin on USM Anywhere, AV current flagship offering, ask yourself why would they switch from Ossec which they've been using for so long to Nxlog?

    while the ossec intergration makes it convinient to use, we have had some issues, because of the use of encryption keys and times, we have ossec agents constantly going offline in our more dynamic environments, theres been an occasion where the ossec agent took down a branch connection because of a dramatic increase in log traffic.
    were in the process of implementing and testing Nxlog in some of our environments and so far were happy with how detailed and flexible some of the logs are. and you also have the option of logging DHCP and DNS logs.
  • I would say that Nxlog is supported on the appliance. It has multiple plugin builds in /etc/ossim/agent/plugins and in the sensor plugin menu. Plus there is documentation on How-to https://www.alienvault.com/documentation/usm-appliance/supported-plugins/configuring-nxlog.htm. ;

    Nxlog is great but kind of a pain from my experience to set up. It records very similar events to OSSEC, but can monitor DNS, DHCP, IIS logs etc. 

    One thing Nxlog doesn't do is file integrity, and usb monitoring. So just depends on the situation. 


  • when i said supported i meant along the lines of official intergration and support, like it is in USM Anywhere. 
  • I don't understand what would make it not officially integrated. You install the agent on the end point, forward the log to your sensor. I haven't worked with Anywhere much but seems like this plugin is solid in the appliance. 

    Nxlog is built in as a global plugin in the appliance /etc/rsyslog.d/ rules. So all you have to do is enable the plugin and forward the log. Just make sure to add the /var/log/nxlog.log location in the /etc/logrotate.d/ rules. Since Alienvault didn't do that when they setup the rsyslog.d rule. Will keep your log rotated and not get over sized in the sql db. 

  • might be worth your time to make sure that the /var/log/nxlog.log is getting rotated properly if you have already implemented it in your current deployment. 
  • @zparker NXlog is supported but not officially integrated as in the default agent.a page with the status of all the NXlog agents deployed, notifications if they go offline, mass deployment from the web interface, those conveniences may be important for those that are less technical or are new to AV.  if you read my first comment properly you would see that I am supporting the use of NXlog instead of OSSEC, i just felt the OC should have all the facts so he could make an informed decision.

    as far as the logrotate that came up months ago on a clients deployment, the engineers we spoke to said it was intentional and there was no need for it. we haven't seen any dramatic increase in space used.  the one thing we recently started looking into was a way to be notified when specific agents stop forwarding logs.
  • Nxlog is very verbose. So I don't know why it would make sense to not put that log in the logrotate rules just like all of the other global plugins. Same way when you enable other plugins (not listed in rsyslog.d) as global plugins, you have to put the log in a logrotate rule. The log will simply continue to get bigger and never be rotated. 

    My opinion is that Nxlog is useful in some situations. It doesn't do usb monitoring or FIM. Just depends on the need. 

    Also you can write a script to check syslog every so often, and if there is logs in a certain amount of time, create a event and send it to /var/log/syslog-check.log and build you a plugin for it. 
  • yea i dont understand why they claim theres no need for a logrotate rule either, but i figure they may know something im not aware of since they maintain the system. im monitoring the diskspace on that system carefully.

    also NXlog already has heartbeat events for every agent, what im trying to figure out is a way to be alerted when that event isnt recieved but you may of giving me an idea 
  • hi guys, thx for responses.

    yes that´s exactly we us asking why nxlog will be or is the default by av anywhere...

    i saw by another project siemonster that they are using both ossec and nxlog 
    i would just see a reason to nxlog as a kind of longterm log collector, or?

  • just go to /var/log and check the log sizes to see if the log is rotating. nxlog communicates on udp 514, ossec on udp 1514.
  • > My opinion is that Nxlog is useful in some situations. It doesn't do usb monitoring or FIM.

    This is not entirely correct. See the im_fim module. For USB monitoring see this thread on reddit.

    rdiethzparker
  • Is anyone from AlienVault able to give direction as to which agent will be preferred going forward?
Sign In or Register to comment.