
Nxlog Global Plugin for Windows Event Logging

GunnyGunny

New Life Form
I've tried to comb all manner of areas looking for answers on this. We've enabled the nxlog plugin at the global level (on Sensor Configuration-->Collection). The plugin appears to be enabled correctly, as we've been trolling around in Jailbreak/CLI mode. 
  • Plugin listed in /etc/ossim/agent/config.cfg (nxlog=/etc/ossim/agent/plugins/nxlog.cfg)
  • We see the plugin enabled/running in /var/log/alienvault/agent/agent.log (nxlog[1817] Total lines [2042102] TotalEvents:[0]  EPS: [0.00] elapsed [10.01] seconds) and (plugin (nxlog) is enabled) messages
  • Ran tcpdump to validate a remote Windows host running Nxlog is communicating with USM over UDP 514
    • tcpdump -n -i eth0 -vvvvv host <IP ADDRESS> and udp port 514
  • Can see the actual syslog events sent from the Windows host in /var/log/alienvault/devices/<IP ADDRESS>/<IP ADDRESS>.log
    • Not sure if this is the issue and why events are going here

We don't see anything in the USM UI. We also never see the /var/log/nxlog.log get updated and I believe it should. 

Any thoughts?
Best Answer

  • Answer ✓
    Looks like support helped figure this out. Thanks! Apparently, someone put in a custom plug config file in /etc/rsyslog.d above our nxlog.conf file. That was preventing nxlog plugin from working properly. I also found out that the folder processes the plugins in alpha order--thus why there are zzz* names there so they can be sorted/processed in order. I ended up moving the offending plugin config file to the bottom of the list, restarted rsyslog and bam--worked. Hope this will be useful for someone else.
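A quick check for the ordering problem described in this answer, added here as an example (it is not from the thread or from AlienVault): it lists which *.conf files in /etc/rsyslog.d rsyslog reads before a given file, assuming the stock `$IncludeConfig /etc/rsyslog.d/*.conf` include, whose glob expansion returns matches in sorted name order. The directory and file names used when calling it are the poster's; the names in any test run are constructed.

```shell
# rsyslog_conf_order DIR TARGET
# Prints the *.conf files in DIR that rsyslog will read before TARGET.
# Assumption: the default "$IncludeConfig /etc/rsyslog.d/*.conf" line expands
# the glob with glob(3), which returns matches sorted by name, so a file that
# sorts earlier (e.g. "00-custom.conf") is processed before "nxlog.conf" and
# its rules are applied first.
# Exit status: 0 = nothing precedes TARGET, 1 = some files precede it,
#              2 = TARGET is not present in DIR.
rsyslog_conf_order() (
  dir=$1
  target=$2
  LC_ALL=C              # byte-order sort, matching glob(3) in the C locale
  export LC_ALL
  before=""
  found=0
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue        # an unmatched glob leaves the pattern itself
    name=${f##*/}
    if [ "$name" = "$target" ]; then
      found=1
      break
    fi
    before="${before}${before:+ }${name}"
  done
  if [ "$found" -eq 0 ]; then
    echo "$target not found in $dir" >&2
    exit 2
  fi
  [ -n "$before" ] && echo "$before"
  [ -z "$before" ]
)

# Usage when run directly, e.g.: sh rsyslog_conf_order.sh /etc/rsyslog.d nxlog.conf
[ "$#" -ge 2 ] && rsyslog_conf_order "$1" "$2"
```

A non-empty listing (exit status 1) names the files whose rules run ahead of nxlog.conf; after moving or renaming the offending file so it sorts later, restart rsyslog and re-run the check.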

Answers

  • One note. I configured an asset to use the Microsoft-->Windows-->Nxlog plugin and it started working. I don't want to configure the nxlog plugin per asset--I need it global, as we will have hundreds of servers delivering logs to AlienVault. So, the issue appears to be directly tied to enabling the global plugin.
  • Thank You. 

    I had this problem too. Your suggestion to "moving the offending plugin config file to the bottom of the list, restarted rsyslog" worked for me. 
     
  • Great to hear, Ben! It takes a village...