Dave Glover

Collecting Windows Logs Via NXLog over TLS

Discussion created by Dave Glover Employee on Feb 26, 2018
Latest reply on Apr 23, 2018 by Steven Dearstyne

NXLog (NXLog Community Edition | nxlog.co ) is a Windows log collection agent that can be used with RSA NetWitness.  In addition to sending logs to NetWitness over UDP/TCP, NXLog can also be configured to send them over TLS, which protects the events in transit and, with certificate checking turned on, lets the agent verify that it is really talking to your Log Decoder.  There are a few steps to perform to configure NXLog.  If you only plan on sending the logs over TCP/UDP then only Steps 1 and 2 are necessary.  For TLS, continue with the version-specific steps below.


Step 1. Download the NXLog community edition and install it on the Windows system of choice.

Step 2. Make sure the Output section of the configuration file (nxlog.conf) looks like the below (xxx.xxx.xxx.xxx is the Log Decoder's address):


<Output out>
    # Host is required by om_tcp: the address of the Log Decoder
    Module  om_tcp
    Host    xxx.xxx.xxx.xxx
    Port    514
    Exec    to_syslog_snare();
</Output>


The 'Exec to_syslog_snare();' line must be present so that NXLog sends the events in Snare format, which is what NetWitness expects from this agent.  The default nxlog.conf already contains the Input and Route sections that feed this Output; only the Output block needs to change.


*********** For V11 ****************


Step 3. On the Log Decoder that you will be sending to, navigate to the /etc/pki/nw/node directory and locate the node-cert.p7b file.  To avoid accidentally modifying anything under /etc/pki, copy the file to the /tmp directory and work on the copy.


Step 4.  Change to the tmp directory (cd /tmp) and execute the following:  openssl pkcs7 -print_certs -in node-cert.p7b -out ld.crt   (If openssl cannot load the file, the bundle is DER-encoded rather than PEM; add -inform DER to the command.  -print_certs writes every certificate in the bundle into ld.crt.)


Proceed to the common steps (Step 5) below.


***********  For V10.6.x  ****************


Step 3. On the Log Decoder that you will be sending the logs to, navigate to /etc/netwitness/ng/logdecoder/trustpeers.

Step 4. Run /etc/puppet/scripts/node_id.py and take note of the ID it prints.

Step 5. Copy the two certificate files found in that directory to /tmp and rename their extension from .0 to .cer.

Step 6. For each of the files, convert from .cer to .crt, picking two different names for the output:  openssl x509 -in xx.cer -out xx.crt   (PEM input is the default; if a file is DER-encoded, add -inform DER.)


Step 7. Copy each .crt file to the Windows host.

Step 8.  Double-click each file and find the one whose certificate details show the node_id value from Step 4.

Step 9. Rename the file that matches the node ID to ld.crt.


Proceed to the common steps (Step 5) below.
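The certificate handling on the Log Decoder for both the V11 path (node-cert.p7b) and the V10.6.x path (trustpeers files matched against the node ID), as an added shell example that is not part of the original post. It assumes openssl is installed on the decoder, that the node ID shows up somewhere in the decoded certificate text (subject or extensions), and that file names are passed as arguments; the paths in the usage comment are the ones from the steps above.

```shell
#!/bin/sh
# Added example, not from the original post. Extract the Log Decoder's
# certificate for NXLog's CAFile, whatever its encoding, and pick the file
# that carries the node ID (assumed to appear in the decoded certificate).
# Requires: openssl.

# Report PEM if the file starts with a PEM armour line, otherwise DER.
cert_encoding() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo PEM
    else
        echo DER
    fi
}

# V11: every certificate in node-cert.p7b ($1) -> PEM file ($2).
p7b_to_pem() {
    openssl pkcs7 -inform "$(cert_encoding "$1")" -print_certs -in "$1" -out "$2"
}

# V10.6.x: one trustpeers file, xx.0 or xx.cer ($1) -> PEM file ($2).
x509_to_pem() {
    openssl x509 -inform "$(cert_encoding "$1")" -in "$1" -out "$2"
}

# Succeed if the first PEM certificate in $1 mentions node ID $2 anywhere in
# its decoded text (subject, issuer, SAN). Assumption: the ID is in the cert.
cert_matches_node() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Among the PEM files given after the node ID, print the first one that
# matches; fail if none does, so a wrong certificate is never used silently.
pick_ld_crt() {
    node_id=$1; shift
    for f in "$@"; do
        if cert_matches_node "$f" "$node_id"; then
            echo "$f"
            return 0
        fi
    done
    echo "no certificate matches node ID $node_id" >&2
    return 1
}

# Usage on a 10.6.x decoder (file names a/b are placeholders):
#   cd /tmp && x509_to_pem a.cer a.crt && x509_to_pem b.cer b.crt
#   cp "$(pick_ld_crt "$(/etc/puppet/scripts/node_id.py)" a.crt b.crt)" ld.crt
# Usage on a V11 decoder:
#   cd /tmp && p7b_to_pem node-cert.p7b ld.crt
```

Matching the node ID on the decoder with pick_ld_crt replaces the double-click inspection on the Windows side, and it fails loudly when neither file matches rather than letting you ship the wrong certificate to NXLog.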





*********** Common steps, both versions ****************


Step 5.   Copy the ld.crt file (or whatever you named it above) to the Windows system running NXLog and place it in the 'C:\Program Files (x86)\nxlog\cert' directory (create the directory if it does not exist).


Step 6. Navigate to 'C:\Program Files (x86)\nxlog\conf' and open the nxlog.conf file in Notepad or Notepad++.


**It is important that you open Notepad or Notepad++ as administrator, otherwise the file cannot be saved under Program Files.**


Step 7. Add or replace the Output section with the following lines.  Port 6514 is the port the Log Decoder listens on for syslog over TLS.  AllowUntrusted FALSE makes NXLog verify the decoder's certificate against ld.crt before it sends anything, so a rogue collector on the network cannot impersonate the decoder; leaving it TRUE would accept any certificate and defeat the point of the exercise.  %ROOT% is the install directory defined at the top of the default nxlog.conf, and xxx.xxx.xxx.xxx is the Log Decoder's address:


<Output out>
    Module          om_ssl
    Host            xxx.xxx.xxx.xxx
    Port            6514
    # CA used to verify the Log Decoder's certificate
    CAFile          %ROOT%\cert\ld.crt
    AllowUntrusted  FALSE
    Exec            to_syslog_snare();
</Output>


Step 8.  Restart the nxlog service in the Services applet, then check 'C:\Program Files (x86)\nxlog\data\nxlog.log' for certificate or connection errors; if the handshake fails, the usual cause is the wrong certificate in ld.crt or a typo in the CAFile path.


Hope that helps