Documentation leaves NXLog configuration blank #574

vicosurge · 2021-10-13T23:04:38Z

This is more of an observation than a complaint; so far, it has been super simple to implement and use (much, much more straightforward than SecurityOnion or the whole Elastic stack).

The thing I could not find in the documentation was how to setup NXLog to send logs that Logstash could understand, I got the port, but it was missing the portion in which to_json(); has to be added for it to work and for the data actually to be interpreted.

Example below:

<Extension _json>
	Module 	xm_json
</Extension>

<Input windows_helk>
    Module          im_msvistalog
    SavePos         TRUE
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level&lt;4]</Select>
                <Select Path='System'>*</Select>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>			
		<Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
		<Select Path='Windows PowerShell'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output helk_logstash>
	Module		om_tcp
	Host		<my_ip>:8531
	Exec		to_json();
</Output>

<Route helk>
	Path	windows_helk => helk_logstash
</Route>

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Documentation leaves NXLog configuration blank #574

Documentation leaves NXLog configuration blank #574

vicosurge commented Oct 13, 2021

Documentation leaves NXLog configuration blank #574

Documentation leaves NXLog configuration blank #574

Comments

vicosurge commented Oct 13, 2021