Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
Product | Samurai [Local] Collector | Samurai [Cloud] Collector
Windows Event Log (using NXLog CE) | Supported (this article) |
Windows Event Logs can also be collected and ingested into Samurai XDR by installing NXLog Community Edition on a Windows endpoint, and sending logs to a Local Collector using the Snare Syslog format.
Samurai XDR expects the Snare fields to be separated by commas, whereas NXLog's Snare output separates them with a Tab character by default. The configuration steps in this article include the one-line change that swaps the delimiter.
To complete this Integration you will need to:
1) On a Windows endpoint: download and install NXLog CE, then configure it to send the Windows Event Log in Snare Syslog format (with the comma delimiter) to your Local Collector.
2) From the Samurai XDR application: look up the IP address of your Local Collector, if you do not already know it, and confirm that the integration is reporting.
For integrations that use a Local Collector and ingest syslog only, there are no integration-specific steps to perform in the Samurai XDR application, because the vendor and product are detected automatically. The only reason to open the Samurai XDR application is to determine the Local Collector IP address. You will still need to confirm that the integration is functioning; see Integrations for more information on checking status.
Download and Install NXLog CE
To download NXLog Community Edition, go to the Downloads page on the NXLog website, and select the installer for Microsoft Windows. Once you have downloaded the installer, run it and follow the installation instructions in the installer.
Configure NXLog CE to send syslog messages to your Local Collector
You can find instructions on how to send Windows Event Logs in Snare Syslog format on the NXLog website. On this page, you will find an example config to be added to your nxlog.conf file to send logs in Snare format. Your nxlog.conf file can typically be found in the directory C:\Program Files\nxlog\conf.
You will need to make 2 changes to this example, namely:
- Change the IP address 192.168.0.1 to the address of your Local Collector, and
- Change the field delimiter to a comma, by appending the following statement to the Exec line in the Output section of your nxlog.conf file:
$raw_event = replace($raw_event, "\t", ',');
Note that om_tcp sends the events unencrypted: the contents of the Security log travel in cleartext between the endpoint and the Local Collector on TCP port 514, so keep that path on a trusted network segment and restrict which hosts can reach the collector.
With this modification, the example on the NXLog website will look as follows:
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output tcp>
    Module      om_tcp
    # Replace 192.168.0.1 with the address of your Local Collector
    Host        192.168.0.1
    Port        514
    Exec        to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
</Output>

<Route eventlog_to_tcp>
    Path        eventlog => tcp
</Route>
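The following script is an added example for this article, not code from Samurai XDR or NXLog. It mirrors in Python the Exec statement that rewrites the Tab delimiter to a comma, then parses the resulting Snare-over-syslog line. The point it demonstrates is a consequence of the delimiter change that the configuration alone does not show: the free-text event description at the end of a Snare line routinely contains commas (for example "Logon Type: 3, ..."), so a consumer must split the payload into a fixed number of leading fields and keep the remainder whole rather than splitting on every comma. The field names in FIXED_FIELDS are illustrative and follow the usual Snare-for-Windows order; they are an assumption of this example and should be checked against the output of your NXLog version. The sample event line is constructed. The parser is written to accept either delimiter, so it goes slightly beyond the page by handling both the original Tab form and the comma form.

```python
"""Added example (not from the Samurai XDR article or from NXLog).

Mirrors the nxlog.conf Exec rewrite (Tab -> comma) and parses the resulting
Snare-style syslog line without being confused by commas inside the
event description. Field names and the sample line are constructed.
"""
import re

# Fixed fields that precede the free-text description in a Snare line.
# Assumption for this example: adjust if your NXLog version emits a
# different set of leading fields.
FIXED_FIELDS = (
    "sensor", "criticality", "log_name", "counter", "event_time",
    "event_id", "source_name", "user_name", "sid_type", "event_log_type",
    "computer_name", "category",
)

# BSD syslog header that precedes the Snare payload:
#   <PRI>Mon DD HH:MM:SS hostname <payload>
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<payload>.*)$",
    re.DOTALL,
)

# Constructed sample, Tab-delimited as it would look before the Exec
# rewrite. The description deliberately contains commas.
SAMPLE_TAB = (
    "<13>Jan 12 10:15:42 WIN-DC01 MSWinEventLog\t1\tSecurity\t1042\t"
    "Tue Jan 12 10:15:41 2021\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWIN-DC01\tLogon\t"
    "An account was successfully logged on. Subject: Security ID: S-1-0-0, "
    "Account Name: -, Logon Type: 3, New Logon: Account Name: svc_backup"
)


def nxlog_exec(raw_event: str) -> str:
    """Python equivalent of the statement appended to the Exec line:
    $raw_event = replace($raw_event, "\\t", ',');"""
    return raw_event.replace("\t", ",")


def parse_snare(line: str, delimiter: str = ",") -> dict:
    """Parse one Snare-over-syslog line separated by `delimiter`.

    The payload is split at most len(FIXED_FIELDS) times, so the final
    field (the event description) keeps any embedded delimiter characters.
    """
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:40])
    parts = m.group("payload").split(delimiter, len(FIXED_FIELDS))
    if len(parts) != len(FIXED_FIELDS) + 1:
        raise ValueError("expected %d fields, got %d"
                         % (len(FIXED_FIELDS) + 1, len(parts)))
    pri = int(m.group("pri"))
    event = {
        "facility": pri // 8,   # <13> -> facility 1 (user), severity 5
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
    }
    event.update(zip(FIXED_FIELDS, parts))
    event["description"] = parts[-1]
    return event


def naive_field_count(line: str, delimiter: str = ",") -> int:
    """Number of fields a plain split on every delimiter would produce.
    Included only to show why parse_snare() bounds the number of splits."""
    m = SYSLOG_HEADER.match(line)
    return len(m.group("payload").split(delimiter)) if m else 0


if __name__ == "__main__":
    comma_line = nxlog_exec(SAMPLE_TAB)
    ev = parse_snare(comma_line)
    print("event_id=%s log=%s host=%s" % (ev["event_id"], ev["log_name"], ev["host"]))
    print("description:", ev["description"])
    print("naive comma split: %d fields; bounded split: %d fields"
          % (naive_field_count(comma_line), len(FIXED_FIELDS) + 1))
```

Run it as a script to see the parsed fields; the naive count is larger than the bounded count precisely because of the commas inside the description. If you tail events on the Local Collector side and see descriptions cut short, this is the first thing to check.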
Once you have updated nxlog.conf, restart NXLog CE using the following commands, run as administrator from the Windows command prompt:
SC STOP NXLOG
SC START NXLOG
SC STOP returns before the service has fully stopped, so if SC START reports that the service is already running, wait a few seconds and try again. You can query the status of the NXLog service using the following command:
SC QUERY NXLOG
If the service fails to start, check the NXLog log file (by default nxlog.log in the data directory under C:\Program Files\nxlog) for a configuration error; a mistyped Exec statement or an unbalanced block is the usual cause.