Thursday, March 25, 2021

Send Custom Application Log to Central Syslog/SIEM Server (e.g. graylog/QRadar)

Let's say our application, running on a Windows Server 2016 host, generates custom logs and we want to send those logs to our central syslog or SIEM server. For log collection and forwarding we will use NXLog Community Edition, an open-source log collection tool available at no cost.

Let's assume our syslog server (e.g. Graylog or QRadar) is already installed and configured. We will only collect logs on the Windows server and forward them to the destination server. To achieve that, follow the steps below:


1) Install NXLog Community Edition.

2) Depending on the installation location, update the configuration file nxlog.conf. In my case, the file location is C:\Program Files (x86)\nxlog\conf

3) Let's say we want to forward the access and error logs. Add the configuration below to the configuration file mentioned above. Beforehand, make sure the input methods are properly configured and the service is running on the respective server. In the case of Graylog, a GELF input is configured and running (Picture-1).


# For sending logs to Graylog, we'll use the xm_gelf module. Add the following to the configuration file.
# Assume the Graylog server IP is 10.10.100.100 and the QRadar server IP is 10.10.100.200.
# The application is generating custom logs in a shared folder under the directory \\10.20.30.40\LOG\WebApp\
# The account the nxlog service runs as needs read access to that share.

<Extension _gelf>
    Module      xm_gelf
</Extension>

# parse_syslog() further below needs the xm_syslog extension. The default nxlog.conf
# already declares it as <Extension _syslog>; add it only if your file does not have it.

# send logs to Graylog

<Input application_accesslog_graylog>
    Module          im_file
    File            '\\10.20.30.40\LOG\WebApp\Information\\accesslog_*'
    #File           'C:\Program Files (x86)\nxlog\data\\*.log'
    # check the files for new data every second
    PollInterval    1
    # remember the read position across service restarts
    SavePos         True
    # start at the end of existing files, so only new lines are forwarded
    ReadFromLast    True
    Recursive       False
    RenameCheck     False
    # the source file name is sent to Graylog as the additional field _FileName
    Exec            $FileName = file_name();
</Input>

<Input application_errorlog_graylog>
    Module          im_file
    File            '\\10.20.30.40\LOG\WebApp\Error\\errorlog_*'
    #File           'C:\Program Files (x86)\nxlog\data\\*.log'
    PollInterval    1
    SavePos         True
    ReadFromLast    True
    Recursive       False
    RenameCheck     False
    Exec            $FileName = file_name();
</Input>

# GELF_TCP sends one JSON document per event, each terminated by a NUL byte,
# which is what the Graylog GELF TCP input on port 12201 expects.
<Output gelf>
    Module      om_tcp
    Host        10.10.100.100
    Port        12201
    OutputType  GELF_TCP
</Output>

<Route graylog>
    Path    application_accesslog_graylog, application_errorlog_graylog => gelf
</Route>

# send logs to QRadar

<Input application_accesslog_qradar>
    Module          im_file
    File            '\\10.20.30.40\LOG\WebApp\Information\\accesslog_*'
    #File           'C:\Program Files (x86)\nxlog\data\\*.log'
    # read the existing files from the beginning on first start
    ReadFromLast    False
    Exec            parse_syslog();
    # log_info() writes every event to nxlog.log as well; handy while verifying,
    # but remove it once forwarding works or the local log file will grow quickly
    Exec            log_info("Input Event: " + $raw_event);
</Input>

<Input application_errorlog_qradar>
    Module          im_file
    File            '\\10.20.30.40\LOG\WebApp\Error\\errorlog_*'
    #File           'C:\Program Files (x86)\nxlog\data\\*.log'
    ReadFromLast    False
    Exec            parse_syslog();
    Exec            log_info("Input Event: " + $raw_event);
</Input>

# QRadar's syslog listener on TCP port 514
<Output event-out-qradar>
    Module      om_tcp
    Host        10.10.100.200
    Port        514
</Output>

<Route qradar>
    Path    application_accesslog_qradar, application_errorlog_qradar => event-out-qradar
</Route>

############################
# End of configuration file
############################

4) Save the configuration file and restart the nxlog service from services.msc.
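To see exactly what the gelf output above puts on the wire, here is a small receiver written for this post (an added example, not NXLog's or Graylog's code): it accepts one connection on port 12201 and parses the NUL-delimited GELF frames that OutputType GELF_TCP produces, checks the mandatory GELF 1.1 fields and pulls out the _FileName field set by the Exec line. The host name WEB01 and the sample events are constructed.

```python
import json
import socket

# Framing produced by NXLog's om_tcp with OutputType GELF_TCP:
# one JSON document per event, each terminated by a single NUL byte.
FRAME_END = b"\x00"
REQUIRED = ("version", "host", "short_message")  # mandatory GELF 1.1 fields


def parse_gelf_tcp(buf: bytes):
    """Return (messages, leftover): decoded complete frames and the partial tail."""
    messages = []
    while FRAME_END in buf:
        frame, buf = buf.split(FRAME_END, 1)
        if not frame:
            continue  # tolerate a stray NUL between frames
        msg = json.loads(frame.decode("utf-8"))
        missing = [f for f in REQUIRED if f not in msg]
        if missing:
            raise ValueError(f"GELF message missing required field(s): {missing}")
        messages.append(msg)
    return messages, buf  # leftover must be prepended to the next recv()


def custom_fields(msg: dict) -> dict:
    """Additional GELF fields carry a leading '_'; NXLog's $FileName arrives as _FileName."""
    return {k[1:]: v for k, v in msg.items() if k.startswith("_")}


def serve_once(port: int = 12201) -> list:
    """Accept one connection on the gelf output's port and return all messages it sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, _ = srv.accept()
        got, rest = [], b""
        with conn:
            while chunk := conn.recv(4096):
                msgs, rest = parse_gelf_tcp(rest + chunk)
                got.extend(msgs)
    return got


# Constructed sample stream: two complete events as NXLog frames them, then a partial third.
SAMPLE = (
    b'{"version":"1.1","host":"WEB01","short_message":"GET /index.html 200","_FileName":"accesslog_20210325.log"}\x00'
    b'{"version":"1.1","host":"WEB01","short_message":"Unhandled exception","_FileName":"errorlog_20210325.log"}\x00'
    b'{"version":"1.1","host":"WEB01","short_mes'
)
```

Point the gelf output at the machine running serve_once() (or run it on the Graylog host with the GELF input stopped) to confirm that both inputs deliver events and that _FileName distinguishes access from error logs.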


After logging in to the respective portal, verify the results.


Picture-2: Graylog



Picture-3: QRadar



Cheers :-)


