Forwarding Windows Logs to Syslog using NXLog Tool

John Jonusauskas 29/05/2024

NXLog is an open-source, multi-platform log management tool designed to collect, process, and forward log messages. It can gather logs from various sources across the network, including systems, applications, and devices.

Understanding NXLog Tool

By centralizing log data, NXLog enables security teams to monitor and analyze activities, detect anomalies, and respond swiftly to potential threats.  

Architecture

The diagram below presents a centralized log collection architecture: a single, central server collects logs from other servers, applications, and network devices.

Figure: centralized log collection architecture

Key Features and Capabilities of NXLog

  • Compatible with major operating systems
  • Supports a wide range of log sources
  • Offers filtering, parsing, and transformation capabilities
  • Supports secure transmission of log data to centralized log management systems or SIEM platforms

It is worth mentioning that the NXLog tool is available as a free community edition, NXLog CE, and as a commercial enterprise edition. This blog is based on NXLog CE.

Getting Started with NXLog 

The journey with NXLog begins with a three-step process: 

  • Download and Install 
  • Customize Configuration 
  • Start the nxlog service 

Step 1: Download and install NXLog CE 

Download the NXLog MSI file from the official NXLog website. The installation process is straightforward, and comprehensive documentation on the official NXLog site guides you through the setup.

Step 2:  Modify the configuration file 

Modify nxlog.conf to your requirements. If you accepted the default installation parameters, the configuration file is located in C:\Program Files\nxlog\conf\. Before applying any changes to the original nxlog.conf file, it is good practice to create a backup copy.

The configuration file has three main sections: global directives, input and output blocks, and a route block.  

  • Global directives control NXLog's overall behaviour.
  • The input block defines the input module used to collect logs, while the output block defines the output module, i.e. how the logs are forwarded.
  • The route block links the input and output blocks, telling NXLog which inputs feed which outputs.

Let's modify those blocks to send our Windows logs to the Syslog server. 

According to the “NXLog User Guide”, the input block can be described as follows:

Figure: input block example from the NXLog User Guide

Or, with the im_mseventlog module for Windows Event Log collection (reading all System, Application, and Custom events), as shown below:

Figure: Windows Event Log input block from the NXLog User Guide

The NXLog User Guide lists two modules, om_tcp and om_udp, as output methods. Depending on the desired output format, several procedures are available: two Syslog formats, the older BSD Syslog (RFC 3164) and the newer IETF Syslog (RFC 5424), plus the Snare format.

Figure: Syslog output formats from the NXLog User Guide

In the configuration above, the to_syslog_ietf() procedure converts the corresponding fields in the event record to a Syslog message in IETF format. The result is forwarded over TCP by the om_tcp module.

Figure: NXLog output block producing Syslog messages in IETF format

In the next example, the to_syslog_snare() procedure converts the corresponding fields in the event record to Snare format. The messages are then forwarded over UDP by the om_udp module.

If our task is to collect Windows events and send them over UDP to a syslog server on port 514, the final nxlog.conf would look like this:

Figure: final nxlog.conf using the Snare format over UDP
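A complete nxlog.conf that implements the task described above (Windows Event Log to a syslog server over UDP port 514), written here as an added example rather than copied from the post or the NXLog User Guide. It uses im_msvistalog, the event log module for Windows Vista and later (im_mseventlog targets older Windows versions), and assumes the default install path plus a placeholder collector address of 192.0.2.10.

```apacheconf
## Added example: full nxlog.conf for NXLog CE on Windows that reads the
## Windows Event Log and forwards every event as Snare-format syslog over UDP/514.
## The syslog server address 192.0.2.10 is a constructed placeholder.
define ROOT C:\Program Files\nxlog

## Global directives: where NXLog finds its modules and keeps its own state/log.
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

## xm_syslog provides to_syslog_bsd(), to_syslog_ietf() and to_syslog_snare().
<Extension _syslog>
    Module  xm_syslog
</Extension>

## Input: the Windows Event Log module for Vista and later.
## The XML query selects the Application, Security and System channels;
## add further <Select Path="..."> lines to collect other channels.
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

## Output: convert each event record to Snare format, then send it over UDP.
## Swap to_syslog_snare() for to_syslog_ietf() to emit RFC 5424 messages instead.
<Output syslog_udp>
    Module  om_udp
    Host    192.0.2.10
    Port    514
    Exec    to_syslog_snare();
</Output>

## Route: wire the input to the output. Without this block nothing is forwarded.
<Route eventlog_to_syslog>
    Path    eventlog => syslog_udp
</Route>
```

Restart the nxlog service after saving; any configuration errors are written to the LogFile path above. For encrypted transport, NXLog's om_ssl module can stand in for om_udp.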

Step 3: Start NXLog service 

Start the NXLog service to begin sending logs to the syslog server. Make sure to adjust the configuration according to your specific environment and requirements. Additionally, consider any security considerations, such as firewall rules and encryption, when forwarding logs over the network.  

Summary  

NXLog is a valuable addition to any cybersecurity toolkit, empowering organizations to streamline log management, strengthen security posture, and mitigate risks effectively. By harnessing the power of NXLog, you can gain actionable insights from log data, detect security incidents in real-time, and safeguard your digital assets against evolving threats. Whether you're a beginner or a seasoned cybersecurity professional, exploring NXLog's capabilities can unlock new possibilities in threat detection and incident response.  


About Security Blue Team, a leading provider of online blue team training

Security Blue Team provides defensive cybersecurity training, and has been trusted to train security teams across governments, military units, law enforcement agencies, managed security providers, and many more industries.

About John Jonusauskas


With over ten years of cybersecurity experience, John has worked in both offensive and defensive teams. In recent years, he has specialized in cybersecurity education, and he now heads up our live training department.