WEC > NXLog > LogServer loses source hostname/ip

jaimie.livingston
Posts: 59
Joined: Wed Nov 23, 2016 10:41 am

WEC > NXLog > LogServer loses source hostname/ip

Post by jaimie.livingston »

Hello,

We have Windows Event Logs being sent to a Windows Event Collector server before being forwarded to the Nagios Logserver via NXLog.

One of the hiccups we've hit is that the source hostname and ip in the event gets re-written to the hostname and ip of the Windows Event Collector server.

For example:
A security log originating from RDCENGSRC01.RDC.L, forwarded via policy to the WEC server RDCENGWEC01.RDC.L, which is running NXLog to send the event onto the Nagios Logserver.

RDCENGSRC01.RDC.L >> RDCENGWEC01.RDC.L >> NXLog >> LogServer

Referring to the log snippet below:
> the Hostname value has been changed from RDCENGSRC01.RDC.L to RDCENGWEC01.RDC.L
> the host (ip address) has been changed from 10.67.6.100 (the IP of RDCENGSRC01.RDC.L) to 10.67.6.243 (the IP of RDCENGWEC01.RDC.L)

Is there anything we can do to prevent the hostname and host values from being changed?
From the basic troubleshooting we have done so far, it appears the unwanted change is happening when NXLog reads the message data from the WEC before forwarding onto the Nagios Logserver.

Thanks,

Jaimie Livingston


LOG SNIPPET
----------------------------------------


{
  "_index": "logstash-2020.01.23",
  "_type": "eventlog",
  "_id": "AW_TcMxH2xmB2uvxAP6R",
  "_score": null,
  "_source": {
    "EventTime": "2020-01-23 12:26:21",
    "Hostname": "RDCENGWEC01.RDC.L",
    "Keywords": -9214364837600035000,
    "EventType": "AUDIT_SUCCESS",
 
--- snip ---

    "SourceModuleName": "eventlog",
    "SourceModuleType": "im_msvistalog",

--- snip ---

    "host": "10.67.6.243",
    "port": 49718,
    "type": "eventlog",
    "alert_names": ""
  },
mbellerue
Posts: 1403
Joined: Fri Jul 12, 2019 11:10 am

Re: WEC > NXLog > LogServer loses source hostname/ip

Post by mbellerue »

When the Event Logs hit your WEC, do the actual log entries show the WEC's hostname, or the hostname of the server from where the logs originated?

I'm wondering if we can mitigate this problem by modifying the Input, and/or Filter on Log Server.

Otherwise the next best option might be to run nxlog on the Windows servers and have them ship their logs to both the WEC and Log Server.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

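One way to carry the originating computer name through the WEC hop without changing the collector itself, as an added example that is not part of the thread and not code from Nagios or NXLog: an nxlog.conf for the NXLog agent on the WEC that reads the channel the subscription writes to (assumed here to be the default ForwardedEvents), asks im_msvistalog to keep the raw event XML, and recovers the origin from the System/Computer element, which Windows Event Forwarding preserves inside the forwarded event. The Log Server address (10.67.6.50) and port (3515, the port the Nagios-generated NXLog config uses for Windows event logs) are assumptions to replace with your own; CaptureEventXML is documented for im_msvistalog in the NXLog CE reference manual, so check that your installed CE version supports it.

```conf
## nxlog.conf on the Windows Event Collector (added example, not from the thread)
## Assumes: subscription target channel is ForwardedEvents,
##          Nagios Log Server listens on 10.67.6.50:3515 (replace with yours).

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>

<Input forwarded>
    Module  im_msvistalog
    # Read only the channel the WEC subscription writes to (assumed ForwardedEvents),
    # not the local Security log of the collector itself.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep the raw event XML in $EventXML so the origin host can be recovered.
    CaptureEventXML TRUE
    <Exec>
        # A forwarded event's <System><Computer> element still names the host that
        # produced it; im_msvistalog sets $Hostname to the collector, so overwrite it
        # and keep a copy in its own field for Log Server queries.
        if $EventXML =~ /<Computer>([^<]+)/
        {
            $SourceHostname = $1;
            $Hostname       = $1;
        }
        # Drop the raw XML once the origin is extracted to keep the JSON small.
        delete($EventXML);
        to_json();
    </Exec>
</Input>

<Output logserver>
    Module  om_tcp
    Host    10.67.6.50
    Port    3515
</Output>

<Route wec_to_logserver>
    Path    forwarded => logserver
</Route>
```

Two caveats a practitioner will want. First, the `host` and `port` fields in the Log Server record are added by the Log Server's TCP input from the sending socket, so they will always show the WEC's address as long as NXLog on the WEC is the sender; the origin name has to travel in a field inside the event, as `SourceHostname` does here, rather than in the transport metadata. Second, with this approach every origin host is attested only by what the collector says the Computer element contained, so the WEF subscription itself (Kerberos or HTTPS transport, source-initiated subscription with an allowed-computers list) remains the control that prevents a rogue host from forwarding events under another machine's name.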
jaimie.livingston
Posts: 59
Joined: Wed Nov 23, 2016 10:41 am

Re: WEC > NXLog > LogServer loses source hostname/ip

Post by jaimie.livingston »

Hi...
Thanks for your reply.

At the moment, our problem appears to be a limitation of NXLog CE, which we were using to forward events to LogServer.
From what I gather, properly forwarding the events with the correctly recorded hostnames/ips would require NXLog EE with the im_wseventing module. This is not currently an option for our shop, so we will be looking for other alternatives.

To address your question:
The logs are gathered into Windows Event Viewer using the Windows Event Collector service. The events in the Windows Event Viewer logs are correctly attributed to their source hosts/ips. It's the transition from Windows to NXLog that loses the source info...

Jaimie
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: WEC > NXLog > LogServer loses source hostname/ip

Post by cdienger »

In case others have the same question, the im_wseventing module is what is needed for NXLog. From https://nxlog.co/documentation/nxlog-us ... e-features:
Multi-platform support for Windows Event Forwarding

The im_wseventing input module can be used to collect forwarded events from Windows hosts. The Windows clients can be configured from Group Policy to send Windows EventLog using Windows Event Forwarding. While NXLog Enterprise Edition can collect Windows EventLog remotely over WMI and MSRPC, this module provides improved security for collecting from Windows machines in agent-less mode, with support for both Kerberos and HTTPS data transfer. The im_wseventing module is platform independent and available on Linux as well as Windows.