For various reasons unknown to mankind, Windows has a very retarded relationship with logs. Because it was designed without any inkling of networking or internet in mind, Windows logs are very local and very stupid. I don’t know why, maybe because whoever created windows never really thought that their OS will be in a networked environment.
Anyway, to get Windows to work with a sort of syslog capability, NXLog can be used. In the next few articles, we will explore how to get it working, because like everything else in Windows, it needs some work. 10 years from now, our children will probably do the same thing by clicking an icon and everything magically works. For now, its back to CLI.
First – NxLog runs on TCP 514. Alienvault by default listens on UDP only.
Go ahead to /etc/rsyslog.conf
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
The ones in bold were commented, so just go ahead uncomment it and service rsyslog restart.
Do a netstat -tulpen | grep rsyslog and you should see it listening. For good measure, do nc – vt 127.0.0.1 514 and it will say its open.
Done!
Not really. Alienvault has additional issues. For some reason, even if you turn off Alienvault Firewall from the setup menu, you still cannot telnet to 514 from another system. Something is obviously blocking it.
I will assume you have installed nxlog in your windows. In nxlog.conf under C:\Program Files (x86)\nxlog\conf, you should see
<Output out-5141>
#Send to central nxlog listener on tcp port 5141, change host address
Module om_tcp
Host xxx.xxx.xxx.xxx
Port 514
OutputType LineBased
</Output>
Just replace the xxx with the IP of your Alienvault
Go ahead to
C:\Program Files (x86)\nxlog\data\nxlog.log
You might encounter
2016-03-23 10:31:47 ERROR couldn’t connect to tcp socket on <IP ADDRESS>:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Obviously, the IP is your Alienvault IP. This generally means there is some issue. Try telneting to port 514 from your Windows and you will get a timeout.
On your Alienvault
VirtualUSMAllInOne:/var/log# tcpdump -i eth0 “tcp port 514”
Restart your nxlog on your windows and you will see some packets coming in. It’s just not connecting. This shows you that the packets are reaching your AV, but for some nefarious reason your AV is not willing to talk.
Firewall?
As I mentioned, disabling firewall on the Alienvault menu doesn’t help because…I don’t know. It just doesn’t.
Luckily, we know a secret.
/etc/ossim/firewall_include
This little file is where you configure your policies for firewall. Just add
-A INPUT -p tcp -m state –state NEW -m tcp –dport 514 -j ACCEPT
At the bottom. This opens up the port 514 to chat.
Now, you need to reload the ossim config. No, service ossim-server restart or service ossim-agent restart won’t work. You need to do the full ossim-reconfig.
Once that is done, do a telnet again, or a tcpdump or check the nxlog log (after restarting).
2016-03-23 11:12:08 INFO nxlog-ce-2.8.1248 started
2016-03-23 11:12:08 INFO connecting to <IP ADDRESS>:514
Your port 514 is open now.
We will configure NXlog in the next article to send logs over to Alienvault.