Send logs to McAfee Enterprise Security Manager (ESM)
McAfee Enterprise Security Manager (ESM) is a security information and event management (SIEM) solution that can collect logs from various sources and correlate events for investigation and incident response. For more information, see McAfee Enterprise Security Manager on Trellix.com.
NXLog Agent can be configured to collect logs and forward them to McAfee ESM. NXLog Agent can collect logs from several log types, such as DHCP server audit logs, DNS Debug logs, and events from Windows Event Log, and forward these logs to ESM for parsing. NXLog Agent can also forward logs to ESM with TLS encryption to ensure any sensitive data is encrypted when sent to McAfee ESM.
Configuring McAfee ESM
For ESM to receive events from NXLog Agent, you must add a log source. Each log source type must have a corresponding data source (or parent source) configured in the ESM local receiver. Follow these steps to add a new log source:
-
On the McAfee web interface, open the menu in the upper left corner and click More Settings.
-
Select the Local Receiver-ELM in the left panel and click Add Data Source.
-
Choose a Data Source Vendor, Data Source Model, Data Format, and Data Retrieval. Consult the sections below for the correct values to use for each log source type.
-
Enable Parsing and ELM storage if required.
-
Enter the appropriate Name, IP Address, and Host Name values.
-
For Syslog Relay, select None.
-
Enter a Mask to use an IP address range, if required.
-
To require TLS transport, check Require syslog TLS.
-
For Port, use the default of 514 or click Interface to change the available syslog ports.
-
For Support Generic Syslogs, select Log "unknown syslog" event.
-
Click OK to save the changes. When the Apply Data Source Settings dialog appears, click Yes. Then click OK on the Rollout window to deploy the changes.
Sending specific log types to McAfee ESM with NXLog Agent
To take full advantage of ESM’s log parsing and rules, NXLog Agent can be configured to send log types in a format expected by ESM. A few common log types are shown here.
Sending DHCP server audit logs to McAfee ESM with NXLog Agent
To send DHCP Server audit logs to ESM, set up DHCP Audit Logging and use the NXLog Agent configuration below. When adding an ESM data source, use the following parsing configuration (see Configuring McAfee ESM):
| Field | Value |
|---|---|
Data Source Vendor |
Microsoft |
Data Source Model |
Windows DHCP |
Data Format |
Default |
Data Retrieval |
SYSLOG (Default) |
For more information, see DHCP server audit logging and the Microsoft DHCP Server page in the McAfee ESM Data Source Configuration Reference Guide.
In this example, NXLog Agent is configured to read logs from the DhcpSrvLog and DhcpV6SrvLog log files.
NXLog Agent then adds a syslog header with xm_syslog to prepare the logs for forwarding to ESM.
64,08/31/19,14:38:17,No static IP address bound to DHCP server,,,,,0,6,,,,,,,,,0<Extension syslog>
Module xm_syslog
</Extension>
<Input dhcp>
Module im_file
File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
File 'C:\Windows\System32\dhcp\DhcpV6SrvLog-*.log'
<Exec>
# Discard header lines
if $raw_event !~ /^\d+,/ drop();
# Add Syslog header
$Message = $raw_event;
to_syslog_bsd();
</Exec>
</Input><13>Aug 31 14:38:17 Host 64,08/31/19,14:38:17,No static IP address bound to DHCP server,,,,,0,6,,,,,,,,,0Sending DNS debug logs to McAfee ESM with NXLog Agent
To send DNS debug logs to ESM, enable debug logging and use the NXLog Agent configuration below. When adding an ESM data source, use the following parsing configuration (see Configuring McAfee ESM):
| Field | Value |
|---|---|
Data Source Vendor |
Microsoft |
Data Source Model |
Windows DNS |
Data Format |
Default |
Data Retrieval |
SYSLOG (Default) |
For more information, see Windows DNS Server and the Microsoft DNS Debug page in the McAfee ESM Data Source Configuration Reference Guide.
The following configuration uses im_file to read from the Windows DNS debug log. A syslog header is added with the xm_syslog to_syslog_bsd() procedure.
8/31/2019 15:17:04 PM 2AE8 PACKET 00000005D03B4CE0 UDP Snd 192.168.1.42 fdd7 R Q [8081 DR NOERROR] A (9)imap-mail(7)outlook(3)com(0)<Extension syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_file
File 'C:\logs\dns.log'
<Exec>
# Discard header lines
if $raw_event !~ /^\d+\/\d+\/\d+/ drop();
# Add Syslog header
$Message = $raw_event;
to_syslog_bsd();
</Exec>
</Input><13>Aug 31 15:17:04 Host 8/31/2019 15:17:04 PM 2AE8 PACKET 00000005D03B4CE0 UDP Snd 192.168.1.42 fdd7 R Q [8081 DR NOERROR] A (9)imap-mail(7)outlook(3)com(0)Sending Windows Event Log data to McAfee ESM with NXLog Agent
Microsoft Windows Event Log data can be collected and sent to McAfee ESM with the NXLog Agent configuration below. When adding an ESM data source, use the following parsing configuration (see Configuring McAfee ESM):
| Field | Value |
|---|---|
Data Source Vendor |
Microsoft |
Data Source Model |
Windows Event Log – CEF |
Data Format |
Default |
Data Retrieval |
SYSLOG (Default) |
See the Windows Event Log integration guide for more information.
In this configuration, Windows Event Log data is collected from the Security channel with im_msvistalog and converted to CEF with a syslog header.
<Extension cef>
Module xm_cef
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input eventlog>
Module im_msvistalog
Channel Security
<Exec>
$Message = to_cef();
to_syslog_bsd();
</Exec>
</Input><14>Sep 25 23:25:53 WINSERV Microsoft-Windows-Security-Auditing[568]: CEF:0|NXLog|NXLog|4.99.5128|0|-|7|end=1569453953000 dvchost=WINSERV Keywords=9232379236109516800 outcome=AUDIT_SUCCESS SeverityValue=2 Severity=INFO externalId=4801 SourceName=Microsoft-Windows-Security-Auditing ProviderGuid={54849625-5478-4994-A5BA-3E3B0328C30D} Version=0 TaskValue=12551 OpcodeValue=0 RecordNumber=395661 ActivityID={61774D29-73EB-0000-4B4D-7761EB73D501} ExecutionProcessID=568 ExecutionThreadID=3164 deviceFacility=Security msg=The workstation was unlocked.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2262720663-2632382095-2856924348-500\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tWINSERV\r\n\tLogon ID:\t\t0x112FE1\r\n\tSession ID:\t1 cat=Other Logon/Logoff Events Opcode=Info duid=S-1-5-21-2262720663-2632382095-2856924348-500 duser=Administrator dntdom=WINSERV TargetLogonId=0x112fe1 SessionId=1 EventReceivedTime=1569453953949 SourceModuleName=eventlog SourceModuleType=im_msvistalogForwarding logs to McAfee ESM with NXLog Agent
Use an output instance to forward the processed logs to McAfee ESM.
The configurations shown below can be used with any of the above input instances.
Because all event formatting is done in the input sections, the output instances here do not require any Exec directives (the $raw_event field is passed without any further modification).
This om_tcp instance sends logs to ESM via TCP. In this example, logs are sent from the Windows Event Log source.
<Output esm>
Module om_tcp
Host 10.10.1.10
Port 514
</Output>
<Route r>
Path eventlog => esm
</Route>To forward logs with TLS, the Require syslog TLS option needs to be enabled on the data source(s).
The certificate can be found in the ESM platform under /etc/NitroGuard/ and the required file is SSL.crt.
The om_ssl module is used here to send logs to ESM securely, with TLS encryption.
<Output esm>
Module om_ssl
Host 10.10.1.10
Port 6514
CAFile C:\Program Files\cert\SSL.crt
</Output>