Send logs to McAfee Enterprise Security Manager (ESM)

McAfee Enterprise Security Manager (ESM) is a security information and event management (SIEM) solution that can collect logs from various sources and correlate events for investigation and incident response. For more information, see McAfee Enterprise Security Manager on Trellix.com.

NXLog Agent can be configured to collect logs and forward them to McAfee ESM. NXLog Agent can collect logs from several log types, such as DHCP server audit logs, DNS Debug logs, and events from Windows Event Log, and forward these logs to ESM for parsing. NXLog Agent can also forward logs to ESM with TLS encryption to ensure any sensitive data is encrypted when sent to McAfee ESM.

Configuring McAfee ESM

For ESM to receive events from NXLog Agent, you must add a log source. Each log source type must have a corresponding data source (or parent source) configured in the ESM local receiver. Follow these steps to add a new log source:

  1. On the McAfee web interface, open the menu in the upper left corner and click More Settings.

  2. Select the Local Receiver-ELM in the left panel and click Add Data Source.

    mcafee esm local receiver elm
  3. Choose a Data Source Vendor, Data Source Model, Data Format, and Data Retrieval. Consult the sections below for the correct values to use for each log source type.

    mcafee esm add data source
  4. Enable Parsing and ELM storage if required.

  5. Enter the appropriate Name, IP Address, and Host Name values.

  6. For Syslog Relay, select None.

  7. Enter a Mask to use an IP address range, if required.

  8. To require TLS transport, check Require syslog TLS.

  9. For Port, use the default of 514 or click Interface to change the available syslog ports.

  10. For Support Generic Syslogs, select Log "unknown syslog" event.

  11. Click OK to save the changes. When the Apply Data Source Settings dialog appears, click Yes. Then click OK on the Rollout window to deploy the changes.

Sending specific log types to McAfee ESM with NXLog Agent

To take full advantage of ESM’s log parsing and rules, NXLog Agent can be configured to send log types in a format expected by ESM. A few common log types are shown here.

Sending DHCP server audit logs to McAfee ESM with NXLog Agent

To send DHCP Server audit logs to ESM, set up DHCP Audit Logging and use the NXLog Agent configuration below. When adding an ESM data source, use the following parsing configuration (see Configuring McAfee ESM):

Field Value

Data Source Vendor

Microsoft

Data Source Model

Windows DHCP

Data Format

Default

Data Retrieval

SYSLOG (Default)

For more information, see DHCP server audit logging and the Microsoft DHCP Server page in the McAfee ESM Data Source Configuration Reference Guide.

Example 1. Sending Windows DHCP logs to McAfee ESM

In this example, NXLog Agent is configured to read logs from the DhcpSrvLog and DhcpV6SrvLog log files. NXLog Agent then adds a syslog header with xm_syslog to prepare the logs for forwarding to ESM.

Input sample
64,08/31/19,14:38:17,No static IP address bound to DHCP server,,,,,0,6,,,,,,,,,0
nxlog.conf
<Extension syslog>
    Module    xm_syslog
</Extension>

<Input dhcp>
    Module    im_file
    File      'C:\Windows\System32\dhcp\DhcpSrvLog-*.log'
    File      'C:\Windows\System32\dhcp\DhcpV6SrvLog-*.log'
    <Exec>
        # Discard header lines
        if $raw_event !~ /^\d+,/ drop();

        # Add Syslog header
        $Message = $raw_event;
        to_syslog_bsd();
    </Exec>
</Input>
Output sample
<13>Aug 31 14:38:17 Host 64,08/31/19,14:38:17,No static IP address bound to DHCP server,,,,,0,6,,,,,,,,,0

Sending DNS debug logs to McAfee ESM with NXLog Agent

To send DNS debug logs to ESM, enable debug logging and use the NXLog Agent configuration below. When adding an ESM data source, use the following parsing configuration (see Configuring McAfee ESM):

Field Value

Data Source Vendor

Microsoft

Data Source Model

Windows DNS

Data Format

Default

Data Retrieval

SYSLOG (Default)

For more information, see Windows DNS Server and the Microsoft DNS Debug page in the McAfee ESM Data Source Configuration Reference Guide.

Example 2. Sending DNS debug logs to McAfee ESM

The following configuration uses im_file to read from the Windows DNS debug log. A syslog header is added with the xm_syslog to_syslog_bsd() procedure.

Input sample
8/31/2019 15:17:04 PM 2AE8 PACKET  00000005D03B4CE0 UDP Snd 192.168.1.42    fdd7 R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)
nxlog.conf
<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module    im_file
    File      'C:\logs\dns.log'
    <Exec>
        # Discard header lines
        if $raw_event !~ /^\d+\/\d+\/\d+/ drop();

        # Add Syslog header
        $Message = $raw_event;
        to_syslog_bsd();
    </Exec>
</Input>
Output sample
<13>Aug 31 15:17:04 Host 8/31/2019 15:17:04 PM 2AE8 PACKET  00000005D03B4CE0 UDP Snd 192.168.1.42    fdd7 R Q [8081   DR  NOERROR] A      (9)imap-mail(7)outlook(3)com(0)

Sending Windows Event Log data to McAfee ESM with NXLog Agent

Microsoft Windows Event Log data can be collected and sent to McAfee ESM with the NXLog Agent configuration below. When adding an ESM data source, use the following parsing configuration (see Configuring McAfee ESM):

Field Value

Data Source Vendor

Microsoft

Data Source Model

Windows Event Log – CEF

Data Format

Default

Data Retrieval

SYSLOG (Default)

See the Windows Event Log integration guide for more information.

Example 3. Sending Windows Event Log data to McAfee ESM

In this configuration, Windows Event Log data is collected from the Security channel with im_msvistalog and converted to CEF with a syslog header.

nxlog.conf
<Extension cef>
    Module     xm_cef
</Extension>

<Extension syslog>
    Module     xm_syslog
</Extension>

<Input eventlog>
    Module     im_msvistalog
    Channel    Security
    <Exec>
        $Message = to_cef();
        to_syslog_bsd();
    </Exec>
</Input>
Output sample
<14>Sep 25 23:25:53 WINSERV Microsoft-Windows-Security-Auditing[568]: CEF:0|NXLog|NXLog|4.99.5128|0|-|7|end=1569453953000 dvchost=WINSERV Keywords=9232379236109516800 outcome=AUDIT_SUCCESS SeverityValue=2 Severity=INFO externalId=4801 SourceName=Microsoft-Windows-Security-Auditing ProviderGuid={54849625-5478-4994-A5BA-3E3B0328C30D} Version=0 TaskValue=12551 OpcodeValue=0 RecordNumber=395661 ActivityID={61774D29-73EB-0000-4B4D-7761EB73D501} ExecutionProcessID=568 ExecutionThreadID=3164 deviceFacility=Security msg=The workstation was unlocked.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2262720663-2632382095-2856924348-500\r\n\tAccount Name:\t\tAdministrator\r\n\tAccount Domain:\t\tWINSERV\r\n\tLogon ID:\t\t0x112FE1\r\n\tSession ID:\t1 cat=Other Logon/Logoff Events Opcode=Info duid=S-1-5-21-2262720663-2632382095-2856924348-500 duser=Administrator dntdom=WINSERV TargetLogonId=0x112fe1 SessionId=1 EventReceivedTime=1569453953949 SourceModuleName=eventlog SourceModuleType=im_msvistalog

Forwarding logs to McAfee ESM with NXLog Agent

Use an output instance to forward the processed logs to McAfee ESM. The configurations shown below can be used with any of the above input instances. Because all event formatting is done in the input sections, the output instances here do not require any Exec directives (the $raw_event field is passed without any further modification).

Example 4. Forwarding logs to McAfee ESM via TCP

This om_tcp instance sends logs to ESM via TCP. In this example, logs are sent from the Windows Event Log source.

nxlog.conf
<Output esm>
    Module    om_tcp
    Host      10.10.1.10
    Port      514
</Output>

<Route r>
    Path      eventlog => esm
</Route>

To forward logs with TLS, the Require syslog TLS option needs to be enabled on the data source(s). The certificate can be found in the ESM platform under /etc/NitroGuard/ and the required file is SSL.crt.

Example 5. Forwarding logs to McAfee ESM with TLS encryption

The om_ssl module is used here to send logs to ESM securely, with TLS encryption.

nxlog.conf
<Output esm>
    Module    om_ssl
    Host      10.10.1.10
    Port      6514
    CAFile    C:\Program Files\cert\SSL.crt
</Output>
Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

McAfee ESM version 11.2.0.

Last revision: 26 September 2019