NXLog Configuration for IIS Logs to Syslog SIEM Server

Comprehensive Guide and Sample Configuration for NXLog on Windows

Key Highlights

• Comprehensive Setup: Step-by-step explanation from installation to configuration and execution.
• Customization Tips: Guidance on adapting file paths, server IP, and module formats.
• Reliable Log Forwarding: Use of industry-standard extensions and modules such as xm_syslog and im_file.

---

Introduction

When you are managing a Windows server running Microsoft Internet Information Services (IIS), it is crucial to have a robust logging mechanism that allows efficient log processing and analysis. NXLog is a powerful log collection tool that can be used to retrieve IIS logs and forward them to a Syslog SIEM server. SIEM (Security Information and Event Management) platforms help in real-time monitoring, analysis, and responding to security events. In this guide, you will find a detailed configuration file for the NXLog service to facilitate the forwarding of IIS logs to a Syslog SIEM server.

Overview of NXLog Configuration

The NXLog configuration file (commonly named nxlog.conf) controls how logs are read from sources, parsed, and sent to destinations. This configuration file is modular, meaning you can specify a variety of input, output, and extension modules to tailor your log-forwarding mechanism. The guide below provides a sample configuration that will read Microsoft IIS logs and send them to a Syslog SIEM server over UDP.

Prerequisites

Before proceeding, ensure that you have:

• NXLog Installed: Download and install NXLog (Community or Enterprise edition) on your IIS server.
• Access Rights: Sufficient permissions to read the IIS log files and to modify NXLog configuration files.
• SIEM Server Details: The IP address/hostname and correct syslog port (typically UDP 514) of your SIEM server.

NXLog Configuration File: Detailed Breakdown

1. Define Global Constants and Paths

Start by defining the root path for your NXLog installation along with other useful constants. Using definitions makes your configuration file easier to read and maintain.

define ROOT      C:\Program Files (x86)\nxlog
define CERTDIR   %ROOT%\cert
define CONFDIR   %ROOT%\conf
define LOGDIR    %ROOT%\data
define LOGFILE   %LOGDIR%\nxlog.log
  

2. Global Settings and Module Directories

Configure essential parameters like module directories, caching paths, process ID files, and spool directories. These parameters ensure NXLog runs efficiently.

Moduledir %ROOT%\modules
CacheDir  %LOGDIR%
Pidfile   %LOGDIR%\nxlog.pid
SpoolDir  %LOGDIR%
LogFile   %LOGFILE%
  

3. Extension Modules

Extensions enhance log processing capabilities. In this configuration, we use:

• xm_syslog: For formatting logs to the syslog format.
• Optional Extensions: Modules such as xm_csv or xm_json can be used for processing log fields if required.

<Extension syslog>
    Module      xm_syslog
</Extension>
  

4. Configuring the Input Module for IIS Logs

The input module is set to monitor IIS log files. Microsoft IIS typically stores log files in C:\inetpub\logs\LogFiles\W3SVC*. Adjust the file path according to your environment. Options such as SavePos ensure that NXLog keeps track of the last processed log entry, which is crucial for restarting the service without data duplication.

<Input iis_logs>
    Module       im_file
    File         'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    SavePos      TRUE
    ReadFromLast TRUE
    Recursive    FALSE
    PollInterval 1
    Exec         $Message = $raw_event;
</Input>
  

In this snippet:

• File: Indicates the file path pattern to read logs from. Replace W3SVC1 with your specific IIS site identifier if necessary.
• SavePos: Retains the position in the log file to avoid reprocessing on NXLog restarts.
• Exec Statement: Copies the raw event into the message field which is later processed by the output module.

5. Configuring the Output Module to Forward Logs

The output module sends logs to your Syslog SIEM server. The default configuration uses UDP and assumes that your SIEM expects logs on port 514. The conversion function to_syslog_ietf() or an alternative like to_syslog_bsd() facilitates the appropriate conversion to a syslog format.

<Output syslog_server>
    Module      om_udp
    Host        192.168.1.100  // Replace with your actual syslog server IP.
    Port        514            // Adjust the port if your SIEM requires a different one.
    Exec        to_syslog_ietf();
</Output>
  

If prefer RFC 3164 formatting, you can use to_syslog_bsd(). For environments requiring additional formatting, consider exploring other functions available with the syslog extension.

6. Establishing Log Routing

A route section directs logs from the input module to the output module. This simple routing ensures that all logs collected by NXLog from IIS logs are forwarded to your SIEM server.

<Route IIS_to_Syslog>
    Path   iis_logs => syslog_server
</Route>
  

Complete Sample Configuration File

Bringing together all the above components, here is a complete sample configuration file for forwarding Microsoft IIS logs to a Syslog SIEM server:

###############################################
# NXLog Configuration for IIS to Syslog SIEM  #
###############################################

# Define global constants for paths.
define ROOT      C:\Program Files (x86)\nxlog
define CERTDIR   %ROOT%\cert
define CONFDIR   %ROOT%\conf
define LOGDIR    %ROOT%\data
define LOGFILE   %LOGDIR%\nxlog.log

# Global configuration directives.
Moduledir %ROOT%\modules
CacheDir  %LOGDIR%
Pidfile   %LOGDIR%\nxlog.pid
SpoolDir  %LOGDIR%
LogFile   %LOGFILE%

# Load the syslog extension for message formatting.
<Extension syslog>
    Module      xm_syslog
</Extension>

# Input module configuration for Microsoft IIS logs.
<Input iis_logs>
    Module       im_file
    File         'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    SavePos      TRUE
    ReadFromLast TRUE
    Recursive    FALSE
    PollInterval 1
    Exec         $Message = $raw_event;
</Input>

# Output module to send logs to the Syslog SIEM server.
<Output syslog_server>
    Module      om_udp
    Host        192.168.1.100  // Replace with your SIEM server IP.
    Port        514            // Replace with syslog port if necessary.
    Exec        to_syslog_ietf();
</Output>

# Route to link the input module to the output module.
<Route IIS_to_Syslog>
    Path   iis_logs => syslog_server
</Route>
  

Customization and Advanced Options

Field Parsing and Log Transformation

Depending on the logging format and data enrichment requirements, you may need to parse the IIS logs further. Microsoft IIS often uses a W3C extended log file format that may contain header lines (beginning with "#"). You can add logic to ignore these lines and parse the remaining entries to extract meaningful fields:

<Input iis_logs>
    Module       im_file
    File         'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    SavePos      TRUE
    ReadFromLast TRUE
    Recursive    FALSE
    PollInterval 1
    Exec         if $raw_event =~ /^#/ drop();  // Ignore header lines.
    Exec         $Message = $raw_event;
</Input>
  

This snippet demonstrates how to drop any header lines starting with '#' so that only actual log entries are processed.

Using Different Syslog Formats

NXLog offers several functions to convert message data to various syslog formats. The two most common are:

• to_syslog_ietf(): This function converts the log message to a format compliant with modern syslog variants, suitable for SIEMs that require enhanced information like structured data.
• to_syslog_bsd(): Use this function for logs formatted according to the BSD syslog standard.

You can choose the function based on the requirements of your SIEM server. Simply change the Exec line in the output module accordingly.

Utilizing TCP or SSL for Secure Transmission

In environments where data security and reliability are prioritized, or if your SIEM requires TCP instead of UDP, you can modify the output module to use om_tcp or even om_ssl. For example:

// Example output for TCP transmission
<Output syslog_server>
    Module      om_tcp
    Host        192.168.1.100  // Replace with your SIEM server IP.
    Port        514            // Adjust if necessary.
    Exec        to_syslog_ietf();
</Output>
  

If your SIEM server also supports SSL/TLS encryption for log transmission, review the NXLog documentation on configuring SSL and adjust the output module to include necessary certificate paths and encryption settings.

Table: Key Configuration Components Overview

Component	Purpose	Key Settings
Global Definitions	Set installation paths and constants	ROOT, CERTDIR, CONFDIR, LOGDIR, LOGFILE
Module Directories	Locate necessary modules and manage caches	Moduledir, CacheDir, Pidfile, SpoolDir
Extensions	Enable specific functions (e.g., syslog formatting)	xm_syslog
Input Module	Read log files from IIS	im_file, File path, SavePos, PollInterval
Output Module	Forward logs to the SIEM server	om_udp/om_tcp, Host, Port, Exec with syslog transformer
Route	Define log flow from source to destination	Path configuration

Customization and Deployment Best Practices

Here are some best practices to consider when deploying and customizing your NXLog configuration file:

1. Validate File Paths

Confirm that file paths specified in the configuration accurately map to the location of your IIS logs. If your server hosts multiple websites, you may need to use wildcard expressions or configure additional input modules.

2. Test Configuration Changes

After modifying the configuration file, always test it to ensure there are no syntax errors or misconfigurations. Start by running NXLog in a debug mode if available, then progressively check the data flow to your SIEM server.

3. Monitoring and Maintenance

Regularly monitor the NXLog log file (specified by %LOGFILE%) for any errors or issues. Utilize logging levels and detailed error messages to diagnose problems. A well-maintained configuration helps in troubleshooting and ensures continuous log forwarding.

4. Security Considerations

When running NXLog on production systems, ensure proper permissions are configured to secure both log files and configuration data. If using TCP or SSL, ensure that certificate paths and encryption settings conform to your organization's security standards.

Conclusion

The NXLog configuration file detailed above provides a robust mechanism for collecting Microsoft IIS logs and forwarding them reliably to a Syslog SIEM server. With clearly defined global parameters, input definitions, output configurations, and routing instructions, administrators can efficiently monitor and secure web server activities. Adapting this configuration for TCP or SSL, and adding custom parsing logic if necessary, further tailors the setup to meet diverse enterprise requirements.

By following the best practices outlined and leveraging the modular structure of NXLog, organizations can ensure seamless log forwarding, robust monitoring, and comprehensive security event management. This configuration serves as both a starting point and a blueprint for further customization to suit unique logging environments.

References

• Rapid7 InsightIDR Documentation - Rapid7
• Netenrich Support - Windows IIS via NXLog
• NXLog Documentation on Microsoft IIS Integration - NXLog
• NXLog User Guide for IIS - NXLog

Recommended Searches for Further Insights

• Discover advanced NXLog configuration tips for multiple IIS instances.
• Learn how to secure log forwarding using TCP and SSL with NXLog.
• Explore custom log parsing strategies for W3C IIS logs using NXLog.