
Configuring NXLOG in CentOS-8

First part of this blog can be found here

Configuring NXLog is a simple and straightforward process: the changes are made to the 'nxlog.conf' file so that NXLog reads alerts from the alert_json file in the Snort log directory and sends them to the Nagios Log Server for processing. The 'nxlog.conf' file is created automatically during installation with some default parameters, which we will customize for our environment. The default location of the configuration file is /opt/nxlog/etc.

Snort provides multiple output plugins that support writing logs in different formats, including JSON, CSV, unified2, and the typical one-line (fast) and five-line (full) formats. By default, all file-based logs are saved in the /var/log/snort folder. The easiest way for NXLog to collect and parse Snort logs is to configure the alert_json plugin to write events to files in JSON format. This is done in Snort's configuration file, located at /usr/local/etc/snort/snort.lua. This step is already explained in the Snort configuration document; this is how the alert_json plugin section looks in the snort.lua file:
alert_json =
{
    file = true,
    limit = 100,
    fields = 'timestamp class msg priority src_addr src_port dst_addr dst_port',
}

A sample Snort rule that raises a denial of service alert is shown below:
alert tcp any any -> any any (flags: S; msg:"Possible DoS Attack Type : SYN flood"; classtype:attempted-dos; flow:stateless; sid:3; detection_filter:track by_dst, count 20, seconds 10;)

Alert log record created by the alert_json plugin for that rule:
{
    "timestamp": "06/17-21:53:38.555249",
    "class": "Attempted Denial of Service",
    "msg": "Possible DoS Attack Type : SYN flood",
    "priority": 2,
    "src_addr": "98.137.240.250",
    "src_port": 37396,
    "dst_addr": "192.168.1.6",
    "dst_port": 80
}

Configuring NXLog boils down to three parts:
- Configuring Inputs
- Configuring Outputs

Configuring Inputs
This part of the config collects the logs from the source. In our case, the source is the 'alert_json' file in the Snort log directory. Below is the configuration for it:
<Input snort_logs>
    Module    im_file
    # Snort rotates the file when 'limit' is reached, so match every alert_json*.txt
    File      '/var/log/snort/alert_json*.txt'
    <Exec>
        # Turn the JSON line into NXLog fields ($timestamp, $msg, $src_addr, ...)
        parse_json();
        # Snort's timestamp is MM/DD-HH:MM:SS.micro with no year; add the current year
        if $raw_event =~ /(\d{2})\/(\d{2})-(\d{2}:\d{2}:\d{2}\.\d{1,6})/
        {
            $EventTime = parsedate(year(now()) + "-" + $1 + "-" + $2 + "T" + $3);
        }
        else
        {
            # Fall back to the raw value if the pattern does not match
            $EventTime = $timestamp;
        }
        # Apply the field renames defined in the 'rewrite' extension below
        rewrite->process();
        to_json();
    </Exec>
</Input>
<Extension json>
    Module    xm_json
</Extension>

This configuration uses the im_file input module to collect Snort logs from files matching /var/log/snort/alert_json*.txt. It uses the parse_json() procedure of the xm_json module to convert each record into structured data, and a regular expression to pull the date and time out of the Snort timestamp (which carries no year). The parsedate() function then turns that value into a proper datetime, so $EventTime is emitted in ISO format.

The record is then processed with the xm_rewrite module to use more user-friendly field names before formatting it to JSON with the to_json() procedure.
<Extension rewrite>
Module    xm_rewrite
Rename    msg, EventName
Rename    class, Classification
Rename    priority, Priority
Rename    src_addr, SourceIPAddress
Rename    src_port, SourcePort
Rename    dst_addr, DestinationIPAddress
Rename    dst_port, DestinationPort
Delete    timestamp
</Extension>
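To see what the input's Exec block and the rewrite extension above do to a record, here is an added Python model of that pipeline (not part of the original post and not NXLog code): it applies the same timestamp regex, the same year(now()) fallback (the year is a parameter so the result is reproducible), the same field renames and the timestamp deletion to the sample alert record from this page, which is embedded as a constructed input line.

```python
import json
import re
from datetime import datetime

# Constructed sample: the alert_json record shown on this page, as Snort writes it (one JSON object per line)
SAMPLE_LINE = ('{"timestamp": "06/17-21:53:38.555249", "class": "Attempted Denial of Service", '
               '"msg": "Possible DoS Attack Type : SYN flood", "priority": 2, '
               '"src_addr": "98.137.240.250", "src_port": 37396, '
               '"dst_addr": "192.168.1.6", "dst_port": 80}')

# Same pattern as the <Exec> block: MM/DD-HH:MM:SS.micro (Snort omits the year)
TS_RE = re.compile(r'(\d{2})/(\d{2})-(\d{2}:\d{2}:\d{2}\.\d{1,6})')

# Same field map as the xm_rewrite extension
RENAMES = {
    "msg": "EventName", "class": "Classification", "priority": "Priority",
    "src_addr": "SourceIPAddress", "src_port": "SourcePort",
    "dst_addr": "DestinationIPAddress", "dst_port": "DestinationPort",
}


def event_time(raw_line, year=None):
    """Mirror parsedate(year(now()) + "-" + $1 + "-" + $2 + "T" + $3), else $timestamp."""
    year = year or datetime.now().year
    m = TS_RE.search(raw_line)
    if m:
        return f"{year}-{m.group(1)}-{m.group(2)}T{m.group(3)}"
    return json.loads(raw_line).get("timestamp")


def transform(raw_line, year=None):
    """parse_json() -> $EventTime -> rewrite->process() (Rename + Delete timestamp)."""
    rec = json.loads(raw_line)
    rec["EventTime"] = event_time(raw_line, year)
    return {RENAMES.get(k, k): v for k, v in rec.items() if k != "timestamp"}


def to_json(raw_line, year=None):
    """Equivalent of to_json(): the record as it leaves the input."""
    return json.dumps(transform(raw_line, year))


if __name__ == "__main__":
    print(to_json(SAMPLE_LINE))
```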

Configuring Output
Here the om_tcp module initiates a TCP connection to a remote host and transfers the log messages. In our case, the logs are sent to the Nagios Log Server at 10.0.0.67. The Route then connects the input to the output; its Path must use the names given to the Input and Output blocks.
<Output snortout>
    Module          om_tcp
    Host            10.0.0.67:3516
</Output>
<Route snort>
    # Must reference the Input block defined above (snort_logs), not an undefined name
    Path snort_logs => snortout
</Route>

Once you have configured the three steps, you can verify the configuration file syntax as below (lowercase -v is the verify option; uppercase -V only prints the version)
# /opt/nxlog/bin/nxlog -v

Now enable NXLog to run at start up (CentOS 8 uses systemd, and the service wrapper does not accept an enable action)
# systemctl enable nxlog

Now you can start and stop the NXlog service using the following commands
# service nxlog start
# service nxlog stop
