Cyb3rWard0g / HELK

The Hunting ELK
GNU General Public License v3.0

Documentation leaves NXLog configuration blank #574

Open vicosurge opened 2 years ago

vicosurge commented 2 years ago

This is more of an observation than a complaint; so far, it has been super simple to implement and use (much, much more straightforward than SecurityOnion or the whole Elastic stack).

The thing I could not find in the documentation was how to set up NXLog to send logs that Logstash could understand. I got the port, but it was missing the portion in which to_json(); has to be added for it to work and for the data actually to be interpreted.

Example below:

<Extension _json>
    Module  xm_json
</Extension>

<Input windows_helk>
    Module          im_msvistalog
    SavePos         TRUE
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level&lt;4]</Select>
                <Select Path='System'>*</Select>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
                <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
                <Select Path='Windows PowerShell'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output helk_logstash>
    Module      om_tcp
    Host        <my_ip>:8531
    Exec        to_json();
</Output>

<Route helk>
    Path    windows_helk => helk_logstash
</Route>
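As an added example that is not part of the HELK project or the issue author's configuration: a small Python check that parses an NXLog agent config and flags om_tcp outputs lacking the Exec to_json(); line described above, or using it without the xm_json extension loaded. The sample config and its IP address are constructed placeholders.

```python
import re

# Constructed sample (not the HELK project's or the issue author's file): the
# issue's Output block, once with and once without the to_json() call.
WITH_JSON = """<Extension _json>
    Module  xm_json
</Extension>
<Output helk_logstash>
    Module      om_tcp
    Host        10.0.0.5:8531
    Exec        to_json();
</Output>
"""
WITHOUT_JSON = WITH_JSON.replace("    Exec        to_json();\n", "")

# One NXLog block such as <Output name> ... </Output>; the nested <QueryXML>
# markup of an Input block is ignored because its tags are not listed here.
BLOCK_RE = re.compile(r"<(Extension|Input|Output|Route)\s+(\S+)>(.*?)</\1>", re.S)
# "Directive   value" lines inside a block (XML-looking lines never match).
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)

def parse_nxlog(text):
    """Return {(block_kind, block_name): {directive: [values]}}."""
    blocks = {}
    for kind, name, body in BLOCK_RE.findall(text):
        directives = {}
        for key, value in DIRECTIVE_RE.findall(body):
            directives.setdefault(key, []).append(value)
        blocks[(kind, name)] = directives
    return blocks

def check_logstash_outputs(text):
    """Flag om_tcp outputs whose events would reach Logstash as raw text."""
    blocks = parse_nxlog(text)
    json_ext_loaded = any(kind == "Extension" and "xm_json" in d.get("Module", [])
                          for (kind, _), d in blocks.items())
    problems = []
    for (kind, name), d in blocks.items():
        if kind != "Output" or "om_tcp" not in d.get("Module", []):
            continue
        if not any("to_json()" in e for e in d.get("Exec", [])):
            problems.append(f"{name}: om_tcp output lacks 'Exec to_json();'")
        elif not json_ext_loaded:
            problems.append(f"{name}: to_json() needs an xm_json Extension block")
    return problems

if __name__ == "__main__":
    print("with to_json():", check_logstash_outputs(WITH_JSON) or "OK")
    print("without to_json():", check_logstash_outputs(WITHOUT_JSON))
```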