-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnxlog.conf
67 lines (57 loc) · 3.03 KB
/
nxlog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#NoFreeOnExit TRUE
# This code is licensed under MIT license (see LICENSE for details)
# Joel Eckert, joel@joelme.ca, 2022-08-11
# Install NXLog CE
# Configure NPS with the defaults, to log to XML
# File should be placed in the "NXLox" directory, e.g. "C:\Program Files (x86)\nxlog\conf\nxlog.conf"
# For troubleshooting, it also uploads the syslog/reparsed XML data to "C:\Program Files (x86)\nxlog\data\output.txt"
# Comment out <Output Out-File> section to disable local logging after troubleshooting is complete
# Replace NBDOMAIN with your NetBIOS domain name
# Enter the path to your NPS XML logs, if non-standard
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %ROOT%\data\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Input NPS>
Module im_file
# Replace this with the path to your NPS logs, normally C:\Windows\System32\LogFiles\IN*.log
File "C:\\windows\\system32\\logfiles\\IN*.log"
InputType LineBased
Exec $Message = $raw_event;
SavePos TRUE
ReadFromLast TRUE
<Exec>
# Replace NBDOMAIN with your NetBIOS domain name in all if statements below
# If the log line doesn't match the following format, drop it, it is not a user authentication attempt, connect or disconnect
if $raw_event !~ /(Type\sdata_type="0">)(\d{1,2})(<\/Acct)(.+)(Name\sdata_type="1">)([a-zA-Z0-9\$\._-]{3,15})(.*)(<\/User)(.+)(Address\sdata_type="3">)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(<\/Framed)/ drop ();
if $raw_event =~ /(Type\sdata_type="0">)(\d{1,2})(<\/Acct)(.+)(Name\sdata_type="1">)([a-zA-Z0-9\$\._-]{3,15})(.*)(<\/User)(.+)(Address\sdata_type="3">)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(<\/Framed)/ \
$raw_event = '<Event>' + '<Acct-Status-Type data_type="0">' + $2 + '</Acct-Status-Type>' + '<Framed-IP-Address data_type="3">' + $11 + '</Framed-IP-Address>' + '<User-Name data_type="1">' + 'NBDOMAIN\' + $6 + '</User-Name>' + '</Event>';
# Drop events if they are not user-authenticated, authenticated by computer account
if $raw_event =~ /(.+)(>NBDOMAIN\\host<)(.+)/ drop ();
</Exec>
</Input>
<Output User-ID-Agent>
Module om_tcp
# Replace this with the hostname of the Palo Alto User-ID Agent running on a Windows box
# User-ID Agent can generally not be installed on a DC, IP address of User-ID Agent host
# Ensure UDP 514 is allowed on the host from the NPS host that runs NXLog as a log collector / tail
Host 10.1.2.3
# Replace this with the port that the User-ID agent is listening on for Syslog connections
Port 514
</Output>
<Output Out-File>
Module om_file
File 'C:\program files (x86)\nxlog\data\output.txt'
CreateDir TRUE
</Output>
<Route 1>
# Sends from NPS to User-ID-Agent and also out to a file, for diagnostic purposes
# You can remove "=> Out-File" if you do not wish to log to a file, could become very large
Path NPS => User-ID-Agent => Out-File
</Route>