Linux Log Collection with NXLog

NXLog is a universal log collection and forwarding agent for various platforms, including Linux. With the NXLog Enterprise Edition, you can scan files and directories to report detected change, known as file integrity monitoring (FIM). USM Anywhere provides an BlueApp for Linux NXLog and the configuration file to collect FIM data. According to the vendor documentation, FIM is only available in the NXLog Enterprise Edition. In addition, NXLog must have permission to read the files you want to monitor. You can run NXLog as root, or make sure the nxlog user or group has permission to read the files. To download the configuration file from USM Anywhere

Log in to USM Anywhere and go to Settings > System.
In the left navigation panel, click NXLog Configuration to open the page.
Select Linux Systems.
Click File Integrity Monitoring.
Enter the IP address of your USM Anywhere Sensor.
Note: USM Anywhere uses UDP port 514 to forward the logs.
Click Create File to generate the new nxlog.conf file and save it to your NXLog installation directory.
Note: LevelBlue recommends you to save a copy of the original nxlog.conf file first.
Restart NXLog. The BlueApp for Linux NXLog is auto-discovered. No additional configuration is needed. Following is an example of the downloaded file:

#
# Configuration for converting and sending Linux logs
# to AlienVault USM Anywhere.
#
# Version: 0.0.1
# Last modification: 2020-12-02
#

define OUTPUT_DESTINATION_ADDRESS_AND_PORT 1.1.1.1:514

# Default values:
# Note: These values can change depending on the Linux flavour

define INSTALLDIR /opt/nxlog
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log
LogFile     %MYLOGFILE%

# Load extension common to all inputs
<Extension _json>
	Module	xm_json
</Extension>

<Extension _syslog>
	Module  xm_syslog
</Extension>

# Set all inputs
<Input rsyslog_in>
	Module      im_file
	File        "/var/log/syslog"
	Exec        parse_syslog();
</Input> 

<Input secure_in>
	Module	im_file
	File        "/var/log/auth.log"
	Exec        parse_syslog();
</Input>

<Input audit_in>
	Module	im_file
	File        "/var/log/audit/audit.log"
	Exec        parse_syslog();
</Input>

<Output out>
	Module      om_udp
	Host        %OUTPUT_DESTINATION_ADDRESS_AND_PORT%
	Exec        $EventTime = integer($EventTime) / 1000000;
	Exec        $EventReceivedTime = integer($EventReceivedTime)/1000000;
	Exec        $Message = to_json(); to_syslog_bsd();
</Output>

# Set common route
<Route USM_Out>
	Path rsyslog_in, secure_in, audit_in  => out
</Route>

#######################################################################
####                        FIM-LINUX-NXLOG-EE                    #####
####    Uncomment the following lines for FIM LINUX NXLOG EE      #####
####                          log forwarding                      #####
#######################################################################

## This config includes just the paths specified in nxlog official 
## documentation, but more paths can be added if needed

<Input fim_linux>
	Module          im_fim
	File            "/bin/*"
	File            "/etc/*"
	File            "/lib/*"
	File            "/opt/nxlog/bin/*"
	File            "/opt/nxlog/lib/*"
	File            "/sbin/*"
	File            "/usr/bin/*"
	File            "/usr/sbin/*"
	Exclude         "/etc/hosts.deny"
	Exclude         "/etc/mtab"
	Recursive       TRUE
	ScanInterval    1800
</Input>

 

<Output fim_out_linux>
	Module	om_udp
	Host	%OUTPUT_DESTINATION_ADDRESS_AND_PORT%
	Exec	$SourceName = "FIM-LINUX-NXLOG-EE";
	Exec	$Message = to_json(); to_syslog_bsd();
</Output>

<Route fim_route_linux>
	Path	fim_linux => fim_out_linux
</Route>

#######################################################################
####                        FIM-LINUX-NXLOG-EE                    #####
#######################################################################