Configuring Nxlog and Rsyslog Servers to Send Logs to NxSIEM Server
Comodo NxSIEM features agent-less log collection from Windows/Linux endpoints connected to customers' networks, through the use of Nxlog and Rsyslog utilities. This is useful for customers who do not wish to install agents on their endpoints. The NXLOG utility (Windows endpoints) and the RSYSLOG utility (Linux endpoints) need to be configured to send logs to the NxSIEM server.
Comodo NxSIEM provides ready-made configuration script files for each customer's network/zone, which can be downloaded from the respective 'Customer Details' page. Once connected, the NxSIEM server will be able to receive and store logs from the customer's endpoints.
The following sections explain how to download the NXLOG and RSYSLOG configuration files.
Administrators can download a specific customer's NXLOG configuration file from the administrative console and use this to configure the NXLOG utilities installed on Windows endpoints connected to the customer's network.
To download the NXLOG Configuration File
- Open the 'Asset Management' interface by clicking the 'Menu' button, then 'Assets' > 'Asset Management'.
- Select the customer from the left hand side pane.
The 'Customer Details' pane will open at the right.
- Click 'Manage' at the bottom left of the right pane and choose the 'Hard Assets' tab.
- Choose the network/zone you wish to configure from the right hand side pane and click the button in the row of the network/zone.
The authentication token, the authentication key and the download buttons for the NXLOG and RSYSLOG configuration script files for the selected network/zone will be displayed at the bottom of the right pane.
- Click the NXLOG Configuration File Download button as shown in the figure and save the file.
- Replace the NXLOG configuration file at `C:\Program Files (x86)\nxlog\conf\nxlog.conf` on the endpoints with the downloaded configuration file.
All settings in the configuration file are pre-configured and will instruct the NXLOG utility to send logs to the NxSIEM server. The NxSIEM server will receive and store the logs under the respective customer/network for monitoring and incident reporting.
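As an added illustration of what a forwarding configuration of this kind contains (an example only, not the NxSIEM-generated file; the collector hostname, port, CA certificate path and the use of TLS are assumptions, since the page does not describe the downloaded file's contents):

```nxlog
## Illustrative nxlog.conf that forwards the Windows Event Log to a SIEM collector.
## Added example: NOT the NxSIEM-generated file. The hostname, port, CA file and
## TLS transport below are placeholders; the real file downloaded from the
## 'Customer Details' page replaces this one at conf\nxlog.conf.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>

# Collect the Security, System and Application channels and serialise as JSON
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    to_json();
</Input>

# Forward over TLS so event contents are not readable or alterable on the wire.
# The collector's certificate is checked against the CA bundle; do not set
# AllowUntrusted TRUE in production, as that disables that check.
<Output siem>
    Module  om_ssl
    Host    siem.example.internal
    Port    6514
    CAFile  %ROOT%\cert\siem-ca.pem
    AllowUntrusted FALSE
</Output>

<Route eventlog_to_siem>
    Path    eventlog => siem
</Route>
```

After replacing the file, restart the nxlog service and check `%ROOT%\data\nxlog.log` for connection errors before assuming the SIEM is receiving events.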
Administrators can download a pre-configured RSYSLOG configuration script, generated specifically for each customer/network, from the administrative console. This script will configure RSYSLOG utilities installed on Linux endpoints in customer networks to send logs to the NxSIEM server.
To download the RSYSLOG Configuration File
- Open the 'Asset Management' interface by clicking the 'Menu' button, then 'Assets' > 'Asset Management'.
- Select a customer from the left hand pane.
The 'Customer Details' pane will open at the right.
- Click 'Manage' at the bottom left of the right pane and choose the 'Hard Assets' tab.
- Choose the network/zone whose endpoints are to be configured, from the right hand side pane and click the button in the row of the network/zone.
The authentication token, the authentication key and the download buttons for the NXLOG and RSYSLOG configuration script files for the selected network/zone will be displayed at the bottom of the right pane.
- Click the RSYSLOG Configuration File Download button as shown below and save the file.
- Run the script file on all required endpoints.
Alternatively, you can download the script file for configuring the RSYSLOG utility from the 'Agents' > 'Collection Agents' > 'Agentless Collection' interface, manually enter the parameters for the customer network to be monitored and run the script on the endpoints. Refer to the section Agentless Log Collection for more details.