通过Sysmon+Nxlog收集Windows Server 2012服务器日志，并以Syslog形式发送JSON格式数据至SIEM

0x01 环境介绍

Windows Server 2012 上已经安装并部署好域控，目的是除了收集Windows服务器本身的日志外，还收集域控环境下的各种日志。

0x02 Nxlog配置和使用

0x03 安装Sysmon

0x04 开启Windows服务器审核策略

0x05 修改Nxlog配置文件

  • 本次需要收集Windows服务器的System、Security、Application、Sysmon、PowerShell相关日志
  • 配置文件详情
# Panic Soft: on an internal assertion failure the agent logs the error and
# keeps running (possibly degraded) instead of aborting, so log shipping
# survives; Panic Hard would stop the service.
Panic Soft
#NoFreeOnExit TRUE

# Install root; every other path in this file is derived from it.
# CERTDIR is defined but not referenced anywhere in this file.
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

# Every *.conf dropped into nxlog.d is loaded as configuration, so write
# access to that directory is equivalent to editing this file.
include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

# Runtime directories: modules, cache (read positions), pid file and spool
# all live under %ROOT%\data.
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

# JSON serializer: provides to_json(), which the "out" output below uses to
# turn the whole event record into one JSON document.
<Extension json>
    Module      xm_json
</Extension>

# Syslog formatter: provides to_syslog_bsd(), used by "out" to wrap the JSON
# document in a BSD-style (RFC 3164) syslog header.
<Extension _syslog>
    Module      xm_syslog
</Extension>

# nxlog's own internal log messages are read as an input so that agent-side
# errors and warnings are shipped to the SIEM alongside the Windows events
# (see "Route 1" below).
<Input internal>
    Module      im_internal
</Input>

# Character-set conversion extension. The candidate list is tried in order
# (gbk first, for the Chinese-language event text). No convert()/convert_fields()
# call appears in this file, so the module is loaded but not used here.
<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets gbk, iso8859-2, utf-8, utf-16, utf-32
</Extension>

# Process-execution extension (exec()/exec_async()). Nothing in this file calls
# it; if it stays unused it can be dropped so the configuration cannot spawn
# external processes at all.
<Extension _exec>
    Module      xm_exec
</Extension>

# Rotation of nxlog's own log file (%LOGFILE%), keeping 8 generations.
<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Unconditional weekly rotation regardless of size.
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Windows Event Log reader. The Query value continues over several physical
# lines via trailing backslashes; every <Select> is unfiltered ("*"), so the
# only event filtering is the Exec at the end of the block.
<Input eventlog>
    Module      im_msvistalog
    # Channels collected: Application, System, Security, the Sysmon operational
    # log and the PowerShell operational log.
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
                    </Query>\
                </QueryList>
    # Drop Windows Filtering Platform audits 5156 (connection permitted) and
    # 5158 (bind permitted): very high volume. Anything dropped here never
    # reaches the SIEM, so keep this exclusion list reviewed.
    Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

# Ship each event as one UDP datagram: a JSON document carried as the MSG part
# of a BSD syslog line.
<Output out>
     Module      om_udp
     # SIEM collector. 536 is not the default syslog port (514); the listener on
     # the SIEM side must be configured to match.
     Host        192.168.50.20
     Port        536
     # integer() on a datetime field yields microseconds since the epoch, so
     # dividing by 1000000 gives Unix seconds (the sample event carries
     # "EventTime":1677158419).
     Exec        $EventTime = integer($EventTime) / 1000000;
     Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
     # to_json() serializes every field (including the original multi-line
     # $Message, with CR/LF escaped) into one JSON string stored back in
     # $Message; to_syslog_bsd() then builds the syslog line around it.
     Exec        $Message = to_json(); to_syslog_bsd();
     # NOTE(review): om_udp provides no delivery guarantee, integrity or
     # confidentiality, and Security-channel content (account names, SIDs,
     # logon IDs) crosses the network in clear. om_ssl is the encrypted
     # alternative if that matters; also watch for datagram-size truncation on
     # events with very long Message text.
</Output>

# Both the Windows events and nxlog's internal messages go to the same UDP
# collector.
<Route 1>
Path    eventlog, internal => out
</Route>

0x06 SIEM平台确认日志接收情况

image

  • 这里接收到的日志需要先使用Grok提取出JSON部分，再解析JSON生成各个字段，然后基于这些字段配置日常安全运营的相关策略进行告警。
  • 使用到的Grok语法
.+]: %{GREEDYDATA:windows2012_json}
  • 原始日志
<14>Feb 23 21:20:20 SHUNANDC2012.shunanatomic.com Microsoft-Windows-Security-Auditing[512]: {"EventTime":1677158419,"Hostname":"SHUNANDC2012.shunanatomic.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":516532,"ProcessID":512,"ThreadID":4984,"Channel":"Security","Message":"已注销帐户。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-18\r\n\t帐户名:\t\tSHUNANDC2012$\r\n\t帐户域:\t\tSHUNANATOMIC\r\n\t登录 ID:\t\t0xBB2EC6\r\n\r\n登录类型:\t\t\t3\r\n\r\n在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中,登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-18","TargetUserName":"SHUNANDC2012$","TargetDomainName":"SHUNANATOMIC","TargetLogonId":"0xbb2ec6","LogonType":"3","EventReceivedTime":1677158420,"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
  • 进行Json格式解析
    image
    image

0x07 SIEM平台效果展示

image
image
image


0x08 更新nxlog日志发送至华为平台

nxlog配置模板

  • 此nxlog配置可以在Windows环境下安装成功之后直接使用：将发送目标的IP地址更改为自己实际的IP地址，然后重启服务即可。
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

# Install root; the commented alternative is the "Program Files (x86)" path
# used by a 32-bit build. All directories below are derived from it.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Syslog formatter is loaded, but no to_syslog_*() call appears in this file:
# as far as this configuration shows, $raw_event leaves without a syslog
# PRI/timestamp header.
<Extension syslog>
    Module      xm_syslog
</Extension>
# JSON extension is loaded but to_json() is not called anywhere in this file.
<Extension json>
	Module xm_json
</Extension>

#define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log
#<Extension fileop>
#Module xm_fileop
## Check the size of our log file every hour and rotate if it is larger than 1Mb
#<Schedule>
#Every 1 hour
#Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 2);
#</Schedule>
## Rotate our log file every week on sunday at midnight
#<Schedule>
#When @weekly
#Exec file_cycle('%LOGFILE%', 2);
#</Schedule>
#</Extension>

# Windows Event Log reader for the Huawei-platform variant: System, Security
# and Application only (no Sysmon/PowerShell channels here). ReadFromLast
# starts at the newest record so a fresh install does not replay the whole log.
<Input eventlog>
    Module      im_msvistalog
	ReadFromLast TRUE
	<QueryXML>
		<QueryList>
			<Query Id="0">
				<Select Path="System">*</Select>
			</Query>
			<Query Id="1">
				<Select Path="Security">*</Select>
			</Query>
			<Query Id="2">
				<Select Path="Application">*</Select>
			</Query>
		</QueryList>
	</QueryXML>
	# Rewrites $raw_event into the pipe-delimited "key=value" record the
	# receiving platform expects. Values are inserted without escaping: a '|'
	# or CR/LF inside $Message or $AccountName (the sample event shows $Message
	# contains CR/LF) will shift or split fields at the parser.
	# NOTE(review): $AccountName is not present on every event; confirm how
	# nxlog concatenates an undefined field here, otherwise such events may
	# yield an empty/undefined $raw_event. $EventTime is a datetime, so the
	# string form produced by this concatenation should be checked against the
	# DetectTime format the platform expects.
	<Exec>
		$raw_event = "0|EventlogType=" +$Channel    +
					  "|DetectTime="   +$EventTime  +
					  "|EventSource="  +$SourceName +
					  "|EventID="      +$EventID    +
					  "|EventType="    +$EventType  +
					  "|EventCategory="+$Task       +
					  "|User="         +$AccountName+
					  "|ComputerName=" +$Hostname   +
					  "|Description="  +$Message;
	</Exec>
#	Exec	log_info("raw event is: " + $raw_event);
</Input>

# Tail Tencent RTX Server security log files (glob). SavePos persists the read
# offset across restarts; ReadFromLast skips existing content on first start.
# The two commented Exec lines are leftover debugging (an agent tag prefix and
# an echo into nxlog.log).
<Input in2>
Module im_file
File 'C:\Program Files (x86)\Tencent\RTXServer\Logs\Security\*'
SavePos TRUE
ReadFromLast TRUE
#Exec $raw_event = 'DbAppSOCAgent get log from "abc" ' + $raw_event;
#Exec log_info("raw event 2 is: " + $raw_event);
</Input>

#<Input in3>
#Module im_file
#File 'C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log\20151217_130836\\*.log'
#SavePos TRUE
#ReadFromLast TRUE
#Exec $raw_event = 'DbAppSOCAgent get log from "sqlserver" ' + $raw_event;
#Exec log_info("raw event 3 is: " + $raw_event);
#</Input>


# Plain UDP to the collector on the standard syslog port. There is no Exec
# here, so the datagram payload is exactly the $raw_event set by the inputs.
# UDP gives no delivery guarantee, integrity or confidentiality for the
# Security-log content it carries.
<Output out>
    Module      om_udp
    Host        10.11.8.10
    Port        514
</Output>

# The commented Path is the three-input version that also routed the disabled
# "in3" SQL Server setup-log input.
<Route udp1>
#    Path	eventlog,in2,in3 => out
	Path	eventlog,in2 => out    
</Route>
