Syslog and dynamic firewalling

Linux (and other Unix) systems already have the ability to log events to a syslog server. Windows' equivalent is the Event Log, which is not readily parsable with text-processing tools and is non-trivial to centralise if you do not have a Windows domain.

Windows log entries to a central syslog server

PowerShell script to install and configure NXLog

$Msi = "$env:USERPROFILE\nxlog-ce-2.10.2150.msi"
Invoke-WebRequest -Uri "https://nxlog.co/system/files/products/files/348/nxlog-ce-2.10.2150.msi" -OutFile $Msi
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$Msi`" /passive" -Wait
# Placeholder URL: wherever you host the nxlog.conf shown below
Invoke-WebRequest -Uri "https://<your-server>/nxlog.conf" -OutFile "C:\Program Files (x86)\nxlog\conf\nxlog.conf"
Restart-Service -Name nxlog   # the service is already running on the default config after the MSI install

Where nxlog.conf looks like:

Panic Soft

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data

ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %LOGDIR%\nxlog.log

# Provides to_syslog_bsd() used in the output below
<Extension syslog>
    Module xm_syslog
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# Collect the Security log plus the RDP transport log (records the source address of every RDP connection)
<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Windows event text spans many lines; fold it so each event is one syslog line for text tools
    Exec $Message = replace($Message, "\r\n", " ");
</Input>

# Plain UDP syslog: unencrypted and without delivery guarantees, so keep it on a trusted network
# (or use om_ssl to the collector)
<Output out>
    Module  om_udp
    # Replace syslogserverurl with the address of your syslog server
    Host    syslogserverurl
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route r>
    Path in => out
</Route>

Dynamic firewalling is most effective when based on multi-source analysis. CIS uses syslog as the central point that collates logs from multiple sources, processes them intelligently and feeds the results of active attacks to firewalls for blocking.
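The server-side half of what this paragraph describes, as an added example that is not part of the CIS page: Python that parses the forwarded Windows failed-logon messages (event 4625), in the form NXLog's to_syslog_bsd() output takes once the multi-line message is flattened to one line, flags sources that reach a failure threshold inside a time window, and emits ipset commands for the firewall. The sample lines, the year, the thresholds and the ipset name "blocklist" are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: NXLog to_syslog_bsd() output of the Security log, message flattened to one line
SAMPLE_LOG = """\
<13>Jan 10 10:00:01 WINSRV Microsoft-Windows-Security-Auditing[4]: An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: administrator Failure Information: Status: 0xC000006D Network Information: Source Network Address: 203.0.113.5 Source Port: 51234
<13>Jan 10 10:00:07 WINSRV Microsoft-Windows-Security-Auditing[4]: An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: admin Failure Information: Status: 0xC000006D Network Information: Source Network Address: 203.0.113.5 Source Port: 51240
<13>Jan 10 10:00:12 WINSRV Microsoft-Windows-Security-Auditing[4]: An account failed to log on. Subject: Account Name: - Logon Type: 10 Account For Which Logon Failed: Account Name: jsmith Failure Information: Status: 0xC000006D Network Information: Source Network Address: 192.168.1.20 Source Port: 4460
<13>Jan 10 10:00:15 WINSRV Microsoft-Windows-Security-Auditing[4]: An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: test Failure Information: Status: 0xC000006D Network Information: Source Network Address: 203.0.113.5 Source Port: 51250
"""
FAILED_LOGON_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Microsoft-Windows-Security-Auditing\[\d+\]: An account failed to log on\. "
    r".*?Account For Which Logon Failed: Account Name: (?P<user>\S+) .*?Source Network Address: (?P<src>\S+)")
# Address ranges that are never fed to the firewall, whatever the failure count
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_failed_logons(text, year=2019):
    # (time, host, user, source) per failed-logon (4625) line; BSD syslog has no year, so one is assumed
    events = []
    for line in text.splitlines():
        m = FAILED_LOGON_RE.match(line)
        if m:  # successful logons and other sources simply do not match
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["host"], m["user"], m["src"]))
    return events

def find_brute_force(events, threshold=3, window=timedelta(minutes=10)):
    # source -> total failures, for sources with `threshold` failures inside one `window`
    by_src = defaultdict(list)
    for ts, _host, _user, src in events:
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # "-" or a hostname: nothing routable to block
        if not any(ip in net for net in LAN_NETS):
            by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            hits[src] = len(times)
    return hits

def ipset_commands(hits, setname="blocklist", ttl=3600):
    # Firewall side: an ipset (assumed name) created with timeout support, so blocks expire on their own
    return [f"ipset -exist add {setname} {src} timeout {ttl}" for src in sorted(hits)]
```

The LAN host in the sample (192.168.1.20) is deliberately excluded, so a mistyped password on the office network never blocks the office.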

syslog is a standard for message logging

PowerShell is used for automating the install and configuration of NXLog


© Commercial Internet Solutions Limited (2019-)
Registered in England and Wales, Company No. 07276867

