
Windows Hostlogs (AERSS)

Windows Hostlogs collection is configured through an existing ActiveEye Remote Security Sensor (AERSS) which resides inside a customer network.

Prerequisites

In order to create a Windows Hostlogs collector you will need an existing AERSS service connector.

Service connector creation

  1. First, go to Admin => Service Connectors, click the "Add Connector" button, and pick "Windows Hostlogs" from the list under the "SYSTEM & APPLICATIONS" section.
  2. Fill out the Display Name and Account Priority fields following the same conventions as for any other service connector. Leave "Enabled" checked unless there is a specific requirement not to.
  3. In the AERSS Connector field, select the corresponding AERSS service connector. Note that this AERSS service connector must not already be associated with another Windows Hostlogs service connector.

When you have filled out all the fields and verified that the information provided is correct, click "Add."

NXLog Installation and Configuration

Finally, on any Windows machine that will send its logs to the AERSS Windows Hostlogs service connector, download and install the NXLog Community Edition Windows installer (https://nxlog.co/products/nxlog-community-edition/download).

After installation, open your nxlog.conf file (likely located at C:\Program Files (x86)\nxlog\conf) and add the following lines to the bottom:

# Provides the to_json() procedure used in the Output block below.
<Extension json>
    Module      xm_json
</Extension>

# Read the Application, System and Security channels from the Windows Event Log.
<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

# Send each event as one JSON datagram to the AERSS sensor on UDP port 514.
# Plain UDP is neither encrypted nor delivery-guaranteed, so this traffic stays
# inside the customer network where the sensor resides.
<Output udp>
    Module      om_udp
    Host        [AERSS host IP]
    Port        514
    <Exec>
        # NXLog datetime values are microseconds since the epoch; convert both to seconds.
        $EventTime = integer($EventTime) / 1000000;
        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
        to_json();
    </Exec>
</Output>

# Connect the eventlog input to the udp output.
<Route eventlog_to_udp>
    Path        eventlog => udp
</Route>

Here, replace [AERSS host IP] with the IP address of the AERSS host in your environment.

Then, go to Services, find the nxlog service, and start it. Make sure it is configured to start automatically at boot.
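Once the steps above are done, the following PowerShell script (an added example, not part of the ActiveEye documentation or of NXLog itself) verifies the finished state on the Windows host: that nxlog.conf no longer carries the placeholder and selects all three channels, that the nxlog service is set to start automatically and is running, and that a test datagram can be sent to the sensor address. It assumes the default NXLog CE install paths, and uses 192.0.2.10 as a stand-in for the AERSS host IP.

```powershell
# Added example, not part of the ActiveEye documentation: post-install checks for the
# NXLog forwarder configured above. Run from an elevated PowerShell on the Windows host.
$ConfPath = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'   # path stated in the documentation
$LogPath  = 'C:\Program Files (x86)\nxlog\data\nxlog.log'    # assumption: NXLog CE default log file

function Test-NxlogConfig {
    # Emits one line per problem found in nxlog.conf; no output means it matches the documented config.
    param([string]$Path = $ConfPath)
    if (-not (Test-Path -Path $Path)) { throw "nxlog.conf not found at $Path" }
    $conf = Get-Content -Path $Path -Raw
    $problems = @()
    # The Host line must carry the real sensor address, not the documentation's placeholder.
    if ($conf -match '\[AERSS host IP\]') { $problems += 'Host still contains the [AERSS host IP] placeholder' }
    # All three channels the documentation collects must be selected.
    foreach ($ch in 'Application', 'System', 'Security') {
        if ($conf -notmatch "<Select Path=`"$ch`">") { $problems += "Channel $ch is not selected in the eventlog Input" }
    }
    # The route has to connect the eventlog input to the udp output.
    if ($conf -notmatch 'Path\s+eventlog\s*=>\s*udp') { $problems += 'Route eventlog => udp is missing' }
    return $problems
}

function Start-NxlogService {
    # Enforces the final step of the procedure: automatic start type, and running now.
    $svc = Get-Service -Name nxlog -ErrorAction Stop
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name nxlog -StartupType Automatic }
    if ($svc.Status -ne 'Running') { Start-Service -Name nxlog }
    return (Get-Service -Name nxlog)
}

function Send-NxlogTestDatagram {
    # Sends one constructed JSON record (EventTime in epoch seconds, as the Exec block produces)
    # to the sensor over plain UDP, so its arrival can be confirmed on the AERSS side.
    param([Parameter(Mandatory)][string]$SensorIp, [int]$Port = 514)
    $record = @{
        EventTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        Hostname  = $env:COMPUTERNAME
        Channel   = 'Application'
        Message   = 'nxlog forwarder connectivity check'
    } | ConvertTo-Json -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($record)
    $udp = New-Object System.Net.Sockets.UdpClient
    try { return $udp.Send($bytes, $bytes.Length, $SensorIp, $Port) } finally { $udp.Close() }
}

# Usage: replace 192.0.2.10 (a documentation address) with the AERSS host IP from your environment.
Test-NxlogConfig | ForEach-Object { Write-Warning $_ }
Start-NxlogService | Format-List Name, Status, StartType
"Sent $(Send-NxlogTestDatagram -SensorIp '192.0.2.10') bytes to the sensor"
if (Test-Path $LogPath) { Get-Content -Path $LogPath -Tail 50 | Select-String -Pattern 'ERROR' }   # recent NXLog errors, e.g. a bad Host value
```

A successful UDP send only proves the datagram left the host; confirm on the AERSS side that the test record, and then real Application, System and Security events, actually arrive.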