...
Source | Destination | Port |
---|---|---|
Microsoft IIS (NxLog Agent) | CyberHub | 10014 (TCP) |
Microsoft IIS (Epilog Agent & Syslog-NG Agent) | CyberHub | 10013 |
To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.
...
In Logging > Log File, click W3C in the Format and click Select Fields.
...
In the Log File area in the Logging pane, click on Select Fields.
In W3C Logging Fields window, click select all fields, then click OK.
To get the real source IPs in the IIS hit logs for servers, create a new custom field (optional)
...
Source Type – Request Header
Source – X-FORWARDED-FOR
...
Please proceed with restarting IIS. Following this action, our IIS logs will display the IP addresses of client PCs instead of the IP addresses of the load balancer.
To configure NxLog Agent for Microsoft IIS logs on port 10014
Download and install the NXLog Windows agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.
Navigate to
services.msc
and stop the nxlog service.Navigate to the folder
C:\Program Files\nxlog\data
and delete the fileconfigcache.dat
if it present.Rename the attached
file toView file name Nxlog_MS-IIS_TCP.conf nxlog.conf
and copy intoC:\Program Files\nxlog\conf.
folder.Replace the placeholder
CyberHub IP
with the actual CyberHub IP in the nxlog.conf file.Copy the previously created certificate file on Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against "CAFile" on line number 45 & 6543.
Now, start the NxLog service from services.msc.
NXLog agent logs will be available at the location
C:\Program Files\nxlog\data\nxlog.log
.The log flow should work, and you can check it using tcpdump with the command
tcpdump -AA port 10014
...