Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Source

Destination

Port

Microsoft IIS (NxLog Agent)

CyberHub

10014 (TCP)

Microsoft IIS (Epilog Agent & Syslog-NG Agent)

CyberHub

10013

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

...

  1. In Logging > Log File, click W3C in the Format and click Select Fields.

...

  1. In the Log File area in the Logging pane, click on Select Fields.

  2. In W3C Logging Fields window, click select all fields, then click OK.

  3. To get the real source IPs in the IIS hit logs for servers, create a new custom field (optional)

...

Source Type – Request Header

Source – X-FORWARDED-FOR

...

  1. Please proceed with restarting IIS. Following this action, our IIS logs will display the IP addresses of client PCs instead of the IP addresses of the load balancer.

To configure NxLog Agent for Microsoft IIS logs on port 10014

  1. Download and install the NXLog Windows agent from the following location: https://nxlog.co/products/nxlog-community-edition/download.

  2. Navigate to services.msc and stop the nxlog service.

  3. Navigate to the folder C:\Program Files\nxlog\data and delete the file configcache.dat if it present.

  4. Rename the attached

    View file
    nameNxlog_MS-IIS_TCP.conf
    file to nxlog.conf and copy into C:\Program Files\nxlog\conf. folder.

  5. Replace the placeholder CyberHub IP with the actual CyberHub IP in the nxlog.conf file.

  6. Copy the previously created certificate file on Windows machine where nxlog agent is installed and mentioned this cert path in nxlog.conf against "CAFile" on line number 45 & 6543.

  7. Now, start the NxLog service from services.msc.

  8. NXLog agent logs will be available at the location C:\Program Files\nxlog\data\nxlog.log.

  9. The log flow should work, and you can check it using tcpdump with the command tcpdump -AA port 10014

...