Integrate with NXLog

In this topic, you will learn how to send Portnox™ Cloud alerts to an on-premises NXLog Community Edition instance.

Important: Portnox Cloud can send alerts to your on-premises SIEM in one of two ways: by using an on-premises portnox-siem Docker container, or by using on-premises Active Directory Broker (AD Broker). We recommend using the Docker image, unless you already use AD Broker to integrate with your on-premises Active Directory authentication repository or OpenLDAP repository. Complete the first section of this topic and then choose either the second or the third section, depending on whether you use Docker or AD Broker.

Before you start, download and install NXLog Community Edition on a physical or virtual machine in the same local subnet as the portnox-siem Docker container or AD Broker.

Note: These instructions can be easily adjusted for any other on-premises syslog listener. The configuration on the Portnox side remains the same; you just need to know how to set up your listener to accept syslog data on a local IP address using TCP port 514.

Configure NXLog

In this section, you will modify the nxlog.conf file to accept syslog data from Portnox Cloud.

  1. Open the nxlog.conf file in a text editor.
    • On Windows, the default file location is: C:\Program Files\nxlog\conf\nxlog.conf.
    • On Linux, the default file location is: /etc/nxlog/nxlog.conf.
  2. Add the following at the end of the nxlog.conf file:
    • Windows:

      <Input syslog_tcp>
        Module im_tcp
        Host 0.0.0.0
        Port 514
        Exec parse_syslog();
      </Input>
                                      
      <Output file_output>
        Module om_file
        File "C:\\Program Files\\nxlog\\data\\received_logs.txt"
      </Output>
                                      
      <Route syslog_route>
        Path syslog_tcp => file_output
      </Route>
    • Linux:

      <Input syslog_tcp>
        Module im_tcp
        Host 0.0.0.0
        Port 514
        Exec parse_syslog();
      </Input>
                                      
      <Output file_output>
        Module om_file
        File "/var/log/nxlog/received_logs.txt"
      </Output>
                                      
      <Route syslog_route>
        Path syslog_tcp => file_output
      </Route>
    Note: Adjust the configuration if needed, for example, by changing the file locations or the host IP address/interface. The parse_syslog() call requires the xm_syslog extension module, which the default nxlog.conf already declares in its <Extension _syslog> block; keep that block if you trim the file.
  3. Restart NXLog:
    • Windows:

      net stop nxlog
      net start nxlog
    • Linux:

      sudo systemctl restart nxlog
  4. Optional: Check if NXLog is listening on TCP port 514:
    • Windows:

      netstat -ano | findstr :514
    • Linux:

      sudo netstat -tuln | grep :514

    On Windows, you should see output similar to the following (on Linux, the matching netstat line ends in LISTEN instead of LISTENING):

    TCP  0.0.0.0:514  0.0.0.0:0  LISTENING
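    The listener check above only proves that the port is open. To confirm that syslog records actually reach received_logs.txt, the following Python script (an added example, not part of the Portnox or NXLog documentation) builds a constructed CEF alert in syslog framing, sends it to the listener, and parses CEF lines back into fields, including the escaped "|", "=" and backslash characters that a naive split would mangle. It assumes the script runs on the NXLog machine (127.0.0.1:514); the vendor, product, signature ID and extension keys are invented sample values, not the real Portnox Cloud alert schema.

```python
# Added example, not part of the Portnox or NXLog documentation.
# Builds a constructed CEF alert in syslog framing, sends it to the NXLog
# listener configured above (assumed reachable on 127.0.0.1:514), and parses
# CEF lines as they appear in received_logs.txt. All event values below are
# invented sample data, NOT the real Portnox Cloud alert schema.
import re
import socket

LISTENER_HOST = "127.0.0.1"  # assumption: script runs on the NXLog machine
LISTENER_PORT = 514


def _escape_header(value):
    # CEF header fields escape backslash and the pipe separator
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # CEF extension values escape backslash, '=' and line breaks
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor, product, version, sig_id, name, severity, extensions):
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, sig_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


def build_syslog_line(cef_message, hostname="portnox-test", app="portnox-siem",
                      priority=14):
    # RFC 3164 (BSD) framing, which NXLog's parse_syslog() understands;
    # fixed constructed timestamp so the output is reproducible
    return f"<{priority}>Jan  1 12:00:00 {hostname} {app}: {cef_message}"


def sample_syslog_line():
    # Constructed test alert; the '=' inside msg exercises extension escaping
    cef = build_cef("Portnox", "Cloud", "1.0", "1001", "Device blocked", 7,
                    {"src": "10.0.0.5", "suser": "jdoe", "msg": "Policy=Guest denied"})
    return build_syslog_line(cef)


def send_test_event(line=None, host=LISTENER_HOST, port=LISTENER_PORT):
    # im_tcp splits records on newline, so terminate the message with '\n'
    line = line or sample_syslog_line()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode("utf-8") + b"\n")
    return line


def _split_header(payload):
    # Split on unescaped '|' for the 7 header fields; the rest is the extension
    parts, cur, i, n = [], [], 0, len(payload)
    while i < n and len(parts) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < n:
            cur.append(payload[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(payload[i:])  # extension string, still escaped
    return parts


def _unescape_extension(value):
    out, i, n = [], 0, len(value)
    while i < n:
        c = value[i]
        if c == "\\" and i + 1 < n:
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_cef(line):
    """Parse one received line (syslog header optional) into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _split_header(line[start:])
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    ext, extensions = parts[7], {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        extensions[m.group(1)] = _unescape_extension(ext[m.end():end])
    return {"vendor": parts[1], "product": parts[2], "version": parts[3],
            "signature_id": parts[4], "name": parts[5], "severity": parts[6],
            "extensions": extensions}


def parse_received_file(path):
    # Parse every CEF-carrying line NXLog wrote via om_file; skip other lines
    with open(path, encoding="utf-8", errors="replace") as f:
        return [parse_cef(raw.rstrip("\r\n")) for raw in f if "CEF:" in raw]


if __name__ == "__main__":
    print("sent:", send_test_event())
```

    Run the script on the NXLog host after restarting the service; within a few seconds the line it prints should appear in received_logs.txt, and `parse_received_file("/var/log/nxlog/received_logs.txt")` (or the Windows path from the configuration) returns it as a dict. If nothing arrives, the usual causes are a host firewall blocking TCP 514 or the Host directive bound to an interface other than the one you send to.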

Configure Portnox Cloud with the portnox-siem Docker container

In this section, you will learn how to configure Portnox™ Cloud to send alert data to an on-premises portnox-siem Docker container, which then forwards it to the on-premises NXLog syslog listener.

Note: Complete this section only if you want to forward alert data via the portnox-siem Docker container. Skip this section if you want to forward alert data via AD Broker.
Note: Before you start, install Docker on a local machine (physical or virtual) in the same subnet as your on-premises NXLog installation. For more information about installing Docker, see our guides for using Docker with Portnox local RADIUS servers: Install Docker for Linux or Install Docker Desktop for Windows.
  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.

  3. Create a new SIEM integration.
    1. In the SIEM integration service section, click on the Add new SIEM link.

      The NEW SIEM INTEGRATION section opens.

    2. In the Type field, select the Custom option.

    3. In the Name field, enter the name for the new integration.

      In this example, we used the name NXLog but you can use any name you like.

    4. In the Status field, select the Enabled option.

    5. In the Protocol type field, select the Syslog over TCP option.

    6. In the IP field, enter the private IP address of the machine with the NXLog listener.

    7. In the Port field, type 514.

    8. In the Communication method field, select the Via Docker image: portnox-siem option.

    9. In the Data format field, select the CEF option.

    10. Click on the Save button to add the integration.

    11. In your list of SIEM integrations, click on the Edit button in the row representing the configuration that you just created.

    12. Click on the Copy command link under the Via Docker image: portnox-siem option.

    13. Paste the command in your shell or command line window on the machine where you installed Docker.
      Note: If you’re using Docker with Windows, replace the \ characters at the end of each line with ^ characters or remove the \ characters and paste the entire command as a single line.
    14. Optional: Click on the Test button in the row representing the configuration that you just created.

      Result: You will see the following information in this row: Docker image: Active.

  4. Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
    Note: To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

    You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: NXLog is receiving alerts from Portnox Cloud via the portnox-siem Docker container.

Configure Portnox Cloud with AD Broker

In this section, you will learn how to configure Portnox™ Cloud to send alert data to AD Broker, which then forwards it to the on-premises NXLog syslog listener.

Note: Complete this section only if you want to forward alert data via AD Broker. Skip this section if you want to forward alert data via the portnox-siem Docker container.
  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.

  3. Create a new SIEM integration.
    1. In the SIEM integration service section, click on the Add new SIEM link.

      The NEW SIEM INTEGRATION section opens.

    2. In the Type field, select the Custom option.

    3. In the Name field, enter the name for the new integration.

      In this example, we used the name NXLog but you can use any name you like.

    4. In the Status field, select the Enabled option.

    5. In the Protocol type field, select the Syslog over TCP option.

    6. In the IP field, enter the private IP address of the machine with the NXLog listener.

    7. In the Port field, type 514.

    8. In the Communication method field, select the Via CLEAR Directory Broker option.

    9. In the Data format field, select the CEF option.

    10. Click on the Save button to add the integration.

  4. Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
    Note: To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

    You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: NXLog is receiving alerts from Portnox Cloud via AD Broker.