Integrate with NXLog

In this topic, you will learn how to send Portnox™ Cloud alerts to an on-premises NXLog Community Edition instance.

Before you start:

Integrate Portnox Cloud with on-premises Active Directory and install AD Broker.

AD Broker is required to send alerts to an on-premises SIEM solution. It connects with Portnox Cloud, receives log data, and forwards it to an on-premises syslog collector like NXLog. Without AD Broker, the syslog collector on an internal IP would not be reachable.

Note: In an upcoming Portnox Cloud update, a Docker container with the same functionality will replace AD Broker in this setup. This will remove the need to use Active Directory as an authentication repository.
Download and install NXLog Community Edition on a physical or virtual machine.

Note: These instructions can be easily adjusted for any other on-premises syslog listener. The configuration on the Portnox side remains the same; you just need to know how to set up your listener to accept syslog data on a local IP address using TCP port 514.

Configure NXLog

In this section, you will modify the nxlog.conf file to accept syslog data from Portnox Cloud via AD Broker.

Open the nxlog.conf file in a text editor.
- On Windows, the default file location is: C:\Program Files\nxlog\conf\nxlog.conf.
- On Linux, the default file location is: /etc/nxlog/nxlog.conf.

Add the following at the end of the nxlog.conf file:

Windows:

<Input syslog_tcp>
  Module im_tcp
  Host 0.0.0.0
  Port 514
  Exec parse_syslog();
</Input>
                                
<Output file_output>
  Module om_file
  File "C:\\Program Files\\nxlog\\data\\received_logs.txt"
</Output>
                                
<Route syslog_route>
  Path syslog_tcp => file_output
</Route>

Linux:

<Input syslog_tcp>
  Module im_tcp
  Host 0.0.0.0
  Port 514
  Exec parse_syslog();
</Input>
                                
<Output file_output>
  Module om_file
  File "/var/log/nxlog/received_logs.txt"
</Output>
                                
<Route syslog_route>
  Path syslog_tcp => file_output
</Route>

Note: Adjust the configuration if needed, for example, by changing the file locations or the host IP address/interface.

Restart NXLog:

Windows:
```
next stop nxlog
```
```
next start nxlog
```
Linux:
```
sudo systemctl restart nxlog
```

Optional: Check if NXLog is listening on TCP port 514:
- Windows:
```
netstat -ano | findstr :514
```
- Linux:
```
sudo netstat -tuln | grep :514
```
You should see output similar to:
```
TCP  0.0.0.0:514  0.0.0.0:0  LISTENING
```

Configure Portnox Cloud

In this section, you will learn how to configure Portnox™ Cloud to send alert data to AD Broker and then forward them to the on-premises NXLog syslog listener.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.
Create a new SIEM integration.
1. In the SIEM integration service section, click on the Add new SIEM link.
  
  The NEW SIEM INTEGRATION section opens.
2. In the Type field, select the Custom option.
3. In the Name field, enter the name for the new integration.
  
  In this example, we used the name NXLog but you can use any name you like.
4. In the Status field, select the Enabled option.
5. In the Protocol type field, select the Syslog over TCP option.
6. In the IP field, enter the private IP address of the machine with the NXLog listener.
7. In the Port field, type 514.
8. In the Communication method field, select the Via CLEAR Directory Broker option.
9. In the Data format field, select the CEF option.
10. Click on the Save button to add the integration.
Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.

Note: To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: NXLog is receiving alerts from Portnox Cloud.