Whether you are using NXLog Community or Enterprise on a Windows Server 2008 or newer domain controller, you may notice that security events are not being sent to your log collector. You might see error messages indicating that you have hit the limit on the number of subscriptions and assume you need to restrict your Query to correct the problem. I agree that you should at least filter the Windows Firewall events when running NXLog on any Windows server, and reduce what you forward to only the events you actually need (for the health and storage space of your collectors, if nothing else), but on a domain controller the subscription error is a red herring.

The NXLog documentation will tell you that you are dealing with a permissions issue, but it does not go into detail on how to correct the permissions specifically on a Windows 2008+ DC.

The problem stems directly from the fact that a domain controller does not use local groups for permissions, so the account NXLog runs under (NT AUTHORITY\NETWORK SERVICE in this setup) never ends up with read access to the Security log. You need to add an ACE granting read access (0x1) to NETWORK SERVICE to the channel's SDDL, as in (A;;0x1;;;NS). Two caveats before you run the command below: first, NS is just the SDDL alias for the well-known SID S-1-5-20, so the last two ACEs in the command are the same grant twice and either one alone is enough; second, wevtutil sl /ca replaces the whole channel access descriptor, so read the current one with wevtutil gl security and append your ACE to it rather than pasting this string over a descriptor that may differ on your DC. If the "Configure log access" Group Policy setting for the Security log is applied to the DC, make the change in the policy instead, or it will be reverted on the next policy refresh.

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS) 
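The script below is an added example and not part of the original post: it does the same thing as the one-liner above, but reads the DC's current channel access descriptor first, checks whether NETWORK SERVICE (S-1-5-20, alias NS) already has read access, and only then appends the ACE, so nothing already in the descriptor is lost. The registry path checked at the end for the "Configure log access" policy is an assumption on my part about where that policy stores its value; the wevtutil calls and the SDDL parsing are standard.

```powershell
# Added example (not from the original post): grant NETWORK SERVICE read access
# to the Security channel by appending an ACE to the channel's current SDDL
# instead of replacing the whole descriptor. Run from an elevated prompt on the DC.
$Channel = 'Security'
# SDDL alias 'NS' and SID S-1-5-20 both mean NT AUTHORITY\NETWORK SERVICE,
# so a single ACE is enough; the well-known SID form is used here.
$NetworkServiceSid = 'S-1-5-20'
$ReadRight         = 0x1

function Get-ChannelSddl {
    param([string]$Name)
    # 'wevtutil gl' prints "key: value" lines; channelAccess carries the SDDL.
    $line = wevtutil gl $Name | Where-Object { $_ -match '^channelAccess:' }
    if (-not $line) { throw "channelAccess not found for channel '$Name'" }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function Test-ChannelReadAce {
    param([string]$Sddl, [string]$Sid)
    # Walk the DACL: each ACE is "(type;flags;rights;objguid;inhguid;trustee)".
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }
        $type, $rights, $trustee = $f[0], $f[2], $f[5]
        if ($type -ne 'A') { continue }                          # allow ACEs only
        if ($trustee -ne $Sid -and $trustee -ne 'NS') { continue }
        # Event log channel ACEs use hex rights ("0x1", "0xf0005"); letter codes
        # such as "GR" are not handled here.
        if ($rights -match '^0x[0-9a-fA-F]+$' -and
            ([Convert]::ToInt32($rights, 16) -band $ReadRight)) { return $true }
    }
    return $false
}

$current = Get-ChannelSddl -Name $Channel
Write-Host "Current $Channel SDDL: $current"

if (Test-ChannelReadAce -Sddl $current -Sid $NetworkServiceSid) {
    Write-Host 'NETWORK SERVICE already has read access; nothing to do.'
} else {
    # Append rather than overwrite, so SYSTEM, Administrators and
    # Event Log Readers keep whatever access they have today.
    $new = $current + "(A;;0x1;;;$NetworkServiceSid)"
    wevtutil sl $Channel "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    # Re-read the descriptor to confirm the change stuck.
    $after = Get-ChannelSddl -Name $Channel
    if (-not (Test-ChannelReadAce -Sddl $after -Sid $NetworkServiceSid)) {
        throw "ACE was not applied; descriptor is now: $after"
    }
    Write-Host "Updated $Channel SDDL: $after"
}

# Assumption: the "Configure log access" Group Policy setting stores its SDDL
# under this key; if it is set, policy refresh will overwrite the wevtutil
# change, and the ACE should be added in the GPO instead.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
if (Test-Path $policyKey) {
    $gpo = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ChannelAccess
    if ($gpo) { Write-Warning "Group Policy also sets channelAccess ($gpo); change the policy or this edit will be reverted." }
}
```

After running it, restart the NXLog service and confirm that Security events start arriving; if they still do not, check the account the service actually runs as, since an ACE for NETWORK SERVICE does nothing for a service running as a different identity.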

If you have not already gone through the steps of testing on similar Windows 2008+ servers and tuned your im_msvistalog configuration, I would advise you to do so, if only to prepare for the volume of events you are likely to receive from your DCs. If you are running a collector like Graylog and dealing with events at moderate to high volume, filter as many extraneous events as possible before they hit the collector.
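Before committing a filter to im_msvistalog, it is worth running the same query against the DC itself to see what it would actually forward. The script below is an added example, not from the original post: the XML is in the same Windows event query format that im_msvistalog's QueryXML directive and Get-WinEvent -FilterXml both accept, and the Suppress clause drops the Windows Filtering Platform (firewall) events that usually dominate the Security log (5152 packet dropped, 5156 connection permitted, 5157 connection blocked, 5158 bind permitted). The one-hour window and the 20000-event cap are assumptions chosen for the demonstration; the event ID profile it prints is what tells you whether the DC's volume is going to be a problem for your collector.

```powershell
# Added example (not from the original post): dry-run the event filter you intend
# to give im_msvistalog against the DC's own Security log and profile the volume.
# Run on the DC from an elevated prompt.
# Assumptions: last-hour window and 20000-event cap are demo values.
$QueryXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
    <Suppress Path="Security">*[System[(EventID=5152 or EventID=5156 or EventID=5157 or EventID=5158)]]</Suppress>
  </Query>
</QueryList>
'@

function Get-EventIdProfile {
    param([string]$FilterXml, [int]$MaxEvents = 20000)
    # Get-WinEvent -FilterXml takes exactly this query format, so what comes
    # back here is what NXLog would forward under the same QueryXML.
    $events = Get-WinEvent -FilterXml ([xml]$FilterXml) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return @() }
    $events | Group-Object -Property Id | Sort-Object Count -Descending |
        Select-Object @{n = 'EventId'; e = { [int]$_.Name }}, Count
}

# Same window with the firewall events left in, to measure what the Suppress saves.
$UnfilteredXml = $QueryXml -replace '(?s)<Suppress.*?</Suppress>', ''

$filtered   = Get-EventIdProfile -FilterXml $QueryXml
$unfiltered = Get-EventIdProfile -FilterXml $UnfilteredXml
$fTotal = [int](($filtered   | Measure-Object Count -Sum).Sum)
$uTotal = [int](($unfiltered | Measure-Object Count -Sum).Sum)

"Last hour, unfiltered (capped at 20000): $uTotal events"
"Last hour, with WFP events suppressed:   $fTotal events"
"Top event IDs after filtering:"
$filtered | Select-Object -First 10 | Format-Table -AutoSize
```

If the unfiltered count hits the cap while the filtered one does not, the firewall events alone were the bulk of your volume; if both are still high, look at the event IDs in the table and extend the Suppress clause with whatever you do not need at the collector.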

On the Graylog side, be very aware of your input extractors and your stream rules, as performance drops dramatically with inappropriate regular expressions. Generally speaking, take advantage of multiple inputs and send your high-volume logs to dedicated inputs wherever possible; that keeps your stream rules and extractors simple, and with NXLog sending GELF you should not need extractors on the GELF inputs at all.
