Device Integration: Windows AD and IIS

Modified on Thu, 7 May at 5:46 PM

Overview

This article explains how to enable and forward Active Directory (AD) audit logs and IIS web server logs from a Windows server to ADR CCE using NxLog. Once configured, ADR ingests, normalizes, and analyses these logs to provide visibility into user authentication, system events, and web application traffic.


Prerequisites

  • Admin access to the Windows server hosting AD and IIS.

  • Outbound connectivity from the Windows server to ADR CCE on:

    • UDP 514 (IIS logs)

    • UDP 5154 (AD audit logs)

  • Installed NxLog Community Edition (download link).

  • IIS Logging enabled


Enabling Audit & IIS Logs

Enable Windows / AD Audit Logs

Follow ADR KB instructions:

Enabling Windows Security Events using Audit Policy

Enable IIS Logging

  1. Log in to the Windows server.

  2. Open IIS Manager.

  3. Select your server → double-click Logging.

  4. Ensure logging is enabled, the log file directory is configured, and the W3C format is selected. Reference: Enable Logging on Windows IIS Server


NxLog Configuration for AD and IIS

File Location

C:\Program Files\nxlog\conf\nxlog.conf

Sample Configuration

Replace file content with the following (update <CCE_IP> with your ADR CCE IP):


###############################################
# NxLog configuration for AD + IIS logs
###############################################

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
  Module xm_json
</Extension>

<Extension syslog>
  Module xm_syslog
</Extension>

################################################
# Active Directory / Windows Security Audit Logs
################################################
# Event IDs of interest. Note: this macro is not referenced by the query
# below, so every event from the three selected channels is forwarded.
define aisiem                                                                       \
2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 41, 104, 500,   \
520, 600, 1001, 1006, 1007, 1008, 1015, 1033, 1034, 1074, 1102, 1116, 1117, 1118,   \
1119, 1125, 2003, 2100, 4103, 4104, 4608, 4609, 4616, 4618, 4624, 4625, 4634, 4647, \
4648, 4649, 4656, 4657, 4659, 4660, 4661, 4662, 4663, 4670, 4672, 4673, 4674, 4685, \
4688, 4690, 4697, 4698, 4699, 4700, 4702, 4703, 4704, 4705, 4707, 4717, 4718, 4719, \
4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, \
4735, 4737, 4738, 4739, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, 4748, 4749, \
4750, 4751, 4752, 4753, 4754, 4755, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, \
4764, 4765, 4767, 4769, 4771, 4772, 4776, 4777, 4778, 4779, 4780, 4781, 4782, 4783, \
4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4794, 4797, 4798, 4799, 4800, 4801, \
4802, 4803, 4946, 4947, 4950, 4954, 4964, 4985, 5001, 5004, 5007, 5010, 5012, 5025, \
5031, 5136, 5137, 5140, 5141, 5142, 5143, 5144, 5145, 5152, 5153, 5155, 5157, 5376, \
5377, 5447, 5712, 6005, 6006, 6008, 7034, 7035, 7036, 7040, 7045, 8003, 8004, 8007, \
11707, 11708, 23010, 23050, 23090, 34112, 34113, 64004

<Input in_ad>
    Module im_msvistalog
    Query <QueryList>\
              <Query Id="0">\
                   <Select Path="Security">* </Select>\
                   <Select Path="Application">* </Select>\
                   <Select Path="System">* </Select>\
              </Query>\
          </QueryList>
</Input>

<Output out_ad>
    Module om_udp
    Host <CCE_IP>
    Port 5154
    Exec to_json();
</Output>

<Route ad_route>
    Path in_ad => out_ad
</Route>

################################################
# IIS Web Server Logs
################################################
<Input in_iis>
    Module im_file
    File "C:\\inetpub\\logs\\LogFiles\\W3SVC*\\u_ex*"
    SavePos TRUE
    ReadFromLast TRUE
    InputType LineBased
    Exec if $raw_event =~ /^#/ drop();
    Exec $Message = $raw_event;
</Input>

<Output out_iis>
    Module om_udp
    Host <CCE_IP>
    Port 514
    Exec $SyslogFacilityValue = 2;
    Exec $SourceName = 'windows_iis_logs';
    Exec to_syslog_bsd();
</Output>

<Route iis_route>
    Path in_iis => out_iis
</Route>
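The `in_iis` input above drops every line that starts with `#`, which includes the `#Fields:` header, and `out_iis` wraps each remaining W3C record in a BSD syslog envelope tagged `windows_iis_logs` with facility 2. The receiver therefore has to know the field order in advance. The following Python is an added example, not part of the ADR article or of NxLog: it reproduces the NxLog drop check, splits the syslog envelope (decoding PRI into facility and severity), and maps the W3C record onto a field list. The field order, the sample datagram and the hostname `WEB01` are constructed assumptions; the order matches the IIS default W3C selection and must be adjusted to the `#Fields:` line in the server's own `u_ex*.log` files.

```python
"""Receiver-side parsing of the IIS stream the NxLog config emits.

Added example (not from the ADR KB article). Models what out_iis sends:
<PRI>timestamp host windows_iis_logs: <one raw W3C line>
"""
import re
from datetime import datetime

# Assumed field order: the IIS default W3C field set. Since in_iis drops the
# "#Fields:" header, this list must match the server's actual selection.
IIS_W3C_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# BSD syslog (RFC 3164 style): <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def nxlog_would_drop(raw_line):
    """Mirror of `Exec if $raw_event =~ /^#/ drop();` in the in_iis block."""
    return raw_line.startswith("#")


def parse_syslog_bsd(line):
    """Split a BSD syslog line and decode PRI into facility and severity."""
    m = SYSLOG_BSD.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:60])
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # 2 as set by $SyslogFacilityValue in out_iis
        "severity": pri & 7,    # NxLog's default severity is INFO (6)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "message": m.group("msg"),
    }


def parse_w3c_line(message, fields=IIS_W3C_FIELDS):
    """Map one space-separated W3C record onto the assumed field list."""
    values = message.split(" ")
    if len(values) != len(fields):
        raise ValueError("expected %d fields, got %d" % (len(fields), len(values)))
    # W3C writes '-' for an empty value; normalise that to None
    rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
    rec["sc-status"] = int(rec["sc-status"])
    rec["time-taken"] = int(rec["time-taken"])
    rec["timestamp"] = datetime.strptime(
        rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def parse_iis_datagram(line):
    """Full path, syslog envelope then W3C record, as the collector sees it."""
    env = parse_syslog_bsd(line)
    if env["tag"] != "windows_iis_logs":
        raise ValueError("unexpected syslog tag %r" % env["tag"])
    return env, parse_w3c_line(env["message"])


# Constructed sample datagram; PRI 22 = facility 2 * 8 + severity 6.
SAMPLE_IIS_DATAGRAM = (
    "<22>May  7 17:46:00 WEB01 windows_iis_logs: "
    "2025-05-07 12:16:00 10.0.0.5 GET /login.aspx - 443 - 192.0.2.10 "
    "Mozilla/5.0 - 401 2 5 31"
)
# Constructed header line of the kind in_iis discards before sending.
SAMPLE_HEADER = "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query"

if __name__ == "__main__":
    print("header dropped:", nxlog_would_drop(SAMPLE_HEADER))
    env, rec = parse_iis_datagram(SAMPLE_IIS_DATAGRAM)
    print(env["facility"], env["severity"], rec["c-ip"], rec["sc-status"])
```

If the W3C selection in IIS Manager is changed, the record length no longer matches and `parse_w3c_line` raises rather than silently mis-labelling columns; that is the failure to watch for after any change to the IIS logging fields.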


Apply and Restart NxLog

  1. Save the updated nxlog.conf.

  2. Restart the NxLog service:

    net stop nxlog
    net start nxlog

  3. Generate test activity:

    • AD: User login/logout.

    • IIS: Access the hosted web application/site.


Verification (MSSP Only)

On ADR CCE

Execute the following command:


For Windows AD

sudo tcpdump -i any port 5154 and host <IP Address> -s0 -A


For Windows IIS

sudo tcpdump -i any port 514 and host <IP Address> -s0 -A


Confirm logs from the server are being received.
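The tcpdump capture above only shows that datagrams arrive. The Python below is an added example, not from the ADR article or NxLog, that exercises the same UDP path end to end on the loopback interface: it binds a listener, sends a constructed event shaped like the `to_json()` output of `out_ad`, and checks that what was received decodes as JSON and carries the fields a collector needs. The sample event, the hostname `DC01.example.test`, the required-field list and the port choice (ephemeral by default) are assumptions; run it on the CCE with a different port if 5154 is already bound by the collector.

```python
"""Loopback receive check for the UDP JSON path used by out_ad.

Added example (not part of the ADR KB article). Everything stays on
127.0.0.1; the event below is constructed, not captured.
"""
import json
import socket
import threading

# Constructed sample modelled on im_msvistalog fields after to_json().
SAMPLE_AD_EVENT = {
    "EventTime": "2025-05-07 17:46:00",
    "Hostname": "DC01.example.test",
    "Channel": "Security",
    "EventID": 4624,
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "TargetUserName": "jdoe",
    "LogonType": 10,
    "IpAddress": "192.0.2.10",
}

# Assumed minimum a collector needs to attribute and classify an event.
REQUIRED_FIELDS = ("EventTime", "Hostname", "Channel", "EventID")


def udp_listener(sock, received, count, timeout=2.0):
    """Collect up to `count` datagrams, stopping early on timeout."""
    sock.settimeout(timeout)
    for _ in range(count):
        try:
            data, addr = sock.recvfrom(65535)
        except socket.timeout:
            break
        received.append((addr[0], data))


def send_udp(host, port, payload):
    """One datagram, the way om_udp sends each event."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


def loopback_check(events, port=0):
    """Bind, send each event as JSON over UDP, return (src_ip, decoded) pairs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", port))
        bound_port = srv.getsockname()[1]
        received = []
        worker = threading.Thread(
            target=udp_listener, args=(srv, received, len(events)))
        worker.start()
        for ev in events:
            send_udp("127.0.0.1", bound_port, json.dumps(ev).encode("utf-8"))
        worker.join()
    return [(src, json.loads(data.decode("utf-8"))) for src, data in received]


def validate_ad_event(event):
    """Return the names of required fields missing from a decoded event."""
    return [f for f in REQUIRED_FIELDS if f not in event]


def summarize(decoded):
    """Count events per (source IP, channel), mirroring a per-sender status view."""
    summary = {}
    for src, ev in decoded:
        key = (src, ev.get("Channel"))
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    got = loopback_check([SAMPLE_AD_EVENT])
    for src, ev in got:
        print(src, ev["Channel"], ev["EventID"], "missing:", validate_ad_event(ev))
    print(summarize(got))
```

An empty result from `loopback_check` on the CCE itself points at a local bind or firewall problem rather than at the Windows sender, which narrows the search before touching the NxLog side.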


On ADR GUI

  1. Log in to the ADR dashboard.

  2. Navigate: System → Logs and Flows Collection Status.

  3. Verify the Windows server’s IP is listed, and both AD and IIS logs are visible.

