I’m curious into how to collect logs from SCCM. Logs related to endpoint protection, virus alarms, quarantind threats etc.
Found out that nxlog provides a configuration file for this. Missing some fields in the configuration file, example <Output out_syslog>. To point out the syslog dst.
Microsoft System Center Configuration Manager :: NXLog Documentation
Has anyone any experience about this?
Thankful for replies.
According to the offical NxLOG documentation, Nxlog is using file collector module to collect SCCM logs which can be also done via LPAgent File collector and doesn't requires to point out to syslog in the lpagent configuration. So, we dont need the <Output out_syslog> in configuration file. Exisitng configuration should work fine.
Thanks for your reply. I’m not using the LPA Agent file collector at the moment. Currently have NXLog agent and belonging configuration rolled out.
So you mean with the existing example NXlog config I’m able to collect syslog to LogPoint SIEM? How do SCCM know where to send the syslog If no dst is specified in the host file?
I’m missing an answer on my latest reply abow.
For incoming SCCM logs to LogPoint, I can see that there’s no available normalization package for that log source. Is there any chance that someone has some regex for normalization?
Yes you need to load the xm_syslog module as
Define the input as in the given docs over here : Microsoft System Center Configuration Manager :: NXLog Documentation
Define the output module for sending log data to remote destination : (example):
And add routes as:
Path in => out
You can find the detailed documentation about this in this link: https://docs.nxlog.co/userguide/intro/modules-and-routes.html
Also You can find this link for the reference of Nxlog Configuration provided by logpoint over here: https://docs.logpoint.com/docs/windows/en/latest/Configurationofsources.html
Also for the part of normalization windows 5.x supports sccm logs(json format) so you can use this link(https://servicedesk.logpoint.com/hc/en-us/articles/115003856929-Windows) and give the try on LPA_Windows.
Thanks. The process of onboarding the log source went smooth. But It’s not generating the correct information that I want. The main goal of this is to capture Defender Malware events from client.
I performed a test were I put in a test eicar file on a client, defender detected the malware and It gave a result on the SCCM Console. But nothing showed up in the logs and LogPoint SIEM.
Did some more research about this and It seems the the NXLog config on the SCCM doesn’t caputer Defender or malware events.
These folders does not contain any related information about Defender or Malware.
We have the module SCEP in the SCCM console? Is this the way to go? Forward events from the module to get the related events?
Is there anyone that can help me with to accomplish my goal to caputera Defender and Malware event from clients to LogPoint SIEM?
Can you please create a support ticket for this so that we can have a detail look into it and troubleshoot if required?
I’ve summed up all of this and handed over to our partner. They will reach out to you and create a support ticket.