Hi aleksta,

According to the offical NxLOG documentation, Nxlog is using file collector module to collect SCCM logs which can be also done via LPAgent File collector and doesn't requires to point out to syslog in the lpagent configuration. So, we dont need the <Output out_syslog> in configuration file. Exisitng configuration should work fine. 

Hi Prabesh

Thanks for your reply. I’m not using the LPA Agent file collector at the moment. Currently have NXLog agent and belonging configuration rolled out.

So you mean with the existing example NXlog config I’m able to collect syslog to LogPoint SIEM? How do SCCM know where to send the syslog If no dst is specified in the host file?

Hi again

I’m missing an answer on my latest reply abow. 

For incoming SCCM logs to LogPoint, I can see that there’s no available normalization package for that log source. Is there any chance that someone has some regex for normalization?

Thanks

Hello,
Yes you need to load the xm_syslog module as 
<Extension _syslog>
    Module  xm_syslog
</Extension>
Define the input as in the given docs over here : Microsoft System Center Configuration Manager :: NXLog Documentation
Define the output module for sending log data to remote destination : (example):
<Output out>
Module om_tcp/om_udp
Host nnn.nnn.nnn.nnn
Port 514
OutputType to_syslog_bsd();
</Output>

And add routes as:

<Route 1>
    Path in => out
</Route>
 

You can find the detailed documentation about this in this link: https://docs.nxlog.co/userguide/intro/modules-and-routes.html

Also You can find this link for the reference of Nxlog Configuration provided by logpoint over here: https://docs.logpoint.com/docs/windows/en/latest/Configurationofsources.html

Also for the part of normalization windows 5.x supports sccm logs(json format) so you can use this link(https://servicedesk.logpoint.com/hc/en-us/articles/115003856929-Windows) and give the try on LPA_Windows.

Best Regards,
Sagar

Hi!

Thanks. The process of onboarding the log source went smooth. But It’s not generating the correct information that I want. The main goal of this is to capture Defender Malware events from client. 

I performed a test were I put in a test eicar file on a client, defender detected the malware and It gave a result on the SCCM Console. But nothing showed up in the logs and LogPoint SIEM. 

Did some more research about this and It seems the the NXLog config on the SCCM doesn’t caputer Defender or malware events. 
‘C:\WINDOWS\SysWOW64\CCM\Logs\*'
'C:\WINDOWS\System32\CCM\Logs\*'
These folders does not contain any related information about Defender or Malware.

We have the module SCEP in the SCCM console? Is this the way to go? Forward events from the module to get the related events?

Is there anyone that can help me with to accomplish my goal to caputera Defender and Malware event from clients to LogPoint SIEM? 

Hello Aleksta,

Can you please create a support ticket for this so that we can have a detail look into it and troubleshoot if required? 

Best Regards,

Hey!

I’ve summed up all of this and handed over to our partner. They will reach out to you and create a support ticket.