NXLog Integration

Overview

NXLog is a multi-platform log collection agent supporting Windows Event Log, syslog, and file-based collection. KYRA MDR uses NXLog for collecting Windows events and forwarding them to the collector.

Prerequisites

  • A KYRA MDR Collector installed and running
  • NXLog installed on Windows or Linux hosts
  • Administrative access for NXLog configuration
  • Network connectivity from NXLog hosts to the collector on port 514

Configuration

Configure NXLog for Windows Event Log collection:

# C:\Program Files\nxlog\conf\nxlog.conf
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in_eventlog>
    Module  im_msvistalog
    # Multi-line directive: the trailing backslash continues the value
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Application">*</Select>\
                </Query>\
            </QueryList>
</Input>

<Output out_kyra>
    Module  om_tcp
    Host    <collector-ip>
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route 1>
    Path    in_eventlog => out_kyra
</Route>

Restart the NXLog service.
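With the route above, the collector receives one BSD syslog line per Windows event, in the shape to_syslog_bsd() produces for im_msvistalog. The parser below is an added example, not code from the KYRA MDR documentation or from NXLog: it reads such lines and counts them per source, which is a quick collector-side check for the "no events forwarded" case. The sample lines are constructed, and the PRI values (14 = user.info, 12 = user.warning) assume NXLog's default facility/severity mapping.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# BSD (RFC 3164) line as emitted by to_syslog_bsd():
#   <PRI>Mon DD HH:MM:SS hostname SourceName[pid]: Message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # timestamp
    r"(?P<host>\S+) "                                 # hostname
    r"(?P<tag>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: "       # SourceName[pid]:
    r"(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class SyslogEvent:
    facility: int
    severity: str
    host: str
    source: str
    pid: Optional[int]
    message: str

def parse_bsd_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one line; return None when it is not well-formed BSD syslog."""
    m = BSD_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 and severity 0..7 only
        return None
    pid = int(m.group("pid")) if m.group("pid") else None
    return SyslogEvent(pri >> 3, SEVERITY[pri & 7], m.group("host"),
                       m.group("tag"), pid, m.group("msg"))

def parse_lines(lines: List[str]) -> Tuple[List[SyslogEvent], List[str]]:
    """Split input into parsed events and the raw lines that did not parse."""
    events, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_bsd_syslog(line)
        (events.append(ev) if ev else rejected.append(line))
    return events, rejected

def per_source_counts(events: List[SyslogEvent]) -> Dict[str, int]:
    """Event count per Windows source name, e.g. to spot a silent channel."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.source] = counts.get(ev.source, 0) + 1
    return counts

# Constructed sample lines (not real collector data).
SAMPLE = [
    "<14>Mar  3 09:15:02 WIN-DC01 Microsoft-Windows-Security-Auditing[4]: An account was successfully logged on.",
    "<12>Mar  3 09:15:03 WIN-DC01 Microsoft-Windows-Security-Auditing[4]: An account failed to log on.",
    "<14>Mar  3 09:15:05 WIN-DC01 Service Control Manager[728]: The Windows Update service entered the running state.",
    "this line is not syslog at all",
]
```

Lines the parser rejects usually mean the output is not going through to_syslog_bsd(), or a non-NXLog sender is sharing port 514.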

Collected Log Types

| Log Type | Description | Security Use |
| --- | --- | --- |
| Security Events | Windows Security event log | Authentication monitoring |
| System Events | Windows System event log | Host integrity |
| Application Events | Application event log | Application monitoring |
| PowerShell | PowerShell script execution logs | Script-based attack detection |
| Sysmon | Sysmon detailed events | Advanced endpoint telemetry |
| Custom Logs | File-based log collection | Application security |

Troubleshooting

No events forwarded: Check NXLog service status and logs at C:\Program Files\nxlog\data\nxlog.log.

Access denied: NXLog must run as SYSTEM or with Event Log Reader permissions.

Buffer management: Configure BufferSize for high-volume environments.

Contact kyra@seekerslab.com for support.