5.2.2.3. Sending OpenNAC logs to SIEM

To send OpenNAC Enterprise logs to an external SIEM, we need to use the NXLog service.

The necessary steps are detailed below:

5.2.2.3.1. Using NXLog

To configure forwarding through NXLog, run the following script on the machine whose logs we want to send:

bash /usr/share/opennac/utils/nxlog/install_nxlog.sh

Once it has run, we need to add the IP address of the SIEM to the /etc/hosts file under the hostname “siem_fwd”, which is the name NXLog forwards the logs to.

vi /etc/hosts

The following entry needs to be added:

<SIEM_IP> siem_fwd

For example, if the SIEM has the IP address 10.10.39.102, the entry is:

10.10.39.102 siem_fwd

Finally, restart the nxlog service to apply the change:

systemctl restart nxlog

Note

The install_nxlog.sh script requires connectivity to the OpenNAC Enterprise repository to obtain the packages needed for the installation.
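The three steps above, wrapped into one re-runnable script as an added example (not from the OpenNAC documentation): it validates the SIEM address, replaces rather than duplicates the siem_fwd entry, and checks that the name resolves to the SIEM after the restart. The installer path, the siem_fwd hostname and the nxlog service name come from this page; the function names and the --apply flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenNAC documentation. Wraps the three
# documented steps (installer, /etc/hosts entry, nxlog restart) so they can
# be re-run safely; the helper names are this example's own.
set -eu

SIEM_HOST="siem_fwd"
INSTALL_SCRIPT="/usr/share/opennac/utils/nxlog/install_nxlog.sh"

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
validate_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*|"") return 1 ;; esac
    n=0; old_ifs="$IFS"; IFS='.'
    for octet in $1; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"; [ "$n" -eq 4 ]
}

# Print the address that hosts file $1 maps to siem_fwd (empty if none).
siem_host_ip() {
    awk -v h="$SIEM_HOST" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$1"
}

# Rewrite hosts file $1 so exactly one line maps siem_fwd to $2: any earlier
# siem_fwd mapping is dropped first, so re-running never leaves duplicates.
set_siem_host() {
    validate_ipv4 "$2" || { echo "invalid IPv4 address: $2" >&2; return 1; }
    tmp="$(mktemp)"
    awk -v h="$SIEM_HOST" '{ keep = 1
        if ($1 !~ /^#/) for (i = 2; i <= NF; i++) if ($i == h) keep = 0
        if (keep) print }' "$1" > "$tmp"
    printf '%s %s\n' "$2" "$SIEM_HOST" >> "$tmp"
    cat "$tmp" > "$1"   # cat, not mv: keeps the hosts file's owner and mode
    rm -f "$tmp"
}

# The documented procedure end to end, with a resolution check at the end.
configure_siem_forwarding() {
    bash "$INSTALL_SCRIPT"            # needs access to the OpenNAC repository
    set_siem_host /etc/hosts "$1"
    systemctl restart nxlog
    [ "$(getent hosts "$SIEM_HOST" | awk '{ print $1 }')" = "$1" ] \
        || { echo "$SIEM_HOST does not resolve to $1" >&2; return 1; }
}

# Only touch the live system when run as:  sh forward_to_siem.sh --apply <SIEM_IP>
if [ "${1:-}" = "--apply" ]; then
    configure_siem_forwarding "${2:?SIEM IP required}"
fi
```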