NXLog Configuration

Modified on Mon, 12 Aug at 8:52 AM

The ARIA™ Cybersecurity Solutions Advanced Detection and Remediation (ADR) platform ingests NXLog records. Once configured, NXLog collects information and forwards it to the Control and Collections Engine (CCE) virtual machine (VM). This document describes the steps required to configure NXLog to send records to the CCE.

To configure NXLog:

  1. Log into the Active Directory server as Administrator.
  2. If you are not already running NXLog, follow the directions below:
    1. Download the latest version of NXLog for Windows: http://nxlog.org/products/nxlog-community-edition/download.
    2. Double-click on the downloaded MSI and install NXLog.
  3. As an administrator, download the adr_nxlog.conf file from: https://support-aria.s3.amazonaws.com/ADR/adr_nxlog.conf and save it in C:\Program Files\nxlog\conf.
  4. As an administrator, open C:\Program Files\nxlog\conf\nxlog.conf in a text editor.
    1. Add the following lines to provide logs to ADR.
    2. Replace <CCE_IP_ADDRESS> with the local IP of your CCE VM.

      ## Replace <CCE_IP_ADDRESS> with the IP of your Collector VM ##
      ## and configure nxlog to use the ARIA ADR configuration file ##
      define CCE_IP <CCE_IP_ADDRESS>
      include %ROOT%\conf\adr_nxlog.conf

  5. Open a Command or PowerShell Window as an administrator and restart NXLog.
    net stop nxlog
    net start nxlog
  6. Run the gpmc.msc command to open Group Policy Management Console.
  7. Choose whether to apply the policy to the whole domain or a specific organizational unit:
    • Whole domain: Right-click on the Domain Object and select Create a GPO in this domain and Link it here….
    • Specific organizational unit: Right-click the unit and select New.
  8. Enter a name for the group policy object (GPO) and click OK.
  9. Right-click on the new GPO and select Edit to open the Group Policy Management Editor (GPME).
  10. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  11. Double-click Audit logon events to open the properties window.
  12. Check the Success and Failure boxes and click OK.
  13. Repeat steps 11-13 for the following events:
    • Audit account logon events
    • Audit directory service access
    • Audit object access
    • Audit policy change
    • Audit privilege use
    • Audit system events
    • Audit process tracking

    Note: It is not necessary to define the policy for Audit account management.
  14. Run gpupdate /force to update the GPO.
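
The following script is an added verification step and is not part of ARIA's documentation: run from an elevated PowerShell on the Active Directory server after step 14, it checks that the edits to nxlog.conf were made (and the placeholder actually replaced), that the service is running, and that the audit categories enabled through the GPO have taken effect. It assumes the file paths and the service name used in the steps above, and the standard mapping from the legacy audit-policy settings to auditpol's category names.

```powershell
# Added example (not from ARIA's documentation): post-configuration checks for the
# NXLog and GPO audit-policy steps above. Run from an elevated PowerShell prompt.
$ConfDir  = 'C:\Program Files\nxlog\conf'          # paths from the steps above
$MainConf = Join-Path $ConfDir 'nxlog.conf'
$AdrConf  = Join-Path $ConfDir 'adr_nxlog.conf'
$problems = @()

# Step 3: the ADR configuration file must sit next to nxlog.conf.
if (-not (Test-Path -LiteralPath $AdrConf)) { $problems += "Missing $AdrConf" }

# Step 4: nxlog.conf must define CCE_IP with a real address and include adr_nxlog.conf.
$conf = Get-Content -LiteralPath $MainConf -Raw
if ($conf -match '(?m)^\s*define\s+CCE_IP\s+(\S+)') {
    $cceIp  = $Matches[1]
    $parsed = $null
    if ($cceIp -eq '<CCE_IP_ADDRESS>') {
        $problems += 'CCE_IP still holds the <CCE_IP_ADDRESS> placeholder'
    } elseif (-not [System.Net.IPAddress]::TryParse($cceIp, [ref]$parsed)) {
        $problems += "CCE_IP value '$cceIp' is not a valid IP address"
    }
} else {
    $problems += 'No "define CCE_IP" line found in nxlog.conf'
}
if ($conf -notmatch '(?m)^\s*include\s+%ROOT%\\conf\\adr_nxlog\.conf') {
    $problems += 'No "include %ROOT%\conf\adr_nxlog.conf" line found in nxlog.conf'
}

# Step 5: the nxlog service must be running after the restart.
$svc = Get-Service -Name nxlog -ErrorAction SilentlyContinue
if (-not $svc) { $problems += 'nxlog service is not installed' }
elseif ($svc.Status -ne 'Running') { $problems += "nxlog service is $($svc.Status)" }

# Steps 10-14: the legacy audit settings enabled in the GPO correspond to these
# auditpol categories (Account Management is deliberately left out, as in the note).
# A subcategory still reporting "No Auditing" means the GPO has not applied here.
$categories = 'Logon/Logoff', 'Account Logon', 'DS Access', 'Object Access',
              'Policy Change', 'Privilege Use', 'System', 'Detailed Tracking'
foreach ($cat in $categories) {
    $lines = auditpol /get /category:"$cat" 2>$null
    $off = $lines | Where-Object { $_ -match 'No Auditing' }
    foreach ($line in $off) { $problems += "Audit not enabled: $($line.Trim())" }
}

if ($problems.Count -eq 0) { 'NXLog and audit policy checks passed' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

If audit subcategories are still reported as "No Auditing" after gpupdate, confirm that the GPO is linked to the OU containing this computer before re-running the check.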