NXlog to SO

[CyberC3nturion]

Version

2.4.201

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32gb

Storage for /

1.5TB

Storage for /nsm

5TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I currently have an NXlog server porting logs to both Qradar and SO. I'm having issues with parsing the logs into SO. I see logs but they are just a strand of data. Is there way I can convert to JSON without affecting the Qradar log ingest?

Thank you

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

How are you sending to SO and in what format?

[CyberC3nturion]

Hi Chris — thanks for the follow-up.

We’re sending logs to Security Onion via NXLog over TCP (port 6052) using a dedicated output. The logs are converted to structured JSON before being sent.

Specifically:

Syslog traffic is received by NXLog (TCP/UDP inputs)
It is processed through a filter that:

• Parses the syslog header
• Extracts embedded JSON payloads (where present, e.g., DNS logs)
• Maps key fields (e.g., source IP, DNS query, protocol)

The events are then sent using to_json() via om_tcp to Security Onion

[cm-ops]

How are they being received by Security Onion? Are you using a Logstash input plugin or custom log integration in an Elastic agent policy?

If they are being received in JSON, you should be able to parse them using a JSON processor. But you might want to set a custom ingest pipeline and template for settings and mappings.