QRadar ‐ HTTP‐S logs - mluchettii/internship-portfolio GitHub Wiki

About

I am using a combination of Squid (proxy) and NxLog (log collector) to forward HTTP/S logs from the Windows 11 VM to the QRadar server.

Setup

Install Squid and NxLog

QRadar: Add Squid Web Proxy as log source

Create log source for Squid Web Proxy in QRadar

Use the source system's IP address or hostname as the Log Source Identifier

Windows Firewall: Create outbound rule

Create an outbound rule in Windows Defender Firewall

The rule should allow outbound traffic on UDP port 514 so that QRadar can receive the HTTP logs

Allow the connection

Profile

Name

Squid configuration

Use the following log format for QRadar (add the lines that begin with logformat and access_log)

NxLog configuration

Use the following configuration for NxLog (lines from Input squid_input to /Route)

Restart the nxlog service in Services

Windows proxy configuration

Open Windows proxy settings

Next to Use a proxy server, click Set up

Enter 127.0.0.1 in the Proxy IP address field and 3128 in the Port field, then click Save

Check

The last ten lines of the Squid log show that HTTPS is being logged

Squid Windows 11 log source status says OK

Results: Testing Squid proxy log source

Filtering by Squid log source to see log activity

Example HTTP website for testing

Inspecting TCP_MISS event...

Event summary, including the website and filename of the icon file that was retrieved from the host URL

Inspecting TCP_TUNNEL event...

Event summary showing that I connected to bing.com
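The TCP_MISS and TCP_TUNNEL events inspected above can be checked locally before they reach QRadar by parsing the Squid access log directly. The following Python script is an added example, not part of this wiki page or of its Squid/NxLog setup; it assumes Squid's default native "squid" logformat (the wiki's own QRadar logformat is only shown in a screenshot), and the log lines are constructed sample data.

```python
"""Parse Squid native-format access.log lines and summarise HTTP vs HTTPS traffic.

Added example. Assumes Squid's default 'squid' logformat:
timestamp elapsed client result/status bytes method url user hierarchy/peer type
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines (not real traffic): an HTTP icon fetch (TCP_MISS),
# an HTTPS CONNECT tunnel to bing.com (TCP_TUNNEL) and a denied request.
SAMPLE_LOG = """\
1700000000.123    145 127.0.0.1 TCP_MISS/200 1406 GET http://example.com/favicon.ico - HIER_DIRECT/203.0.113.10 image/x-icon
1700000001.456   9876 127.0.0.1 TCP_TUNNEL/200 4521 CONNECT bing.com:443 - HIER_DIRECT/203.0.113.20 -
1700000002.789     12 127.0.0.1 TCP_DENIED/403 3924 GET http://example.com/blocked - HIER_NONE/- text/html
"""

SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not match."""
    m = SQUID_NATIVE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    # A CONNECT request logged as TCP_TUNNEL is an HTTPS tunnel: the proxy sees
    # only host:port, never the URL path or content, so that is all QRadar gets.
    rec["https_tunnel"] = rec["method"] == "CONNECT" and rec["result"] == "TCP_TUNNEL"
    return rec

def summarise(log_text):
    """Count events per Squid result code and per destination host."""
    by_result, by_host = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_result[rec["result"]] += 1
        host = rec["url"].split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        by_host[host] += 1
    return by_result, by_host

if __name__ == "__main__":
    results, hosts = summarise(SAMPLE_LOG)
    print(dict(results), dict(hosts))
```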