When I configured the nxlog file on my DC to point to the graylog server and added _UDP after the GELF in the output section.
I enabled all of the Group policy Objects indicated in the readme (** Audit Account Logon Events ** Audit Account Management ** Audit Logon Events ** Audit Object Access ** Audit Policy Change ** Audit System Events).
I have another GELF_TCP input working, collecting windows server event logs working fine for port 12201 with nxlog, so I’ve done this correctly, at least once before
I’m including my nxlog file below. If someone can please tell me what I’m missing, It would be greatly appreciated. I’ve been at this all day. Thank you in advance.
nxlog.conf:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
# For windows vista/2008 and above use:
Module im_msvistalog
</Input>
<Output out>
Module om_udp
Host 10.1.1.111
Port 5414
OutputType GELF_UDP
</Output>
<Route 1>
Path in => out
</Route>
I haven’t used the content pack before, but have a windows DC successfully sending specific security event IDs manually. If it helps I’ve included it below - noticed a few small differences.
A few things to also try:
confirm a few events are showing first in Event viewer (ensure the GPO is working)?
confirm the nxlog service is running on the server, maybe restart it (check nxlog.log for errors)
unlikely but check firewall rules on the windows server?
noticed the content pack also required “Leading Wildcard Searches enabled in graylog.conf: allow_leading_wildcard_searches = true” not sure if you’ve changed that?
Thank you very much for the reply. As soon as I came in this mornong, I began checking the things you pointed out. Here are the results:
I went to the Event Viewer and, Under Windows Logs -> Security, saw many entries that said Audit Success. I clicked on one and it shows EventID: 4624 (screenshot attached).
I confirmed the nxlog service is running and restarted it again.
No windows firewalls are running on the server. itself.
I changed the value of Leading Wildcard Searches enabled from False to True, but I did this in /etc/graylog/server/server.conf, not in graylog.conf. Is that my problem? If so, can you please direct me to the file path for graylog.conf? I found a graylog.conf file located at: /opt/graylog/conf/graylog.conf but it was an empty file. If that’s not the case, do you have any other ideas?
Should I be creating a separate Logon/Logoff Policy specifically for this, or should I be editing the existing Default Domain Controllers Policy? (I created a specific policy and linked it at the domain level).
Should I have installed sidecar as well? I don’t know if that helps anything here, but thought I’d ask.
Thanks again for your assistance. I’d really like to get this up and running today.
I also want to mention that this is configured on a Windows Server 2008 R2 Primary Domain Controller. I’ve read on the web that if you’re configuring auditing on a 2008 R2, you should be doing it in the Advanced Audit Policy Configuration, instead of the legacy Local Policies area of the Security Settings (screenshot attached and both areas outlined in red). I configured mine in the legacy Local Policies section as that was the only place that clearly marked each of the policies indicated in the Content Pack requirements. If I should be using the Advanced section, can someone tell me what exactly I should be doing?
