I’m trying to configure the Active Directory Auditing (NXLOG) content pack from the Graylog Marketplace (https://marketplace.graylog.org/addons/750b88ea-67f7-47b1-9a6c-cbbc828d9e25) and I can’t get any results in the search pane.
- The content pack installed correctly.
- I configured the nxlog file on my DC to point to the Graylog server and added _UDP after GELF in the output section.
- I enabled all of the Group Policy Objects indicated in the readme (Audit Account Logon Events, Audit Account Management, Audit Logon Events, Audit Object Access, Audit Policy Change, Audit System Events).
- I have another GELF_TCP input working on port 12201, collecting Windows server event logs from nxlog, so I've done this correctly at least once before.
I'm including my nxlog file below. If someone can please tell me what I'm missing, it would be greatly appreciated. I've been at this all day. Thank you in advance.
```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# GELF formatting for the output module
<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    # For Windows Vista/2008 and above use:
    # (no Query/QueryXML set, so the default channels are collected)
    Module im_msvistalog
</Input>

# Send GELF over UDP to the Graylog server
<Output out>
    Module om_udp
    Host 10.1.1.111
    Port 5414
    OutputType GELF_UDP
</Output>

<Route 1>
    Path in => out
</Route>
```
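The following is an added example, not part of the original post or the content pack: a small Python script that hand-builds a GELF 1.1 message and sends it over UDP to the host and port from the posted nxlog config (10.1.1.111:5414, taken as-is from the config above; the field names in the `extra` dict are made up for the test). Run it from the DC. If the message shows up in the Graylog search, the GELF UDP input and the network path are fine and the problem is on the nxlog side (check `%ROOT%\data\nxlog.log`); if nothing arrives, check that the content pack's input is actually started on UDP 5414 and that the Windows firewall allows the outbound datagram.

```python
"""Send one hand-built GELF 1.1 message over UDP to a Graylog input.

Added example for checking a GELF UDP input independently of nxlog.
Host/port come from the posted nxlog config; everything else is assumed.
"""
import gzip
import json
import socket
import time

GRAYLOG_HOST = "10.1.1.111"   # from the posted nxlog config
GRAYLOG_PORT = 5414           # from the posted nxlog config
MAX_UDP_PAYLOAD = 8192        # larger GELF UDP messages need chunking; not done here


def build_gelf(host, short_message, full_message=None, level=6, extra=None):
    """Return a GELF 1.1 payload as JSON bytes.

    GELF requires 'version', 'host' and 'short_message'. Every additional
    field must be prefixed with an underscore, and '_id' is reserved.
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,
    }
    if full_message:
        msg["full_message"] = full_message
    for key, value in (extra or {}).items():
        name = "_" + key.lstrip("_")
        if name == "_id":
            raise ValueError("'_id' is reserved by GELF; use another field name")
        msg[name] = value
    data = json.dumps(msg).encode("utf-8")
    if len(data) > MAX_UDP_PAYLOAD:
        raise ValueError("payload exceeds one datagram; GELF chunking is not implemented here")
    return data


def decode_gelf(data):
    """Parse a GELF datagram back into a dict (plain or gzip-compressed)."""
    if data[:2] == b"\x1f\x8b":          # gzip magic bytes
        data = gzip.decompress(data)
    return json.loads(data.decode("utf-8"))


def send_gelf(payload, host=GRAYLOG_HOST, port=GRAYLOG_PORT, compress=True):
    """Send one GELF datagram and return the number of bytes sent.

    Graylog's GELF UDP input accepts plain JSON as well as gzip/zlib-compressed
    JSON, so compression is optional.
    """
    if compress:
        payload = gzip.compress(payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    # Constructed test message; 'EventID' and 'SourceName' are made-up fields.
    payload = build_gelf(
        host=socket.gethostname(),
        short_message="GELF UDP smoke test from the DC",
        extra={"EventID": 4624, "SourceName": "manual-test"},
    )
    sent = send_gelf(payload)
    print("sent %d bytes to %s:%d" % (sent, GRAYLOG_HOST, GRAYLOG_PORT))
```

Search Graylog for `SourceName:manual-test` afterwards. Because UDP gives no delivery feedback, a successful `sendto` only proves the datagram left the DC; the search result is the actual check.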