I might be able to help you and just so you know I‘m not to familiar with AWS settings but I am very knowledgeable with MS 2019 and Nxlog.
First make sure your firewall on graylog server and MS 2019 is not blocking port 12201. Check you network connection from MS 2019 to Graylog Server by using telnet. I have some links below you might was to look at.
telnet <ip_address> <port_number>
telnet 192.168.1.100 12201 <-- this would be your graylog server address.
Second when you install nxlog check to make sure the service is running. I noticed after installing nxlog I had to start the service manually on Windows.
# Use 'im_mseventlog' for Windows XP, 2000 and 2003
# Uncomment the following to collect specific event logs only
# but make sure not to leave any `#` as only <!-- --> style comments
# are supported inside the XML.
# <Query Id="0">\
# <Select Path="Application">*</Select>\
# <Select Path="System">*</Select>\
# <Select Path="Security">*</Select>\
Path eventlog => udp
Check you nxlog log files to see if there are any errors.
Here are some References you might want to look at.
Ok so AWS instance port is opened to 12201, how about you graylog Server, is that port opened also?
By chance did you check if nxlog service is running on MS 2019 (AWS Instance)?
AWS instance and Graylog server on the same subnet? If not can you PING your graylog server from your MS 2019 server?
Ping -t graylog-IP
If you execute the following command on Graylog server, do you see your port 12201?
sudo lsof -i -P -n | grep 12201
As for your configurations they seem to be alright.
I take it you blotted out your Graylog server IP address with “GraylogIP”?
Thanks for the information. It seams like there is something in the way between your Graylog server and your AWS instance. I could be wrong but judging from what you showed us, you should have received messages from the AWS server. Just an idea but make sure the IP Address matches the Nxlog config file to your Graylog Server.
Did you check if nxlog service is running on MS 2019 (AWS Instance)?
If I’m reading this right, you stated that all the required ports are opened on Graylog Server and AWS (i.e.122010) and there on the same subnet. Just out of curiousity can you PING your Graylog server from your AWS instance?
Hope that helps.
I able to ping private IP from windows server 2019 to Graylog server.
here the log error:
INFO nxlog-ce-2.10.2150 started
ERROR apr_sockaddr_info failed for [PRIVATE IP GRAYLOG SERVER]:12201:514; No such host is known.
WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.
WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Microsoft-Windows-StorageSpaces-Api/Operational Microsoft-Windows-StorageSpaces-Driver/Diagnostic Microsoft-Windows-StorageSpaces-Driver/Operational Microsoft-Windows-StorageSpaces-ManagementAgent/WHC Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic Microsoft-Windows-StorageSpaces-SpaceManager/Operational Microsoft-Windows-Store/Operational Microsoft-Windows-SystemDataArchiver/Diagnostic Microsoft-Windows-SystemSettingsThreshold/Operational Microsoft-Windows-TaskScheduler/Maintenance Microsoft-Windows-TaskScheduler/Operational Microsoft-Windows-TCPIP/Operational Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational Microsoft-Windows-TerminalServices-LocalSessionManager/Admin Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Microsoft-Windows-TerminalServices-PnPDevices/Admin Microsoft-Windows-TerminalS