AWS EC2 instance running Windows Server 2019 event viewer

Hi, on the AWS instance I already allow port 12201 in the security group on the Graylog server at AWS.
I installed nxlog on Windows Server 2019 on AWS and added the config as below:

#<Extension gelf>
#    Module      xm_gelf
#</Extension>

<Input in>
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_udp
    Host        {ip address graylog}
    Port        12201
    #Exec       to_syslog_snare();
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

On Graylog inputs I created a GELF UDP input so the Windows server can send the event viewer details.
After I set it up, "Show received messages" is blank?

May I know if any configuration is messed up?

thanks.

@kvstudio6
Hello,
I might be able to help you, and just so you know, I'm not too familiar with AWS settings, but I am very knowledgeable with MS 2019 and Nxlog.

First make sure your firewall on the Graylog server and MS 2019 is not blocking port 12201. Check your network connection from MS 2019 to the Graylog server by using telnet. I have some links below you might want to look at.

telnet <ip_address> <port_number>
telnet 192.168.1.100 12201  <-- this would be your graylog server address.

Second when you install nxlog check to make sure the service is running. I noticed after installing nxlog I had to start the service manually on Windows.

I assume your INPUT looks something like this?

Does your nxlog config looks something like this?

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input eventlog>
    # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module      im_msvistalog
    # Uncomment the following to collect specific event logs only
    # but make sure not to leave any `#` as only <!-- --> style comments
    # are supported inside the XML.
    #Query  <QueryList>\
    #           <Query Id="0">\
    #               <Select Path="Application">*</Select>\
    #               <Select Path="System">*</Select>\
    #               <Select Path="Security">*</Select>\
    #           </Query>\
    #       </QueryList>
</Input>

<Output udp>
    Module      om_udp
    Host        graylog_server:12201
    OutputType  GELF_UDP
</Output>

<Route eventlog_to_udp>
    Path        eventlog => udp
</Route>

Check your nxlog log files to see if there are any errors.

Here are some References you might want to look at.

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html
https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#xm_gelf

Hope this helps


Hi, I attached my nxlog.conf file, is the configuration setting correct?

I already tried telnet from the Windows server to Graylog on port 12201, and it failed. But on the AWS security group I already allow the port?

Please help, I am still not able to get the event viewer log.

The settings I set up on Graylog, are they correct?

@kvstudio6

Hello,
Ok so the AWS instance port is opened to 12201, how about your Graylog server, is that port opened also?
By chance did you check if nxlog service is running on MS 2019 (AWS Instance)?
AWS instance and Graylog server on the same subnet? If not can you PING your graylog server from your MS 2019 server?

Ping -t graylog-IP

If you execute the following command on Graylog server, do you see your port 12201?

sudo lsof -i -P -n | grep 12201

As for your configurations they seem to be alright.
I take it you blotted out your Graylog server IP address with “GraylogIP”?

<Output udp>
    Module      om_udp
    Host       GraylogIP :12201
    OutputType  GELF_UDP
</Output>

If you are not getting messages with those configurations, I'm assuming something is blocking messages getting to your Graylog server like a security device, firewall, etc.

Hope this helps

To piggy back off of @gsmith have you checked iptables or firewalld/ufw?

how about you graylog Server, is that port opened also?
Yes, it has been opened.

AWS instance and Graylog server on the same subnet?
Yes, same subnet

If you execute the following command on Graylog server, do you see your port 12201?
(screenshot attached)

As for your configurations they seem to be alright.
I take it you blotted out your Graylog server IP address with “GraylogIP”?
Yes, I keyed in my Graylog IP.

Everything is allowed, but I am not able to get the log from the Windows server event viewer?

@kvstudio6
Hello,
Thanks for the information. It seems like there is something in the way between your Graylog server and your AWS instance. I could be wrong, but judging from what you showed us, you should have received messages from the AWS server. Just an idea, but make sure the IP address in the Nxlog config file matches your Graylog server.

Did you check if nxlog service is running on MS 2019 (AWS Instance)?

Did you check your Nxlog log file?

If I'm reading this right, you stated that all the required ports are opened on the Graylog server and AWS (i.e. 122010) and they're on the same subnet. Just out of curiosity, can you PING your Graylog server from your AWS instance?
Hope that helps.

I am able to ping the private IP from Windows Server 2019 to the Graylog server.

Here is the log error:
INFO nxlog-ce-2.10.2150 started

ERROR apr_sockaddr_info failed for [PRIVATE IP GRAYLOG SERVER]:12201:514; No such host is known.

WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.

WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Microsoft-Windows-StorageSpaces-Api/Operational Microsoft-Windows-StorageSpaces-Driver/Diagnostic Microsoft-Windows-StorageSpaces-Driver/Operational Microsoft-Windows-StorageSpaces-ManagementAgent/WHC Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic Microsoft-Windows-StorageSpaces-SpaceManager/Operational Microsoft-Windows-Store/Operational Microsoft-Windows-SystemDataArchiver/Diagnostic Microsoft-Windows-SystemSettingsThreshold/Operational Microsoft-Windows-TaskScheduler/Maintenance Microsoft-Windows-TaskScheduler/Operational Microsoft-Windows-TCPIP/Operational Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational Microsoft-Windows-TerminalServices-LocalSessionManager/Admin Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Microsoft-Windows-TerminalServices-PnPDevices/Admin Microsoft-Windows-TerminalS

Hello,
Try this configuration.
Put your port on a separate line as shown below. Don't forget to restart the nxlog service.

<Output udp>
    Module      om_udp
    Host        graylog_server
    Port        12201
    OutputType  GELF_UDP
</Output>
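The "apr_sockaddr_info failed for ...:12201:514; No such host is known" error above is what nxlog reports when the port is left on the Host line: the whole remainder of the line is taken as the host name and om_udp falls back to its default port 514. The following script is an added example (not from the thread or from nxlog) that lints the <Output> blocks of an nxlog.conf for exactly that mistake; the sample blocks and the 10.0.0.5 address are constructed placeholders.

```python
import re

# Assumed helper, not from the thread: lint <Output> blocks of an nxlog.conf for the
# Host/Port mistake seen above. nxlog takes the rest of the 'Host' line as the host
# name, so 'Host 10.0.0.5 :12201' is resolved literally with the default port 514.
BLOCK_RE = re.compile(r"<Output\s+(\w+)>(.*?)</Output>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*(?!#)(\w+)[ \t]+(.*?)[ \t]*$", re.M)

def lint_outputs(conf: str) -> dict:
    """Return {output_name: [problem, ...]} for every <Output> block in conf."""
    report = {}
    for name, body in BLOCK_RE.findall(conf):
        d = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        problems = []
        host = d.get("host")
        if host is None:
            problems.append("missing Host")
        elif ":" in host or " " in host or "\t" in host:
            problems.append(f"Host {host!r} contains ':' or whitespace; put the port on its own Port line")
        if d.get("module", "").lower() == "om_udp":
            port = d.get("port")
            if port is None:
                problems.append("missing Port (om_udp defaults to 514, not 12201)")
            elif not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"Port {port!r} is not a valid port number")
            if d.get("outputtype", "").upper() not in ("GELF", "GELF_UDP"):
                problems.append("OutputType is not GELF/GELF_UDP, so a Graylog GELF UDP input cannot parse it")
        report[name] = problems
    return report

# Constructed samples: the thread's broken block (placeholder IP) and the corrected form.
BROKEN = """
<Output udp>
    Module      om_udp
    Host       10.0.0.5 :12201
    OutputType  GELF_UDP
</Output>
"""
FIXED = """
<Output udp>
    Module      om_udp
    Host        10.0.0.5
    Port        12201
    OutputType  GELF_UDP
</Output>
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_outputs(conf))
```

Run it against the real nxlog.conf (for example `lint_outputs(open(r"C:\Program Files (x86)\nxlog\conf\nxlog.conf").read())`) before restarting the service; an empty problem list for each output means the Host/Port lines are in the shape the last reply recommends.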
