Hi, on AWS instance I already allow security group 12201 on graylog server at AWS
I install nxlog on windows server 2019 on AWS and add config as below
<Route 1>
Path in => out
on Graylog inputs I create a GELEF UDP to point the windows server to get event viewer detail.
after I setup, and show received messages is blank?
may I know any configuration miss up?
thanks.
@kvstudio6
Hello,
I might be able to help you and just so you know I‘m not to familiar with AWS settings but I am very knowledgeable with MS 2019 and Nxlog.
First make sure your firewall on graylog server and MS 2019 is not blocking port 12201. Check you network connection from MS 2019 to Graylog Server by using telnet. I have some links below you might was to look at.
telnet <ip_address> <port_number>
telnet 192.168.1.100 12201 <-- this would be your graylog server address.
Second when you install nxlog check to make sure the service is running. I noticed after installing nxlog I had to start the service manually on Windows.
I assume your INPUT looks something like this?
Does your nxlog config looks something like this?
<Extension gelf>
Module xm_gelf
</Extension>
<Input eventlog>
# Use 'im_mseventlog' for Windows XP, 2000 and 2003
Module im_msvistalog
# Uncomment the following to collect specific event logs only
# but make sure not to leave any `#` as only <!-- --> style comments
# are supported inside the XML.
#Query <QueryList>\
# <Query Id="0">\
# <Select Path="Application">*</Select>\
# <Select Path="System">*</Select>\
# <Select Path="Security">*</Select>\
# </Query>\
# </QueryList>
</Input>
<Output udp>
Module om_udp
Host graylog_server:12201
OutputType GELF_UDP
</Output>
<Route eventlog_to_udp>
Path eventlog => udp
</Route>
Check you nxlog log files to see if there are any errors.
Here are some References you might want to look at.
https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html
https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#xm_gelf
Hope this helps
hi, I attach my nxlog.conf file, is the configure setting is correct?
I already try telnet from windows server to graylog with port 12201, and is failed. but on AWS Security group I already allow the port?
please help, I still not able to get the event viewer log.
Hello,
Ok so AWS instance port is opened to 12201, how about you graylog Server, is that port opened also?
By chance did you check if nxlog service is running on MS 2019 (AWS Instance)?
AWS instance and Graylog server on the same subnet? If not can you PING your graylog server from your MS 2019 server?
Ping -t graylog-IP
If you execute the following command on Graylog server, do you see your port 12201?
sudo lsof -i -P -n | grep 12201
As for your configurations they seem to be alright.
I take it you blotted out your Graylog server IP address with “GraylogIP”?
<Output udp>
Module om_udp
Host GraylogIP :12201
OutputType GELF_UDP
</Output>
If you not getting messages with those configurations, I’m assuming something is blocking messages getting to your Graylog server like securty device, firewall, etc…
Hope this helps
To piggy back off of @gsmith have you checked iptables or firewalld/ufw?
how about you graylog Server, is that port opened also?
Yes is been opened
AWS instance and Graylog server on the same subnet?
Yes, same subnet
If you execute the following command on Graylog server, do you see your port 12201?
As for your configurations they seem to be alright.
I take it you blotted out your Graylog server IP address with “GraylogIP”?
Yes, I key in my graylog IP.
everything is allow, but is not able get the log from the windows server event viewer?
@kvstudio6
Hello,
Thanks for the information. It seams like there is something in the way between your Graylog server and your AWS instance. I could be wrong but judging from what you showed us, you should have received messages from the AWS server. Just an idea but make sure the IP Address matches the Nxlog config file to your Graylog Server.
Did you check if nxlog service is running on MS 2019 (AWS Instance)?
Did you check your Nxlog log file?
If I’m reading this right, you stated that all the required ports are opened on Graylog Server and AWS (i.e.122010) and there on the same subnet. Just out of curiousity can you PING your Graylog server from your AWS instance?
Hope that helps.
I able to ping private IP from windows server 2019 to Graylog server.
here the log error:
INFO nxlog-ce-2.10.2150 started
ERROR apr_sockaddr_info failed for [PRIVATE IP GRAYLOG SERVER]:12201:514; No such host is known.
WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.
WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Microsoft-Windows-StorageSpaces-Api/Operational Microsoft-Windows-StorageSpaces-Driver/Diagnostic Microsoft-Windows-StorageSpaces-Driver/Operational Microsoft-Windows-StorageSpaces-ManagementAgent/WHC Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic Microsoft-Windows-StorageSpaces-SpaceManager/Operational Microsoft-Windows-Store/Operational Microsoft-Windows-SystemDataArchiver/Diagnostic Microsoft-Windows-SystemSettingsThreshold/Operational Microsoft-Windows-TaskScheduler/Maintenance Microsoft-Windows-TaskScheduler/Operational Microsoft-Windows-TCPIP/Operational Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational Microsoft-Windows-TerminalServices-LocalSessionManager/Admin Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Microsoft-Windows-TerminalServices-PnPDevices/Admin Microsoft-Windows-TerminalS
Hello,
Try this configuration.
Separate line for your port as shown below. Dont forget to restart nxlog service.
<Output udp>
Module om_udp
Host graylog_server
Port 12201
OutputType GELF_UDP
</Output>This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.