Collecting Windows Logs with NXLOG

Graylog3 Appliance on Ubuntu
Sidecar on my Windows8
I have configured nxlog:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog

<Extension _gelf>
Module xm_gelf

<Input in>
Module im_msvistalog

<Output out_udp>
Module om_udp
Port 12201
OutputType GELF

<Route 1>
Path in => out_udp

All firewalls are disabled, on graylog and on my windows (i think!)
But in nxlog.log i see:

2019-04-02 10:52:29 INFO connecting to 192.168.x.x:12201
2019-04-02 10:52:30 INFO reconnecting in 200 seconds
2019-04-02 10:52:30 ERROR couldn’t connect to tcp socket on 192.168.x.x:12201; No se puede establecer una conexión ya que el equipo de destino denegó expresamente dicha conexión.

No inputs received.
Not sure how to test it, I have tried:

C:\windows\system32>echo -n ‘{ “version”: “1.1”, “host”: “”, “short_m
essage”: “A short message”, “level”: 5, “_some_info”: “foo” }’ | nc -w0 -u 192.1
68.x.x 12201

C:\windows\system32>eventcreate /id 11 /l application /t information /so graylog
source /d “Event testing”

From Graylog console, I see my sidecar running, and created a GELD UDP input

And created input:

prova-nginx-udp GELF UDP RUNNING

On node 2d09728c / graylog

  • bind_address:192.168.x.x
  • decompress_size_limit:8388608
  • number_worker_threads:2
  • override_source:<empty>
  • port:12201
  • recv_buffer_size:262144

seen in sidecar.log:

time=“2019-04-02T14:04:59+02:00” level=error msg="[UpdateRegistration] Failed to report collector status to server: Put http://192.168.x.x:9000/api/sidecars/689e2b7d-9005-4a95-a1da-0eb1ac20ba87: read tcp 192.168.*.:50605->192.168.x.x:9000: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." ^

where 192.168.. is my windows8 server
and 192.168.x.x is the graylog server


In your input section you need to specify which windows events you want to collect using XPATH queries

Example below

<Input eventlog>
Module im_msvistalog
Query <QueryList>
<Query Id=“0”>
<Select Path=“Application”>*[System[(EventID=1102)]]</Select>
<Select Path=“Microsoft-Windows-Powershell/Operational”>
[System[(EventID=1102 or EventID=4103 or EventID=4104)]]
<Select Path=“Microsoft-Windows-Sysmon/Operational”>
<Select Path=“Security”>
[System[ (EventID=1102 or EventID=4624 or EventID=4625 or
EventID=4720 or EventID=4722 or EventID=4732)]]
<Select Path=“System”>
[System[(EventID=1102 or EventID=7009 or EventID=7045)]]</Select>

You can use wildcards and or multiple queries as well, something like

Just google nxlog configuration github.

Your log source is trying to connect to your server at on udp port 12201 according to your configuration. This will be caused by a firewall issue.

You can try to use ncat (part of nmap suite) to verify connectivity, but it is a security tool so may be flagged by AV.



1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.