How to get the customized logs for windows

grayloglearn · June 5, 2017, 8:39am

Hi team,

I have configured the graylog2.0.3 in centos 7 and its working fine. I want to enable the customized logs windows. For ex: The logs will store in Drive D:/logs/iis/* . How we can customize the logs using graylog.

jan · June 7, 2017, 12:43pm

Hej,

you would need to have a log shipper installed and configured. Please use the search in this Forum, this is discussed several times.

regards
Jan

grayloglearn · June 8, 2017, 7:20am

Hi Jan,

Can you send the link to me it will help to me i have searched but i did not get right link.

grayloglearn · June 9, 2017, 4:35am

Hi jan,

can you please share the link i have been searching but no luck.

grayloglearn · June 14, 2017, 9:34am

Hi jan,

I have followed the below by the below input to get the logs using nxlog but still i did not getany logs which are in D Drive…

<Input dlogs>
	Module	im_file
	File	File "D:\\Websites\\alllogs\\Logs\\BusinessLog"
	Exec	$Message = $raw_event;
	SavePos	 TRUE
	Recursive	TRUE
</Input>

<Route dlogs>
Path dlogs => t => dlogs_out
</Route>

grayloglearn · June 19, 2017, 8:25am

Can anybody help how to get the customized logs from windows:
Ex: The logs are stored in Driver the path D:\Websites\alllogs\Logs\BusinessLog.
how to get the logs.

jochen · June 19, 2017, 8:55am

What’s the complete configuration of NXLOG?
Have you considered switching to Filebeat, which might be easier to configure?

grayloglearn · June 19, 2017, 9:03am

Hi jochen,
thanks for the reply can you tell me the steps please and find the my complete nxlog.conf

## This is a sample configuration file. See the nxlog reference manual about the
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension gelf>
	Module xm_gelf
</Extension>

 <Extension json>
    Module      xm_json
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

<Extension w3c>
    Module 			xm_csv
    Fields 			$date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $scStatus, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes 		string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter 		' '
    QuoteChar 		'"'
    EscapeControl 	FALSE
    UndefValue 		-
</Extension>

<Input iis>
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
$SourceName = "IIS"; \
}
</Input>

<Input dlogs>
	Module	im_file
	File	File "D:\\Websites\\ehruat\\Logs\\u_ex*"
	Exec	$Message = $raw_event;
	SavePos	 TRUE
	Recursive	TRUE
</Input>



#<Output out>
#    Module      om_tcp
#    Host        192.168.1.1
#    Port        514
#    Exec        to_syslog_snare();
#</Output>

<Output out>
	Module om_udp
	Host X.X.X
	Port 12201
	OutputType GELF_UDP
</Output>


<Route 1>
    Path        in => out
</Route>
<Route iis>
	Path		iis => graylog
</Route>
<Route dlogs>
Path dlogs => t => dlogs_out
</Route>

jochen · June 19, 2017, 9:44am

There is no output called “dlogs_out” which you’re referencing in your “dlogs” route.

grayloglearn · June 19, 2017, 9:48am

Hi jochen,
Can you please tell me please how to add it i am new to graylog. I did not do any Filebeat config can you please guide it will help me too

jochen · June 19, 2017, 10:10am

Please refer to the NXLOG reference manual for information about how to configure NXLOG:
https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html

grayloglearn · June 19, 2017, 11:21am

hi jochen,

Thanks for the help can you please suggest that what should i change in my configuration so that it will help directly.

jochen · June 19, 2017, 12:13pm

You’ll have to define an output named “dlogs_out” and a filter named “t”, if you want to keep the route as is.

Also, you’re missing an output named “graylog” (used in the “iis” route).

grayloglearn · June 19, 2017, 12:30pm

Hi jochen,
My goal is the logs are storing in below path.

Ex: D:\Websites\servie\Logs\all_logs. Can you give the configure file as my requirement so that it will help alot to me and others.

jochen · June 19, 2017, 12:45pm

I’ve given you the link to the NXLOG reference documentation and some hints what to fix, which should be enough to figure it out.

If you need individual support, consider buying Graylog Enterprise: https://www.graylog.org/enterprise

system · July 3, 2017, 12:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get log from windows to graylog2.0.3 Graylog Central (peer support) sidecar , nxlog , nodatanx	8	8057	June 23, 2017
FIXED: Windows Logs retrieve Graylog Central (peer support)	3	262	October 10, 2022
How to collect custom logs? Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	4	1792	October 10, 2019
Graylog Sidecar Graylog Central (peer support) sidecar , nxlog , filebeat-windows , winlogbeat , nodatanx	7	2336	May 21, 2020
Graylog Sidecar and static windows server .log files Graylog Central (peer support) sidecar , nxlog , nodatanx	2	1417	June 29, 2017

How to get the customized logs for windows

Related topics