How-To NXlog, Graylog and Eventlog (Windows 2003)

Gracianos · May 17, 2017, 6:15am

Hi all here! My question is how can I send EventLog (im_mseventlog) from windows server 2003 to graylog mainly events like login to AD server and file operation like delete, create, read.

My setup works “in some way” and events are sent from nxlog to graylog (gelf) but the format is not much usefull. In the search page I see only a fragment of (Czech) message:

2017-05-17 06:04:59.000	AD1
Úspěšné přihlášení k síti:
Uživatelské jméno: jur

But the Full_Message is ok:

full_message
Úspěšné přihlášení k síti:
 	Uživatelské jméno: myusername
 	Doména: MYDOMAIN
 	ID přihlášení: (0x0,0x4BCB9960)
 	Typ přihlášení: 3
 	Přihlašovací proces: Kerberos
 	Ověřovací balíček: Kerberos
 	Název pracovní stanice: 
 	Přihlašovací identifikátor GUID: {fb1abed2-164b-39b4-0622-17795b159899}
 	Uživatelské jméno volajícího: -
 	Doména volajícího: -
 	ID přihlášení volajícího: -
 	ID procesu volajícího: -
 	Přenosové služby: -
 	Adresa zdrojové sítě: 172.16.12.36
 	Zdrojový port: 0

Is there way to format message on the side of nxlog or graylog to get more readable message from full_message?

Here is nxlog configuration:

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2, windows-1250
</Extension>
 
<Input evtlog>
     # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module      im_mseventlog
</QueryList>
Exec        convert_fields("AUTO", "utf-8"); if $raw_event == '' drop();
Exec if $EventID NOT IN (529,540,644,680) drop(); 
</Input>

<Output graylog>
    Module      om_udp
    Host        172.16.110.110
    Port        12201      
    OutputType  GELF
</Output>

<Route Events>
    Path evtlog => graylog
</Route>

Thank you for any help
Gracian

jochen · May 17, 2017, 7:23am

You can use the Processing Pipelines to build a custom message with the desired information from any other fields of the same message: http://docs.graylog.org/en/2.2/pages/pipelines.html

Gracianos · May 17, 2017, 9:28am

Oh, great news to me, thanks a lot for another information source. Do you know about any site with rule examples which could be right for my needs? That means something like:
rule "when is eventlog source"
when
contains(to_string($message.SourceModuleName), “evtlog”)
then
// set_field(to_string($message.message), "AD event: " + othe + fileds + from + raw + message);
end

I know, the best way is RTFM, but examples are good way as well.

Gracian

jtkarvo · May 17, 2017, 6:09pm

I suggest switching to TCP (remember to change the output type to GELF_TCP

At least then you will not have problems with maximum packet size.

system · May 31, 2017, 6:09pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
NXLog to Gray Log Graylog Central (peer support) sidecar , nxlog , nodatanx	6	1216	February 4, 2020
Windows Event logging into graylog Graylog Central (peer support) sidecar , nxlog , nodatanx	9	12894	March 5, 2018
61 / 5000 Resultados de traducción I need help sending IIS events to graylog with NXLog Graylog Central (peer support) sidecar , nxlog , nodatanx , send-csv-logsnx	2	710	August 17, 2021
How to filter eventlog and forward to graylog Graylog Central (peer support) sidecar , nxlog , nodatanx	4	3619	August 22, 2018
Windows Server NXLog - Graylog Graylog Central (peer support) sidecar , nxlog , nodatanx	3	9123	August 2, 2018

How-To NXlog, Graylog and Eventlog (Windows 2003)

Related topics