How-To NXlog, Graylog and Eventlog (Windows 2003)


#1

Hi all here! My question is how can I send EventLog (im_mseventlog) from windows server 2003 to graylog mainly events like login to AD server and file operation like delete, create, read.

My setup works “in some way” and events are sent from nxlog to graylog (gelf) but the format is not much usefull. In the search page I see only a fragment of (Czech) message:

2017-05-17 06:04:59.000	AD1
Úspěšné přihlášení k síti:
Uživatelské jméno: jur

But the Full_Message is ok:

full_message
Úspěšné přihlášení k síti:
 	Uživatelské jméno: myusername
 	Doména: MYDOMAIN
 	ID přihlášení: (0x0,0x4BCB9960)
 	Typ přihlášení: 3
 	Přihlašovací proces: Kerberos
 	Ověřovací balíček: Kerberos
 	Název pracovní stanice: 
 	Přihlašovací identifikátor GUID: {fb1abed2-164b-39b4-0622-17795b159899}
 	Uživatelské jméno volajícího: -
 	Doména volajícího: -
 	ID přihlášení volajícího: -
 	ID procesu volajícího: -
 	Přenosové služby: -
 	Adresa zdrojové sítě: 172.16.12.36
 	Zdrojový port: 0

Is there way to format message on the side of nxlog or graylog to get more readable message from full_message?

Here is nxlog configuration:

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2, windows-1250
</Extension>
 
<Input evtlog>
     # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module      im_mseventlog
</QueryList>
Exec        convert_fields("AUTO", "utf-8"); if $raw_event == '' drop();
Exec if $EventID NOT IN (529,540,644,680) drop(); 
</Input>

<Output graylog>
    Module      om_udp
    Host        172.16.110.110
    Port        12201      
    OutputType  GELF
</Output>

<Route Events>
    Path evtlog => graylog
</Route>

Thank you for any help
Gracian


(Jochen) #2

You can use the Processing Pipelines to build a custom message with the desired information from any other fields of the same message: http://docs.graylog.org/en/2.2/pages/pipelines.html


#3

Oh, great news to me, thanks a lot for another information source. Do you know about any site with rule examples which could be right for my needs? That means something like:
rule "when is eventlog source"
when
contains(to_string($message.SourceModuleName), “evtlog”)
then
// set_field(to_string($message.message), "AD event: " + othe + fileds + from + raw + message);
end

I know, the best way is RTFM, but examples are good way as well.

Gracian


#4

I suggest switching to TCP (remember to change the output type to GELF_TCP

At least then you will not have problems with maximum packet size.


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.