Hyper-v logs using nxlog

We have been using nxlog and graylog combination for a while now.

We recently observed challenges with logging from a Hyper-V cluster. We tried all possible configurations along with an XML filter, etc.

Has anybody implemented this successfully? We want to record all Hyper-V events, including activities related to VMs, their creation, etc.

@abhishekg

Hello,
Maybe I can help you with this problem.
For a better understanding, we have 100+ Hyper-V servers running Windows Server 2019 and they all have NXLog configured.
Our standard configuration is shown below.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log


Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _fileop>
    Module xm_fileop
    # Check the log file size every hour and rotate if larger than 5 MB
    <Schedule>
        Every 1 hour
        <Exec>
            if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
                file_cycle('%LOGFILE%', 8);
        </Exec>
    </Schedule>
    # Rotate log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module      xm_gelf
</Extension>


<Input in>
    Module      im_msvistalog
    # With no Query or Channel set, im_msvistalog reads from all event log
    # sources defined in the registry. Uncomment the Query to restrict it.
    #Query <QueryList>\
    #<Query Id="0">\
    #<Select Path="Application">*</Select>\
    #<Select Path="System">*</Select>\
    #<Select Path="Security">*</Select>\
    #</Query>\
    #</QueryList>
    # For Windows 2003 and earlier use the following:
    #   Module      im_mseventlog
</Input>

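<Output out>
    Module      om_ssl
    Host        graylog.domain.com
    Port        51412
    OutputType  GELF_TCP
    CertFile    %CERTDIR%/graylog3-certificate.pem
    CertKeyFile %CERTDIR%/graylog3-key.pem
    CAFile      %CERTDIR%/cert3.pem
    KeyPass     secret
    # AllowUntrusted true accepts the server certificate even when it does not
    # validate against CAFile, so the Graylog endpoint is not authenticated.
    AllowUntrusted  true
    # Send the FQDN as the source and keep the raw event as the full message
    Exec $Hostname = hostname_fqdn();
    Exec $FullMessage = $raw_event;
    #Exec        to_syslog_snare();
</Output>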

<Route >
    Path        in => out
</Route>

What we noticed with the configuration above is that it does pick up a lot of default events generated from Hyper-V servers, BUT we had to enable the proper audit logging in the domain controllers; what I mean by that is that some events did not come through.

Here is an example below just to give you a better understanding of what we had to go through.

To make this happen as shown below.

We had to configure this in our domain controller as follows.

Step 1: Go to your Group Policy Management Console → Domain policy → Computer configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy/Advanced audit policy configuration.
Step 2: Select the events you want to audit.
Step 3: Now, to view the AD event logs for these, go to Administrative Tools → Event Viewer.
Step 4: Select the type of AD audit logs that you wish to view (e.g. Application, System, etc.).

So, the moral of the story is that if you need something unique or verbose logging, you may have to enable certain audit logging configurations on your domain controller and/or Hyper-V server.

Hope this helps.

2 Likes
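A host-side check for the audit policy steps and the commented-out Query in the reply above, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the Hyper-V host and that the Hyper-V channels follow the `Microsoft-Windows-Hyper-V-*` naming pattern, which the thread itself does not state.

```powershell
# Added example, not from the thread. Run elevated on the Hyper-V host.

# 1. Confirm the audit policy set through Group Policy reached this host.
#    Subcategories reported as "No Auditing" produce no Security events,
#    so there is nothing for NXLog to forward for them.
auditpol.exe /get /category:*

# 2. List the Hyper-V event channels present on this host.
#    Assumption: they match the Microsoft-Windows-Hyper-V-* naming pattern.
$all = @(Get-WinEvent -ListLog 'Microsoft-Windows-Hyper-V-*' -ErrorAction SilentlyContinue)
$all | Sort-Object LogName |
    Format-Table LogName, LogType, IsEnabled, RecordCount -AutoSize

# 3. Keep only channels a collector can subscribe to: enabled, and of type
#    Administrative or Operational (Analytical and Debug are left out).
$usable = @($all |
    Where-Object { $_.IsEnabled -and ([string]$_.LogType -in 'Administrative', 'Operational') } |
    Sort-Object LogName)

if ($usable.Count -eq 0) {
    Write-Warning 'No enabled Hyper-V Administrative/Operational channels found.'
    return
}

# 4. Emit a Query directive in the same shape as the commented-out one in the
#    posted config, extended with the channels found above. Every line except
#    the last ends in a backslash, which nxlog.conf uses as line continuation.
$paths   = @('Application', 'System', 'Security') + $usable.LogName
$selects = $paths | ForEach-Object { '    <Select Path="{0}">*</Select>\' -f $_ }
$lines   = @('    Query <QueryList>\', '    <Query Id="0">\') + $selects +
           @('    </Query>\', '    </QueryList>')
$lines -join [Environment]::NewLine
```

Paste the emitted block into the `<Input in>` section in place of the commented-out Query when collection should be limited to these channels; a channel with a `RecordCount` of 0 has logged nothing on the host yet.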

Will test this today and update. Thanks