Issue receiving data from NXLog on TCP


(Samuele) #1

Hi,
I'm new to Graylog and NXLog. I'm using NXLog to send Windows server logs to Graylog.
My final goal is to transfer and log over SSL, but I'm proceeding step by step. All my machines are on my company LAN.
I've tried to install on ESXi 6.5 both the OVA and a new CentOS 7 + Graylog application.

Graylog input UDP (GELF UDP):

```
bind_address:               0.0.0.0
decompress_size_limit:      8388608
override_source:            <empty>
port:                       12201
recv_buffer_size:           262144
```

Graylog input TCP (GELF TCP):

```
bind_address:               0.0.0.0
decompress_size_limit:      8388608
max_message_size:           2097152
override_source:            <empty>
port:                       12201
recv_buffer_size:           1048576
tcp_keepalive:              false
tls_cert_file:              <empty>
tls_client_auth:            disabled
tls_client_auth_cert_file:  <empty>
tls_enable:                 false
tls_key_file:               <empty>
tls_key_password:           ********
use_null_delimiter:         true
```

The configuration of NXLog with om_udp:

```
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# GELF encoder (the extension is named _syslog but loads xm_gelf)
<Extension _syslog>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_udp
    Host 10.0.0.22
    Port 12201
    #Exec to_syslog_snare();
    Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
    OutputType GELF
</Output>

<Route 1>
    Path in => out
</Route>
```

works correctly, while the identical one I did with om_tcp

```
<Output out>
    Module om_tcp
    Host 10.0.0.22
    Port 12201
    #Exec to_syslog_snare();
    Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
    OutputType GELF
</Output>
```

creates this log:

```
2018-04-11 19:48:06 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-11 19:48:06 INFO reconnecting in 2 seconds
2018-04-11 19:48:07 INFO connecting to 10.0.0.22:12201
2018-04-11 19:48:07 INFO reconnecting in 1 seconds
2018-04-11 19:48:07 ERROR om_tcp send failed; An established connection was aborted by the software in your host machine.
2018-04-11 19:48:08 INFO connecting to 10.0.0.22:12201
2018-04-11 19:52:59 ERROR couldn't connect to tcp socket on 10.0.0.22:12201; No connection could be made because the target machine actively refused it.
2018-04-11 19:53:01 INFO connecting to 10.0.0.22:12201
2018-04-11 19:53:02 INFO reconnecting in 4 seconds
2018-04-12 10:02:09 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:10 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:10 INFO reconnecting in 1 seconds
2018-04-12 10:02:10 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:11 INFO reconnecting in 1 seconds
2018-04-12 10:02:11 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO reconnecting in 2 seconds
2018-04-12 10:02:12 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:12 INFO reconnecting in 1 seconds
2018-04-12 10:02:12 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:13 INFO reconnecting in 1 seconds
2018-04-12 10:02:13 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201
```

and does not work correctly.
In Graylog I receive 1 message/minute instead of the 15/20 I receive with the UDP configuration, even though the Graylog input message counter reports about 20/minute. It seems that most messages are discarded as incorrect.
On the Graylog server firewall, port 12201 TCP/UDP is open, and on the Windows server port 12201 is open too.
I have no idea what's going on. Thank you.

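Added example (not part of the thread, and not NXLog or Graylog code): the symptom above, a trickle of messages plus repeated "connection forcibly closed by the remote host", is what a NUL-delimited GELF TCP input produces when the sender never writes a delimiter. The Graylog GELF TCP input shown has `use_null_delimiter: true`, so it frames the byte stream on `\0` and, once an unterminated frame grows past `max_message_size`, drops it and resets the socket. With `om_udp` every datagram is one message, so no delimiter is needed, which is why the UDP route works; `om_tcp` needs the terminator, which is what xm_gelf's `GELF_TCP` output type adds (plain `GELF` is the datagram-style encoding). The Python below models both ends: a GELF 1.1 encoder, the two framings, and a receiver that splits on NUL the way the input does. The host name, the sample events and the `NullDelimitedDecoder` emulation are constructed for this example; the 2 MiB default is the `max_message_size` from the input above.

```python
import json

# Added example, not from the thread, NXLog or Graylog. Names, sample events and the
# decoder emulation below are constructed for illustration.

GELF_DELIM = b"\x00"  # delimiter a GELF TCP input with use_null_delimiter: true frames on


def gelf_message(host, short_message, **extra):
    """Build one GELF 1.1 payload (bytes, no trailing delimiter)."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": 1523461686.0,  # fixed so the sample is deterministic
        "level": 6,
    }
    for key, value in extra.items():
        msg["_" + key] = value  # GELF additional fields must be prefixed with '_'
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


# Constructed sample events standing in for Security log entries 4624/4634/4672 (not real log data).
EVENTS = [
    gelf_message("winsrv01", "An account was successfully logged on", EventID=4624),
    gelf_message("winsrv01", "An account was logged off", EventID=4634),
    gelf_message("winsrv01", "Special privileges assigned to new logon", EventID=4672),
]


def frame_tcp(payloads):
    """Wire bytes from a correctly configured TCP sender: every message ends with NUL."""
    return b"".join(p + GELF_DELIM for p in payloads)


def frame_udp_style(payloads):
    """Wire bytes from a datagram-style GELF sender pointed at a TCP socket: messages glued together."""
    return b"".join(payloads)


class NullDelimitedDecoder:
    """Emulates a delimiter-based TCP frame decoder: buffer bytes, emit one JSON message per NUL,
    and close the connection once an unterminated buffer exceeds max_message_size."""

    def __init__(self, max_message_size=2097152):  # 2 MiB, the value in the input shown above
        self.max_message_size = max_message_size
        self.buf = bytearray()
        self.closed = False

    def feed(self, chunk):
        if self.closed:
            raise ConnectionError("receiver already closed this connection")
        self.buf += chunk
        messages = []
        while True:
            end = self.buf.find(GELF_DELIM)
            if end < 0:
                break
            frame = bytes(self.buf[:end])
            del self.buf[: end + 1]
            messages.append(json.loads(frame.decode("utf-8")))
        if len(self.buf) > self.max_message_size:
            # No delimiter within the size limit: drop the partial frame and reset the socket,
            # which the sender logs as "connection forcibly closed by the remote host".
            self.closed = True
            self.buf.clear()
            raise ConnectionError("frame exceeds max_message_size; connection closed")
        return messages


def deliver(wire, decoder, segment=7):
    """Push the byte stream through the decoder in small TCP-like segments.
    Returns (decoded messages, error string or None)."""
    messages = []
    for offset in range(0, len(wire), segment):
        try:
            messages.extend(decoder.feed(wire[offset:offset + segment]))
        except ConnectionError as exc:
            return messages, str(exc)
    return messages, None


if __name__ == "__main__":
    ok, err = deliver(frame_tcp(EVENTS), NullDelimitedDecoder())
    print("NUL-delimited:", len(ok), "messages, error:", err)
    stuck, err = deliver(frame_udp_style(EVENTS[:1]), NullDelimitedDecoder())
    print("undelimited, under limit:", len(stuck), "messages, error:", err)  # bytes sit in the buffer
    dropped, err = deliver(frame_udp_style(EVENTS), NullDelimitedDecoder(max_message_size=256))
    print("undelimited, over limit:", len(dropped), "messages, error:", err)
```

The three runs map onto the thread: NUL-terminated frames decode one message each; an undelimited stream below the limit decodes nothing and just sits in the receiver's buffer; an undelimited stream past the limit gets the connection reset, after which the sender reconnects and the cycle repeats. Note that while the input has `tls_enable: false`, these Windows Security events cross the LAN in clear text; the poster's stated SSL goal is the input's `tls_cert_file`/`tls_key_file` settings on the Graylog side and a TLS-capable output on the NXLog side.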

(Jochen) #2

@sbergami Please format the configuration and log snippets in your original post for better readability:
https://help.github.com/articles/creating-and-highlighting-code-blocks/

What type of inputs are “Graylog input TCP” and “Graylog input UDP” exactly?
Have you considered using Winlogbeat instead of NXLOG?


(Samuele) #3

thank you.
The input type is GELF… I will try Winlogbeat.


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.