Hi,
I’m new to Graylog and NXLOG. I’m using nxlog to send Windows server logs to Graylog.
My final goal is to transfer and log over SSL, but I'm proceeding step by step. All my machines are on my company LAN.
I’ve tried to install on ESXI 6.5 both the OVA and a new CENTOS7 + Graylog application.
Graylog input UDP
bind_address: 0.0.0.0
decompress_size_limit: 8388608
override_source: <empty>
port: 12201
recv_buffer_size: 262144
Graylog input TCP
bind_address: 0.0.0.0
decompress_size_limit: 8388608
max_message_size: 2097152
override_source: <empty>
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********
use_null_delimiter: true
The configuration of NXLOG with OM_UDP:
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select>\
</Query>\
</QueryList>
</Input>
<Output out>
Module om_udp
Host 10.0.0.22
Port 12201
#Exec to_syslog_snare();
Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
OutputType GELF
</Output>
<Route 1>
Path in => out
</Route>
works correctly, while the identical one that I did with OM_TCP:
<Output out>
Module om_tcp
Host 10.0.0.22
Port 12201
#Exec to_syslog_snare();
Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
OutputType GELF
</Output>
creates this log:
2018-04-11 19:48:06 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-11 19:48:06 INFO reconnecting in 2 seconds
2018-04-11 19:48:07 INFO connecting to 10.0.0.22:12201
2018-04-11 19:48:07 INFO reconnecting in 1 seconds
2018-04-11 19:48:07 ERROR om_tcp send failed; An established connection was aborted by the software in your host machine.
2018-04-11 19:48:08 INFO connecting to 10.0.0.22:12201
2018-04-11 19:52:59 ERROR couldn't connect to tcp socket on 10.0.0.22:12201; No connection could be made because the target machine actively refused it.
2018-04-11 19:53:01 INFO connecting to 10.0.0.22:12201
2018-04-11 19:53:02 INFO reconnecting in 4 seconds
2018-04-12 10:02:09 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:10 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:10 INFO reconnecting in 1 seconds
2018-04-12 10:02:10 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:11 INFO reconnecting in 1 seconds
2018-04-12 10:02:11 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO reconnecting in 2 seconds
2018-04-12 10:02:12 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:12 INFO reconnecting in 1 seconds
2018-04-12 10:02:12 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:13 INFO reconnecting in 1 seconds
2018-04-12 10:02:13 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201
and does not work correctly.
In Graylog I receive 1 message/minute instead of the 15/20 which I receive with the UDP configuration, even if the Graylog input message counter reports about 20/minute. It seems that most messages are discarded as incorrect.
On the Graylog server firewall, port 12201 TCP/UDP is open, and on the Windows server port 12201 is open too.
I have no idea what’s going on. Thank you.
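The TCP input above is configured with use_null_delimiter: true, so it expects each GELF document on the stream to be terminated by a NUL byte. As an added example (not from the original post, nor NXLog's or Graylog's own code), this Python builds such frames from constructed Windows events, applies the same drop() rule as the nxlog config, and shows how a NUL-delimited receiver splits the stream versus what happens when the delimiter is missing; the host and port are taken from the post, all event data and helper names are assumptions.

```python
import json
import socket

# Constructed sample events (not real log data), shaped like the im_msvistalog fields in the post.
SAMPLE_EVENTS = [
    {"EventID": 4624, "ProcessName": "C:\\Windows\\System32\\lsass.exe",
     "Message": "An account was successfully logged on.", "Hostname": "win-srv-01"},
    {"EventID": 4672, "ProcessName": "C:\\Windows\\System32\\lsass.exe",
     "Message": "Special privileges assigned to new logon.", "Hostname": "win-srv-01"},
    {"EventID": 4663, "ProcessName": "C:\\inetsrv\\w3wp.exe",
     "Message": "An attempt was made to access an object.", "Hostname": "win-srv-01"},
]
NOISY_PROCESSES = ("TbService.exe", "w3wp.exe")  # the post's drop() rule

def to_gelf(event):
    """GELF 1.1 record; extra fields need a leading underscore."""
    return {"version": "1.1", "host": event["Hostname"],
            "short_message": event["Message"], "level": 6,
            "_EventID": event["EventID"], "_ProcessName": event["ProcessName"]}

def frame_for_tcp(events, drop_noisy=True):
    """One JSON document per message, each terminated by a NUL byte: the
    framing a Graylog TCP input with use_null_delimiter=true splits on."""
    out = bytearray()
    for ev in events:
        if drop_noisy and ev["ProcessName"].endswith(NOISY_PROCESSES):
            continue
        out += json.dumps(to_gelf(ev), separators=(",", ":")).encode() + b"\0"
    return bytes(out)

def decode_tcp_stream(data):
    """Receiver's view: split on NUL, parse each frame; returns (accepted, rejected_count)."""
    accepted, rejected = [], 0
    for frame in data.split(b"\0"):
        if not frame:
            continue
        try:
            doc = json.loads(frame)
        except ValueError:  # e.g. two documents run together without a NUL
            rejected += 1
            continue
        if doc.get("version") == "1.1" and "host" in doc and "short_message" in doc:
            accepted.append(doc)
        else:
            rejected += 1
    return accepted, rejected

def send_gelf_tcp(events, host="10.0.0.22", port=12201):  # address from the post
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(frame_for_tcp(events))
```

Running decode_tcp_stream over the framed bytes with the NUL bytes stripped shows the failure mode: the documents run together into one unparseable frame and every message is rejected.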