Missing some event viewer logs

Graylog Central (peer support)
, ,
1

Hi,

I have configured graylog 3 and I’m using nxlog and collector-sidecar (1.0.0) to send event viewer logs to the graylog server.
For some reason, I’m not seeing some logs in the graylog server but they are in the event viewer… I’m not filtering any log for the time being… and actually the same configuration in graylog 2.4 works fine…
Not sure if this could help but for instance Security EventID 4625 or 4624 are some of the events I’m not seeing in graylog but are there in the Event Viewer.

The config I’m using:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel DEBUG

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
     </Schedule>
</Extension>


<Extension gelfExt>
  Module xm_gelf
</Extension>

<Input eventlog>
        Module im_msvistalog
        PollInterval 1
        SavePos True
        ReadFromLast True
        
Query <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
</QueryList>

</Input>



<Output gelf>
	Module om_udp
	Host my_server
	Port 12201
	OutputType  GELF
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '${sidecar.nodeId}';
	  $collector_node_id = '${sidecar.nodeName}';
	</Exec>
</Output>



<Route route-0>
  Path eventlog => gelf
</Route>

Thanks in advance.

2

Did you checked your Graylog server.log and your elasticsearch logs for errors?

Special when it “suddenly” stop working that is a good place to start investigation.

3

Just to clarify this never worked in graylog 3.0… What I mentioned is that this same configuration in my prod server with Graylog 2.4 works fine…
No errors in the elasitcearch, graylog or sidecar so far…

4

so to clarify:

You use NXLOG to send GELF Messages to Graylog (Version 3.0) and you do not see any Message in Graylog?

5

Yes, I’m using gelf udp to send messages to Graylog 3, but actually I’m seeing most of the events in the Graylog, just some of them are not there, for instance Security EventID 4625 or 4624.
I’m not sure what to check… as you can see in the config I’m not filtering any event…

6

Something I tried now was to filter exactly one of the events I know Im not getting…

Query <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*[System[(EventID=4625)]]</Select>\
                </Query>\

Still the same issue, and I’m not seeing any relevant in the logs…
Anything else I can try to troubleshoot this ?

7

you might want to ask in the NXLOG community if that is a known issue …

8

Just to let you know, it seems that this is related with an issue in docker with udp connections… for some reason some udp messages are being filtered.
I just tried gelf tcp and it’s working as expected.

9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.