1. Describe your incident:
2. Describe your environment:
OS Information:
Graylog is running from a docker container within Ubuntu 22.04.2.
Sidecar 1.4.0 is installed and running on a Windows 10 client.
Package Version:
Graylog version is 5.1.3
Service logs, configurations, and environment variables:
Nxlog configuration listed in Collector Configuration > nxlog:
define ROOT C:\Program Files (x86)\nxlog

# Extension instance names are assumed; the input and output names
# (eventlog, file, gelf) match the Route lines at the end.
<Extension logrotate>
    Module xm_fileop
    <Schedule>
        When @daily
        Exec file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Input eventlog>
    Module im_msvistalog
    PollInterval 20
    SavePos True
    ReadFromLast True
    # Only the XPath filters of the QueryList survived in the post; the
    # enclosing <Query>, <Select> and <Suppress> elements and their channel
    # Path attributes are missing, so the three suppressed event IDs are
    # shown as posted.
    Query <QueryList>\
        [System[(EventID=20003)]]
        [System[(EventID=137)]]
        *[System[(EventID=1150)]]
</Input>

<Input file>
    Module im_file
    File 'C:\Windows\MyLogDir\\*.log'
    PollInterval 1
    SavePos True
    ReadFromLast True
    Recursive False
    RenameCheck False
    Exec $FileName = file_name(); # Send file name with each message
</Input>

<Output gelf>
    Module om_udp
    Host x.x.x.x    # obfuscated IP
    Port 12201
    OutputType GELF_UDP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
        $Hostname = hostname_fqdn();
    </Exec>
</Output>

<Route route-1>
    Path eventlog => gelf
</Route>
<Route route-2>
    Path file => gelf
</Route>
3. What steps have you already taken to try and solve the problem?
I’ve generated Events in the Windows client that I’m trying to see in Graylog, and have confirmed there are no filters preventing the events I’m looking for.
4. How can the community help?
I’m trying to validate the nxlog configuration I’m currently using, but there seem to be Windows Events missing from the Graylog messages. Starting with Microsoft-Windows-Windows Defender/Operational, I am seeing event ID 1151 feed into Graylog hourly and it shows:
Endpoint Protection client health report (time in UTC):
Platform version: 4.18.23050.5
Engine version: 1.1.23060.1005
Network Realtime Inspection engine version: 1.1.23060.1005
Antivirus security intelligence version: 1.393.261.0
What I am not seeing is any other event related to Microsoft-Windows-Windows Defender/Operational, even though the nxlog config is only suppressing event ID 1150. When I initiate a Microsoft Defender scan, it creates an Event ID of 1000. I even downloaded a Malware test into the client which generates an event ID of 1116. Neither of those instances appear in Graylog. I’m looking for help to determine why not every event from Microsoft-Windows-Windows Defender/Operational appears in Graylog other than the 1150 event that I’m suppressing.
I’ve updated my config to remove that first Query value and without the \ at the end of each line, but I’m still not seeing any Windows Defender events besides 1151.
Ok, my file is pretty close to how the one above is configured. I’m using the EICAR files as well to test for Malware. I can see that event in the client, but it doesn’t populate to Graylog. This is the only Windows Defender event that shows up.
Can you try a separate Query Id for each type of channel?
What I have seen from here or here is that you cannot filter different channels from the same Query.
When you try to filter the channel through the GUI of Windows Event Log, you cannot filter another channel from the same query, only the selected channel; the process is the same for nxlog.
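One way to write that suggestion in nxlog, as an added example that is neither poster's configuration: a QueryXML block with one Query element per channel, each carrying its own Select and Suppress with the channel Path, so the Defender/Operational suppression of 1150 is scoped unambiguously and the 1000 and 1116 events named in the thread are still selected. The "System" channel and the placement of the 20003/137 suppressions there are assumptions made for the example; the Defender event IDs are the ones discussed above.

```xml
<Input eventlog>
    Module im_msvistalog
    PollInterval 20
    SavePos True
    ReadFromLast True
    <QueryXML>
        <QueryList>
            <!-- Query 0: only the Defender channel. Everything is selected,
                 then the hourly 1150 health-report event is suppressed;
                 1000 (scan started), 1116 (malware detected) and 1151
                 still pass. -->
            <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                <Suppress Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1150)]]</Suppress>
            </Query>
            <!-- Query 1: a second channel gets its own Query, so its
                 suppressions are never read against the Defender channel.
                 "System" and the two IDs placed here are assumptions. -->
            <Query Id="1" Path="System">
                <Select Path="System">*</Select>
                <Suppress Path="System">*[System[(EventID=20003)]]</Suppress>
                <Suppress Path="System">*[System[(EventID=137)]]</Suppress>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
```

A malformed query is reported in the collector's own log (%ROOT%\data\nxlog.log, the file this configuration rotates daily) when nxlog starts, so check it after each change. A query edit only changes what the collector sends; if the client still shows the events but Graylog does not, the thread's eventual fix was on the Graylog side (rotating the active index), so look at the index set before rewriting the query further.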
I updated my config to the above as well, but I’m not seeing any change. For additional background, our org currently has Graylog version 2.4.7 with very similar Nxlog settings. I’m replacing that server with this one, but I’m just unclear what the reason for the difference is. Every intended Windows Defender/Operational log is populating in the old Graylog server based on a near-similar Nxlog configuration, while the new server is being more selective.
This was solved by going into the Index and rotating it. What caused the index issue and how to prevent it is something else, but my missing logs have been solved by performing this.