NxLog Help - Logs Not Fully Ingesting

Graylog Central (peer support)
1

I’m attempting to ship Windows and App logs to Graylog via NxLog. I know it’s at least partially working because I’ll randomly receive logs in Graylog, but not all of them. I’m running Windows Server 2019 and I’m trying to send some Event Logs, Sysmon, and FileZilla logs to Graylog via TCP GELF. I’ve tried running nxlog as a server and under the administrator user.

Can someone please sanity check my nxlog config file?

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

Module pm_transformer Exec $Hostname = hostname(); OutputFormat syslog_snare Module xm_syslog Module xm_json Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 Module xm_exec Module xm_fileop 
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    Exec    if (file_exists('%LOGFILE%') and \
               (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>

######################################################
############## Extensions ############################

Module xm_gelf ########## INPUTS ########### Module im_file File "C:\Program Files (x86)\FileZilla Server\Logs\*" Module im_msvistalog 
   ReadFromLast True
   BatchSize 25
   SavePos True
   PollInterval 2
   
   #TolerateQueryErrors True
   
<QueryXML>
    <QueryList>
      <Query Id="0">
	<Select Path="Security">*</Select>
      </Query>
    <Query Id="1">
	<Select Path="Application">*</Select>
      </Query>
      <Query Id="2">
	<Select Path="Setup">*</Select>
      </Query>
      <Query Id="3">
	<Select Path="System">*</Select>
      </Query>
    <Query Id="13">
        <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
        </Query>
    <Query Id="14">
        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
        </Query>
    <Query Id="15">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        </Query>
    </QueryList>

#######################################
################# OUTPUTS ##############

Module om_tcp
Host 10.0.4.3
Port 1518
OutputType GELF

Module om_tcp Host 10.0.4.3 Port 1520 #Exec to_syslog_snare(); OutputType GELF ####################################### #################### ROUTE ########### # # Path eventlog => eventlog_transformer => out #

<Route 1>
Path eventlog => out

<Route 2>
Path FTP => out_ftp

2

Hey @a7ebouovue8v

Not sure what you have going on with NXlog and its hard to read your configuration file, BUT here mine perhaps that will help.

define ROOT C:\Program Files (x86)\nxlog
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log


Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension _fileop>
    Module xm_fileop
    # Check the log file size every hour and rotate if larger than 5 MB
    <Schedule>
        Every 1 hour
        <Exec>
            if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
                file_cycle('%LOGFILE%', 8);
        </Exec>
    </Schedule>
    # Rotate log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module      xm_gelf
 </Extension>
 
<Input zone-01>
    Module      im_msvistalog
      Query <QueryList>\
                     <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                       <Select Path="Setup">*</Select>\
                      </Query>\
     </QueryList>  
</Input>

<Output out>
    Module      om_tcp 
    Host        graylog.domain.com
    Port        51412
    OutputType  GELF_TCP         
    Exec $Hostname = hostname_fqdn();
    Exec $FullMessage = $raw_event;    
</Output>

<Route >
    Path        zone-01 => out
</Route>
3

Yea, I don’t know what happened with my paste there.

Your config fixed my issue. Thank you so much!

1 Like
4

hey @a7ebouovue8v

It happens :laughing: , if you could mark this post as resolved for future searches that would be great :+1:

5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.