I’m attempting to ship Windows and App logs to Graylog via NxLog. I know it’s at least partially working because I’ll randomly receive logs in Graylog, but not all of them. I’m running Windows Server 2019 and I’m trying to send some Event Logs, Sysmon, and FileZilla logs to Graylog via TCP GELF. I’ve tried running nxlog as a server and under the administrator user.
Can someone please sanity check my nxlog config file?
# NXLog configuration for a Windows Server 2019 host, as pasted in the post.
# NOTE(review): several block tags (<Extension ...>, <Input ...>, <Output ...>,
# the closing </QueryXML>, </Input>, </Output> and </Route>) are not visible in
# this paste; the notes below point out where they would have to be in the real file.
Panic Soft
#NoFreeOnExit TRUE
# Installation paths; everything below is derived from ROOT.
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
# nxlog's own log file — the first place to look for input/output errors when
# events are missing in Graylog.
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
######################################################
############## Extensions ############################
# NOTE(review): no <Extension> block is visible under this heading, yet
# "OutputType GELF" further down needs the xm_gelf extension to be loaded —
# confirm the real file declares it.
# NOTE(review): the directives from here to </QueryList> are event-log input
# settings, but no enclosing <Input ...> tag is visible. Route 1 below refers to an
# input named "eventlog", so an "<Input eventlog>" block (presumably with
# "Module im_msvistalog") is what appears to be missing from the paste.
# Start at the newest events on first run and keep a saved position across restarts.
ReadFromLast True
BatchSize 25
SavePos True
PollInterval 2
# NOTE(review): a query that fails for one channel (e.g. the service account lacking
# read rights on Security, or a channel that does not exist on this host) can stop
# delivery for the others; TolerateQueryErrors is presumably the knob for that, and
# the nxlog.log above will show the underlying error — verify before enabling it.
#TolerateQueryErrors True
# NOTE(review): this block is never closed in the paste — the real file needs
# </QueryXML> and </Input> before the OUTPUTS section.
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
<Query Id="1">
<Select Path="Application">*</Select>
</Query>
<Query Id="2">
<Select Path="Setup">*</Select>
</Query>
<Query Id="3">
<Select Path="System">*</Select>
</Query>
<Query Id="13">
<Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
</Query>
<Query Id="14">
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
</Query>
<Query Id="15">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
</QueryList>
#######################################
################# OUTPUTS ##############
# NOTE(review): no "<Output out>" tag is visible around the om_tcp directives, and
# neither the "out_ftp" output nor the "FTP" input named in Route 2 is defined in
# what was pasted — check that both exist in the real file.
Module om_tcp
# Graylog GELF TCP input. Plain TCP: event data (including Security events) crosses
# the network unencrypted; if the link is not trusted, om_ssl with a GELF TLS input
# on the Graylog side is the encrypted equivalent.
Host 10.0.4.3
Port 1518
# NOTE(review): for om_tcp the framing Graylog's GELF TCP input expects is the
# null-byte-delimited variant, which xm_gelf exposes as "OutputType GELF_TCP";
# plain "GELF" is the UDP-style framing. Sending UDP framing over a TCP input
# typically yields exactly the symptom described (some records arrive, others are
# dropped or merged). Verify against the xm_gelf documentation for your NXLog version.
OutputType GELF
# NOTE(review): neither route is closed in the paste; each needs a </Route>.
<Route 1>
Path eventlog => out
<Route 2>
Path FTP => out_ftp