NXLog on Windows 2012 not working

I have Graylog 4.x on Ubuntu 20.

I have no problem reading any Ubuntu or Debian server log in Graylog.

But I created a sidecar for Windows 10 and NXLog for Windows 2012.

All inputs are running (green) but the server is not receiving messages from Windows.

I don't have a firewall on Ubuntu, and the special port for Windows is open in the Windows firewall.
My conf file on 2012 is:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in_eventlog>
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos TRUE
</Input>

<Output out_eventlog>
    Module om_udp
    Host my-ip
    Port 12201
    Exec $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message;
    # a multi-line Exec needs a trailing backslash on every continued line
    Exec if ($EventID == 18454 or $EventID == 18456) { $SyslogFacilityValue = 18; } \
         else { $SyslogFacilityValue = 13; }
    Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
         else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
         else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
    Exec to_syslog_bsd();
</Output>

<Route eventlog>
    Path in_eventlog => out_eventlog
</Route>

Hello,

I might be able to help, but your NXLog configuration is hard to read. It needs to be formatted like this.

From what I understand, your Linux devices are fine but your Windows server(s) using NXLog are not.

  • Did you check your NXLog log file for errors?
  • Did you execute a tcpdump on the Graylog server?

Judging your configuration from what I can see, it doesn't look right.

My suggestion would be to try something like this first.

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _fileop>
    Module xm_fileop
    # Check the log file size every hour and rotate if larger than 5 MB
    <Schedule>
        Every 1 hour
        <Exec>
            if (file_exists('%LOGFILE%') and file_size('%LOGFILE%') >= 5M)
                file_cycle('%LOGFILE%', 8);
        </Exec>
    </Schedule>
    # Rotate log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>


<Input in>
    Module im_msvistalog
    Query <QueryList>\
            <Query Id="0">\
                <Select Path="Application">*</Select>\
                <Select Path="System">*</Select>\
                <Select Path="Security">*</Select>\
            </Query>\
          </QueryList>
</Input>

<Output out>
    Module      om_udp 
    Host        8.8.8.8
    Port        12201
    Exec $Hostname = hostname_fqdn();
    Exec $ShortMessage = $raw_event;
</Output>

<Route >
    Path        in => out
</Route>

Once you start receiving logs, I would start fine-tuning it. Keep it simple so you can find out where the issue is.

The configuration below doesn't look right, but I could be wrong.

Exec $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message;
Exec if ($EventID == 18454 or $EventID == 18456) { $SyslogFacilityValue = 18; } \
     else { $SyslogFacilityValue = 13; }
Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
     else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
     else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
Exec to_syslog_bsd();

Here is the documentation for using NXLog with the Graylog Sidecar; I'm not sure if you missed a step. I believe you need to install the NXLog binaries.

https://docs.graylog.org/docs/sidecar#:~:text=Copy-,NXlog%20on%20Windows,-Install%20the%20NXLog

And here is some information about NXLog CE configuration; I'm not sure if you have seen this.

Hope that helps


Sorry, I am new here. I found out what the problem was: it was a firewall between two subnets. Now I can see my Graylog taking data; when I look under System/Inputs it shows a total of 10 MB.
But when I click "Show received messages", Graylog shows nothing. NXLog says it is running, with no errors.

How do I send the conf file? The conf file has <> and these are ignored in these text messages.

You’re sending syslog messages over UDP to Graylog, which is listening on 12201, is that right? If so, 12201 isn’t a default syslog port, nor is it something that we typically recommend setting syslog ports to. That’s the default port for GELF, so you should probably change your port to whatever you’re using for your syslog input in Graylog, or change your output in nxlog to GELF.

Hello,

I concur with @aaronsachs; perhaps change your port from 12201 to something like 5140 and see if that helps.

Can I ask why you're using to_syslog_bsd?

Why should the port be an issue? By the way, it was what Graylog 4 suggested.

I have data on this server, but when I click "Show received messages" I don't have any entries.
I don't understand why the port should be changed.

Hi there, not to be terse, but neither of those tells me anything at all. Can you point me to where you got the config for NXLog? Can you also provide a full screenshot of the input? I'll also reiterate what @gsmith has mentioned: the more detail you provide, the better we can help. It's difficult to help you get an answer to your problem if information is lacking.

I have an Ubuntu 20.04 with UTC time (which is 2 hours different from Windows).

That still doesn’t tell me anything–it shows the config of the output. Can you try something like this:

The gist of what I’m getting at is you’re sending syslog messages to a GELF input–that won’t work. At least that’s what I’m inferring from the port number you’re using. Syslog uses port 514 (a privileged port, which you’ll need to change). Are you actually sending syslog messages to a syslog input? If not, then that’s your problem.

I did not change the port Graylog suggested. It sends entries and I can see the input. When I try "Show received messages", there is nothing to show.

Hello @Sharzad

Did you see what @aaronsachs was telling you in his statement?

You have configured your NXLog as shown below, which will not work with the INPUT you have made.

If you are going to send messages to a GELF Input, you need to configure NXLog to something like this.

<Extension _gelf>
    Module         xm_gelf
</Extension>
<Output out>
    Module         om_udp
    Host           YOUR_HOST
    Port           12201
    OutputType     GELF_UDP     
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();
</Output>

This tells me that your NXLog configuration is incorrect. I showed you an example above.

  • Here is a GELF UDP INPUT

  • Here is a Syslog UDP INPUT.

You have two choices.
You either need to adjust your NXLog configuration for your INPUT, or your INPUT for your NXLog configuration.

Hope that helps
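The mismatch @aaronsachs and @gsmith describe above (a BSD-syslog line from to_syslog_bsd() arriving at a GELF UDP input on 12201) can be checked on the Graylog host without guessing from the port number. The following is an added example, not NXLog's or Graylog's code and not from anyone in this thread: it classifies a received UDP payload by the GELF rules (chunk magic 0x1e0f, gzip or zlib magic, bare JSON) versus the syslog `<PRI>` header, decodes a GELF datagram and checks the fields a GELF input requires (version, host, short_message), and round-trips a datagram over loopback UDP so the same check can be pointed at real traffic from NXLog. The two sample datagrams, the hostname win2012.example.test and the event text are constructed for the example.

```python
"""Tell GELF from BSD syslog on the wire, and decode the GELF.

Added example for this thread; not NXLog or Graylog code.  The sample
datagrams built in main() are constructed: one shaped like NXLog's
`OutputType GELF_UDP` output (zlib-compressed GELF 1.1 JSON), one shaped like
the original config's `to_syslog_bsd()` output.
"""
import gzip
import json
import socket
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # chunked GELF: magic, 8-byte id, seq no, seq count, data
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_MAGIC = b"\x78"            # first byte (CMF) of a zlib stream
REQUIRED_GELF_FIELDS = ("version", "host", "short_message")


def classify(datagram: bytes) -> str:
    """Name the wire format a Graylog GELF UDP input would see in this payload."""
    if datagram.startswith(GELF_CHUNK_MAGIC):
        return "gelf-chunked"
    if datagram.startswith(GZIP_MAGIC):
        return "gelf-gzip"
    if datagram.startswith(ZLIB_MAGIC):
        return "gelf-zlib"
    if datagram.lstrip().startswith(b"{"):
        return "gelf-json"
    # BSD syslog starts with a <PRI> header; a GELF input silently drops such packets.
    if datagram.startswith(b"<") and datagram[1:5].split(b">", 1)[0].isdigit():
        return "syslog"
    return "unknown"


def decode_gelf(datagram: bytes) -> dict:
    """Decompress and parse one (unchunked) GELF datagram, enforcing the required fields."""
    kind = classify(datagram)
    if kind == "gelf-gzip":
        raw = gzip.decompress(datagram)
    elif kind == "gelf-zlib":
        raw = zlib.decompress(datagram)
    elif kind == "gelf-json":
        raw = datagram
    else:
        raise ValueError(f"not a single GELF datagram: {kind}")
    msg = json.loads(raw)
    missing = [f for f in REQUIRED_GELF_FIELDS if f not in msg]
    if missing:
        raise ValueError(f"GELF message missing required field(s): {missing}")
    return msg


def nxlog_style_gelf(host: str, short_message: str, extra: dict) -> bytes:
    """Build a zlib-compressed GELF 1.1 datagram; extra fields get the '_' prefix GELF requires."""
    msg = {"version": "1.1", "host": host, "short_message": short_message}
    msg.update({"_" + k: v for k, v in extra.items()})
    return zlib.compress(json.dumps(msg).encode("utf-8"))


def syslog_bsd(facility: int, severity: int, hostname: str, tag: str, text: str) -> bytes:
    """Build a BSD syslog line the way to_syslog_bsd() would (PRI = facility*8 + severity)."""
    return f"<{facility * 8 + severity}>Jan  1 00:00:00 {hostname} {tag}: {text}".encode("utf-8")


def loopback_roundtrip(payload: bytes) -> bytes:
    """Send payload over UDP to a local listener and return what arrived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))  # ephemeral port; bind the input's port on a test host instead
        rx.settimeout(2)
        tx.sendto(payload, rx.getsockname())
        data, _ = rx.recvfrom(65535)
        return data
    finally:
        tx.close()
        rx.close()


def main() -> None:
    # Constructed samples: a Security-log event as NXLog's GELF_UDP output would carry it,
    # and the same event as the original config's syslog output (facility 13, severity 5).
    gelf = nxlog_style_gelf("win2012.example.test",
                            "Security: 4624: An account was successfully logged on.",
                            {"EventID": 4624, "Channel": "Security"})
    syslog = syslog_bsd(13, 5, "win2012", "Security", "4624: An account was successfully logged on.")
    for payload in (gelf, syslog):
        received = loopback_roundtrip(payload)
        kind = classify(received)
        try:
            print(kind, decode_gelf(received))
        except ValueError as exc:
            print(kind, "->", exc)


if __name__ == "__main__":
    main()
```

To check live traffic, bind the receiving socket to the input's port on a test host instead of an ephemeral loopback port, or feed classify() the payload bytes that tcpdump -X shows. A payload classified as gelf-chunked carries only one chunk of a larger message; all chunks with the same 8-byte id must be reassembled before decode_gelf() applies.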

I have the following in my NXLog:

Module xm_gelf
Module im_msvistalog
Module om_udp
Host my-ip
Port 12201
OutputType GELF
Exec $short_message = $raw_event;
Exec $Hostname = hostname_fqdn();
Path win => graylog

and the following GELF UDP input on Graylog.

@Sharzad

Sir,
It is really, really hard to help you. Please re-read @aaronsachs' posts and mine above. I have no idea what I'm seeing.
Your NXLog configuration is incorrect. Please read over this post.

This is my nxlog

Panic Soft
define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>


<Extension _gelf>
     Module	xm_gelf
</Extension>

<Input win>
     Module	im_msvistalog
</Input>

<Output graylog>
      Module	 om_udp
      Host	 my-ip
      Port	 12201
      OutputType GELF
  Exec $short_message = $raw_event;

Hello

Looks like you're missing parts of your NXLog configuration file: the closing of the Output and your Route.

This is incorrect.

It should be like this

<Output graylog>
      Module	 om_udp
      Host	     my-ip
      Port	     12201
      OutputType GELF_UDP 
      Exec $short_message = $raw_event;
</Output>

Then you need a route.

So, it should look like this.

<Route >
    # the route must reference the output block you defined, <Output graylog>
    Path        win => graylog
</Route>

This is shown in Nxlog-ce here

Hope that helps

Hello, I don't know why the last line was not copied here, but you are right, I forgot GELF_UDP.
I added UDP and I have a route from win to graylog. Nothing happens: no entry in my Graylog.

Panic Soft
define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>


<Extension _gelf>
     Module	xm_gelf
</Extension>

<Input win>
     Module	im_msvistalog
</Input>

<Output graylog>
    Module     om_udp
    Host       My-ip
    Port       12201
    OutputType GELF_UDP
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();
</Output>

<Route graylog_rute>
    Path       win => graylog
</Route>

Hello,

Did you restart the NXLog service after you reconfigured the nxlog.conf file?
Did you execute tcpdump on Graylog to see if messages were reaching Graylog from your Windows device?
Example:

tcpdump -n host 192.168.1.10

It would help to show what you are seeing, in the form of logs, etc.

@gsmith, it's working now; it was a wrong IP.
I don't know if I should open a new question for the following issue.
I have more than 800 Linux/Windows servers. If they all go to Graylog, does every one have to have its own port?

Hello,

You could, but it's not recommended.

To give you some ideas, what we have in production are the following INPUTs with different ports (i.e. you cannot use the same port on multiple INPUTs). Because this is a public forum I changed the port numbers for this post, but it will give you an idea of what I'm talking about.

  • Cisco UDP Raw/Plaintext UDP (port 34001) ← switches
  • Security Devices Raw/Plaintext UDP (port 35001) ← Firewalls
  • Windows System Secure GELF TCP (port 36001) ← Windows Devices
  • Network Devices (Force 10) Raw/Plaintext UDP (port 37001) ← specific Devices
  • Linux Secure System GELF TCP (port 38001) ← Linux devices
  • NetFlow NetFlow UDP (port 2055) ← specific Devices that have netflow

It should be obvious that the Windows devices go to the Windows INPUT, etc.
Also, on each INPUT that receives logs from multiple devices, our INPUTs are set to Global, as shown below.

We also have a chart for Graylog port reservations. This ensures there are no port conflicts.

Hope that helps
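The question of whether 800 servers each need their own port, and the port-reservation chart @gsmith keeps, come down to one rule: two inputs collide only when they would bind the same protocol and port on the same node. The following is an added example, not Graylog's code: it parses the shape of the /api/system/inputs response and reports collisions, treating global inputs as present on every node and allowing the same port number for UDP and TCP. The sample response is constructed here; its titles, node ids and ports are assumptions.

```python
"""Flag (protocol, port) collisions among Graylog inputs before adding one.

Added example for this thread; not Graylog's code.  In real use the JSON
comes from GET http://<graylog>:9000/api/system/inputs with an API token;
SAMPLE_INPUTS_RESPONSE below is constructed in that endpoint's shape, and
every title, node id and port in it is an assumption.
"""
import json
from collections import defaultdict

SAMPLE_INPUTS_RESPONSE = json.dumps({
    "inputs": [
        {"id": "i1", "title": "Cisco switches Raw UDP", "global": True, "node": None,
         "type": "org.graylog2.inputs.raw.udp.RawUDPInput",
         "attributes": {"bind_address": "0.0.0.0", "port": 34001}},
        {"id": "i2", "title": "Windows Secure GELF TCP", "global": True, "node": None,
         "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
         "attributes": {"bind_address": "0.0.0.0", "port": 36001, "tls_enable": True}},
        {"id": "i3", "title": "Linux Secure GELF TCP", "global": True, "node": None,
         "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
         "attributes": {"bind_address": "0.0.0.0", "port": 38001, "tls_enable": True}},
        # Node-local test input reusing a port a global input already holds: a collision.
        {"id": "i4", "title": "Test Syslog UDP", "global": False, "node": "n1",
         "type": "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
         "attributes": {"bind_address": "0.0.0.0", "port": 34001}},
        # Same port number, different protocols: a UDP and a TCP socket do not collide.
        {"id": "i5", "title": "GELF UDP", "global": False, "node": "n1",
         "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput",
         "attributes": {"bind_address": "0.0.0.0", "port": 12201}},
        {"id": "i6", "title": "Syslog TCP", "global": False, "node": "n2",
         "type": "org.graylog2.inputs.syslog.tcp.SyslogTCPInput",
         "attributes": {"bind_address": "0.0.0.0", "port": 12201}},
    ],
    "total": 6,
})


def transport(input_type: str) -> str:
    """Derive the socket protocol from the input class name (...UdpInput/...UDPInput vs the rest)."""
    return "udp" if input_type.rsplit(".", 1)[-1].lower().endswith("udpinput") else "tcp"


def find_port_conflicts(response_json: str) -> list:
    """Return [(proto, port, [titles])] for every listener two inputs would both try to bind.

    A global input starts on every node, so it collides with anything on the same
    (proto, port); node-local inputs only collide with each other on the same node.
    """
    groups = defaultdict(list)
    for inp in json.loads(response_json)["inputs"]:
        groups[(transport(inp["type"]), inp["attributes"]["port"])].append(inp)
    conflicts = []
    for (proto, port), group in sorted(groups.items()):
        if len(group) < 2:
            continue
        per_node = defaultdict(int)
        for inp in group:
            if not inp.get("global"):
                per_node[inp.get("node")] += 1
        if any(inp.get("global") for inp in group) or any(n > 1 for n in per_node.values()):
            conflicts.append((proto, port, sorted(inp["title"] for inp in group)))
    return conflicts


def is_port_free(response_json: str, proto: str, port: int, node: str = None) -> bool:
    """Can a new input use (proto, port)?  node=None means the new input would be global."""
    for inp in json.loads(response_json)["inputs"]:
        if (transport(inp["type"]), inp["attributes"]["port"]) != (proto, port):
            continue
        if node is None or inp.get("global") or inp.get("node") == node:
            return False
    return True


if __name__ == "__main__":
    for proto, port, titles in find_port_conflicts(SAMPLE_INPUTS_RESPONSE):
        print(f"CONFLICT {proto}/{port}: {', '.join(titles)}")
    print("udp/12201 free on n2:", is_port_free(SAMPLE_INPUTS_RESPONSE, "udp", 12201, node="n2"))
```

The practical consequence for the 800-server question: one Global GELF TCP input for all Windows hosts and one for all Linux hosts is enough, and the same port number can even be reused for a UDP input; what the reservation chart has to prevent is two inputs of the same protocol on the same port.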