nxlog+sidecar+Windows eventlogs

I am using nxlog with sidecars to collect Windows logs from 5 machines. I can only see logs from 1 machine at a time in the Graylog UI. On restarting Graylog, logs from the other machine will show up, but logs from only one machine at a time are visible. The nxlog configuration file is the same on all machines and the sidecar status looks healthy. tcpdump shows logs from all machines.

I have no idea what to look for. Any help will be appreciated.

Below is my nxlog config file.

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input internal>
    Module  im_internal
</Input>

<Input win>
    Module  im_msvistalog
    Query   <QueryList>                                \
                <Query Id="0" Path="Security">         \
                    <Select Path="Security">*</Select> \
                </Query>                               \
            </QueryList>
</Input>

<Output graylog>
    Module  om_udp
    Host    graylog.msbcc.taitradio.com
    Port    12201
    <Exec>
        # Use the sender's IP address as the hostname field
        $Hostname = string(host_ip());
        $Keywords = string($Keywords);
        # Serialise all event fields to JSON, append a fixed tcid, flatten whitespace
        $Message = to_json();
        $Message =~ s/}$/,"tcid":"000"}\n/g;
        $Message = replace($Message, '\r', " ");
        $Message = replace($Message, '\n', " ");
        $Message = replace($Message, '\t', " ");
        $Message =~ s/\s{2,}/ /g;
        # Wrap the JSON body in a BSD syslog header for the Graylog Syslog UDP input
        to_syslog_bsd();
    </Exec>
</Output>

<Route graylog_route>
    Path    win => graylog
</Route>

Just some ideas:

  • Are all graylog sidecar services running on your windows systems (like “Graylog Sidecar” and like Graylog Collector)?
  • Have you checked the current sidecar logfile on your windows system: C:\Program Files\Graylog\sidecar\logs\sidecar.txt ?
  • Have you tried to collect the logs with winlogbeat?
  • The hostnames (and IP addresses) are not the same on the windows systems?

There are not that many log entries for the “Security” log (your only input). Try to extend your QueryList with e.g. “Application” and “System” and / or trigger an event manually on the cmd: eventcreate /T ERROR /ID 100 /L Security /D "Test Entry"

Hello

Adding on to what @valhaim suggested. What type of INPUT are you using that you have to configure your output with an Exec to JSON and then with to_syslog_bsd? Just curious.
Was this working before, or did this just happen?

Example of mine if that helps.

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input cloud>
    Module      im_msvistalog
    Query       <QueryList>                                \
                    <Query Id="0">                         \
                        <Select Path="System">*</Select>   \
                        <Select Path="Security">*</Select> \
                    </Query>                               \
                </QueryList>
</Input>

<Output out>
    Module      om_udp
    Host        8.8.8.8
    # custom port on the Graylog Syslog UDP input
    Port        51412
    Exec        $ShortMessage = $raw_event;
</Output>

<Route cloud_route>
    Path        cloud => out
</Route>

Hello valhaim and Gsmith

Thanks for your reply. I am using the Syslog UDP input, as the logs are being converted to syslog from JSON format.

It started working a few days ago but is having some hiccups again. Logs are coming from a few machines without any issues, which means my script and input are working fine. A few machines disappear in between. tcpdump is all good; restarting Graylog fixes everything for a few minutes. I have 150 log sources, but the Windows ones are problematic.

I do have some index failure messages, however unable to figure out what messages are being dropped. Any help on finding the log messages with letter id would be appreciated.

@Raynu
I think that error is related to this doc/post.

What to Do When You Have 1000+ Fields? | Graylog.

This depends on your Windows log shipper configuration, perhaps what type of Input you're using. Input (Syslog UDP) should not create that many fields; GELF or using a bunch of extractors/pipelines would possibly create that many.
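A receiver-side check for the two threads of this discussion, added here as an example and not code from the thread, from NXLog or from Graylog: it parses BSD-syslog lines whose body is the JSON that the posted Exec chain (to_json() followed by to_syslog_bsd()) produces, counts lines per sending host against the set of hosts you expect (the OP's "tcpdump shows all machines" check made precise, and a way to see which machine has gone quiet before blaming the UI), flags bodies that arrive truncated, and counts the distinct JSON keys, which is the number of fields Graylog would carry if that JSON were later extracted into fields instead of staying in the single message field that a plain Syslog UDP input keeps. The sample lines, IP addresses, event contents and the expected-host list are all constructed; point it at lines saved from tcpdump -A or a UDP listener on the Graylog host to use it for real.

```python
import json
import re
from collections import Counter

# BSD syslog header as nxlog's to_syslog_bsd() emits it:
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG   (TAG is SourceName[ProcessID])
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:]+): "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample capture (hosts, IPs and event contents are made up):
# three of five expected senders report, and the last datagram is cut off mid-JSON.
EXPECTED_HOSTS = {"10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"}
SAMPLE_LINES = [
    '<14>Mar  3 10:15:01 10.0.0.11 Microsoft-Windows-Security-Auditing[4]: '
    '{"EventTime":"2023-03-03 10:15:01","Hostname":"10.0.0.11","Keywords":"-9214364837600034816",'
    '"EventType":"AUDIT_SUCCESS","EventID":4624,"Channel":"Security","Message":"An account was successfully logged on.","tcid":"000"} ',
    '<14>Mar  3 10:15:02 10.0.0.12 Microsoft-Windows-Security-Auditing[4]: '
    '{"EventTime":"2023-03-03 10:15:02","Hostname":"10.0.0.12","Keywords":"-9214364837600034816",'
    '"EventType":"AUDIT_SUCCESS","EventID":4672,"Channel":"Security","Message":"Special privileges assigned to new logon.","tcid":"000"} ',
    '<14>Mar  3 10:15:02 10.0.0.11 Microsoft-Windows-Security-Auditing[4]: '
    '{"EventTime":"2023-03-03 10:15:02","Hostname":"10.0.0.11","Keywords":"-9218868437227405312",'
    '"EventType":"AUDIT_FAILURE","EventID":4625,"Channel":"Security","Message":"An account failed to log on.","tcid":"000"} ',
    '<14>Mar  3 10:15:03 10.0.0.13 Microsoft-Windows-Security-Auditing[4]: '
    '{"EventTime":"2023-03-03 10:15:03","Hostname":"10.0.0.13","Keywords":"-9214364837600034816",'
    '"EventType":"AUDIT_SUCCESS","EventID":4634,"Channel":"Security","Message":"An account was logged off.","tcid":"000"} ',
    # truncated body: the JSON never closes, as a UDP datagram cut short would look
    '<14>Mar  3 10:15:04 10.0.0.12 Microsoft-Windows-Security-Auditing[4]: '
    '{"EventTime":"2023-03-03 10:15:04","Hostname":"10.0.0.12","Keywords":"-9214364837600034816","EventType":"AUDIT_SUCC',
]


def parse_line(line):
    """Split one BSD-syslog line into header fields and its JSON body.
    Returns None when the header does not match; 'event' is None and
    'error' is set when the body is not valid JSON (e.g. truncated)."""
    m = BSD_HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri // 8,   # <14> -> facility 1 (user)
        "severity": pri % 8,    # <14> -> severity 6 (info)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "event": None,
        "error": None,
    }
    try:
        rec["event"] = json.loads(m.group("msg").strip())
    except json.JSONDecodeError as exc:
        rec["error"] = f"JSON body unparsable: {exc.msg}"
    return rec


def summarize(lines):
    """Lines per sending host, the distinct JSON keys seen, and how many
    bodies were unparsable. 'fields_if_extracted' is the field count Graylog
    would carry if every JSON key became its own field; a plain Syslog UDP
    input keeps the whole body in one 'message' field instead."""
    hosts, keys, unparsable, bad_header = Counter(), set(), 0, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            bad_header += 1
            continue
        hosts[rec["host"]] += 1
        if rec["event"] is None:
            unparsable += 1
        else:
            keys.update(rec["event"])
    return {"hosts": dict(hosts), "json_keys": sorted(keys),
            "fields_if_extracted": len(keys), "unparsable": unparsable,
            "bad_header": bad_header}


def missing_hosts(summary, expected):
    """Expected senders from which no line was seen on the wire at all."""
    return set(expected) - set(summary["hosts"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("lines per host:", s["hosts"])
    print("silent hosts:", sorted(missing_hosts(s, EXPECTED_HOSTS)))
    print("truncated bodies:", s["unparsable"], "| JSON keys:", s["fields_if_extracted"])
```

If a host appears here but not in the Graylog UI, the loss is after the socket (input, processing or indexing), so the index failure messages are the next place to look; if it is silent here as well, the problem is on the sender. The key count is what to watch if you move from the Syslog UDP input to GELF or add JSON extractors: every distinct key becomes an index field.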
