NXLog to Graylog

I have NXLog set up and forwarding messages to my Graylog server, but I want to filter and only send a few event IDs. I have tried configuring it as follows, but now I get nothing sent.

```
# Block tags restored here; the forum stripped them from the post.
# The Path="Security" channel on each Select is assumed (these IDs are Security log events).
<Input in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4724)]]</Select>\
                        <Select Path="Security">*[System[(EventID=4727)]]</Select>\
                        <Select Path="Security">*[System[(EventID=5141)]]</Select>\
                        <Select Path="Security">*[System[(EventID=5137)]]</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_udp
    # Host value was not included in the post
    Host
    Port        3514
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>
```

```
# Extension block tags restored (the forum stripped them); the block names are assumed.
# %LOGFILE% is a define expected earlier in the file (not shown in the post).
<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension exec>
    Module      xm_exec
</Extension>

# Required by "OutputType GELF" in the output block; not in the pasted fragment.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>
```


Below is a piece of working config (nxlog is quite old: v2.9.1716), which selects all Security events and also Application SRP event 865. Just copy this event line four times, change Application to System and all the EventID values. There are six more lines. To notice new anomalies and errors or to analyze trends, it is often worth collecting all System and Application events except for level:6. Maybe not the shortest syntax, but it works well.
The forum distorts config tags :frowning:, so I will put it as a picture (Host intentionally replaced):


Thanks for that, I have the following but now the service will not start after matching your lines.

```
# Block tags restored (the forum stripped them); the channel names are assumed.
# The </Query> line has no trailing "\", as posted (see the next reply).
<Input in>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*</Select>\
                        <Select Path="Security">*[System[(EventID=4727)]]</Select>\
                    </Query>
                </QueryList>
</Input>
```

You’re missing a ‘\’ after the </Query> from looking at that screenshot.

You should check Nxlog’s log file to assist with debugging: %Nxlog Install Path%\data\nxlog.log
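For reference, here is a complete Input/Output/Route fragment that does what the first post is after (ship only a handful of Windows event IDs to Graylog as GELF) and follows the "copy the Select line, change the channel and the EventID" approach from the reply above. It is an added example, not config from any post in this thread. The Graylog host 192.0.2.10, the GELF UDP port 12201, the route name and the channel names are assumptions; the global section of the stock nxlog.conf (define ROOT, ModuleDir, CacheDir, LogFile and so on) is assumed to sit above it.

```conf
# Added example: filter Windows event IDs and forward them to Graylog as GELF.
# Host/port, route name and channel names are assumptions, not values from the thread.

# xm_gelf must be loaded before "OutputType GELF" can be used below.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input win_filtered>
    Module      im_msvistalog
    # The Query value spans several lines, so every line except the last one
    # (the </QueryList> line) must end in "\". Drop one backslash and the
    # directive ends early, the XML is left unbalanced and the service will not start.
    # Each <Select> names the channel (Path) and an XPath over the event's System block;
    # several IDs from one channel can share a Select with "or".
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4724 or EventID=4727 or EventID=5137 or EventID=5141)]]</Select>\
                        <Select Path="Application">*[System[(EventID=865)]]</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output graylog>
    Module      om_udp
    Host        192.0.2.10
    Port        12201
    OutputType  GELF
</Output>

<Route win_to_graylog>
    Path        win_filtered => graylog
</Route>
```

Before restarting the service, run `nxlog -v -c <path to nxlog.conf>` to check the syntax; a missing continuation backslash shows up there rather than as a silent failure. The XML inside the Query directive is a standard Event Log QueryList, so the same text (without the backslashes) can be pasted into Event Viewer's custom view XML tab or passed to `Get-WinEvent -FilterXml` to confirm it actually matches events on the host before NXLog is asked to ship them. If nothing arrives in Graylog even though the service starts, the data\nxlog.log file mentioned above is the place to look.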

@Ponet, are you referring to the line towards the bottom above? So it should be:

```
Module im_msvistalog
```


