NXLog to Gray Log

woodworth · January 15, 2020, 4:06pm

I have NXLog setup and forwarding messages to my Graylog server but I want to filter and only send a few event ID’s. I have tried configuring as follows but now I get nothing sent.

Module im_msvistalog *[System[(EventID=4724)]]\ *[System[(EventID=4727)]]\ *[System[(EventID=5141)]]\ *[System[(EventID=5137)]]\ Module om_udp Host 10.53.5.29 Port 3514 OutputType GELF

<Route 1>
Path in => out

Module xm_syslog Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 Module xm_exec Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    Exec    if (file_exists('%LOGFILE%') and \
               (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>

Ponet · January 16, 2020, 9:20am

https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog_config

Arvo · January 17, 2020, 11:15am

Below is piece of working config (nxlog is quite old: v2.9.1716), which selects all security events and also Application SRP event 865. Just copy this event line four times, change Application to System and all EventID values. There are six more lines - to notice new anomalies and errors or analyze trends, often it is worth to collect all System and Application events, except for level:6 May be not the shortest syntax, but works well.
Forum distorts config tags , so will put it as a picture (Host intentionally replaced):

woodworth · January 17, 2020, 1:04pm

@Arvo

Thanks for that, I have the following but now the service will not start after matching your lines.

Module im_msvistalog Query *\ *[System[(EventID=4727)]]\

Ponet · January 20, 2020, 10:32am

You’re missing a ‘\’ after the </Query> from looking at that screenshot.

You should check Nxlog’s log file to assist with debugging: %Nxlog Install Path%\data\nxlog.log

woodworth · January 21, 2020, 9:00pm

@Ponet are you referring to the line towards the bottom above . So it should be:

Module im_msvistalog
Query

\
[System[(EventID=4727)]]

Capture

system · February 4, 2020, 9:00pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to filter eventlog and forward to graylog Graylog Central (peer support) sidecar , nxlog , nodatanx	4	3554	August 22, 2018
Filtering specific event-ids for windows at nxlog Graylog Central (peer support) sidecar , nxlog , nodatanx	2	1408	January 7, 2020
Advanced XML filtering in Nxlog for Windows Events to help reduce noise on GrayLog Graylog Central (peer support) sidecar , nxlog , nodatanx	3	5965	October 12, 2018
Windows Server NXLog - Graylog Graylog Central (peer support) sidecar , nxlog , nodatanx	3	9097	August 2, 2018
61 / 5000 Resultados de traducción I need help sending IIS events to graylog with NXLog Graylog Central (peer support) sidecar , nxlog , nodatanx , send-csv-logsnx	2	704	August 17, 2021

NXLog to Gray Log

Related topics