NxLog to GrayLog Can't get it to work

Ok I am really new to this and I have looked at every video I could find before asking for help.

I have a Windows Hyper-V server, Windows 2012 R2 (standalone, not joined to the domain yet), and a VM of CentOS 7 running Graylog and nothing else; built it just for GrayLog.
So I can't seem to get the Windows 2012 R2 Hyper-V server to send anything to the GrayLog server.
Can someone point me in how to get this to work?
I have opened both firewalls, on the CentOS 7 box and on the Windows 2012 server, for port 12201, both TCP and UDP.
NXLog-Config

I started real simple but I must be missing something critical?
Help?

So… Troubleshooting basics.

  • Do you have ANY indication that NXLog is actually picking up logs?
  • Or is NXLog itself spinning its wheels, not grabbing any logging at all?
  • If NXLog is working fine, do you have evidence that it is trying to contact your Graylog host?
  • What does the NXLog file say? Are connections made, or can it not connect?
  • If NXLog cannot connect, can you connect manually from Windows to your Graylog box? You can check this with Test-NetConnection -computername $GraylogHostname -port $nxlogInputPort.
  • If NXlog cannot connect and neither can you, is the port for the NXLog input even open?
  • Is there evidence on the Graylog host that the input is listening on the port that you configured?
  • Can you connect locally?
  • Are there firewall rules active which may be blocking your access?
  • If NXLog can in fact connect and it is in fact grabbing log messages, then it’s a new matter: is the Graylog input receiving them and what is it doing with them?

But first things first :slight_smile:

// you should do a new topic for your standards.
Sometimes it could be useful if we have it in one place (for linking) instead of finding your work :slight_smile:

I have got the Windows server that the GrayLog VM is sitting on to start talking; my next question is how many machines can I connect to the GrayLog server using NxLog, and how? I put the same nxlog.conf file on two Windows PCs and they are not talking. I am new to this process and I am just trying to learn the ropes.

So to go step by step

Download and install your nxlog agent - nxlog-ce-2.10.2150.msi

Once installed, you're navigating to C:\Program Files (x86)\nxlog\conf and editing nxlog.conf

In the conf file you want it to look like this

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# GELF extension, needed for the GELF_UDP output type below
<Extension gelf>
    Module xm_gelf
</Extension>

########## INPUTS ###########
# Read the Windows event log (Vista and later)
<Input in>
    Module im_msvistalog
</Input>

################# OUTPUTS ##############
# Ship events as GELF over UDP to the Graylog input on port 12201
<Output out>
    Module      om_udp
    Host        HostIP or Hostname   # replace with the Graylog server's IP or hostname
    Port        12201
    OutputType  GELF_UDP
</Output>

#################### ROUTE ###########
<Route 1>
    Path in => out
</Route>

Now on your CentOS 7 box you need to allow the incoming traffic on port 12201 (which is the port specified in your nxlog.conf)

Run as a sudo user

sudo firewall-cmd --zone=public --add-port=12201/udp

List ports and check that it has been applied

sudo firewall-cmd --zone=public --list-ports

  • Now go to your Graylog server and on the menu go to System/Enterprise > Inputs
  • Select "GELF UDP", then click on 'Launch new input'
  • Give it a name such as "HyperV hosts"
  • Bind address: enter the Graylog server's IP
  • Your port should already be 12201; if not, change it to 12201
  • Leave everything else and click Save
  • You should now have logs coming through

If you are having problems from there then you need to start with the troubleshooting basics from Tess.
Also make sure you can ping your VM from your host and your VM can ping your host (if they are not on the same network they're not going to be able to talk to each other).
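As an added example (not code from this thread, NXLog or Graylog), here is a small Python script that builds and decodes GELF UDP datagrams the way the GELF_UDP output above and the "GELF UDP" input exchange them. It covers two of Tess's checklist items, "is the input listening on the port you configured" and "can you connect locally", and the step-by-step setup, without NXLog in the loop: run it on the Graylog host and it round-trips one message over loopback; to test the real path, call send_gelf(build_gelf(...), "<graylog-ip>") from the Windows host and watch the input's message count in the Graylog UI. The host name HYPERV01, the event fields and the port are constructed for the example.

```python
import gzip
import json
import socket
import time
import zlib

GELF_PORT = 12201  # the port used by the nxlog.conf and the Graylog input in this thread

# Leading bytes Graylog uses to tell the GELF UDP encodings apart.
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_MAGIC = b"\x78"
CHUNK_MAGIC = b"\x1e\x0f"


def build_gelf(host, short_message, level=6, extra=None, compress="gzip"):
    """Encode one GELF 1.1 message the way a GELF_UDP output would.

    Additional fields must carry a leading underscore; "_id" is reserved
    by Graylog, so it is dropped here rather than sent.
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,  # syslog severity: 6 = informational, 4 = warning
    }
    for key, value in (extra or {}).items():
        name = key if key.startswith("_") else "_" + key
        if name != "_id":
            msg[name] = value
    raw = json.dumps(msg).encode("utf-8")
    if compress == "gzip":
        return gzip.compress(raw)
    if compress == "zlib":
        return zlib.compress(raw)
    return raw  # uncompressed JSON is also accepted by the GELF UDP input


def parse_gelf(datagram):
    """Decode a GELF UDP datagram and validate the fields Graylog requires."""
    if datagram.startswith(CHUNK_MAGIC):
        raise ValueError("chunked GELF: message did not fit in one datagram")
    if datagram.startswith(GZIP_MAGIC):
        raw = gzip.decompress(datagram)
    elif datagram.startswith(ZLIB_MAGIC):
        raw = zlib.decompress(datagram)
    else:
        raw = datagram
    msg = json.loads(raw.decode("utf-8"))
    for field in ("version", "host", "short_message"):
        if field not in msg:
            raise ValueError("GELF message missing required field %r" % field)
    if msg["version"] != "1.1":
        raise ValueError("unsupported GELF version %r" % msg["version"])
    return msg


def send_gelf(datagram, target_host, port=GELF_PORT):
    """Fire one datagram at the input, exactly as om_udp would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (target_host, port))


def loopback_roundtrip(port=0):
    """Bind a throwaway UDP listener on 127.0.0.1, send one constructed
    event to it and decode what arrives. Returns the decoded message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", port))
        listener.settimeout(2)
        bound_port = listener.getsockname()[1]
        datagram = build_gelf(
            "HYPERV01",  # constructed host name for the example
            "Test event from the Windows host",
            level=4,
            extra={"EventID": 4624, "Channel": "Security"},  # constructed fields
        )
        send_gelf(datagram, "127.0.0.1", bound_port)
        data, _ = listener.recvfrom(65535)
    return parse_gelf(data)


if __name__ == "__main__":
    print(loopback_roundtrip())
```

If loopback_roundtrip works but nothing shows up in Graylog, the remaining suspects are exactly the ones in the checklist: the Bind address of the input, firewalld, or NXLog not reading the event log at all (check nxlog.log under %LOGDIR%).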

Ok I installed the Enterprise package and I am looking at the LDAP/Active Directory setup trying to understand the User Search Pattern & Display Name attribute etc…
