Nxlog to Graylog / Nxlog config

Graylog Labs
1

I want to send the login and failure logs from my Windows systems to Graylog via NXLog. Can anyone tell me how to adjust the NXLog configuration to make this work? I’ve already tried using a configuration but I’m not getting the data I want in Graylog.
thanks
My current config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input in>
    Module      im_msvistalog
	SavePos     TRUE
    ReadFromLast TRUE 
</Input>
# 
# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module      om_tcp
    Host        192.168.178.50
    Port        12201
    OutputType  GELF_TCP
</Output>

<Route eventlog_to_graylog>
    Path in => out
</Route>
2

Can you clarify what is not working or how it is not working?

What version of nxlog are you using?

As far as I can tell the Output section looks correct. Here is an example I just pulled from the nxlog template inside graylog:

<Output gelf>
	Module om_tcp
	Host <host_or_ip>
	Port 12201
	OutputType  GELF_TCP
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '${sidecar.nodeId}';
	  $collector_node_id = '${sidecar.nodeName}';
	</Exec>
</Output>

Can you confirm that you have a “GELF TCP” input running on your graylog node at that IP address and that the firewall is not blocking traffic? Note there are several different GELF inputs and this configuration specifically requires “GELF TCP” (not GELF HTTP and not GELF UDP)

4

Good evening,
thanks for your message.
I can give him the information on Monday.
I will be sure to get in touch.

5

yes good morning,
my Nxlog version is the current “nxlog-ce-3.2.2329”.
Yes I have defined GELF in Graylog under system > Input >TCP.
I think TCP protocol is the right one, right? and not UDP?
I get a few logs from my Windows PC with my Nxlog, but only somehow from the local administrator.
I would like to log only the login processes, including the failed login attempts on this Windows PC.
Why is that? If I log in from a different account, no logs are created.

6

With which permissions does graylog sidecar run on the system?
If you install nxlog, it runs with SYSTEM permissions and can therefore access the entire event log.
It sounds to me that the user who starts nxlog via graylog sidecar does not have the appropriate permissions to access the eventlog.

7

So Nxlog is installed with local administrator.
What is not currently logged are domain users, for example I try to log on to this Windows PC with a domain user, no failed or successful logins are logged.
Do I have to set something in the group policy on the domain controller so that it works with domain user logs?