NXlog to Graylog TLS/SSL Config File

Hello!
I’ve had my fair share of troubles with securely sending Windows event logs to Graylog with NXlog and wanted to share what has worked for me. I know winlogbeat is the way to go nowadays but here’s to those who want to go the NXlog way.

```
# Keep running on internal assertion failures instead of aborting
Panic Soft

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

# GELF output format used by the Graylog "GELF TCP" input
<Extension gelf>
    Module xm_gelf
</Extension>

<Input eventlog>
    # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module im_msvistalog
</Input>

<Output ssl>
    Module om_ssl
    Host <IP / DNS>
    Port <Port #>
    OutputType GELF_TCP

    # All three files must be PEM; paths are relative to CERTDIR
    CAFile %CERTDIR%\<CA Cert>
    CertFile %CERTDIR%\<Client Cert file>
    CertKeyFile %CERTDIR%\<Client Key file>
    # Passphrase protecting the client key
    KeyPass secret
    # TRUE skips validation of the Graylog server certificate against CAFile:
    # the link is encrypted but the server is not authenticated
    AllowUntrusted TRUE
</Output>

<Route eventlog_to_ssl>
    Path eventlog => ssl
</Route>
```

Feel free to configure im_msvistalog to your liking; there are various ways to send different types of Windows event logs in NXlog.

Note that you must place the certs within the NXlog certs directory; PFX files do not work. Indent every line within the various sections (gelf, eventlog, ssl).

Place the certificate used in the CertFile variable within your trusted certs directory, which can be anywhere on the Graylog server. Set up your graylog input as “GELF TCP” and use the port # you used in the config file.

Here are the settings I used for the SSL connection on the Graylog side:

Note that “TLS cert file” and “TLS private key file” are the certificates used to secure the connection between Graylog and the client host machine, “TLS client authentication” should be the path to the uploaded client certificate used within NXlog.

Hope this helps some.

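Before rolling the om_ssl output out to every Windows host, it helps to exercise the Graylog input with the same PEM files from one machine and see exactly what the TLS settings do. The script below is an added example, not code from the original post or from NXlog or Graylog: it builds one GELF 1.1 message framed the way GELF TCP expects (JSON terminated by a NUL byte) and opens a mutually authenticated TLS connection using the equivalents of CAFile, CertFile, CertKeyFile, KeyPass and AllowUntrusted. The function names, the command-line layout and the sample host name are assumptions of this example. Note what `allow_untrusted=True` does: it reproduces `AllowUntrusted TRUE`, so the Graylog server certificate is never checked against the CA file and any server presenting any certificate is accepted.

```python
"""Send a test GELF message to a Graylog GELF TCP input over mutual TLS.

Added example (not from the original post). It mirrors what the NXlog
om_ssl output does so the Graylog side can be verified independently.
"""
import json
import socket
import ssl
import sys
import time


def gelf_frame(short_message, host, level=6, **extra):
    """Build one GELF 1.1 message framed for GELF TCP (JSON + NUL byte).

    Additional fields are prefixed with an underscore as GELF requires;
    "_id" is reserved by the specification and rejected here.
    """
    doc = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,
    }
    for key, value in extra.items():
        field = "_" + key.lstrip("_")
        if field == "_id":
            raise ValueError("_id is reserved by GELF")
        doc[field] = value
    return json.dumps(doc).encode("utf-8") + b"\x00"


def parse_gelf_frame(frame):
    """Decode a GELF TCP frame back into a dict (useful for checking output)."""
    if not frame.endswith(b"\x00"):
        raise ValueError("GELF TCP frame must be NUL-terminated")
    return json.loads(frame[:-1].decode("utf-8"))


def build_ssl_context(cafile=None, certfile=None, keyfile=None,
                      keypass=None, allow_untrusted=False):
    """Equivalent of om_ssl's CAFile/CertFile/CertKeyFile/KeyPass/AllowUntrusted.

    allow_untrusted=True behaves like 'AllowUntrusted TRUE': the server
    certificate is not validated, so the channel is encrypted but the peer
    is not authenticated. Prefer False with a proper CAFile in production.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if allow_untrusted:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if cafile:
            ctx.load_verify_locations(cafile=cafile)
        else:
            ctx.load_default_certs()
    if certfile:  # client certificate presented for "TLS client authentication"
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile, password=keypass)
    return ctx


def describe_context(ctx):
    """Summarise the security properties of a context for quick inspection."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def send_gelf(host, port, frame, ctx, timeout=5.0):
    """Connect, complete the TLS handshake, send one frame, return (tls version, peer cert)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert()  # {} when the server cert was not verified
            tls.sendall(frame)
            return tls.version(), peer


if __name__ == "__main__":
    # Assumed CLI layout: host port ca.pem client.pem client.key [keypass] [--allow-untrusted]
    if len(sys.argv) < 6:
        sys.exit("usage: gelf_tls_test.py <host> <port> <ca.pem> <client.pem> <client.key> "
                 "[keypass] [--allow-untrusted]")
    untrusted = "--allow-untrusted" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--allow-untrusted"]
    keypass = args[5] if len(args) > 5 else None
    ctx = build_ssl_context(args[2], args[3], args[4], keypass, allow_untrusted=untrusted)
    frame = gelf_frame("nxlog tls test", socket.gethostname(), source="gelf_tls_test")
    version, peer = send_gelf(args[0], int(args[1]), frame, ctx)
    print("sent over", version, "server subject:", peer.get("subject") if peer else "(not verified)")
```

Run it once with the CA file and `AllowUntrusted`-equivalent off; if the handshake fails there but succeeds with `--allow-untrusted`, the problem is the CA chain or the name in the Graylog certificate, not the client certificate, and that is the issue to fix rather than leaving `AllowUntrusted TRUE` in place.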