Schedule NxLog on Windows Server 2016

christianjungwirth · November 29, 2021, 5:45am

Hello,

I have running Graylog 4.2 on Ubuntu 20.4 LTS.

I want to sent Windows Event Logs from some Windows Server 2016 in China to our Central Logserver in Austria. This should only happen in a certain time.

To test this i had added a schedule block to my standard config.

My input block reads the application and system events from the windows server and som specified security events, this works in the standard perfectly for me.

The reason why i want to do this in this way, is that the bandwidth our dedicated line from austria to china is not very high. So i have to sent the logs during no working hours.

The logs during the working hour, should be sent to a buffer and should be then transmitted during the allowed time period.

My config in the sidecar is the following:

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _gelf>
	Module		xm_gelf
</Extension>

<Input win>
	Module		im_msvistalog
	<QueryXML>
		<QueryList>
			<Query Id='1'>
			<Select Path='Application'>*</Select>
			<Select Path="Security">*[System[(EventID=4767 or EventID=4740)]]</Select>
			<Select Path='System'>*</Select>
			</Query>
		</QueryList>
	</QueryXML>
</Input>

<Processor buffer>
    Module      pm_buffer
    Type        disk
    # 100 MB disk buffer
    MaxSize     102400
    WarnLimit   409600
</Processor>

<Processor schedule>
    Module      pm_blocker
    <Schedule>
        When    0 10 * * *
        Exec    schedule->block(TRUE);
    </Schedule>
    <Schedule>
        When    0 15 * * *
        Exec    schedule->block(FALSE);
    </Schedule>
</Processor>

<Output graylog>
	Module		om_udp
	Host		V.X.Y.Z
	Port		8514
	OutputType	GELF
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '2ba8d9fb-8fc1-4447-8e85-331de205d1b5';
	  $SourceNodeType = 'WindowsServerEvents';
	  $OperatingSystem = 'Windows';
	</Exec>
</Output>

<Route graylog_route>
	Path	win => buffer => schedule => graylog
</Route>

The Problem which i have now, is that the node is sending the logs all the time and not in the defined time period (Block from 8 - 16 and send from 16 - 8).

Or does anybody has another tip, which i could do it in a better way?

Can anybode help me with this problem?

Best regards

Christian Jungwirth

gsmith · November 29, 2021, 11:18pm

Hello,
I might be able to help. Your settings for the following look right.
Example:

<Processor buffer>
    Module      pm_buffer
    # 100 MB disk buffer
    MaxSize     102400
    Type        disk
</Processor>

<Processor blocker>
    Module      pm_blocker
    <Schedule>
        When    0 8 * * *
        Exec    blocker->block(TRUE);
    </Schedule>
    <Schedule>
        When    0 19 * * *
        Exec    blocker->block(FALSE);
    </Schedule>
</Processor>

Your Output section needs to be adjusted.

Should be

OutputType GELF_UDP

As for this section.

christianjungwirth:

<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '2ba8d9fb-8fc1-4447-8e85-331de205d1b5';
	  $SourceNodeType = 'WindowsServerEvents';
	  $OperatingSystem = 'Windows';
	</Exec>

If your using Graylogs GELF_UDP I would assume it will create those fields already.

Here is mine but I’m using GELF_TCP /w GELF_TCP Input.

Why its sending logs all the time I’m not completely sure, maybe something else is interfering.

What I did notice in the documentation about

pm_blocker.This module blocks log messages and can be used to simulate a blocked route. When the module blocks the data flow, log messages are first accumulated in the buffers, and then the flow control mechanism pauses the input modules. Using the block() procedure, it is possible to programmatically stop or resume the data flow.

So I think its blocking the route as shown in the documentation
From

<Input udp>
    Module      im_udp
    ListenAddr  0.0.0.0:1514
</Input>

To

<Output tcp>
    Module      om_udp
    Host        192.168.1.1:1514
</Output>

Did a little research maybe this might help.

system · December 13, 2021, 11:18pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to Send Syslog Data From Windows Server 2016 Graylog Central (peer support) sidecar , nxlog , filebeat-windows , winlogbeat , nodatanx	10	10389	October 7, 2017
Specific windows events log (EventID 104 etc) not arriving Graylog Central (peer support) sidecar , nxlog , nodatanx	7	3422	July 31, 2017
Graylog Sidecar Collector, NXLOG and Windows Events Graylog Central (peer support) sidecar	5	6658	February 16, 2017
Sidecar/ nxlog not forwarding Graylog Central (peer support) sidecar	5	1582	February 7, 2018
Not receiving logs Graylog Central (peer support) sidecar , nxlog , nodatanx	2	1889	May 13, 2019

Schedule NxLog on Windows Server 2016

Related Topics