Sidecar/ nxlog not forwarding

Jamesy281 · 2018-01-23 15:37:31 UTC

HI There,

I am running graylog 2.3.1 and have successfully deployed sidecar 0.1.4-1 to windows clients along with NXLOG 2.5. I have created configs to forward windows event logs and the config is being pushed with the nxlog.conf file being created in the generated folder, however, I do not seem to be getting any logs forwarded. I have added test EV logs using powershell but still do not see anything. I previously had this working on some server with just NXLOG. the config is attached. any thoughts on this?

jan · 2018-01-23 16:34:38 UTC

did you create the gelf udp input in graylog to receive the files?

Jamesy281 · 2018-01-23 16:46:04 UTC

Hi Jan,

Yeah, that was already in place from the previous standalone NXLOG config.

Jamesy281 · 2018-01-24 12:35:44 UTC

Is there any more logging I can generate/ find to indicate the status of event log polling in NXlog or a CLI command I can use to test polling?

Jamesy281 · 2018-01-24 13:27:26 UTC

I have resolved the issue. I enabled debugging via the snippet, restarted the collector and looked at the nxlog.log file to see the query was invalid. Originally when I was adding it it complained about invalid xml so I stripped out what I had on the original file and just left the select which stopped it complaining. I added used ms event log xml to copy the syntax and pasted that in, with no more warning about invalid xml I saved and pushed. I added a test event and seen it come through. for reference the query syntax should be as below. the back slashes are required for escaping.

<QueryList> \
	   <Query Id="0"> \
                <Select Path="path goes here">*[System[eventids go here]]/select> \
	   </Query> \
 </QueryList>

Cheers,
Jamesy

system · 2018-02-07 13:19:09 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.