Sidecar/ nxlog not forwarding

Hi there,

I am running Graylog 2.3.1 and have successfully deployed Sidecar 0.1.4-1 to Windows clients along with NXLog 2.5. I have created configs to forward Windows event logs, and the config is being pushed, with the nxlog.conf file being created in the generated folder; however, I do not seem to be getting any logs forwarded. I have added test event log entries using PowerShell but still do not see anything. I previously had this working on some servers with just NXLog. The config is attached. Any thoughts on this?

Did you create the GELF UDP input in Graylog to receive the logs?

Hi Jan,

Yeah, that was already in place from the previous standalone NXLOG config.

Is there any more logging I can generate/find to indicate the status of event log polling in NXLog, or a CLI command I can use to test polling?

I have resolved the issue. I enabled debugging via the snippet, restarted the collector and looked at the nxlog.log file to see that the query was invalid. Originally, when I was adding it, it complained about invalid XML, so I stripped out what I had in the original file and just left the select, which stopped it complaining. I then used MS event log XML to copy the syntax and pasted that in; with no more warnings about invalid XML, I saved and pushed. I added a test event and saw it come through. For reference, the query syntax should be as below. The back slashes are required for escaping.

<QueryList> \
    <Query Id="0"> \
        <Select Path="path goes here">*[System[eventids go here]]</Select> \
    </Query> \
</QueryList>

Cheers,
Jamesy
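As an added example (not the nxlog.conf from this thread), a complete NXLog CE 2.x input/output pair showing where a QueryList like the one above sits: the trailing backslashes continue the Query directive onto the next line, LogLevel DEBUG is what writes the query validation errors to nxlog.log, and the om_udp output matches the GELF UDP input discussed earlier. The install root, Graylog host, port and the chosen event IDs are assumptions.

```nxlog
## Added example, not the thread's generated nxlog.conf. Paths, host,
## port and event IDs are assumed values; adjust them to your deployment.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
# DEBUG surfaces "invalid XML" / rejected-query errors in nxlog.log.
# Drop back to INFO once the query is accepted.
LogLevel  DEBUG

<Extension gelf>
    Module xm_gelf
</Extension>

<Input eventlog>
    Module im_msvistalog
    # Each trailing backslash continues the Query value on the next line.
    # Every element must be closed (</Select>, </Query>, </QueryList>),
    # otherwise NXLog rejects the query and nothing is polled.
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>\
                  <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
              </Query>\
          </QueryList>
</Input>

<Output graylog>
    Module om_udp
    Host   graylog.example.internal
    Port   12201
    OutputType GELF
</Output>

<Route 1>
    Path eventlog => graylog
</Route>
```

After restarting the collector, a rejected query shows up in nxlog.log at startup, which is the quickest check that the XML was accepted before waiting for events to arrive in Graylog.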
