Some Windows event logs not showing in Graylog

We are having problems where some, but not all, of our Windows event logs are not showing up in Graylog.

We are running nxlog to send all the event logs. We have two syslog servers as well: one is Graylog, and the other is a different brand. Nxlog is sending duplicate logs to both servers.

We are able to see most of the logs on both servers. However, Windows logs such as event ID 4624 and 4625 show up on the other log server, but do not show up on Graylog.

When logging into the Windows machine directly, we can see that those specific logs are generated. We have also tested forwarding logs from our other syslog server to Graylog, with similar results.

I’ve tested disabling the AWS instance name lookup, the GeoIP resolver and the pipeline processor. I’ve validated the config in nxlog to ensure everything is set up properly. I’ve also checked processing and indexing failures, with no success.

At this point I’m at a loss, and not quite sure where to continue troubleshooting this. I guess my first question would be: how can I know that those logs are even making it to Graylog? Is there a way to see logs before any processing is done on them?

Describe your environment:

  • Ubuntu 20.04

  • Graylog 5.0

  • Windows 10 w/ nxlog & sidecar 1.3

Blank post. Try again Chase?

I am not a pro with nxlog, but maybe it is a configuration thing. It is possible to set the wanted logs in the “nxlog.conf”. Maybe the wanted logs can also be set via sidecar.

What nxlog version are you using?
The newest version is not officially supported, but it will work with some tricks with the installation path.
The new version’s standard path is

C:\Program Files\…

but the sidecar configuration is for:

C:\Program Files (x86)\nxlog.

Installing the new version with the old path works. The new path might also work by changing permissions within the sidecar config file. I never tried that, but sidecar has limitations due to security.

Thank you for your reply.

We are currently running ce-2.11.2190. However, I don’t believe this to be an nxlog issue, though I’ll leave that up as a possibility. There are two reasons for this:

  1. The second syslog server is receiving those same logs from log360.
  2. We tried forwarding logs directly from our other log server, to graylog and those same logs were not showing up.

FYI, our version is still installing it in the x86 folder.

Is there any way to validate that the logs are getting to graylog?

Some other things that might be important:

  • Currently I’m sending my logs via nxlog in GELF UDP format.
  • When we tried the forwarding from the other syslog server to Graylog, we forwarded it using syslog format over UDP.

Some more information that I have discovered.

I tested pointing nxlog to our old Graylog server, and was able to see the logs. I believe that it’s fair to say that it has something to do with the new Graylog server and not anything to do with nxlog.

@gsmith is the community NXlog expert… maybe if you posted your configs he could spot an issue in them?

Hello @Chase

Yes, you could use tcpdump on Graylog; use the host IP/FQDN and the port of the INPUT used.
Example:

tcpdump -ni eth0 host 192.168.1.100 and tcp port 51411

If I were to do this tcpdump, is there a way to sort out the event logs through the dump?

Hey @Chase

You may want to look at this.

https://www.tcpdump.org/manpages/tcpdump.1.html

You can put it into a file.

tcpdump -ni eth0 host 192.168.1.100 and tcp port 51411 > chase.log
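Once the capture is written out, the datagram payloads still have to be decoded to answer the original question of whether the 4624/4625 events actually reach Graylog before any processing. The Python below is an added example, not the thread's own code or anything from Graylog or nxlog: it decodes GELF UDP payloads in the forms the spec allows (plain JSON, gzip, zlib and chunked datagrams, reassembled in any arrival order), filters on the Windows event ID, and assumes nxlog places that ID in a `_EventID` field; the datagrams it runs on are constructed stand-ins for a real capture.

```python
import gzip
import json
import zlib

CHUNK_MAGIC = b"\x1e\x0f"   # GELF chunked-datagram marker
CHUNK_HDR = 12              # magic(2) + message id(8) + seq no(1) + seq count(1)

def decode_gelf(payload: bytes) -> dict:   # gzip, zlib or plain JSON
    if payload[:2] == b"\x1f\x8b":          # gzip magic
        payload = gzip.decompress(payload)
    elif payload[:1] == b"\x78":            # zlib header byte
        payload = zlib.decompress(payload)
    return json.loads(payload.decode("utf-8"))

def reassemble(datagrams):
    """Yield decoded GELF messages, joining chunked datagrams by message id."""
    pending = {}
    for dg in datagrams:
        if dg[:2] != CHUNK_MAGIC:
            yield decode_gelf(dg)
            continue
        msg_id, seq, total = dg[2:10], dg[10], dg[11]
        pending.setdefault(msg_id, {})[seq] = dg[CHUNK_HDR:]
        if len(pending[msg_id]) == total:   # all chunks seen, in any order
            parts = pending.pop(msg_id)
            yield decode_gelf(b"".join(parts[i] for i in range(total)))

def find_event_ids(datagrams, wanted):
    """Return (EventID, short_message) for messages whose EventID is in `wanted`."""
    hits = []
    for msg in reassemble(datagrams):
        eid = msg.get("_EventID")           # assumed nxlog GELF field name
        if eid is not None and int(eid) in wanted:
            hits.append((int(eid), msg.get("short_message")))
    return hits

def make_chunks(payload, size, msg_id):     # builds chunked sample datagrams
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [CHUNK_MAGIC + msg_id + bytes([n, len(pieces)]) + p
            for n, p in enumerate(pieces)]

def gelf(event_id, text):                   # one constructed GELF record
    return json.dumps({"version": "1.1", "host": "win10", "short_message": text,
                       "_Channel": "Security", "_EventID": event_id}).encode()

# Constructed stand-in capture: gzip 4624 as chunks in reverse order, plain 4625, zlib 4688.
SAMPLE = (make_chunks(gzip.compress(gelf(4624, "An account was successfully logged on")),
                      40, b"\x00" * 7 + b"\x01")[::-1]
          + [gelf(4625, "An account failed to log on"),
             zlib.compress(gelf(4688, "A new process has been created"))])
```

Pulling the UDP payloads out of the pcap is not shown here; hand them to `find_event_ids` as a list of `bytes`, one per datagram, and an empty result for 4624/4625 means the events never left the firewall path, while a non-empty one points back at the Graylog input or processing.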

Thank you for your help. We have actually determined the problem to be outside Graylog and related to a firewall policy. We are not exactly sure why it caused this problem at this time, but we are confident that this is the root cause.

Again, thanks to you and to everyone for your help.

