Specific windows events log (EventID 104 etc) not arriving

Gosh · July 16, 2017, 1:15pm

Hello,

I have the graylog sidecar and nxlog installed and configured on my DC in order to send windows events log, the issue is, although i receive the logs (Application,Security,Setup) properly, i don’t receive all System logs properly, specifically the 104 event id, for event log cleared, although the event id is actually exists and appears in the System log when i check it on Event Viewer.

I am using collector sidecar version 0.1.3 and the DC is a Windows Server 2008r2.

Am i missing anything? Do i need to configure anything else, in the graylog web ui or something?

Thank you

jtkarvo · July 16, 2017, 2:09pm

What level of logs have you specified in nxlog conf query element? 104 might be on such a low level, that the default settings of nxlog might not grab them and you need to make your own QueryList in the input module config.

Gosh · July 16, 2017, 2:29pm

Hi jtkarvo,

I have tried the following options:
In the graylog web ui, under “Configure NXLog Inputs”:
Channel is empty and Query is empty.

Under “Define NXLog Snippets” i am using the following:

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

Module xm_syslog Module im_msvistalog

This is really strange…when i explicitly set/type “System” in the Channel, the log arrives properly. But only system logs of course.
I am really confused, i though that leaving Channel empty will bring events from all sources?

How can i use more than one channel in the Channel field?

jtkarvo · July 16, 2017, 3:32pm

you can use Querylist

For example, this source: https://serverfault.com/questions/543494/query-specific-logs-from-event-log-using-nxlog has the following example:

Query   <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Select Path="System">*[System/Level=4]</Select>\
            <Select Path="Application">*[Application/Level=2]</Select>\
            <Select Path="Setup">*[System/Level=3]</Select>\
            <Select Path='Windows PowerShell'>*</Select>\
        </Query>\
    </QueryList>

Gosh · July 16, 2017, 3:50pm

Thank you,

So should i leave “Channel” empty and just put the above query to the “Query”?

jtkarvo · July 16, 2017, 6:33pm

I think the default channel should be OK.

You need to customize the query according to your own needs. That example and link just show an example.

Edit: you can test the query with the event viewer: there is a “create custom view” option, where you can test the query first; then when you see it works, use it in nxlog configuration.

Gosh · July 17, 2017, 8:22am

Thank you jtkarvo, much appreciated

system · July 31, 2017, 8:22am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Some Windows event logs not showing in Graylog Graylog Central (peer support) sidecar , windows , nxlog , gelf	11	1133	January 18, 2023
Graylog Sidecar Collector, NXLOG and Windows Events Graylog Central (peer support) sidecar	5	6902	February 16, 2017
Sidecar/ nxlog not forwarding Graylog Central (peer support) sidecar	5	1627	February 7, 2018
Missing some event viewer logs Graylog Central (peer support) sidecar , nxlog , nodatanx	8	2027	April 23, 2019
Not receiving logs Graylog Central (peer support) sidecar , nxlog , nodatanx	2	1968	May 13, 2019

Specific windows events log (EventID 104 etc) not arriving

Related topics