Specific windows events log (EventID 104 etc) not arriving

Gosh · 2017-07-16 13:15:37 UTC

Hello,

I have the graylog sidecar and nxlog installed and configured on my DC in order to send windows events log, the issue is, although i receive the logs (Application,Security,Setup) properly, i don’t receive all System logs properly, specifically the 104 event id, for event log cleared, although the event id is actually exists and appears in the System log when i check it on Event Viewer.

I am using collector sidecar version 0.1.3 and the DC is a Windows Server 2008r2.

Am i missing anything? Do i need to configure anything else, in the graylog web ui or something?

Thank you

jtkarvo · 2017-07-16 14:09:42 UTC

What level of logs have you specified in nxlog conf query element? 104 might be on such a low level, that the default settings of nxlog might not grab them and you need to make your own QueryList in the input module config.

Gosh · 2017-07-16 14:29:09 UTC

Hi jtkarvo,

I have tried the following options:
In the graylog web ui, under “Configure NXLog Inputs”:
Channel is empty and Query is empty.

Under “Define NXLog Snippets” i am using the following:

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

Module xm_syslog Module im_msvistalog

This is really strange…when i explicitly set/type “System” in the Channel, the log arrives properly. But only system logs of course.
I am really confused, i though that leaving Channel empty will bring events from all sources?

How can i use more than one channel in the Channel field?

jtkarvo · 2017-07-16 15:32:15 UTC

you can use Querylist

For example, this source: https://serverfault.com/questions/543494/query-specific-logs-from-event-log-using-nxlog has the following example:

Query   <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Select Path="System">*[System/Level=4]</Select>\
            <Select Path="Application">*[Application/Level=2]</Select>\
            <Select Path="Setup">*[System/Level=3]</Select>\
            <Select Path='Windows PowerShell'>*</Select>\
        </Query>\
    </QueryList>

Gosh · 2017-07-16 15:50:12 UTC

Thank you,

So should i leave “Channel” empty and just put the above query to the “Query”?

jtkarvo · 2017-07-16 18:43:37 UTC

I think the default channel should be OK.

You need to customize the query according to your own needs. That example and link just show an example.

Edit: you can test the query with the event viewer: there is a “create custom view” option, where you can test the query first; then when you see it works, use it in nxlog configuration.

Gosh · 2017-07-17 08:22:40 UTC

Thank you jtkarvo, much appreciated

system · 2017-07-31 08:22:50 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.