Windows log to Rsyslog?


#1

Hello,

Maybe it's off topic, but which free solution do you use to send logs from Windows to Rsyslog (CentOS 7)?

Thank you.


(Jesse Hills) #2

Hey Arethusa,

This sounds like a rather awful idea, but it is apparently possible with Nxlog…

I came across this thread on Server Fault where people are talking about exactly this.

Source: https://serverfault.com/questions/884955/how-to-forward-windows-log-using-nxlog-to-rsyslog-serverlinux


#3

OK, thank you, I have to try it.

I just tried “syslogagent_v2.3_x64”; that works, but only on UDP.

But some characters are not readable (not UTF-8).

Thank you, now I will try Nxlog.


(Oidz1234) #4

Hello,
I am using nxlog to solve this problem.

See my config here; you can just change the output section and change the details to be relevant to you, and it should just work.

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

# Syslog helpers: provides to_syslog_*() and the syslog_rfc5424 output format
<Extension syslog>
    Module      xm_syslog
</Extension>

# Read the Windows Event Log; with no QueryXML/Query it reads the module's default set of channels
<Input eventlog>
    Module      im_msvistalog
</Input>

# Character-set conversion; loaded here but never called, so no conversion actually happens
<Extension charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# Loaded but unused in this config
<Extension exec>
    Module      xm_exec
</Extension>

<Extension fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

#Define Processors

# Stamp the local hostname on each event and render it as an RFC 5424 syslog line
<Processor p_anco_01>
  Module pm_transformer
  Exec $hostname = hostname();
  OutputFormat syslog_rfc5424
</Processor>

#Define outputs

# Plain UDP to the rsyslog host. CR/LF and tabs are flattened so that a
# multi-line Windows message stays one syslog record on the wire.
<Output heron>
    Module om_udp
    Host   192.168.1.141
    Port   8514
    Exec   $raw_event = replace($raw_event, "\r\n", " ");
    Exec   $raw_event = replace($raw_event, "\t", " ");
</Output>

#Define routes
<Route heron>
   Path  eventlog => p_anco_01 => heron
</Route>

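The thread only ever shows the sending side. For completeness, here is the receiving side as an added example (it is not from any post in this thread and not part of Oidz1234's setup): an rsyslog 8 drop-in for CentOS 7 that listens on the same port the nxlog output above sends to, on both UDP and TCP, and writes each Windows host's events to its own dated file. The port (8514), the directory (/var/log/windows), the ruleset and template names are assumptions to adapt.

```conf
# /etc/rsyslog.d/10-windows.conf  -- added example, not from the thread.
# Accept nxlog's RFC 5424 records on 8514/udp and 8514/tcp and hand both
# to the "windows" ruleset so they never mix with local syslog traffic.
module(load="imudp")
input(type="imudp" port="8514" ruleset="windows")

module(load="imtcp")
input(type="imtcp" port="8514" ruleset="windows")

# One file per sender per day. %HOSTNAME% is the HOSTNAME field from the
# RFC 5424 header nxlog builds; secpath-replace turns any "/" a sender
# might put there into "_" so a hostile client cannot steer the path.
template(name="WinHostFile" type="string"
         string="/var/log/windows/%HOSTNAME:::secpath-replace%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="windows") {
    action(type="omfile" dynaFile="WinHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
    # stop here so these events do not also land in /var/log/messages
    stop
}
```

Check the syntax with `rsyslogd -N1` before restarting the service. On CentOS 7 the non-standard port also has to be opened in firewalld (`firewall-cmd --permanent --add-port=8514/tcp --add-port=8514/udp`) and labelled for SELinux (`semanage port -a -t syslogd_port_t -p tcp 8514`, and the same for udp), otherwise rsyslog will not be allowed to bind it. Note that neither UDP nor plain TCP authenticates the sender or protects the events in transit; UDP additionally drops records silently under load. For anything crossing an untrusted network, pair nxlog's om_ssl with rsyslog's TLS-enabled imtcp instead.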
#5

Thank you, I will try, but is nxlog 100% free?

edit: OK, I went to https://nxlog.co/products/nxlog-community-edition/download and downloaded “nxlog-ce-2.10.2102”.


(Oidz1234) #6

Free to use.

It’s “open source” under the NXLOG license, so I am not sure if it qualifies as “free software”.

Here is the license for reference.


#7

Hello,

nxlog works well with TCP and it doesn't have syntax failures in the log!

So I am happy, thank you for your advice.


#8

oidz1234,

That works well, but do you use a filter? For example, after a "ping", I have 2100 characters in the log o_O

It talks about tokens.

I did not need so much information ^^

Thank you.


(Oidz1234) #9

Nah, I don't. I just fire everything and filter in Graylog itself.

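For the filtering question in #8, and the unreadable non-UTF-8 characters mentioned in #3, here is an added example (not Oidz1234's config and not from any post in this thread) of an nxlog CE input/output pair that cuts the volume before events leave the Windows host. It filters twice: first with an Event Log XPath query, so nxlog only subscribes to the channels and event IDs it wants, and then with a `drop()` in the input's Exec as a safety net. It also converts all string fields to UTF-8 before the syslog line is built. The destination host 192.0.2.10, the port 8514, the event IDs and the channel list are illustrative assumptions; the global directives, log rotation and extensions from the config above are assumed to be present and are not repeated here.

```conf
# Added example, not from the thread. Assumes the ROOT/LogFile/Moduledir
# directives from the earlier config are already in nxlog.conf.

<Extension _syslog>
    Module      xm_syslog
</Extension>

# AutodetectCharsets feeds convert_fields("auto", ...) below
<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # First filter: subscribe only to what we want. Event IDs chosen as an
    # illustration: logon success/failure, account and group changes,
    # audit log cleared; plus warnings and errors from System/Application.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=1102)]]</Select>
                <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Second filter: drop Filtering Platform connection chatter if a wider
    # query is ever used; these two IDs alone can flood a collector.
    Exec    if $EventID == 5156 or $EventID == 5158 drop();
    # Normalise every string field to UTF-8 so rsyslog never receives
    # bytes it cannot decode (the problem seen in #3).
    Exec    convert_fields("auto", "utf-8");
</Input>

# TCP instead of UDP so records are not silently lost under load.
# Host and port are placeholders.
<Output rsyslog>
    Module      om_tcp
    Host        192.0.2.10
    Port        8514
    # Build the RFC 5424 line, then flatten CR/LF and tabs so one Windows
    # event is exactly one line on the wire.
    Exec        to_syslog_ietf();
    Exec        $raw_event = replace($raw_event, "\r\n", " ");
    Exec        $raw_event = replace($raw_event, "\t", " ");
</Output>

<Route windows_to_rsyslog>
    Path        eventlog => rsyslog
</Route>
```

Verify the file with `nxlog -v` (configuration syntax check) before restarting the nxlog service. Doing the selection in QueryXML is the cheaper of the two filters because Windows only hands nxlog the matching events; the `drop()` line costs a field comparison per event and is there only to catch what the query lets through. Keep in mind that even TCP does not authenticate the sender, so this belongs on a trusted network segment or behind om_ssl.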

#10

Why use rsyslog? Wouldn't it be better to send Windows logs directly to Graylog using collector-sidecar with nxlog or, better, winlogbeat?