Windows server logs using NXLOG showing encrypted on Graylog

SodOB · April 25, 2023, 9:17am

I recently configured some Windows 2016 servers with NXLOG and Graylog, but the logs are showing encrypted, like in the screenshot attached on Graylog.

OS Information: Red Hat, Inc. 1.8.0_362 on Linux 3.10.0-1160.81.1.el7.x86_64

Package Version: Graylog 4.2.13+9c90b93

I have removed the configuration and redone the configuration, also tested it with another Windows server and restarted the server, and it is still the same.

Please, anyone with experience with similar issues and remediation ideas?

Thank you for your anticipated support.

Joel_Duffield · April 25, 2023, 9:38am

Can you post your nxlog config, and the details of the input you are sending the logs to?

patrickmann · April 25, 2023, 9:46am

I think your NXLOG may be sending Unicode.
You need to convert to UTF-8

SodOB · April 25, 2023, 11:15am

I had tested with a different server before which the logs show on the Graylog unencrypted.

SodOB · April 25, 2023, 11:16am

Please see attached.

SodOB · April 25, 2023, 11:19am

Please see attached for the continuation.

Joel_Duffield · April 25, 2023, 11:45am

Is there a reason you are using snare over syslog?gelf is the recomended encoding for sending from nxlog to Graylog. gelf will preserve all the individual fields so you dont need to parse them once recieved.

You can see an example config here Sample NXLog Windows Collection configuration

You will of course also need to create a gelf input to receive it.

SodOB · April 25, 2023, 1:53pm

The reason for using Snare is to streamline logs for security activities.

And I already have gelf input created, from which I receive logs from another Windows server unencrypted.

GELF

SodOB · April 27, 2023, 7:09am

@Joel_Duffield please any further insights?

patrickmann · April 27, 2023, 8:43am

Did you try character conversion to UTF-8 as described here?

gsmith · April 27, 2023, 9:13pm

Hey @SodOB

I agree with @patrickmann about converting the logs. Normally when you see logs like that its not in the right format, Either you have to use another input or convert the logs to the right format for that input.

SodOB · May 2, 2023, 7:02am

Thank you for the support @patrickmann and @gsmith.

The Windows logs are now received on Graylog unencrypted.

SodOB · May 2, 2023, 7:03am

Thank you as the issue is resolved now.

system · May 16, 2023, 7:03am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Windows logs + SIdecar + Nxlog Graylog Central (peer support)	11	1651	January 4, 2022
GELF TCP and RAW TCP - NXLOG and GRAYLOG Graylog Central (peer support) nxlog , gelf	3	928	May 24, 2023
Windows Event logging into graylog Graylog Central (peer support) sidecar , nxlog , nodatanx	9	12870	March 5, 2018
NxLog configured but cannot see any logs on Greylog Graylog Central (peer support) sidecar , nxlog , winlogbeat , nodatanx	4	835	September 23, 2020
NXLOG failing to send GELF to graylog New to Graylog Community? READ-ME FIRST Guides	4	1023	November 11, 2022

Windows server logs using NXLOG showing encrypted on Graylog

Related topics