Windows server logs using NXLOG showing encrypted on Graylog

I recently configured some Windows 2016 servers with NXLOG and Graylog, but the logs are showing encrypted, like in the screenshot attached on Graylog.

OS Information: Red Hat, Inc. 1.8.0_362 on Linux 3.10.0-1160.81.1.el7.x86_64

  • Package Version: Graylog 4.2.13+9c90b93

I have removed the configuration and redone the configuration, also tested it with another Windows server and restarted the server, and it is still the same.

Please, anyone with experience with similar issues and remediation ideas?

Thank you for your anticipated support.

Can you post your nxlog config, and the details of the input you are sending the logs to?

I think your NXLOG may be sending Unicode.
You need to convert to UTF-8

I had tested with a different server before which the logs show on the Graylog unencrypted.

Please see attached.

Please see attached for the continuation.

Is there a reason you are using Snare over syslog? GELF is the recommended encoding for sending from NXLog to Graylog. GELF will preserve all the individual fields so you don't need to parse them once received.

You can see an example config here Sample NXLog Windows Collection configuration

You will of course also need to create a gelf input to receive it.

The reason for using Snare is to streamline logs for security activities.

And I already have gelf input created, from which I receive logs from another Windows server unencrypted.


@Joel_Duffield please any further insights?

Did you try character conversion to UTF-8 as described here?

Hey @SodOB

I agree with @patrickmann about converting the logs. Normally when you see logs like that, it's not in the right format; either you have to use another input or convert the logs to the right format for that input.
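The UTF-8 conversion that the replies above point to, written out as an added NXLog configuration example. This is not the configuration the original poster attached (that exists only in the screenshots) and not taken from the linked sample; the Graylog hostname `graylog.example.internal` and the GELF TCP port `12201` are placeholders to replace with your own input's address.

```apacheconf
## Added example, not the configuration from this thread.
## Assumes: NXLog on a Windows host; a Graylog GELF TCP input listening on
## graylog.example.internal:12201 (both placeholders).

<Extension _charconv>
    Module              xm_charconv
    # Charsets tried when the source encoding is given as "AUTO".
    # Windows event data is frequently UTF-16LE, which shows up in Graylog
    # as unreadable "encrypted"-looking text if it is forwarded as-is.
    AutodetectCharsets  utf-8, utf-16, utf-32, iso8859-1
</Extension>

<Extension _gelf>
    Module              xm_gelf
</Extension>

<Input eventlog>
    Module              im_msvistalog
    # Convert every string field of the event to UTF-8 before it leaves the host.
    Exec                convert_fields("AUTO", "utf-8");
</Input>

<Output graylog>
    Module              om_tcp
    Host                graylog.example.internal
    Port                12201
    # GELF keeps the individual event fields, so nothing needs parsing in Graylog.
    OutputType          GELF_TCP
</Output>

<Route eventlog_to_graylog>
    Path                eventlog => graylog
</Route>
```

The conversion happens in the `Exec` line of the input, so it works the same whether the output is GELF or Snare; if you keep Snare, only the `<Output>` block changes (an `xm_syslog` extension plus `Exec to_syslog_snare();` on a UDP or TCP output). After restarting the NXLog service, a quick check is to open a fresh message in Graylog and confirm that `message` and the Windows fields read as plain text; if they still do not, the input type in Graylog does not match the format NXLog sends.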

Thank you for the support @patrickmann and @gsmith.

The Windows logs are now received on Graylog unencrypted.

Thank you as the issue is resolved now.

