Windows Server NXLog - Graylog

Hello,

I’m sending syslog data from Windows Server using NXLog to Graylog, and we’re generating lots of logs, well over 500 messages per second.

Is there a setting I’m missing in NXLog or Graylog to filter which messages are sent to Graylog?

NXLog conf:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile C:\Logs\Nxlog\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in_eventlog>
    Module      im_msvistalog
</Input>

<Input in_internal>
    Module      im_internal
</Input>

<Processor p_2syslog>
    Module      pm_transformer
    Exec        $Hostname = hostname();
    OutputFormat syslog_rfc5424
</Processor>

<Output out>
    Module      om_tcp
    Host        10.200.60.51
    Port        10514
#    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in_internal, in_eventlog => p_2syslog => out
</Route>

On our domain controllers we are getting about 4000 events per hour in the daytime and about 2000/h at night. Your screenshot shows about 350/h, not so much.

You can filter messages by Event ID in NXLOG, see Query and QueryXML in NXLog Community Edition Reference Manual | NXLog Docs.

Additionally, I’d recommend sending structured log messages to Graylog via GELF, see NXLog Community Edition Reference Manual | NXLog Docs.
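As an added example (not taken from either post above, and not an official NXLog or Graylog sample), here is how the poster's in_eventlog input and output could be rewritten to apply both suggestions: a QueryXML block in im_msvistalog so that only selected Event IDs and severities are pulled from the Windows Event Log at all, plus an om_tcp output that emits GELF through xm_gelf instead of syslog. The host 10.200.60.51 comes from the original config; the Event IDs chosen, the Graylog GELF TCP input on port 12201 and the extra drop() rule are assumptions you would adjust to your own environment.

```nxlog
## Added example: filter at the source and ship GELF to Graylog.
## ROOT, Moduledir, CacheDir, Pidfile, SpoolDir and LogFile stay as in the
## original config and are omitted here.

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Input in_eventlog>
    Module      im_msvistalog
    ## Only subscribe to the channels/events of interest; everything else is
    ## never read from the Event Log, so it never reaches Graylog.
    ## Event IDs below are assumptions: logon success/failure, process creation,
    ## account creation, and Critical/Error/Warning from the System channel.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720)]]</Select>
                <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ## A second, finer filter on parsed fields (assumed example: drop noisy
    ## Windows Filtering Platform 5156 "connection allowed" events if they
    ## ever slip through a broader query).
    Exec        if $EventID == 5156 drop();
</Input>

<Input in_internal>
    Module      im_internal
</Input>

<Output out_gelf>
    Module      om_tcp
    Host        10.200.60.51
    ## Assumed: a GELF TCP input created in Graylog on its default port 12201.
    Port        12201
    ## Structured GELF keeps $EventID, $Channel, $SeverityValue etc. as
    ## separate fields, so Graylog streams/pipelines can filter on them too.
    OutputType  GELF_TCP
</Output>

<Route r_gelf>
    Path        in_internal, in_eventlog => out_gelf
</Route>
```

The QueryXML block is the same XPath you get from "Filter Current Log" > XML in Event Viewer, so you can build and test the query there first and paste it in. Filtering at the source is what actually reduces the 500 msg/s load; the Exec drop() line only helps with whatever the query still lets through. On the Graylog side, the om_tcp output must point at a GELF TCP input rather than the syslog input on 10514, otherwise the messages will not be parsed.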
