Windows Event Forwarder and NXLog

Tags:

#1 gh0stid

Hello,

first of all, sorry to bother you with a question that might be easy for you, but I'm a bit lost.

I would like to know if NXLog is compatible with WEF?


Long story short, I plan on using NXLog to output the Security logs of a Windows Domain Controller to my SIEM, following this guide:

https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2

which, as you can see, is about configuring Windows Event Forwarding (to reduce the number of NXLog installations on critical servers).


Once that first part is done, I would like to know what config I should set to be able to "fetch" all of the "Forwarded Events" on my "Windows log collector"?


Thank you !


#2 b0ti Nxlog ✓

The im_msvistalog module does not currently parse the full data when it is received from Forwarded Events, but it still works:

<Input eventlog>
  Module      im_msvistalog
  # Standard Windows event query; the ForwardedEvents channel is where WEF subscriptions deliver events
  <QueryXML>
    <QueryList>
      <Query Id="0">
        <Select Path="ForwardedEvents">*</Select>
      </Query>
    </QueryList>
  </QueryXML>
</Input>

The NXLog Enterprise Edition comes with a module called im_wseventing that can be used to receive Windows Eventlog forwarded over WEF, and this works on all platforms, not only on Windows.

Note that WEF is limited to Windows Eventlog and you cannot forward files or ETW, so in many cases it still makes sense to deploy NXLog as an agent.

See the NXLog User Guide about collecting Windows Eventlog.
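Putting the snippet above into a complete collector-side configuration, as an added example that is neither b0ti's code nor an official NXLog configuration: it reads the ForwardedEvents channel on the Windows Event Collector, serializes each event to JSON and ships it to a SIEM over TCP. The install path, the SIEM hostname and the port are assumptions (placeholders); the syntax follows NXLog Community Edition 2.x, so check the User Guide for your version before use.

```nxlog
## Added example: NXLog CE 2.x configuration for the Windows Event Collector host.
## Adjust ROOT to the actual install directory (placeholder assumption).
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides to_json() for the Exec statement below
<Extension _json>
    Module  xm_json
</Extension>

# WEF subscriptions write the DCs' events into the local ForwardedEvents channel;
# im_msvistalog reads that channel like any other Windows event log.
<Input forwarded>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # One JSON line per event, built from whatever fields im_msvistalog extracted
    Exec    to_json();
</Input>

# SIEM receiver; hostname and port are placeholders.
# Use om_ssl instead of om_tcp if the link to the SIEM should be TLS-protected.
<Output siem>
    Module  om_tcp
    Host    siem.example.internal
    Port    1514
</Output>

<Route forwarded_to_siem>
    Path    forwarded => siem
</Route>
```

Before pointing this at the SIEM, confirm in Event Viewer that the subscription is actually populating ForwardedEvents on the collector; if the channel is empty, NXLog has nothing to read and the problem is on the WEF side. Because im_msvistalog does not fully parse forwarded events (as noted above), inspect a few of the emitted JSON lines and %ROOT%\data\nxlog.log to see which fields your SIEM parsers can rely on.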