Read from multiple folders with multiple files with .evtx
#1
Anbers
Hi all!
Currently I have this config on a server to collect Windows events and send them to Graylog:
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _gelf>
#Module xm_syslog
Module xm_gelf
#Module xm_json
</Extension>
<Input in1>
Module im_msvistalog
# Uncomment the following to collect specific event logs only
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
<Exec>
if $Channel == 'Security' and $ObjectName =~ /.tmp/ drop();
</Exec>
</Input>
<Output out>
Module om_udp
Host 11x.11x.11x.11x
Port 12201
#Exec to_syslog_snare();
OutputType GELF
</Output>
<Route 1>
Path in1 => out
</Route>
But I want to know if there is any method to read a lot of .evtx files in a folder and send them to Graylog. I need help with this because I don't know which input modules are best for this.
Thanks!
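One detail in the config above that is worth checking before it goes into production is the drop rule `if $Channel == 'Security' and $ObjectName =~ /.tmp/ drop();`: the dot in the pattern is unescaped and the pattern is unanchored, so it discards Security events for any object name containing any character followed by "tmp", not just files with a .tmp extension. The script below is an added example (not part of the original post and not nxlog code) that models the rule's logic over a handful of constructed object-access events and compares it with a tightened pattern. It assumes nxlog's `=~` operator follows ordinary PCRE-style regex semantics for `.`; the sample events, their paths and the `STRICT` pattern are made up for illustration.

```python
import re

# Constructed sample events in the shape im_msvistalog exposes ($Channel, $ObjectName).
# These records are made up for the example, not captured from a real server.
SAMPLE_EVENTS = [
    {"EventID": 4663, "Channel": "Security", "ObjectName": r"C:\Users\bob\AppData\Local\Temp\abc.tmp"},
    {"EventID": 4663, "Channel": "Security", "ObjectName": r"C:\Windows\System32\config\SAM"},
    {"EventID": 4663, "Channel": "Security", "ObjectName": r"C:\data\reports\q4tmp"},      # no ".tmp" extension
    {"EventID": 4663, "Channel": "Security", "ObjectName": r"C:\tools\dump.tmp.exe"},      # ".tmp" in the middle
    {"EventID": 1000, "Channel": "Application", "ObjectName": r"C:\scratch\x.tmp"},      # other channel, never dropped
]

# The pattern as written in the posted config: '.' matches any character, nothing is anchored.
LOOSE = re.compile(r".tmp")

# A tightened variant (an assumption for this example, not from the post): a literal ".tmp"
# extension at the very end of the object name, case-insensitive like NTFS paths.
STRICT = re.compile(r"\.tmp$", re.IGNORECASE)


def is_dropped(event, pattern):
    """Mirror of the Exec rule: drop only Security-channel events whose ObjectName matches."""
    if event.get("Channel") != "Security":
        return False
    # Events without an ObjectName (most Security events) never match, as in nxlog.
    return pattern.search(event.get("ObjectName", "")) is not None


def apply_filter(events, pattern):
    """Return (kept, dropped) lists after applying the rule with the given pattern."""
    kept, dropped = [], []
    for ev in events:
        (dropped if is_dropped(ev, pattern) else kept).append(ev)
    return kept, dropped


def dropped_object_names(events, pattern):
    """Object names that the rule would silently discard; handy for reviewing a filter."""
    return [ev["ObjectName"] for ev in apply_filter(events, pattern)[1]]


if __name__ == "__main__":
    for label, pattern in (("loose /.tmp/", LOOSE), ("strict /\\.tmp$/", STRICT)):
        print(f"{label}: dropped {dropped_object_names(SAMPLE_EVENTS, pattern)}")
```

Run against the sample set, the loose pattern also drops the event for `q4tmp` (the `4` satisfies the unescaped dot) and the one for `dump.tmp.exe`, while the strict pattern drops only the real `.tmp` file. Whatever pattern is chosen, keeping a count of dropped Security events somewhere visible makes it easier to notice when a filter is hiding more than intended.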
I think that is not possible. In order to read .evtx files you would need to use the File parameter in the im_msvistalog module, which unfortunately is only available in the Enterprise version.