Windows Server 2019 and NXLOG-CE 2.10.21.50
Hello,
Windows Server 2019
NXLOG-CE 2.10.21.50
I have difficulties transferring Windows 2016/2019 security logs to a syslog host.
I think my nxlog.conf is not working correctly: sometimes I receive the logs, sometimes I do not.
Can you help me, please?
###############
# Global section. Every path below is anchored on the install root so the
# file can be moved to another drive by changing a single line.
define ROOT C:\Program Files (x86)\nxlog

# Module binaries.
Moduledir %ROOT%\modules

# Runtime state: position cache, spool area, pid file and nxlog's own log.
# Check LogFile first when events go missing; parse errors and connection
# problems are reported there.
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
LogFile   %ROOT%\data\nxlog.log
# Provides the to_syslog_bsd() procedure used by out_eventlog.
<Extension _syslog>
    Module  xm_syslog
</Extension>
# Character-set conversion helpers. AutodetectCharsets only matters when a
# convert()/convert_fields() call is made; no Exec in the configuration shown
# here uses them, so this extension is currently inert.
<Extension _charconv>
    Module              xm_charconv
    AutodetectCharsets  iso8859-2, utf-8, utf-16, utf-32
</Extension>
# Adds exec()/exec_async() to the Exec language. Nothing in the configuration
# shown here calls them; the loaded extension set is best kept to what the
# routes actually use.
<Extension _exec>
    Module  xm_exec
</Extension>
# Required by the to_json() call in in_eventlog.
<Extension _json>
    Module  xm_json
</Extension>
<Input in_eventlog>
    # im_msvistalog reads through the Windows Event Log API and is the module
    # to use for Windows 2008/Vista/7/8/2012/2012R2 and later.
    Module  im_msvistalog

    # Structured XML query, one <Select> per event ID. The value spans many
    # lines, so every line except the last ends with a backslash; without
    # the continuation the parser would see each line as a separate
    # directive. (Indentation was lost in the forum paste; the file itself
    # must carry the continuation.)
    # NOTE(review): successful logons (4624) and privilege use are not
    # selected here -- confirm that is intentional.
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="Security">[System[(EventID=1100)]]</Select> \
                    <Select Path="Security">[System[(EventID=4768)]]</Select> \
                    <Select Path="Security">[System[(EventID=4769)]]</Select> \
                    <Select Path="Security">[System[(EventID=4771)]]</Select> \
                    <Select Path="Security">[System[(EventID=4616)]]</Select> \
                    <Select Path="Security">[System[(EventID=4625)]]</Select> \
                    <Select Path="Security">[System[(EventID=4647)]]</Select> \
                    <Select Path="Security">[System[(EventID=4648)]]</Select> \
                    <Select Path="Security">[System[(EventID=4656)]]</Select> \
                    <Select Path="Security">[System[(EventID=4719)]]</Select> \
                    <Select Path="Security">[System[(EventID=4720)]]</Select> \
                    <Select Path="Security">[System[(EventID=4722)]]</Select> \
                    <Select Path="Security">[System[(EventID=4723)]]</Select> \
                    <Select Path="Security">[System[(EventID=4724)]]</Select> \
                    <Select Path="Security">[System[(EventID=4725)]]</Select> \
                    <Select Path="Security">[System[(EventID=4726)]]</Select> \
                    <Select Path="Security">[System[(EventID=4727)]]</Select> \
                    <Select Path="Security">[System[(EventID=4728)]]</Select> \
                    <Select Path="Security">[System[(EventID=4729)]]</Select> \
                    <Select Path="Security">[System[(EventID=4730)]]</Select> \
                    <Select Path="Security">[System[(EventID=4731)]]</Select> \
                    <Select Path="Security">[System[(EventID=4732)]]</Select> \
                    <Select Path="Security">[System[(EventID=4733)]]</Select> \
                    <Select Path="Security">[System[(EventID=4734)]]</Select> \
                    <Select Path="Security">[System[(EventID=4735)]]</Select> \
                    <Select Path="Security">[System[(EventID=4737)]]</Select> \
                    <Select Path="Security">[System[(EventID=4738)]]</Select> \
                    <Select Path="Security">[System[(EventID=4739)]]</Select> \
                    <Select Path="Security">[System[(EventID=4740)]]</Select> \
                    <Select Path="Security">[System[(EventID=4741)]]</Select> \
                    <Select Path="Security">[System[(EventID=4742)]]</Select> \
                    <Select Path="Security">[System[(EventID=4743)]]</Select> \
                    <Select Path="Security">[System[(EventID=4744)]]</Select> \
                    <Select Path="Security">[System[(EventID=4745)]]</Select> \
                    <Select Path="Security">[System[(EventID=4748)]]</Select> \
                    <Select Path="Security">[System[(EventID=4749)]]</Select> \
                    <Select Path="Security">[System[(EventID=4750)]]</Select> \
                    <Select Path="Security">[System[(EventID=4753)]]</Select> \
                    <Select Path="Security">[System[(EventID=4754)]]</Select> \
                    <Select Path="Security">[System[(EventID=4755)]]</Select> \
                    <Select Path="Security">[System[(EventID=4756)]]</Select> \
                    <Select Path="Security">[System[(EventID=4758)]]</Select> \
                    <Select Path="Security">[System[(EventID=4759)]]</Select> \
                    <Select Path="Security">[System[(EventID=4760)]]</Select> \
                    <Select Path="Security">[System[(EventID=4763)]]</Select> \
                    <Select Path="Security">[System[(EventID=4764)]]</Select> \
                    <Select Path="Security">[System[(EventID=4767)]]</Select> \
                    <Select Path="Security">[System[(EventID=4778)]]</Select> \
                    <Select Path="Security">[System[(EventID=4783)]]</Select> \
                    <Select Path="Security">[System[(EventID=4800)]]</Select> \
                    <Select Path="Security">[System[(EventID=4801)]]</Select> \
                    <Select Path="System">[System[(EventID=7036)]]</Select> \
                    <Select Path="Application">[System[(EventID=18454)]]</Select> \
                    <Select Path="Application">[System[(EventID=18456)]]</Select> \
                </Query> \
            </QueryList>

    # Serialise every field of the event record into $Message. The output
    # module then wraps that JSON string in a syslog header, so the full
    # event (not just the original message text) reaches the syslog host.
    Exec    $Message = to_json();

    # Left disabled by the author:
    # to_syslog_bsd();
    # Exec $ModuleType = 'event_log';
    # ReadFromLast TRUE
</Input>
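<Output out_eventlog>
    # TCP instead of UDP. om_udp gives no delivery guarantee, and a BSD
    # syslog line carrying a whole JSON-serialised Security event can exceed
    # a single datagram; once it fragments, one lost fragment drops the
    # entire event. That is the usual cause of "sometimes received, sometimes
    # not". The syslog host must accept TCP on this port -- if it only
    # listens on UDP, revert to om_udp. Where the receiver supports TLS,
    # om_ssl is the better choice, because the Security log otherwise
    # crosses the network in clear text.
    Module  om_tcp
    Host    xx.xx.xx.xx
    # Port stated explicitly rather than relying on the module default.
    Port    514

    # $Message is already JSON (set in in_eventlog); this adds the RFC 3164
    # header. to_syslog_ietf() gives an RFC 5424 frame if the receiver
    # prefers that format.
    Exec    to_syslog_bsd();
</Output>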
# Single route: everything in_eventlog selects is forwarded to the syslog host.
<Route eventlog>
    Path    in_eventlog => out_eventlog
</Route>
#####################################