WIndows Log dont seem to match what NZLog is sending?
Hey All,
A bit of a newbee and trying to get NXLOG working with GrayLog. It is working and I'm seeing the information. The issue is that the information I'm seeing does not seem to match the PC's event logs.
Please see below Config File:
<Extension _exec> Module xm_exec </Extension>
<Extension _fileop> Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Extension _gelf> Module xm_gelf </Extension>
<Input win> Module im_msvistalog </Input>
Converting events to Snare format and sending them out over TCP syslog
<Output graylog> Module om_udp Host X.X.X.X Port 3514 OutputType GELF </Output>
<Route graylog_route> Path win => graylog </Route>
Any ideas about what I'm doing wrong????
Hi LogicalSolutions,
what are the differences you determined? Can you provide examples?
Some recommendations besides:
Instead of
Host X.X.X.X
Port 3514
note it like
Host X.X.X.X:3514
Instead of using UDP, better to switch to TCP which has some advantages like max. length and connection keep-alive e.g. Such Input can be easily configured in Graylog. A working NXLog config in one of my threads: https://nxlog.co/question/8456/problems-immsvistalog-under-windows-server-2022
