Order messages from Windows Event Log with nxlog-elasticsearch-Kibana


#1 moses

Hi,

I'm using nxlog to send logs from the Windows event log to Elasticsearch, and using Kibana to view them.

I'm getting the whole message as-is in the 'Message' column. I want to re-order it so the hostname parameter is the Windows server (and not the Elasticsearch server), add 'Type' to the messages, etc.

This is the nxlog configuration file:

* 55.2.110.4=elasticsearch server

<Extension json>
   # Loaded but never used below: no to_json() is called, so each event
   # is sent as the default plain-text $raw_event line
   Module xm_json
</Extension>

# Nxlog internal logs
<Input internal>
   Module im_internal
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>

# Windows Event Log
<Input eventlog>
   # Uncomment im_msvistalog for Windows Vista/2008 and later
   Module im_msvistalog

   # Uncomment im_mseventlog for Windows XP/2000/2003
   #   Module im_mseventlog

   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>

<Output out>
   Module om_http
   URL  https://55.2.110.4:443
   # Accepts any TLS certificate from the receiver (no CA verification)
   HTTPSAllowUntrusted    TRUE
</Output>

<Route 1>
   Path internal, eventlog => out
</Route>


This is an example message from Kibana:

Field        Value
@timestamp   2015-09-08T07:35:47.064Z
@version     1
_id          AU-r4dtqVULqkki94YkZ
_index       logstash-2015.09.08
_type        logs
host         55.2.110.4
http_port    5005
message      2015-09-08 07:35:43 dc-prod-zone-a.organization.com AUDIT_SUCCESS 4634 An account was logged off. Subject: Security ID: S-1-5-21-1595779987-1987268195-2987234418-1104 Account Name: DC-PROD-ZONE-C$ Account Domain: ORGANIZATION Logon ID: 0x679381 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.


Thanks a lot

#2 adm Nxlog ✓

You need to send a JSON payload. See here.
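An added example (not from this thread or the nxlog project) of the JSON-producing output the answer points to: calling to_json() in the output's Exec serialises every event field, so the receiver gets Hostname (the Windows server), EventType, EventID and Message as separate JSON keys instead of one flat text line. The install root, the CA file path and the URL path on the receiver are placeholders, and the receiver is assumed to accept one JSON document per POST.

```conf
# Added example, not the original poster's config.
# Placeholders: the install root, the CA file and the URL path.
define ROOT C:\Program Files (x86)\nxlog

<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # im_msvistalog already provides $Hostname (the Windows host), $EventType
    # (e.g. AUDIT_SUCCESS), $EventID, $Channel, $SourceName and $Message as
    # separate fields; they are lost when only $raw_event text is sent.
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>

<Output out>
    Module  om_http
    URL     https://55.2.110.4:443/INDEX_PATH_PLACEHOLDER
    # Tell the receiver the body is JSON rather than an opaque text line
    ContentType application/json
    # Verify the receiver's certificate against a pinned CA instead of
    # disabling verification with HTTPSAllowUntrusted TRUE
    HTTPSCAFile %ROOT%\cert\ca.pem
    # Serialise all fields of the event into $raw_event as one JSON object
    Exec    to_json();
</Output>

<Route 1>
    Path    eventlog => out
</Route>
```

Once the fields arrive as JSON keys, Kibana can show Hostname and EventType as their own columns and filter on them, which is what the question's re-ordering and 'Type' request comes down to.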