Splitting Logs by filter and send them to two different Graylogs
reesthil
(Last updated
)
Hello everyone,
I'm trying to solve a problem that seems simple.
I would like to log Windows events on two different log servers. I would like to send all relevant logs to a Graylog but without the MSSQL logs. These are filtered and sent to another Graylog.
Filtering by “MSSQL-ONLY” works fine, but dropping MSSQL events does not work. I get all logs including MSSQL an the "logs" output.
Any idea?
Windows Server 2022,
nxlog-ce-3.2.2329.msi
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension gelf>
Module xm_gelf
</Extension>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
<Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
</Query>\
</QueryList>
<Exec>
if ($SourceName = "SQLSERVER") drop();
</Exec>
</Input>
<Input sqllog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[Provider[@Name='MSSQLSERVER']]]</Select>\
</Query>\
</QueryList>
</Input>
<Output logs>
Module om_tcp
Host graylog01.something.com
Port 12202
OutputType GELF_TCP
Exec $Hostname = 'XYZ.somthing.com';
</Output>
<Output sqllogs>
Module om_tcp
Host graylog02.something.com
Port 12202
OutputType GELF_TCP
Exec $Hostname = 'XYZ.somthing.com';
</Output>
<Route eventlog_to_udp>
Path eventlog => logs
</Route>
<Route sqllog_to_udp>
Path sqllog => sqllogs
</Route>
