Splitting Logs by filter and send them to two different Graylogs
Tags: NXLog Community Edition
            Hello everyone,
I'm trying to solve a problem that seems simple.
I would like to send Windows events to two different log servers: all relevant logs, except the MSSQL events, should go to one Graylog, while the MSSQL events are filtered out and sent to a second Graylog.
Filtering for "MSSQL only" works fine, but dropping the MSSQL events from the other stream does not work: I still get all logs, including MSSQL, on the "logs" output.
Any idea?
Windows Server 2022,
nxlog-ce-3.2.2329.msi
# Installation layout; every other path below is derived from ROOT.
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
# Agent's own diagnostic log (start here when a route or drop() misbehaves).
LogFile %LOGFILE%
Moduledir %ROOT%\modules
# Cache, pidfile and spool all live under %ROOT%\data.
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
# Provides the GELF_TCP output type used by both om_tcp outputs below.
<Extension gelf>
  Module      xm_gelf
</Extension>
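# General Windows channels, minus the MSSQL provider events, which are
# collected separately by the 'sqllog' input and must not reach 'logs'.
<Input eventlog>
  Module im_msvistalog
  Query <QueryList>\
    <Query Id="0">\
      <Select Path="Application">*</Select>\
      <Select Path="System">*</Select>\
      <Select Path="Security">*</Select>\
      <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
    </Query>\
  </QueryList>
  <Exec>
    # Two fixes versus the original drop():
    #  - '==' is the comparison operator in the NXLog language; '=' is assignment.
    #  - the provider name must be the same one the 'sqllog' query selects
    #    ('MSSQLSERVER'), otherwise no event ever matches and nothing is dropped.
    if ($SourceName == 'MSSQLSERVER') drop();
  </Exec>
</Input>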
# MSSQL-only stream: the XPath restricts the Application channel to events
# whose provider is 'MSSQLSERVER'. Keep this provider name in sync with the
# drop() condition in the 'eventlog' input.
<Input sqllog>
  Module im_msvistalog
  Query <QueryList>\
    <Query Id="0">\
      <Select Path="Application">*[System[Provider[@Name='MSSQLSERVER']]]</Select>\
     </Query>\
  </QueryList>
</Input>
# Destination for everything except MSSQL events.
# NOTE(review): om_tcp carries the Security channel in cleartext; om_ssl with a
# CA certificate under %CERTDIR% is the usual hardening if the Graylog input
# supports TLS -- confirm with the Graylog side.
<Output logs>
    Module      om_tcp
    Host        graylog01.something.com
    Port        12202
    OutputType  GELF_TCP
    # Overrides the hostname reported to Graylog for every event.
    Exec $Hostname = 'XYZ.somthing.com';
</Output>
# Destination for the MSSQL-only stream; same transport caveat as 'logs'
# (cleartext om_tcp, om_ssl being the TLS alternative).
<Output sqllogs>
    Module      om_tcp
    Host        graylog02.something.com
    Port        12202
    OutputType  GELF_TCP
    # Overrides the hostname reported to Graylog for every event.
    Exec $Hostname = 'XYZ.somthing.com';
</Output>
# Route name says 'udp' but the output is om_tcp; cosmetic only, the Path is
# what matters.
<Route eventlog_to_udp>
    Path        eventlog => logs
</Route>
# MSSQL-only stream to the second Graylog (name says 'udp', transport is TCP).
<Route sqllog_to_udp>
    Path        sqllog => sqllogs
</Route>