Windows 10 11 Server 2022 nxlog community edition missing events in syslog

#1 Andreas 3 weeks ago (Last updated 3 weeks ago )

Hello

I startet central logging with nxlog community edition on windows

most works fine

finding a working nxlog.conf to graylog needs a lot of ours

so I hope to find better help here in the community forum

but missing several events in syslog

for example

Dns Client Events Event ID 1014

AppCrash Outlook Exe Event ID 1001

At the Moment i need to send all Windows events to the graylog syslog server

can you give me an example config file for logging all Windows events ?

thanks

my config file

++++++++++

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

# define Application Crash Events
define AppCrashes 1000, 1001, 1002

include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

<Extension _gelf>
Module xm_gelf
</Extension>

<Input win>
Module im_msvistalog

Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>

</Input>

<Output graylog>
Module om_tcp
Host syslog.geodata.local
Port 3515
OutputType GELF
</Output>

<Route graylog_route>
Path win => graylog
</Route>

Permalink

#2 alexander.lifanov@nxlog.org Nxlog ✓ 2 weeks ago

Hi!

Your query looks weird: the word “Query” looks spare. “Query” and “QueryXML” are alternative ways to configure the request. Please, check this example - https://docs.nxlog.co/refman/current/im/msvistalog.html#example-1

More of that, the easiest way is just to remove the query. By default im_msvistalog capures everything available for the module, refer to the very first article by the link above. At least, works for me ;)