Send Specific windows security event to graylog server
navdeepsingh83
Hi Folks,
I have been playing with the nxlog config for more than 24 hrs, but I am not able to get a specific Windows Security event into the Graylog server. I can send non-filtered events without issue.
Here is the nxlog.conf file
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

## Block tags below were lost when the post was rendered and are restored here;
## the Extension and Processor block names are placeholders, and the Path
## attributes on the two commented-out Select lines did not survive.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
    Query <QueryList> \
        <Query Id="0"> \
#           * \
#           * \
#           <Select Path="Security">*[System[(EventID=EventID=4625 or EventID=4740)]]</Select> \
            <Select Path="Security">*</Select> \
        </Query> \
    </QueryList>
</Input>

<Processor buffer>
    Module pm_buffer
    # 100Mb disk buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_tcp
    Host SERVER_IP
    Port 5044
    OutputType GELF_TCP
    Exec $short_message = $raw_event;
</Output>

<Route 1>
    Path in => out
</Route>
************************************
In the log file I get the following error:
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events using bookmark: The specified query is invalid.
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 15001]
Sometimes the error changes and the service won't start; this happens when I uncomment the specific-event line and comment out the all-Security-events line:
nxlog failed to start: Expected but saw at C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf:31
I'd appreciate it if someone could guide me in the right direction.
Thanks,
Navdeep
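Added example, not part of the post above and not nxlog's or Graylog's own code: a PowerShell script for the collector host that validates the Security-log XPath filter with Get-WinEvent before it goes into nxlog.conf, and then emits the im_msvistalog Input block with the backslash line continuations nxlog expects. The filter is the one from the post with the doubled `EventID=` removed (`EventID=EventID=4625` is not a valid comparison in the Event Log's XPath subset, which is what "The specified query is invalid" [15001] reports). Function names, the `in` block name and the indentation are this example's own choices.

```powershell
# Added example (not from the original post): check the event-log query, then
# render the <Input> block. Run in an elevated PowerShell on the collector host,
# since reading the Security channel needs administrative rights.

# Security channel only: 4625 (failed logon) and 4740 (account locked out).
# This is the post's filter with the stray second "EventID=" removed.
$queryXml = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4625 or EventID=4740)]]</Select>
  </Query>
</QueryList>
"@

function Test-EventQuery {
    param([string]$Xml)
    # Get-WinEvent hands the same structured XML query to the Windows Event Log
    # service that nxlog's im_msvistalog subscribes with, so a query rejected
    # here is the query nxlog will fail to subscribe to at start-up.
    try {
        $null = Get-WinEvent -FilterXml ([xml]$Xml) -MaxEvents 1 -ErrorAction Stop
        return 'valid (matching events present)'
    } catch {
        # "No events were found" still means the query itself parsed fine.
        if ($_.Exception.Message -like 'No events were found*') {
            return 'valid (no matching events on this host yet)'
        }
        throw "query rejected: $($_.Exception.Message)"
    }
}

function New-NxlogInputBlock {
    param([string]$Xml, [string]$Name = 'in')
    # Every line of a multi-line Query directive except the last must end in a
    # backslash, and nothing else (no '#' comment lines) should sit inside the
    # continued span. Building the finished query here avoids toggling comments
    # in the middle of the directive, which is where the post's config trips.
    $lines = ($Xml.Trim() -split "`r?`n") | ForEach-Object { $_.TrimStart() }
    $query = $lines -join " \`n        "
    return @"
<Input $Name>
    Module  im_msvistalog
    Query   $query
</Input>
"@
}

"Query check: " + (Test-EventQuery -Xml $queryXml)
New-NxlogInputBlock -Xml $queryXml
```

Paste the emitted block in place of the `<Input in>` block in nxlog.conf. Two other things worth checking against the posted config: the route is `Path in => out`, so the pm_buffer processor is defined but never used (route `in => buffer => out` if you want the disk buffer); and the output sends GELF over TCP to port 5044, so the Graylog side must have a GELF TCP input listening on that port (the GELF TCP input defaults to 12201).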