Windows 2016 to RHEL 7 Syslog collector

#1 syslog_guru_192

Hi,

I am trying to forward Windows 2016 event logs to a RHEL 7 syslog collector, on the community edition. I am not receiving any logs at the collector. I know that this is not a network issue as syslog generator tools (such as kiwi) are working. Current config is below:

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    # A Query value that spans several lines must end every continued line
    # with a backslash, otherwise only the first line is read as the query.
    Query <QueryList>                                                                     \
              <Query Id="0">                                                              \
                  <Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select> \
              </Query>                                                                    \
          </QueryList>
</Input>

<Output out>
    Module om_udp
    Host   <myhostip>
    Port   514
    Exec   to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>

Any pointers as to where I'm going wrong? Ideally I would like to send all Windows Event logs, not just the IDs listed above.

#2 b0ti Nxlog ✓
  • Have you confirmed that the UDP packets actually reach your server (e.g. with Wireshark or something else)?
  • If the above has been ruled out, try to_syslog_bsd() or to_syslog_ietf() if your rsyslog is allergic to the snare format.
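A quick way to act on the first bullet without Wireshark: the following script is an added example (not from the thread or from NXLog) that runs a minimal UDP syslog receiver on the collector, splits the `<PRI>` header off each datagram, and reports whether the body looks like Snare, RFC 3164 (BSD) or RFC 5424 (IETF) output, which tells you both that packets arrive and which `to_syslog_*()` the agent is using. It assumes rsyslog is stopped (or that you bind a spare port) and that binding 514 is done as root; the sample messages embedded in it are constructed for illustration, not captured from the poster's setup.

```python
"""Minimal UDP syslog receiver for checking that forwarded Windows events arrive.

Added example for the thread above; not part of NXLog or rsyslog. Run it on the
collector with rsyslog stopped (port 514 needs root), or bind a spare port.
"""
import re
import socket

# <PRI> is facility*8 + severity (RFC 3164 / RFC 5424); valid range 0..191.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample datagrams, modelled on what NXLog's three to_syslog_*()
# converters emit for Security event 4624. They are illustrations, not captures.
SAMPLE_SNARE = (b"<13>Mar  1 10:00:00 WIN2016 MSWinEventLog\t1\tSecurity\t42\t"
                b"Thu Mar 01 10:00:00 2018\t4624\tMicrosoft-Windows-Security-Auditing\t"
                b"N/A\tN/A\tSuccess Audit\tWIN2016\tLogon\t\t"
                b"An account was successfully logged on.\t7")
SAMPLE_IETF = (b"<14>1 2018-03-01T10:00:00.000000+00:00 WIN2016 "
               b"Microsoft-Windows-Security-Auditing 4624 - - "
               b"An account was successfully logged on.")
SAMPLE_BSD = (b"<14>Mar  1 10:00:00 WIN2016 "
              b"Microsoft-Windows-Security-Auditing[4624]: "
              b"An account was successfully logged on.")


def parse_pri(msg: str) -> dict:
    """Split the PRI header off a syslog message and decode facility/severity."""
    m = _PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        # No (valid) PRI header: rsyslog would still accept it but treat it as
        # facility/severity 13 (user.notice); we flag it as missing.
        return {"pri": None, "facility": None, "severity": None, "body": msg}
    pri = int(m.group(1))
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8, "body": m.group(2)}


def detect_format(body: str) -> str:
    """Guess which NXLog converter produced the message body.

    snare: BSD header followed by 'MSWinEventLog' and tab-separated fields.
    ietf : RFC 5424, starts with version '1' then an ISO 8601 timestamp.
    bsd  : RFC 3164, 'Mon dd HH:MM:SS host tag: msg'.
    """
    if "MSWinEventLog\t" in body:
        return "snare"
    if re.match(r"^1 \d{4}-\d{2}-\d{2}T", body):
        return "ietf"
    if re.match(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ", body):
        return "bsd"
    return "unknown"


def parse_message(raw: bytes) -> dict:
    """Decode one UDP datagram into PRI fields plus a format label."""
    text = raw.decode("utf-8", errors="replace")
    info = parse_pri(text)
    info["format"] = detect_format(info["body"])
    return info


def listen(bind_addr: str = "0.0.0.0", port: int = 514,
           max_messages: int = 10, timeout: float = 60.0) -> list:
    """Receive up to max_messages datagrams (or stop after timeout seconds)."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        print(f"listening on udp/{port}; waiting {timeout:.0f}s for {max_messages} messages")
        while len(seen) < max_messages:
            try:
                raw, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                print("timed out: no datagrams arrived, check firewall/route first")
                break
            info = parse_message(raw)
            seen.append(info)
            print(f"{src}: pri={info['pri']} fac={info['facility']} "
                  f"sev={info['severity']} format={info['format']}")
            print("   " + info["body"][:120])
    return seen


if __name__ == "__main__":
    listen()
```

If nothing is printed before the timeout, the problem is in front of rsyslog (Windows firewall outbound, firewalld on RHEL 7 not allowing 514/udp, or the NXLog service not running); if datagrams do arrive and show `format=snare`, the second bullet applies and switching the `Exec` to `to_syslog_bsd()` or `to_syslog_ietf()` is the next thing to try.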