#1
c.scharfenberg
Hello everybody,
I'm sorry to bother you with another question concerning Windows Eventlog forwarding to graylog. Unfortunately I'm not able to figure this out on my own.
used versions:
nxlog 2.10.2102 (running on Windows Server 2016)
graylog 2.4.6 (running on Debian 9)
I have two nxlog setups. One using syslog and another one using GELF. Both do not work as I would expect.
**1. Syslog**
```
Module xm_syslog
Module im_msvistalog
Exec delete($Keywords);
Exec if ($EventType == "VERBOSE") drop();
Module om_tcp
Host graylog
Port 5140
Exec $raw_event = replace($raw_event, "\n", " ");
Exec $raw_event = replace($raw_event, "\r", " ");
Exec $raw_event = replace($raw_event, "\t", " ");
Exec to_syslog_ietf();
Path eventlog => out_graylog
```
The problem is that there are eventlog entries containing line breaks. Unfortunately they are not removed by the replace commands. So in graylog one message is split into many messages with every linebreak. Using wireshark I can observe that the linebreaks consist of LF characters (Unix line endings).
**2. Gelf**
```
Module xm_gelf
Module im_msvistalog
Exec delete($Keywords);
Exec if ($EventType == "VERBOSE") drop();
Module om_tcp
Host graylog
Port 12201
OutputType GELF
Path eventlog => out_graylog
```
Unfortunately this setup does not work at all. No messages are showing up in Graylog (of course I've activated the correspnding input). Using wireshark I can observe that a lot of TCP packets are sent to graylog but none of them contain readable messages.
Can anybody help me with either setup?
Thanks and Regards,
Carsten
#1
c.scharfenberg
Hello everybody,
I'm sorry to bother you with another question concerning Windows Eventlog forwarding to graylog. Unfortunately I'm not able to figure this out on my own.
used versions:
nxlog 2.10.2102 (running on Windows Server 2016)
graylog 2.4.6 (running on Debian 9)
I have two nxlog setups. One using syslog and another one using GELF. Both do not work as I would expect.
**1. Syslog**
```
Module xm_syslog
Module im_msvistalog
Exec delete($Keywords);
Exec if ($EventType == "VERBOSE") drop();
Module om_tcp
Host graylog
Port 5140
Exec $raw_event = replace($raw_event, "\n", " ");
Exec $raw_event = replace($raw_event, "\r", " ");
Exec $raw_event = replace($raw_event, "\t", " ");
Exec to_syslog_ietf();
Path eventlog => out_graylog
```
The problem is that there are eventlog entries containing line breaks. Unfortunately they are not removed by the replace commands. So in graylog one message is split into many messages with every linebreak. Using wireshark I can observe that the linebreaks consist of LF characters (Unix line endings).
**2. Gelf**
```
Module xm_gelf
Module im_msvistalog
Exec delete($Keywords);
Exec if ($EventType == "VERBOSE") drop();
Module om_tcp
Host graylog
Port 12201
OutputType GELF
Path eventlog => out_graylog
```
Unfortunately this setup does not work at all. No messages are showing up in Graylog (of course I've activated the correspnding input). Using wireshark I can observe that a lot of TCP packets are sent to graylog but none of them contain readable messages.
Can anybody help me with either setup?
Thanks and Regards,
Carsten
1. Syslog
LF is "\n". The problem here comes from the fact that you are removing linebreaks before generating the syslog. If any of your fields (most importantly $Message) contain a linebreak it will generate a syslog record with the linebreak. to_syslog_ietf() does not use $raw_event, it only generates a syslog record and puts it there.
Changing the order should help:
Exec to_syslog_ietf();
Exec $raw_event = replace($raw_event, "\n", " ");
Exec $raw_event = replace($raw_event, "\r", " ");
Exec $raw_event = replace($raw_event, "\t", " ");
2. Gelf
The problem is caused by the following:
Module om_tcp
OutputType GELF
GELF is for the gzip compressed format that is for UDP only and does not work with TCP. You need OutputType GELF_TCP.
