My example nxlog.conf file for all windows services we monitor.

surfrock66

On our Graylog server we have GELF over TCP enabled. I use the following as a prototype Windows Server config file, with all relevant log paths defined for various services. We then just erase the lines we don't want. I don't think I've seen a sample template, so this would have been useful when I was first building. Important to note: we didn't find any useful logs in the event log for SharePoint, SCCM, SQL Server, IIS, or Dynamics CRM; they log separately:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                    (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Input inWindowsAudit>
    Module im_msvistalog
    ReadFromLast True
    # Level values in the XPath filters: 1=Critical, 2=Error, 3=Warning,
    # 4=Informational, 5=Verbose. "Level=4" matches exactly that level,
    # not "4 and below". "System" in the filter is the event's <System>
    # XML element, not the System channel, so the same filter form is
    # used on every channel.
    Query <QueryList>\
        <Query Id="0">\
            # Delete Unwanted Rows

            # Standard Server Logs
            <Select Path="Security">*</Select>\
            <Select Path="System">*[System/Level=4]</Select>\
            <Select Path="Application">*[System/Level=2]</Select>\
            <Select Path="Setup">*[System/Level=3]</Select>\

            # Hardware Logs
            <Select Path="HardwareEvents">*</Select>\

            # Key Management
            <Select Path="Key Management Service">*</Select>\

            # Windows Powershell
            <Select Path="Windows PowerShell">*</Select>\

            # Internet Explorer
            <Select Path="Internet Explorer">*</Select>\

            # Active Directory
            <Select Path="Active Directory Web Services">*</Select>\
            <Select Path="DFS Replication">*</Select>\
            <Select Path="Directory Service">*</Select>\
            <Select Path="DNS Server">*</Select>\
            <Select Path="File Replication Service">*</Select>\

            # Server Manager
            <Select Path="Microsoft-ServerManagementExperience">*</Select>\

            # Exchange Logs
            <Select Path="EWS Monitoring Events">*</Select>\
            <Select Path="MSExchange Management">*</Select>\

            # VAMT
            <Select Path="Volume Activation Management Tool">*</Select>\

            # Lync/Skype
            <Select Path="Lync Server">*</Select>\

            # Blank Template: copy it, fill in the Path, and remove this
            # line before deploying; an empty Path is not a valid channel
            <Select Path="">*</Select>\

        </Query>\
    </QueryList>
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    Exec $CustomerID = 'my_customer';
    Exec $LogType = 'Windows Audit';
</Input>

<Output outGraylog>
    Module om_tcp
    Host ## GRAYLOG SERVER IP ##
    Port 12201
    OutputType GELF_TCP
</Output>

<Route 1>
    Path inWindowsAudit => outGraylog
</Route>
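Since the workflow above is "start from the full Query block and delete lines", the error-prone part is keeping every backslash continuation and the XML escaping right by hand, and not leaving the blank template `<Select Path="">` in. The helper below is an added example of mine, not code from the post or from NXLog: it builds the `im_msvistalog` `Query` directive from a small channel table (constructed here to mirror the template), refuses an empty Path, parses the result back as XML to prove it is well-formed, and also shows the "Critical through Level N" XPath form, because the template's `Level=4` only matches Informational events, not "4 and below". All function names are my own.

```python
# Added example (not from the original post or NXLog): generate and check the
# nxlog im_msvistalog "Query" directive from a channel table.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Level numbers as carried in the event's <System><Level> element.
LEVELS = {1: "Critical", 2: "Error", 3: "Warning", 4: "Informational", 5: "Verbose"}

# Constructed channel table: (channel name, XPath filter). "System" inside the
# filter is the event's <System> element, not the System channel, so the same
# filter form works on every channel.
CHANNELS = [
    ("Security", "*"),
    ("System", "*[System/Level=4]"),
    ("Application", "*[System/Level=2]"),
    ("Setup", "*[System/Level=3]"),
    ("Windows PowerShell", "*"),
]


def level_select(max_level):
    """XPath matching Critical through max_level (the "at most" form;
    the template's exact "Level=N" matches a single level only)."""
    if max_level not in LEVELS:
        raise ValueError("unknown level %r" % (max_level,))
    terms = " or ".join("Level=%d" % lvl for lvl in range(1, max_level + 1))
    return "*[System[(%s)]]" % terms


def build_query(channels):
    """Return the multi-line nxlog Query directive for the given channels,
    with backslash continuations on every line except the last."""
    if not channels:
        raise ValueError("no channels: the query would be empty")
    lines = ["Query <QueryList>\\", '    <Query Id="0">\\']
    for path, xpath in channels:
        if not path.strip():
            # The blank template line must be filled in or removed;
            # an empty Path is not a subscribable channel.
            raise ValueError("empty Path in channel table")
        # Escape so filters such as *[System/Level<4] stay valid XML.
        lines.append('        <Select Path="%s">%s</Select>\\'
                     % (escape(path, {'"': "&quot;"}), escape(xpath)))
    lines.append("    </Query>\\")
    lines.append("</QueryList>")
    return "\n".join(lines)


def query_xml(directive):
    """Strip the directive keyword and line continuations; return the XML."""
    body = directive[len("Query"):]
    return body.replace("\\\n", "\n").strip()


def channels_in(directive):
    """Parse the directive's XML back and list (Path, filter) pairs.
    Raises xml.etree.ElementTree.ParseError if the XML is malformed."""
    root = ET.fromstring(query_xml(directive))
    return [(sel.get("Path"), sel.text) for sel in root.iter("Select")]


if __name__ == "__main__":
    directive = build_query(CHANNELS)
    print(directive)
    for path, xpath in channels_in(directive):
        print("%-20s %s" % (path, xpath))
    print(level_select(3))
```

Paste the printed directive into the `<Input>` block in place of the hand-written Query. Because `build_query` escapes the filter text, a filter like `*[System/Level<4]` is emitted as `&lt;` and survives the round trip through `channels_in`, which is the quickest way to confirm a trimmed channel list is still well-formed before restarting nxlog.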