My example nxlog.conf file for all Windows services we monitor.
On our Graylog server we have GELF over TCP enabled. I use the following as a prototype Windows Server config file, with all relevant log paths defined for various services. We then just erase the lines we don't want. I don't think I've seen a sample template, so this would have been useful when I was first building. Important to note: we didn't find any useful logs in the event log for SharePoint, SCCM, SQL Server, IIS, or Dynamics CRM; they log separately:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Input inWindowsAudit>
    Module im_msvistalog
    ReadFromLast True
    # Every line of the Query value except the last must end with a backslash.
    # Section labels are XML comments so the Event Log query parser ignores them;
    # delete the <Select> rows for channels a given server does not have.
    Query <QueryList>\
        <Query Id="0">\
            <!-- Standard Server Logs -->\
            <Select Path="Security">*</Select>\
            <Select Path="System">*[System/Level=4]</Select>\
            <!-- Level and EventID sit under <System> in every channel's event XML -->\
            <Select Path="Application">*[System/Level=2]</Select>\
            <Select Path="Setup">*[System/Level=3]</Select>\
            <!-- Hardware Logs -->\
            <Select Path="HardwareEvents">*</Select>\
            <!-- Key Management -->\
            <Select Path="Key Management Service">*</Select>\
            <!-- Windows PowerShell -->\
            <Select Path="Windows PowerShell">*</Select>\
            <!-- Internet Explorer -->\
            <Select Path="Internet Explorer">*</Select>\
            <!-- Active Directory -->\
            <Select Path="Active Directory Web Services">*</Select>\
            <Select Path="DFS Replication">*</Select>\
            <Select Path="Directory Service">*</Select>\
            <Select Path="DNS Server">*</Select>\
            <Select Path="File Replication Service">*</Select>\
            <!-- Server Manager -->\
            <Select Path="Microsoft-ServerManagementExperience">*</Select>\
            <!-- Exchange Logs -->\
            <Select Path="EWS Monitoring Events">*</Select>\
            <Select Path="MSExchange Management">*</Select>\
            <!-- VAMT -->\
            <Select Path="Volume Activation Management Tool">*</Select>\
            <!-- Lync/Skype -->\
            <Select Path="Lync Server">*</Select>\
            <!-- Blank template: copy, fill in the channel name, then uncomment -->\
            <!-- <Select Path="">*</Select> -->\
        </Query>\
    </QueryList>
    # For Windows 2003 and earlier use the following:
    # Module im_mseventlog
    Exec $CustomerID = 'my_customer';
    Exec $LogType = 'Windows Audit';
</Input>

<Output outGraylog>
    Module om_tcp
    Host ## GRAYLOG SERVER IP ##
    Port 12201
    OutputType GELF_TCP
</Output>

<Route 1>
    Path inWindowsAudit => outGraylog
</Route>
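Since the template is meant to be trimmed by hand, the two mistakes that are easy to make are leaving the blank placeholder row in (im_msvistalog will not start with an empty channel name) and writing a predicate against an element that does not exist in the event XML (Level and EventID are always under System, so *[Application/Level=2] matches nothing and you lose the events silently). The following is an added check, not part of the original post or of nxlog: a small Python linter for the QueryList value. The SAMPLE_QUERY it runs over is a constructed, cut-down copy of the template above, and the set of valid predicate roots is my assumption based on the Event XML schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's file: a trimmed copy of the template's
# Query value as it sits in nxlog.conf (backslash continuations included),
# with the blank placeholder left in and one predicate rooted at the wrong element.
SAMPLE_QUERY = r"""<QueryList>\
  <Query Id="0">\
    <Select Path="Security">*</Select>\
    <Select Path="Application">*[Application/Level=2]</Select>\
    <Select Path="">*</Select>\
  </Query>\
</QueryList>"""

# Elements a predicate may start from in Windows event XML
# (<Event><System>..., <EventData>..., <UserData>...); assumption, see lead-in.
VALID_PREDICATE_ROOTS = {"System", "EventData", "UserData"}


def unwrap_continuations(text):
    """Rejoin nxlog's backslash-continued lines into one XML document."""
    return "\n".join(line.rstrip("\\") for line in text.splitlines())


def lint_query(query_text):
    """Return (path, problem) tuples for every <Select> that would fail or never match.

    An empty list means the query parsed and no obvious mistake was found.
    """
    root = ET.fromstring(unwrap_continuations(query_text))
    problems = []
    seen_paths = set()
    for sel in root.iter("Select"):
        path = sel.get("Path", "")
        xpath = (sel.text or "").strip()
        if not path:
            # The template's placeholder row: a channel with no name is rejected at startup.
            problems.append((path, "empty Path: template placeholder left in"))
            continue
        if path in seen_paths:
            problems.append((path, "duplicate Path: events would be collected twice"))
        seen_paths.add(path)
        # Level, EventID, Provider etc. live under <System> for every channel,
        # so a predicate such as *[Application/Level=2] silently matches nothing.
        for elem in re.findall(r"\*\[(\w+)[\[/]", xpath):
            if elem not in VALID_PREDICATE_ROOTS:
                problems.append((path, f"predicate root '{elem}' is not an event XML element"))
    return problems


if __name__ == "__main__":
    # Paste your trimmed Query value (from "<QueryList>" through "</QueryList>") into
    # SAMPLE_QUERY and run before restarting nxlog.
    for path, problem in lint_query(SAMPLE_QUERY):
        print(f"{path or '<blank>'}: {problem}")
```

The lint is purely offline, so it cannot tell you whether a channel such as "Lync Server" actually exists on the host; for that, list the channels on the server itself (Get-WinEvent -ListLog in PowerShell) and compare against the Path values before deploying.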
Hello,
Thank you for this one, I'm sure somebody will find it useful.
Regards, Arch