Hi guys,

I must forwarding some logs, but only of some users. this's my current configuration.

Panic Soft #NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE%

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data

<Extension _syslog> Module xm_syslog </Extension>

<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>

<Extension _exec> Module xm_exec </Extension>

<Extension _fileop> Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    Exec    if (file_exists('%LOGFILE%') and \
               (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>

</Extension>

<Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Security'>*[System[(EventID=4720 or EventID=4634 or EventID=4625 or EventID=4624 or EventID=4726)]]</Select> </Query> </QueryList> </QueryXML> Exec $Message = 'EventID: ' + $EventID +' Source: '+ $IpAddress + ' Username: ' + $TargetUserName ; </Input>

<Output tcp> Module om_udp Host xx.xxx.xx.xxx Port xxx Exec to_syslog_bsd(); </Output>

<Route eventlog_to_tcp> Path eventlog => tcp </Route>

can you help me? thank you

Hello,

I am evaluating NXLog using the Community Edition. I created input as shown below to monitor certain Windows events and forward them via email. Everything is working as expected except that $Message or $raw_event variables always return word "true" instead of actual details about the event. Is this a limitation of the CE or am I doing something else wrong? Many thanks in advance for your assistance.

<Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="Application"> <Select Path="Application">[System[Provider[@Name='Symantec AntiVirus' or @Name='Symantec Network Protection']]]</Select> </Query> </QueryList> </QueryXML> <Exec> exec("c:/utils/mailsend.exe", "-to", "info@***.com", "-body", $raw_event, "-subject", "Symantec EPP Alert"); </Exec> </Input>

Hello everybody, I'm sorry to bother you with another question concerning Windows Eventlog forwarding to graylog. Unfortunately I'm not able to figure this out on my own. used versions: nxlog 2.10.2102 (running on Windows Server 2016) graylog 2.4.6 (running on Debian 9) I have two nxlog setups. One using syslog and another one using GELF. Both do not work as I would expect. **1. Syslog** ``` Module xm_syslog Module im_msvistalog Exec delete($Keywords); Exec if ($EventType == "VERBOSE") drop(); Module om_tcp Host graylog Port 5140 Exec $raw_event = replace($raw_event, "\n", " "); Exec $raw_event = replace($raw_event, "\r", " "); Exec $raw_event = replace($raw_event, "\t", " "); Exec to_syslog_ietf(); Path eventlog => out_graylog ``` The problem is that there are eventlog entries containing line breaks. Unfortunately they are not removed by the replace commands. So in graylog one message is split into many messages with every linebreak. Using wireshark I can observe that the linebreaks consist of LF characters (Unix line endings). **2. Gelf** ``` Module xm_gelf Module im_msvistalog Exec delete($Keywords); Exec if ($EventType == "VERBOSE") drop(); Module om_tcp Host graylog Port 12201 OutputType GELF Path eventlog => out_graylog ``` Unfortunately this setup does not work at all. No messages are showing up in Graylog (of course I've activated the correspnding input). Using wireshark I can observe that a lot of TCP packets are sent to graylog but none of them contain readable messages. Can anybody help me with either setup? Thanks and Regards, Carsten

Hi,

I'm using nxlog to send logs from Windows eventlog to elasticsearch, and using Kibana view.

I'm getting all the message as it is in the 'Message' column, I want to re-order it so the hostname parameter will be the windows server (and not the elasticsearch server), add 'Type' to the messages, etc.

this is the configuration file of nxlog:

* 55.2.110.4=elasticsearch server

<Extension json>
 Module xm_json
</Extension>

# Nxlog internal logs
<Input internal>
   Module im_internal
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
   Module im_msvistalog
 
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
 
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>
 
<Output out>
   Module om_http
   URL  https://55.2.110.4:443
   HTTPSAllowUntrusted    TRUE
</Output>
 
<Route 1>
   Path internal, eventlog => out
</Route>

 

this is an example message from kibana:

 

Field Action Value @timestamp   2015-09-08T07:35:47.064Z @version   1 _id   AU-r4dtqVULqkki94YkZ _index   logstash-2015.09.08 _type   logs host   55.2.110.4 http_port   5005 message  

2015-09-08 07:35:43 dc-prod-zone-a.organization.com AUDIT_SUCCESS 4634 An account was logged off. Subject: Security ID: S-1-5-21-1595779987-1987268195-2987234418-1104 Account Name: DC-PROD-ZONE-C$ Account Domain: ORGANIZATION Logon ID: 0x679381 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

 

 

Thanks a lot