1
answer

Hi,

I'm using nxlog to send logs from Windows eventlog to elasticsearch, and using Kibana view.

I'm getting all the message as it is in the 'Message' column, I want to re-order it so the hostname parameter will be the windows server (and not the elasticsearch server), add 'Type' to the messages, etc.

this is the configuration file of nxlog:

* 55.2.110.4=elasticsearch server

<Extension json>
 Module xm_json
</Extension>

# Nxlog internal logs
<Input internal>
   Module im_internal
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
   Module im_msvistalog
 
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
 
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
</Input>
 
<Output out>
   Module om_http
   URL  https://55.2.110.4:443
   HTTPSAllowUntrusted    TRUE
</Output>
 
<Route 1>
   Path internal, eventlog => out
</Route>

 

this is an example message from kibana:

 

Field
Action
Value

@timestamp
 
2015-09-08T07:35:47.064Z

@version
 
1

_id
 
AU-r4dtqVULqkki94YkZ

_index
 
logstash-2015.09.08

_type
 
logs

host
 
55.2.110.4

http_port
 
5005

message
 

2015-09-08 07:35:43 dc-prod-zone-a.organization.com AUDIT_SUCCESS 4634 An account was logged off. Subject: Security ID: S-1-5-21-1595779987-1987268195-2987234418-1104 Account Name: DC-PROD-ZONE-C$ Account Domain: ORGANIZATION Logon ID: 0x679381 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

 

 

Thanks a lot

AskedSeptember 8, 2015 - 9:44am

Answer (1)

You need to send JSON payload. See here.

AnsweredSeptember 8, 2015 - 10:03pm