0
responses

Dear all,

I have question below:

1 -  I want to get log from my Server 2008 r2 and i have installed nxlog in there. Beside, i have configed a file logstash config with some information as:

input {
  syslog {
    type => "WindowsEventLog"
    codec => json
    port => 3515 --> i open this port on Win Server
  }
}

filter {
  if [type] == "WindowsEventLog" {
    json {
      source => "message"
    }
    if [SourceModuleName] == "eventlog" {
      mutate {
        replace => [ "message", "%{Message}" ]
      }
      mutate {
        remove_field => [ "Message" ]
      }
    }
  }
}

output {
  elasticsearch {
    protocol {host => localhost}
    stdout {codec => rubydebug}
  }
}

And have a file config as nxlog

#define ROOT C:\\Program Files\\nxlog
#define ROOT_STRING C:\\Program Files\\nxlog
define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert
 
Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log
 
# Include fileop while debugging, also enable in the output module below

#<Extension fileop>
#    Module      xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
    Exec  $Message = to_json();
</Input>
    
<Input eventlog>
    Module      im_msvistalog
# Uncomment if you want only specific logs
#    Query       <QueryList>\
#                    <Query Id="0">\
#                        <Select Path="Application">*</Select>\
#                        <Select Path="System">*</Select>\
#                        <Select Path="Security">*</Select>\
#                    </Query>\
#                </QueryList>
</Input>

<Input file>
    Module    im_file
    File    "C:\\MyApp\\Logs\\mylog.json"
</Input>

<Input myapp>
    Module    im_file
    File    "C:\\MyApp\\Logs\\mylog.json"
    Exec    parse_json();
    Exec        $EventTime = parsedate($timestamp);
</Input>

<Input eventlog>
# Uncomment im_msvistalog for Windows 2008 and later
    Module im_msvistalog
 
#Uncomment im_mseventlog for Windows XP/Windows 7 and later
#Module im_mseventlog
 
    Exec  $Message = to_json();
</Input>
 
<Output elasticsearch>
    Module      om_http
    URL         http://elasticsearch:9200
    ContentType application/json
    Exec        set_http_request_path(strftime($EventTime, "/nxlog-%Y%m%d/" + $SourceModuleName)); rename_field("timestamp","@timestamp"); to_json();
</Output>

<Output out>
    Module om_tcp
    Host 10.151.130.114 --> this is address of Kibana and Logstash ( i config in a same server )
    Port 3515
 
    Exec to_syslog_ietf(); $raw_event = replace($raw_event, 'NXLOG@14506', '6701e99f-8724-4388-b2ac-cce6fd0eb03f@41058 tag="windows"] [', 1);
 
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log",  $raw_event);
</Output>
 
<Route 1>
    Path internal, eventlog => out
</Route>

However, when i open kibana with it's address 10.151.130.114, don't have other data in there as well as result is No Results Found

I don't know where is my mistake. Pls, support me

2- Follow this web https://nxlog.co/docs/elasticsearch-kibana/using-nxlog-with-elasticsearch-and-kibana.html#idp54463840

in here, i don't know about om_elasticsearch module as well as om_http module. Where are they? and how can i config them?

Pls support me

Thanks and regds

AskedApril 7, 2016 - 4:15am

Answers (0)