Has anyone succeed in sending .evt file content to graylog ?
Actually, I found that:
- Using im_file module I can parse .evt file and send its content outside, but logs are bad formatted
- Using im_vistalog module I can't parse .evt files only the Windows Event log, but logs are well formatted
Any advice someone ?
Maybe it is possible to send the ouput of im_file to im_vistalog ?
Thanks,
--
Mathieu
There is no reason and no advantage to parse .evtx files directly.
Use Windows Event Viewer as the source of your data. NXLog is very powerfull to push reliable your events using flow control when needed.
You have just to set retention period of Event Viewer's Source of interest to a reasonable value according to your requirements.
Thank you bourazaniss for your comment, but, please note that my question is, "I need to read .evt or .evtx files, how can I do ?", it is not "Why I don't need to read .evt or .evtx files" ...
You will find my case very useful the day you will have to audit the CIFS log files of a NetApp filer.
Sorry if you found my answer aggressive. I did't want to sound like that. My point is that if you can use event viewer directly and this is working ok, what is the advantage you have reading evtx files directly and you have to stick with that?
Well you are right I should have explained my problem further.
When you want to audit the CIFS accesses made on the shares of a NetApp filer, you configure it to create ".evt" files, and you have no access to the file using an event viewer, no RPC, no WMI, just the .evt files.
So it is the reason why I have to ask NXLog to parse the evt files and inject the events to my graylog server.
The explanation I gave about retrieving events from the event viewer were just here as a proof that my setup was correct.
Hello,
for the netapp audit log you can also configure it to generate xm file log. Then you can (relatively) easily parse theses files with nxlog using regular expression and then get processed by graylog.
Comments (5)
Thank you for your answer, I just give a try to the enterprise edition.
Could you please help with the syntax ?
I don't know where to put the path to the event log files.
There is a File directive for the im_msvistalog module, see the NXLog EE Reference Manual that's bundled with the package.
Great, thank you for the answer.
So now, when I write the full path to the log file it works OK:
But, I'm actually trying to use the wildcard character * in the file path, but no luck, the error is:
I'm actually trying to use the wildcard character * in the file path with no luck, the error is:
I followed the documentation here : https://nxlog.co/docs/en/nxlog-reference-manual.html#im_file_config_file
And saw that another guy had the same problem : https://nxlog.co/question/945/directory-wildcardsfollowing
I tried the following with the wildcard * without success:
Could you please explain my mistake ?
Best regards,
Mathieu
Wildcards are not supported by the File directive of im_msvistalog yet. If you have multiple files then you should define a new module instance for each file.
Note that the File directive not intended as an eventlog monitoring facility as it cannot pick up newly added records either. This is only for the use-case when you have an evtx file that you want to parse once for audit/forensics purposes.
Hello thank you for the answer,
Well my NetApp filer generates everday, 70 .evt files for a total of 20GB size, the name is generated automatically based on the date and the timestamp when a new file is created.
My idea was to use make a script in order to copy the evt files into a temporary location where NXlog will parse those files and forward the logs to our Graylog server.
Or to simply ask NXlog to parse the location where NetApp store the evt files for new files and use the RenameCheck, SavePos and ReadFromLast parameters to automate things.
I understand that it s not possible for the moment.
Thank you again.