Send specific Windows security event to Graylog server

#1 navdeepsingh83

Hi Folks, I have been playing with the nxlog config for more than 24 hrs but I am not able to get a specific Windows security event into the Graylog server. I can send non-filtered events without issue. Here is the nxlog.conf file:

```
# This is a sample configuration file. See the nxlog reference manual about the
# configuration options. It should be installed locally and is also available
# online at http://nxlog.org/docs/

# Please set the ROOT to the folder your nxlog was installed into,
# otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_syslog

Module xm_gelf

Module im_msvistalog
Query
    #
    #
    # [System[(EventID=EventID=4625 or EventID=4740)]]

Module pm_buffer
# 100Mb disk buffer
MaxSize 102400
Type disk

Module om_tcp
Host SERVER_IP
Port 5044
OutputType GELF_TCP
Exec $short_message = $raw_event;

Path in => out
```

In the log file I get the following error:

```
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events using bookmark: The specified query is invalid.
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 15001]
```

Sometimes the error changes and the service won't start; this happens when I uncomment the specific-event line and comment the all-security-events line:

```
nxlog failed to start: Expected but saw at C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf:31
```

Appreciate it if someone can guide me in the right direction.

Thanks,
Navdeep

#2 b0ti Nxlog ✓

You seem to be using `#` for comments inside single-line XML, which is incorrect, and that is why you get the invalid query error. Use QueryXML without the `\` line continuation marks, or use XML-style comments `<!-- -->`.
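The input/output pair written the way b0ti suggests, as an added example and not configuration taken from the thread: the query sits in a multi-line QueryXML block, so it needs no `\` continuations and its notes are XML comments, and the duplicated `EventID=` from the original XPath is dropped. `SERVER_IP` is the placeholder from the original post; the block names (`gelf`, `in`, `buffer`, `out`, `1`) are assumed, and the pm_buffer is placed on the route so it actually holds events while Graylog is unreachable.

```apacheconf
<Extension gelf>
    Module  xm_gelf
</Extension>

<Input in>
    Module  im_msvistalog
    # The query is a multi-line QueryXML block, so no "\" continuations are
    # needed; everything inside it is XML, so notes there must use <!-- -->.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <!-- 4625 = an account failed to log on, 4740 = a user account was locked out -->
                <Select Path="Security">*[System[(EventID=4625 or EventID=4740)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Processor buffer>
    Module  pm_buffer
    # 100 MB disk buffer (MaxSize is in KB), same size as the original config
    MaxSize 102400
    Type    disk
</Processor>

<Output out>
    Module      om_tcp
    Host        SERVER_IP
    Port        5044
    OutputType  GELF_TCP
    Exec        $short_message = $raw_event;
</Output>

<Route 1>
    Path in => buffer => out
</Route>
```

Before deploying, the same XPath can be tried locally with Event Viewer's "Filter Current Log" XML tab to confirm it selects only the intended events.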