Hi Folks, I have been playing with the nxlog config for more than 24 hrs but I am not able to get a specific Windows security event into the graylog server. I can send non-filtered events without issue. Here is the nxlog.conf file:

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/docs/

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Input in>
        Module im_msvistalog
        Query <QueryList>\
                  <Query Id="0">\
                  # <Select Path="Application">*</Select>\
                  # <Select Path="System">*</Select>\
                  # <Select Path="Security">*</Select>\
                  <Select Path="Security">*[System[(EventID=EventID=4625 or EventID=4740)]]</Select>\
                  </Query>\
              </QueryList>
    </Input>

    <Processor buffer>
        Module pm_buffer
        # 100Mb disk buffer
        MaxSize 102400
        Type disk
    </Processor>

    <Output out>
        Module om_tcp
        Host SERVER_IP
        Port 5044
        OutputType GELF_TCP
        Exec $short_message = $raw_event;
    </Output>

    <Route 1>
        Path in => out
    </Route>

In the log file I get the following error:

    2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events using bookmark: The specified query is invalid.
    2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 15001]

Sometimes the error changes and the service won't start; this happens when I uncomment the specific event line and comment all the security event lines:

    nxlog failed to start: Expected but saw at C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf:31

Appreciate it if someone can guide me in the right direction.

Thanks,
Navdeep
Comments (1)
You seem to be using # for comments inside single-line XML, which is incorrect and that is why you get the invalid query error. Use QueryXML without the \ line continuation marks, or use XML style comments <!-- -->.