
Hi,
I'm new to NXLog and Graylog. I'm using NXLog to send Windows server logs to Graylog.
My final goal is to transfer and log over SSL, but I am proceeding step by step. All my machines are on my company LAN.
The NXLog configuration with om_udp

---------------------------
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
Module xm_gelf
</Extension>

<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select>\
</Query>\
</QueryList>
</Input>

<Output out>
Module om_udp
Host 10.0.0.22
Port 12201
#Exec to_syslog_snare();
Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
OutputType GELF
</Output>

<Route 1>
Path in => out
</Route>
---------------------------

works correctly, while the identical one that I made with om_tcp

---------------------------
<Output out>
Module om_tcp
Host 10.0.0.22
Port 12201
#Exec to_syslog_snare();
Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
OutputType GELF
</Output>
---------------------------

creates this log

2018-04-11 19:48:06 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-11 19:48:06 INFO reconnecting in 2 seconds
2018-04-11 19:48:07 INFO connecting to 10.0.0.22:12201
2018-04-11 19:48:07 INFO reconnecting in 1 seconds
2018-04-11 19:48:07 ERROR om_tcp send failed; An established connection was aborted by the software in your host machine.
2018-04-11 19:48:08 INFO connecting to 10.0.0.22:12201
2018-04-11 19:52:59 ERROR couldn't connect to tcp socket on 10.0.0.22:12201; No connection could be made because the target machine actively refused it.
2018-04-11 19:53:01 INFO connecting to 10.0.0.22:12201
2018-04-11 19:53:02 INFO reconnecting in 4 seconds
2018-04-12 10:02:09 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:10 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:10 INFO reconnecting in 1 seconds
2018-04-12 10:02:10 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:11 INFO reconnecting in 1 seconds
2018-04-12 10:02:11 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO reconnecting in 2 seconds
2018-04-12 10:02:12 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:12 INFO reconnecting in 1 seconds
2018-04-12 10:02:12 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201
2018-04-12 10:02:13 INFO reconnecting in 1 seconds
2018-04-12 10:02:13 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201

does not work correctly.
In Graylog I receive 1 message/minute instead of the 15-20 that I receive with the UDP configuration, even though the Graylog input message counter reports about 20/minute. It seems that most messages are discarded as incorrect.
On the Graylog server firewall port 12201 tcp/udp is open, and on the Windows server port 12201 is open too.
I have no idea what's going on. Thank you

Asked April 12, 2018 - 10:11am
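Added example, not code from the post or from NXLog/Graylog: a small Python model of the framing a GELF TCP input expects, so the difference between the UDP and TCP cases can be checked offline. It assumes that Graylog's GELF TCP input reads NUL-terminated (0x00) JSON documents and has no UDP-style chunking; the sample events and host name are constructed.

```python
import json

# Required GELF 1.1 fields; everything else is optional or a "_"-prefixed additional field.
REQUIRED_FIELDS = ("version", "host", "short_message")

# Constructed sample events in the shape xm_gelf produces for the Security channel
# (field names are illustrative, not captured output).
SAMPLE_EVENTS = [
    {"version": "1.1", "host": "winsrv01", "short_message": "An account was successfully logged on",
     "level": 6, "_EventID": 4624, "_Channel": "Security"},
    {"version": "1.1", "host": "winsrv01", "short_message": "An account was logged off",
     "level": 6, "_EventID": 4634, "_Channel": "Security"},
]


def validate_gelf(message):
    """Return the list of required GELF fields missing from a message."""
    return [f for f in REQUIRED_FIELDS if f not in message]


def gelf_tcp_frame(message):
    """Frame one GELF message for a TCP input: UTF-8 JSON plus a NUL terminator.
    Assumption: Graylog's GELF TCP input splits the byte stream on 0x00 and does
    not understand the chunked/compressed encoding used by GELF over UDP."""
    missing = validate_gelf(message)
    if missing:
        raise ValueError("missing required GELF fields: %s" % ", ".join(missing))
    return json.dumps(message).encode("utf-8") + b"\x00"


def framed_stream(events):
    """Byte stream as it should look on the wire towards a GELF TCP input."""
    return b"".join(gelf_tcp_frame(e) for e in events)


def concat_without_framing(events):
    """What reaches a TCP input when JSON documents are written back to back
    with no delimiter (constructed to model a mis-framed stream)."""
    return b"".join(json.dumps(e).encode("utf-8") for e in events)


def split_gelf_tcp_stream(stream):
    """Model of the receiver side: split on NUL, parse each complete message and
    return (messages, unterminated_remainder). A real input keeps buffering the
    remainder; it never becomes a message unless a NUL arrives."""
    messages = []
    parts = stream.split(b"\x00")
    remainder = parts.pop()  # bytes after the last NUL, if any
    for chunk in parts:
        if chunk:
            messages.append(json.loads(chunk.decode("utf-8")))
    return messages, remainder
```

A packet capture of the stream from the Windows host to port 12201 should show a 0x00 byte after every JSON document; a stream without them behaves like concat_without_framing here and yields no complete message.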

Comments (1)

  • tape

    Hello,

    I think the problem will not be on the NXLog side, but on the receiving side. Is Graylog also listening on TCP? According to your log, the remote host is closing the connection.

    Peter

Answers (0)