I am trying to forward Windows 2016 event logs to a RHEL 7 syslog collector, on the community edition. I am not receiving any logs at the collector. I know that this is not a network issue as syslog generator tools (such as kiwi) are working. Current config is below:

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Syslog formatting functions (to_syslog_snare, to_syslog_bsd, to_syslog_ietf)
<Extension _syslog>
    Module xm_syslog
</Extension>

# Read the Security log; the XPath query is one directive continued with backslashes
<Input in>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select>\
        </Query>\
    </QueryList>
</Input>

# Send over UDP/514 in Snare format
<Output out>
    Module om_udp
    Host <myhostip>
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>

Any pointers as to where I'm going wrong? Ideally I would like to send all Windows Event logs, not just the IDs listed above.

Asked April 25, 2018 - 6:50pm

    • Have you confirmed that the UDP packets actually reach your server (e.g. with Wireshark or something else)?
    • If the above has been ruled out, try to_syslog_bsd() or to_syslog_ietf() if your rsyslog is allergic to the Snare format.
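To separate "packets never arrive" from "rsyslog does not like the format", it helps to take rsyslog out of the picture and receive the datagrams with a bare UDP socket on the collector, then check whether each one parses as BSD syslog and whether the Snare body carries an EventID. The script below is an added example written for this thread; it is not from the original poster, the answerer or NXLog. The sample datagrams are constructed to resemble what xm_syslog's to_syslog_snare() and to_syslog_bsd() produce, the host name WIN2016-DC01 is made up, and receive_datagrams() assumes it may bind the port (stop rsyslog's imudp first if it already owns 514, which also needs root).

```python
import re
import socket

# Constructed sample datagrams (not captured from a real host).
# Snare layout after the BSD header: MSWinEventLog, Criticality, LogName,
# Counter, DateTime, EventID, Provider, ... separated by tabs.
SAMPLE_SNARE = (
    b"<13>Apr 25 18:50:01 WIN2016-DC01 MSWinEventLog\t1\tSecurity\t1001\t"
    b"Wed Apr 25 18:50:01 2018\t4624\tMicrosoft-Windows-Security-Auditing\t"
    b"N/A\tN/A\tSuccess Audit\tWIN2016-DC01\tLogon\t\t"
    b"An account was successfully logged on.\t5"
)
# Plain BSD format for comparison (to_syslog_bsd style, constructed).
SAMPLE_BSD = (
    b"<13>Apr 25 18:50:01 WIN2016-DC01 "
    b"Microsoft-Windows-Security-Auditing[4]: An account was successfully logged on."
)

# <PRI>Mmm dd hh:mm:ss HOST MSG  (RFC 3164 header)
BSD_HEADER = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def parse_syslog(datagram: bytes) -> dict:
    """Split a BSD-format datagram into facility, severity, timestamp, host
    and message; if the body is Snare-formatted, also extract the EventID."""
    m = BSD_HEADER.match(datagram)
    if not m:
        raise ValueError("not a BSD-format syslog datagram: %r" % datagram[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI %d out of range" % pri)
    rec = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts").decode(),
        "host": m.group("host").decode(),
        "message": m.group("msg").decode(errors="replace"),
        "event_id": None,
    }
    if rec["message"].startswith("MSWinEventLog\t"):
        fields = rec["message"].split("\t")
        if len(fields) > 5 and fields[5].isdigit():
            rec["event_id"] = int(fields[5])  # sixth Snare field is the EventID
    return rec


def receive_datagrams(bind_addr="0.0.0.0", port=514, timeout=10.0, max_count=5):
    """Bind a raw UDP socket (independent of rsyslog) and return parsed
    datagrams with their source IP; stops after max_count or on timeout."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        while len(received) < max_count:
            try:
                data, (src, _) = s.recvfrom(65535)
            except socket.timeout:
                break  # nothing arrived: look at the network/firewall first
            try:
                rec = parse_syslog(data)
            except ValueError as e:
                rec = {"error": str(e), "raw": data[:80]}  # arrived but malformed
            rec["source_ip"] = src
            received.append(rec)
    return received


def loopback_check(datagram: bytes = SAMPLE_SNARE) -> dict:
    """Self-test: send one constructed datagram to ourselves and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        port = rx.getsockname()[1]
        rx.settimeout(2.0)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(datagram, ("127.0.0.1", port))
        data, (src, _) = rx.recvfrom(65535)
    rec = parse_syslog(data)
    rec["source_ip"] = src
    return rec


if __name__ == "__main__":
    print(loopback_check())
    # On the collector, with rsyslog's imudp stopped:  receive_datagrams()
```

If receive_datagrams() returns an empty list, the problem is in front of the collector (Windows Firewall outbound, firewalld on RHEL 7 not allowing 514/udp, or the Host value in om_udp). If it returns records with an error key, packets are arriving and the format is what rsyslog is choking on, which is the case the second bullet above addresses.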

