
Hi there

Maybe a dumb/newbie question: I'm not a Windows guy, but I know EventLogs have some weird normalization trick where GUIDs/etc have to be cross-referenced against some locale data to show you what you really want to see. I'm trying to run nxlog on a domain controller, but instead of forwarding (to syslog) "english text", we're seeing "Object: Object Server: DS Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2} Object Name: %{d7cb26ca-1f06-4d..." kind of stuff

It looks fine in the EventLog viewer on the DC, and running "nxlog -f" from the command line doesn't show any error, so any ideas what's missing?

According to this: https://nxlog.co/question/794/64-bit-windows-event-log-support-community-vs-enterprise I would think standard "this user was added to this group" kind of Security messages would be covered, but I suspect this isn't the case with the community edition?

So do you need the enterprise version to get all Eventlog "translations" that are really standard on systems like domain controllers?

This is with nxlog-ce-2.9.1716.msi.

Thanks, Jason

Asked May 3, 2018 - 6:14am

Answer (1)

The NXLog EE has an extra SID lookup feature via the ResolveSid configuration option, but that is supposed to be only for SID values.

You may still want to test the EE regardless to see if these object GUIDs are resolved properly with the EE.
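As an added example (not part of the original answer and not NXLog code): the %{guid} tokens in directory-service Security events such as "Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2}" are schema class/attribute GUIDs (the schemaIDGUID attribute in the Schema partition) or control access right GUIDs (the rightsGuid attribute under CN=Extended-Rights in the Configuration partition). If the log shipper does not translate them, you can resolve them yourself on the DC before forwarding. This script assumes the ActiveDirectory RSAT module is installed and a DC is reachable; the sample message below is constructed to match the shape of the text in the question, not a captured event.

```powershell
# Added example: resolve %{guid} tokens from DS Security events against the AD
# schema and Extended-Rights container. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADGuidMap {
    # Builds a hashtable: lowercase GUID string -> display name
    $rootDse = Get-ADRootDSE
    $map = @{}

    # Schema classes and attributes: schemaIDGUID is stored as a byte array
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties name, schemaIDGUID |
        ForEach-Object {
            $map[([guid]$_.schemaIDGUID).Guid] = $_.name
        }

    # Control access rights (e.g. replication rights): rightsGuid is a string
    $erContainer = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    Get-ADObject -SearchBase $erContainer `
                 -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties name, rightsGuid |
        ForEach-Object {
            $map[([guid]$_.rightsGuid).Guid] = $_.name
        }

    return $map
}

function Resolve-EventGuids {
    param(
        [Parameter(Mandatory)][string]$Message,
        [Parameter(Mandatory)][hashtable]$GuidMap
    )
    # Replace every %{guid} token we know; unknown tokens are left untouched so
    # an unresolved value stays visible downstream instead of silently vanishing.
    $out = $Message
    foreach ($m in [regex]::Matches($Message, '%\{([0-9a-fA-F-]{36})\}')) {
        $g = $m.Groups[1].Value.ToLower()
        if ($GuidMap.ContainsKey($g)) {
            $out = $out.Replace($m.Value, $GuidMap[$g])
        }
    }
    return $out
}

# Build the map once (it is large; cache it rather than querying per event)
$guidMap = Get-ADGuidMap

# Constructed sample in the shape of the forwarded text from the question
$sample = 'Object: Object Server: DS Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2}'
Resolve-EventGuids -Message $sample -GuidMap $guidMap
```

In an NXLog pipeline the same idea applies as a post-processing step on the message field before the syslog output; the map only changes when the schema is extended, so it can be generated once and reused rather than queried for every event.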

Comments (4)

  • jhaar

    Weird. I've just got the EE trial and enabled ResolveSID, and with or without it I still get GUID/whatever strings instead of human-readable text, i.e. what shows up in the local EventLog is not reflected by the local nxlog. Any other suggestions? No errors when running "nxlog -f", i.e. no direct sign it failed to find the, the, the, whatever-the-data-is that is needed to do the "translation".