
We recently enabled logging on a CIFS share hosted on our NetApp. The audit logs that are generated are stored on a network share, currently in EVTX format (XML logs are also an option). I have a Windows server that has NXLog installed and can mount the network share where the EVTX files are located. What is the best module to use to get these EVTX or XML files into our Graylog server on a regular basis?

Asked June 6, 2018 - 6:24pm

Answer (1)

The NXLog Enterprise Edition supports reading .evtx files directly via the File config directive.

Comments (2)

  • craig.gaspara

    Thanks for your prompt response.

    We've been using NXLog Community version on other systems and we don't have an Enterprise license. If I generate my logs in XML format instead of EVTX, will that allow us to use the community version to push logs to Graylog?

    Thanks,
    Craig

  • Zhengshi (NXLog)

    Community edition comes with xm_xml and the parse_xml(); function from that extension. It also comes with xm_gelf for your output. These should handle what you need.

    There are a few examples in the CE reference manual as well as the EE User Guide. I would suggest searching for parse_xml(); within the manuals for some examples.
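A Community Edition configuration along the lines Zhengshi describes, added here as an example and not taken from the thread or the NXLog manuals. The share path, the Graylog host name, and the assumption that each NetApp XML audit record is a multi-line `<Event>...</Event>` block are constructed; the field names parse_xml() produces depend on the actual XML layout.

```nxlog
# Added example, not from the forum thread: NXLog Community Edition reading
# NetApp CIFS audit events exported as XML from a mounted share and forwarding
# them to Graylog as GELF. Paths and host names below are assumptions.
# The service account running nxlog must be able to read the UNC path; mapped
# drive letters are not visible to services, so a UNC path is used here.
define AUDIT_DIR \\\\fileserver\\auditlogs

<Extension xml>
    Module      xm_xml
</Extension>

<Extension gelf>
    Module      xm_gelf
</Extension>

# Assumption: each audit record is one <Event> element spanning several lines,
# so lines are grouped into a single record before it is parsed as XML.
<Extension event_multiline>
    Module      xm_multiline
    HeaderLine  /^\s*<Event\b/
    EndLine     /^\s*<\/Event>/
</Extension>

<Input cifs_audit>
    Module      im_file
    File        "%AUDIT_DIR%\\*.xml"
    InputType   event_multiline
    # Remember the read offset across restarts and do not replay old files
    # on first start, so events are neither lost nor duplicated in Graylog.
    SavePos     TRUE
    ReadFromLast TRUE
    # Flatten the XML elements of $raw_event into event fields.
    Exec        parse_xml();
</Input>

<Output graylog>
    Module      om_tcp
    # Assumed Graylog host; 12201 is the usual GELF TCP input port.
    Host        graylog.example.internal
    Port        12201
    OutputType  GELF_TCP
</Output>

<Route audit_to_graylog>
    Path        cifs_audit => graylog
</Route>
```

Verify on a test file before enabling the route; if a record does not parse, xm_xml logs a warning and the unparsed $raw_event is still forwarded, which is easy to spot in Graylog.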