3 responses

Hello!
I am having trouble finding documentation on how/where I would alter the config files to forward all Windows logs. I can set up the config to forward logs, which was simple, but specifying which logs to forward is where I am stuck.

Asked July 16, 2019 - 6:27pm

Answer (1)

Jacob,

I think knowing a little more about what you are trying to accomplish could be useful.

From what you wrote, I believe you are wanting to filter your input so that only some of it is sent?
For Microsoft Event Log entries, you are able to filter based on any of the fields available.
This can include $Channel, $EventID, etc. You can also tweak your query so that it only returns a specific channel to begin with.
https://nxlog.co/documentation/nxlog-user-guide/windows-eventlog.html

The first example in the following link will show you how to ignore events that are not a part of an EventID list that you want to keep.
https://nxlog.co/documentation/nxlog-user-guide/ad-domain-controller.html
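The two techniques the answer describes, narrowing the query to specific channels and dropping events whose EventID is not on a keep-list, combined into one configuration. This is an added example, not code from the original post or from NXLog's documentation; the channel names, the EventID list, the destination host and the port are assumptions chosen for illustration.

```apacheconf
# Added example (not from the original post). Forward only selected
# Windows Event Log entries as BSD syslog over TCP.
# Assumed values: channels Security and System, the EventID keep-list,
# destination 192.168.1.20:13073.
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Ask the Event Log API for only the Security and System channels
    # instead of subscribing to every channel and discarding later.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep only logon, failed logon, logoff and audit-policy-change
    # events (assumed list); drop() discards everything else before it
    # reaches any output. Tabs and newlines in the message are then
    # collapsed so each event becomes a single syslog line.
    <Exec>
        if ($EventID NOT IN (4624, 4625, 4634, 4719)) drop();
        $Message =~ s/(\t|\R)/ /g;
        to_syslog_bsd();
    </Exec>
</Input>

<Output tcp>
    Module  om_tcp
    Host    192.168.1.20
    Port    13073
</Output>

# Explicit route; without one NXLog wires every input to every output.
<Route eventlog_to_tcp>
    Path    eventlog => tcp
</Route>
```

Filtering inside `<QueryXML>` is cheaper than filtering in `<Exec>`, because events from unselected channels are never handed to NXLog in the first place; the `<Exec>` block is where field-level conditions such as `$EventID` or `$Channel` belong.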

Comments (2)

  • JacobY

    Actually what I wanted to accomplish is much easier than that. I just want to forward all Event Logs to TCP 13073. Using my config below, I'm not receiving anything. NXlog.log shows no errors:

    Important to note: the recipient server 192.168.1.20 is Apache server, not NXLog.

    # Provides to_syslog_bsd(), used in the input's Exec below
    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    # Reads every Windows Event Log channel (no query given, so no filtering)
    <Input eventlog>
        Module  im_msvistalog
        # Flatten tabs and newlines so each event is one line, then format as BSD syslog
        Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
    </Input>

    # Sends the formatted lines over plain TCP to the collector
    <Output tcp>
        Module  om_tcp
        Host    192.168.1.20
        Port    13073
    </Output>

    # No <Route> block: NXLog then routes all inputs to all outputs by default

  • Zhengshi (NXLog)

    As long as your target server (192.168.1.20) is set to listen on TCP:13073, you should be OK.
    Check the nxlog.log file to see if there are any connections established. It should be trying to connect and then either succeed or fail.
    If they fail, then there is likely something getting in the way: network issue, app not listening on the receiving end, firewall, etc.
    If it connects, then it could be that the listening app is dropping events.

    You could add an additional output on NXLog to send to file (om_file) to make sure that you are indeed getting events and processing them.
    Next verification step would be tcpdump/windump/wireshark or similar to verify that the events are being placed on the wire.
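The verification step suggested above, a second output to a local file so you can confirm events are read and formatted before blaming the network, as an added example that is not part of the original thread or NXLog's own documentation. The file path, the debug log level and the destination host and port are assumptions.

```apacheconf
# Added example (not from the original thread). Same event source as the
# poster's config, fanned out to a local file and to the TCP collector so
# the two can be compared. Assumed values: the file path, LogLevel DEBUG,
# destination 192.168.1.20:13073.

# DEBUG makes nxlog.log record each connect attempt and its outcome,
# which is the first thing to check when nothing arrives at the collector.
LogLevel    DEBUG

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    Exec    $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
</Input>

# Local copy of exactly what goes on the wire. If this file grows while
# the collector stays empty, the problem is the network or the receiver,
# not event collection or formatting.
<Output debugfile>
    Module  om_file
    File    'C:\Program Files\nxlog\data\eventlog_debug.log'
</Output>

<Output tcp>
    Module  om_tcp
    Host    192.168.1.20
    Port    13073
</Output>

# One route feeding both outputs from the same input
<Route eventlog_fanout>
    Path    eventlog => debugfile, tcp
</Route>
```

Once the file fills up, the remaining question is whether the receiver understands what it gets: om_tcp sends newline-delimited syslog lines with no HTTP framing, so a plain Apache listener on the port will not log them as requests. Remove the `debugfile` output and reset `LogLevel` after troubleshooting, since the local copy duplicates every event and the debug log grows quickly.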