Windows Logging
Attempting to log to a syslog server based upon the specified filtered log ID's. When I use this config, I do not get any errors in the error log when the service starts. However I do not get anything to my syslog server. Not sure if this a problem with the in or output and would love some feedback.
Panic Soft #NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data
<Extension _syslog> Module xm_syslog </Extension> define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102
define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724,
4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816,
4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896,
4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976,
4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037,
5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483,
5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279,
6280, 24586, 24592, 24593, 24594
define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625,
4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663,
4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698,
4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720,
4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733,
4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747,
4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759,
4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774,
4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788,
4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877,
4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889,
4891, 4893, 4894, 4895, 4898, 5136, 5137
<Input events> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="Directory Service"> <Select Path="Directory Service">*[System[Provider[ @Name='Microsoft-Windows-ActiveDirectory_DomainService']]] </Select> </Query> </QueryList> </QueryXML> <Exec> if $EventID NOT IN (%HighEventIds%) and $EventID NOT IN (%MediumEventIds%) and $EventID NOT IN (%LowEventIds%) drop(); </Exec> </Input>
<Output udp> Module om_udp Host 172.17.103.13 Port 514 Exec to_syslog_snare(); </Output>
<Route uds_to_udp> Path events => udp </Route>
<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>
<Extension _exec> Module xm_exec </Extension>
<Extension _fileop> Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
Hello. In order to see if we are processing those logs we recommend to do the following:
- add to you input and output modules log_info() expression just to make everything, coming through, be visible in internal nxlog logs.
In your case it would look like:
Exec log_info("Before: " + $raw_event);
and
Exec log_info("After: " + $raw_event);
- launch nxlog not as service but using cmd/powershell with -f parameter, just like
nxlog -f.
After that you will see every log record and how do they change in your console as a standard output.
This could help you find, where your logs are missing.
Best regards
Arch
