1
answer

Attempting to log to a syslog server based upon the specified filtered log ID's. When I use this config, I do not get any errors in the error log when the service starts. However I do not get anything to my syslog server. Not sure if this a problem with the in or output and would love some feedback.

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>
define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102

define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816, \
4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
6280, 24586, 24592, 24593, 24594

define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
4891, 4893, 4894, 4895, 4898, 5136, 5137

<Input events>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="Directory Service">
<Select Path="Directory Service">*[System[Provider[
@Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if $EventID NOT IN (%HighEventIds%) and
$EventID NOT IN (%MediumEventIds%) and
$EventID NOT IN (%LowEventIds%) drop();
</Exec>
</Input>

<Output udp>
Module om_udp
Host 172.17.103.13
Port 514
Exec to_syslog_snare();
</Output>

<Route uds_to_udp>
Path events => udp
</Route>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

AskedJanuary 28, 2020 - 4:33pm

Answer (1)

Hello. In order to see if we are processing those logs we recommend to do the following:

  • add to you input and output modules log_info() expression just to make everything, coming through, be visible in internal nxlog logs.
    In your case it would look like:

Exec log_info("Before: " + $raw_event);
and
Exec log_info("After: " + $raw_event);

  • launch nxlog not as service but using cmd/powershell with -f parameter, just like nxlog -f.

After that you will see every log record and how do they change in your console as a standard output.
This could help you find, where your logs are missing.

Best regards
Arch

Comments (4)

  • smplegge's picture

    Is this what you mean?

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log

    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
    Module xm_syslog
    </Extension>
    define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102

    define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
    4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816, \
    4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
    4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
    4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
    5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
    5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
    6280, 24586, 24592, 24593, 24594

    define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
    4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
    4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
    4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
    4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
    4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
    4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
    4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
    4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
    4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
    4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
    4891, 4893, 4894, 4895, 4898, 5136, 5137

    <Input events>
    Module im_msvistalog
    <QueryXML>
    <QueryList>
    <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[Provider[
    @Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
    </Select>
    </Query>
    </QueryList>
    </QueryXML>
    <Exec>
    if $EventID NOT IN (%HighEventIds%) and
    $EventID NOT IN (%MediumEventIds%) and
    $EventID NOT IN (%LowEventIds%) drop();
    </Exec>
    Exec log_info("Before: " + $raw_event);
    </Input>

    <Output udp>
    Module om_udp
    Host 172.17.103.13
    Port 514
    Exec to_syslog_snare();
    Exec log_info("After: " + $raw_event);
    </Output>

    <Route uds_to_udp>
    Path events => udp
    </Route>

    <Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
    Module xm_exec
    </Extension>

    <Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
    Every 1 hour
    Exec if (file_exists('%LOGFILE%') and \
    (file_size('%LOGFILE%') >= 5M)) \
    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
    When @weekly
    Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
    </Extension>

  • Arkadiy's picture
    (NXLog)

    Exactly. This should do the trick.
    It's up to you, how to launch it - as a service or via command line, both would work - but as for me in this case cmd are much more handy.

  • smplegge's picture

    It didnt show up in the logs, but i found out all the event filtering I was trying to do was the cause. This is my end result config that works.

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log

    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
    Module xm_syslog
    </Extension>

    <Input in_app>
    Module im_msvistalog
    Query <QueryList><Query Id="0"><Select Path="Application">*</Select></Query></QueryList>
    Exec $Hostname = hostname();
    </Input>

    <Input in_sys>
    Module im_msvistalog
    Query <QueryList><Query Id="0"><Select Path="System">*</Select></Query></QueryList>
    Exec $Hostname = hostname();
    </Input>

    <Input in_sec>
    Module im_msvistalog
    Query <QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList>
    Exec $Hostname = hostname();
    </Input>

    <Output out>
    Module om_udp
    Host host
    Port 514
    Exec to_syslog_snare();
    </Output>

    <Route out_app>
    Path in_app => out
    </Route>

    <Route out_sys>
    Path in_sys => out
    </Route>

    <Route out_sec>
    Path in_sec => out
    </Route>

  • hcs's picture
    (NXLog)

    This will only collect if the specific Event IDs from the Microsoft-Windows-ActiveDirectory_DomainService Event Log provider is triggered. For example 1102 (Audit log was cleared event) would show up if that ever happened. Hopefully you won't see that unexpectedly in your prod!

    With your latest configuration it means that have expanded your filtering, which is why you are seeing more events coming through, which is what you want if that is your intention. The original script was created as ADDC tend to be noisy so you may have people only want to collect specific events based on IDs.