On our Graylog server we have GELF over TCP enabled. I use the following as a prototype Windows Server config file, with all relevant log paths defined for various services. We then just erase the lines we dont' want. I don't think I've seen a sample template, so this would have been useful when I was first building. Important to note, we didn't find any useful logs in event log for sharepoint, sccm, SQL Server, IIS, or Dynamics CRM, they log separately:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

<Extension _exec>
Module xm_exec

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);

# Rotate our log file every week on Sunday at midnight
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);

<Extension gelf>
Module xm_gelf

<Input inWindowsAudit>
Module im_msvistalog
ReadFromLast True
Query <QueryList>\
<Query Id="0">\

# Delete Unwanted Rows

# Standard Server Logs
<Select Path="Security">*</Select>\
<Select Path="System">*[System/Level=4]</Select>\
<Select Path="Application">*[Application/Level=2]</Select>\
<Select Path="Setup">*[System/Level=3]</Select>\

# Hardware Logs
<Select Path="HardwareEvents">*</Select>\

# Key Management
<Select Path="Key Management Service">*</Select>\

# Windows Powershell
<Select Path="Windows PowerShell">*</Select>\

# Internet Explorer
<Select Path="Internet Explorer">*</Select>\

# Active Directory
<Select Path="Active Directory Web Services">*</Select>\
<Select Path="DFS Replication">*</Select>\
<Select Path="Directory Service">*</Select>\
<Select Path="DNS Server">*</Select>\
<Select Path="File Replication Service">*</Select>\

# Server Manager
<Select Path="Microsoft-ServerManagementExperience">*</Select>\

# Exchange Logs
<Select Path="EWS Monitoring Events">*</Select>\
<Select Path="MSExchange Management">*</Select>\

<Select Path="Volume Activation Management Tool">*</Select>\

# Lync/Skype
<Select Path="Lync Server">*</Select>\

# Blank Template
<Select Path="">*</Select>\

# For windows 2003 and earlier use the following:
# Module im_mseventlog
Exec $CustomerID = 'my_customer';
Exec $LogType = 'Windows Audit';

<Output outGraylog>
Module om_tcp
Port 12201
OutputType GELF_TCP

<Route 1>
Path inWindowsAudit => outGraylog

AskedMay 23, 2020 - 7:05pm

Answer (1)