
Have created this simple agent to send agent logs to a central server.
Is it possible to bulk this and only send once per hour?
What are the requirements to use the same as agentless?
When I add a second agent, how does the NXLog server separate the logs?
I then want to forward all logs on the NXLog server to a SIEM or Elastic. How do I forward them? Is it possible to bulk this as well?

<Input syslog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'><Select Path='System'>*[System[(Level &lt;= 3)]]</Select></Query>
            <Query Id='1'><Select Path='Application'>*[System[(Level &lt;= 3)]]</Select></Query>
            <Query Id='2'><Select Path='Security'>*[System[(Level &lt;= 3)]]</Select></Query>
        </QueryList>
    </QueryXML>
</Input>

<Output forward>
    Module om_tcp
    Host x.x.x.x
    Port 1514
</Output>

#################### ROUTE ###########
<Route r>
    Path syslog => forward
</Route>

Asked September 18, 2020 - 10:34am

Answer (1)

Hello,

Answering your questions:

  1. Yes, it would be possible. I suppose the <schedule> block might do the job, but in this case you'd most likely need to use some buffer file or something similar; generally, that's not a trivial case. It doesn't sound reasonable to send logs that rarely; perhaps you'd like to reconsider the idea?
  2. I don't see a simple solution to make the same stuff agentless; probably you'd need some external tools.
  3. NXLog isn't a server; each node sending data to the log collector (SIEM, anything else you use) should be easily identified as a unique log source.
  4. One can forward logs using different approaches, just to mention, using protocols such as tcp, udp or http. The Community Edition supports several formats, for instance JSON, or GELF, which can be used directly to feed your Graylog instance. If you're interested in a bigger number of ready-to-use integrations, please take a look at what Enterprise Edition offers - I'm sure you're gonna find what you need there.

Regards,

Rafal
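
Points 3 and 4 above, as an added example that is not part of the original thread or NXLog's own documentation: the agent forwards each event as one JSON line, and a collecting NXLog instance writes one file per sending address. The instance names, the `/var/log/nxlog/agents/` path, a Linux collector and the reuse of port 1514 are assumptions.

```conf
# ---------- agent side (Windows), nxlog.conf ----------
<Extension json>
    Module  xm_json
</Extension>

# Same event selection as the config in the question.
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'><Select Path='System'>*[System[(Level &lt;= 3)]]</Select></Query>
            <Query Id='1'><Select Path='Application'>*[System[(Level &lt;= 3)]]</Select></Query>
            <Query Id='2'><Select Path='Security'>*[System[(Level &lt;= 3)]]</Select></Query>
        </QueryList>
    </QueryXML>
</Input>

<Output forward>
    Module  om_tcp
    Host    x.x.x.x
    Port    1514
    # Serialize every field, including the $Hostname that im_msvistalog
    # sets, so the receiver can tell agents apart by content as well.
    Exec    to_json();
</Output>

<Route agent_to_collector>
    Path    eventlog => forward
</Route>

# ---------- collector side (assumed: NXLog on Linux), separate nxlog.conf ----------
<Input from_agents>
    Module  im_tcp
    # Newer releases name this directive ListenAddr.
    Host    0.0.0.0
    Port    1514
</Input>

# The JSON line is stored unparsed. The file name comes from the TCP peer
# address that im_tcp records, not from a field inside the payload, so a
# sender cannot choose where its events are written.
<Output per_source>
    Module    om_file
    File      "/var/log/nxlog/agents/" + $MessageSourceAddress + ".json"
    CreateDir TRUE
</Output>

<Route collect>
    Path    from_agents => per_source
</Route>
```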