
Our setup: we have Windows Server 2019 servers that are forwarding some "Security" events to a single Windows Server 2019 event collector. On that single Windows Server 2019 event collector, we have installed NXLog, which is forwarding to Graylog.

Summary: servers --> event collector server (where NXLog is installed) --> Graylog server

All selected events are getting to the event collector, but only some are getting to Graylog. So the problem is somewhere on or after the event collector server.

Here is the complete NXLog config:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _gelf>
Module xm_gelf
ShortMessageLength 500
</Extension>

<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='ForwardedEvents'>*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>

<Output out>
Module om_tcp
Host graylog.local
Port 12201
OutputType GELF_TCP
</Output>

<Route 1>
Path in => out
</Route>

Is anything obvious missing?

Asked October 11, 2020 - 4:49pm
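To narrow down where records are lost on the collector -> NXLog -> Graylog leg, here is an added example (not from the question and not NXLog or Graylog code) that frames constructed ForwardedEvents records the way OutputType GELF_TCP sends them to port 12201, parses the byte stream as a GELF TCP receiver would, and reconciles record numbers to list what never arrived. The host name, the `_RecordNumber` field name and the sample events are assumptions.

```python
import json

GELF_PORT = 12201  # port used by the om_tcp output in the question

# Constructed sample records standing in for entries in ForwardedEvents.
SAMPLE = [
    {"RecordNumber": 1001, "EventID": 4624, "Message": "An account was successfully logged on."},
    {"RecordNumber": 1002, "EventID": 4625, "Message": "An account failed to log on."},
    {"RecordNumber": 1003, "EventID": 4688, "Message": "A new process has been created."},
]

def gelf_tcp_frame(records, host="collector.local"):
    """Encode records as a GELF_TCP stream: uncompressed JSON messages, each
    terminated by a NUL byte, which is what OutputType GELF_TCP emits."""
    out = bytearray()
    for r in records:
        msg = {
            "version": "1.1",
            "host": host,                          # assumed collector host name
            "short_message": r["Message"][:500],   # mirrors ShortMessageLength 500
            "full_message": r["Message"],
            "_Channel": "ForwardedEvents",
            "_EventID": r["EventID"],
            "_RecordNumber": r["RecordNumber"],    # assumed additional-field name
        }
        out += json.dumps(msg).encode("utf-8") + b"\0"
    return bytes(out)

def gelf_tcp_parse(stream):
    """Split a GELF_TCP stream into messages. Bytes after the last NUL are an
    incomplete message (e.g. connection cut mid-record); return them separately
    instead of silently dropping them."""
    parts = stream.split(b"\0")
    tail = parts.pop()
    return [json.loads(p) for p in parts if p], tail

def missing_records(collector_records, received_msgs):
    """Record numbers present on the collector but absent from what the
    receiver decoded; a non-empty result localises the loss to this leg."""
    sent = {r["RecordNumber"] for r in collector_records}
    got = {m["_RecordNumber"] for m in received_msgs}
    return sorted(sent - got)

def demo():
    stream = gelf_tcp_frame(SAMPLE)
    # Simulate the TCP connection closing a few bytes into the last message.
    truncated = stream[: stream.rfind(b"\0", 0, len(stream) - 1) + 5]
    msgs, tail = gelf_tcp_parse(truncated)
    return missing_records(SAMPLE, msgs), tail != b""
```

Feeding `gelf_tcp_frame` output to a socket on graylog.local:12201 with numbered test records and running `missing_records` against what Graylog indexed shows whether the drop happens before or after NXLog's output.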
