Our setup: we have Windows Server 2019 servers that are forwarding some "Security" events to a single Windows Server 2019 event collector. On that single Windows Server 2019 event collector, we have installed NXLog, which is forwarding to Graylog.
Summary: servers --> event collector server (where NXLog is installed) --> Graylog server
All selected events are getting to the event collector, but only some are getting to Graylog. So the problem is somewhere on or after the event collector server.
Here is the complete NXLog config:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _gelf>
Module xm_gelf
ShortMessageLength 500
</Extension>
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='ForwardedEvents'>*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_tcp
Host graylog.local
Port 12201
OutputType GELF_TCP
</Output>
<Route 1>
Path in => out
</Route>
Is anything obvious missing?
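One way to narrow the problem to the collector-to-Graylog leg is to reconcile the two sides event by event rather than by count. This is an added example, not code from the original post or from NXLog: it keys every event in a wevtutil XML export of the collector's ForwardedEvents channel, and every GELF_TCP message captured on the Graylog side, by (Computer, EventRecordID, EventID) and lists the ones that never arrived. The sample data is constructed, and the underscore-prefixed GELF field names (_Hostname, _RecordNumber, _EventID) are assumed to be how xm_gelf exposes the im_msvistalog fields.

```python
import json
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: collector side, as 'wevtutil qe ForwardedEvents /f:xml'
# prints it (wrapped in <Events> here so it parses as a single document).
COLLECTOR_XML = """<Events>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>4624</EventID><EventRecordID>1001</EventRecordID>
 <Channel>Security</Channel><Computer>srv1.local</Computer></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>4688</EventID><EventRecordID>1002</EventRecordID>
 <Channel>Security</Channel><Computer>srv1.local</Computer></System></Event>
</Events>"""

# Constructed sample: Graylog side, the GELF_TCP stream nxlog sends (one JSON
# object per event, NUL-terminated). Only the first event made it across.
# Field names _Hostname, _RecordNumber, _EventID are an assumption.
GELF_STREAM = (b'{"version":"1.1","host":"collector","short_message":"logon",'
               b'"_Hostname":"srv1.local","_RecordNumber":1001,"_EventID":4624}\x00')


def parse_collector_xml(xml_text):
    """Key each forwarded event by (Computer, EventRecordID, EventID)."""
    keys = set()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        keys.add((system.findtext("e:Computer", namespaces=NS),
                  int(system.findtext("e:EventRecordID", namespaces=NS)),
                  int(system.findtext("e:EventID", namespaces=NS))))
    return keys


def parse_gelf_stream(data):
    """Key each NUL-terminated GELF message by the same tuple."""
    keys = set()
    for raw in data.split(b"\x00"):
        if raw.strip():  # skip the empty tail after the final NUL
            msg = json.loads(raw)
            keys.add((msg["_Hostname"], int(msg["_RecordNumber"]), int(msg["_EventID"])))
    return keys


def missing_in_graylog(collector_keys, graylog_keys):
    """Events the collector recorded that Graylog never received, sorted."""
    return sorted(collector_keys - graylog_keys)


if __name__ == "__main__":
    for host, rec, eid in missing_in_graylog(parse_collector_xml(COLLECTOR_XML),
                                             parse_gelf_stream(GELF_STREAM)):
        print(f"missing in Graylog: host={host} record={rec} eventid={eid}")
```

Grouping the missing tuples by EventID or by source host usually points straight at the cause (an event class that is dropped or malformed, or one host whose events never leave the collector).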
Comments (1)
Hello,
Config looks fine. Could you please share some examples of events which aren't making it to nxlog but should?
Regards, Arch