windows eventlog to graylog and splunk


#1 lokeliu

Hello

windows ---> nxlog --------> graylog & splunk (syslog)

How can I do this?
Is this conf right?

p.s. graylog 192.168.1.20, splunk 192.168.1.21

------------------------------------My conf------------------------------------------------------------------
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

# Instance names must be unique: the GELF extension was also named _syslog,
# which collides with the xm_syslog instance below, so it is named _gelf here.
<Extension _gelf>
    Module  xm_gelf
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Windows Event Log (Vista and later)
<Input in>
    Module  im_msvistalog
</Input>

# Graylog: GELF over UDP
<Output out>
    Module      om_udp
    Host        192.168.1.20
    Port        10554
    OutputType  GELF
</Output>

# Splunk: Snare-style syslog over UDP
<Output out1>
    Module  om_udp
    Host    192.168.1.21
    Port    10554
    Exec    to_syslog_snare();
</Output>

<Route 1>
    Path  in => out
</Route>

<Route 2>
    Path  in => out1
</Route>

#2 raf

Hello,

I don't see any obvious mistakes in your conf; however, I haven't tried it.

Please, make sure your Splunk and Graylog instances are configured to receive messages on a certain IP:PORT, in the chosen format.

In case anything doesn't work, you might want to check your nxlog.log file; please refer to the manual for some guidance.
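The reply above recommends confirming that each receiver really gets messages on the chosen IP:PORT in the chosen format. The script below is an added example (not part of this thread, NXLog, Graylog or Splunk) that stands in for the receiver during testing: bound to the port an NXLog output points at, it decodes whatever arrives as either a GELF datagram (plain, gzip or zlib; chunked GELF is flagged rather than misparsed) or a Snare-style syslog line as produced by `to_syslog_snare()`, so a mismatch between what NXLog sends and what the collector input expects shows up immediately. The hostnames, event text and field values in the two samples are constructed, and the Snare column order follows the Snare agent layout.

```python
"""Added example: UDP receiver/decoder for checking NXLog's GELF and Snare-syslog
outputs before pointing them at a real Graylog or Splunk input. Samples are constructed."""
import gzip
import json
import socket
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"
GELF_REQUIRED = ("version", "host", "short_message")

# Column order of the Snare agent format (what to_syslog_snare() emits after MSWinEventLog).
SNARE_FIELDS = (
    "criticality", "channel", "counter", "datetime", "event_id", "source",
    "account", "account_type", "event_type", "computer", "category",
    "message", "expanded", "checksum",
)


def decode_gelf(datagram: bytes) -> dict:
    """Decode one GELF/UDP datagram: plain JSON, gzip or zlib compressed.
    Chunked GELF (magic 1e 0f) spans several datagrams, so it is rejected
    explicitly instead of being fed to the JSON parser."""
    if datagram.startswith(GELF_CHUNK_MAGIC):
        raise ValueError("chunked GELF datagram; reassemble chunks before decoding")
    if datagram.startswith(b"\x1f\x8b"):          # gzip magic
        payload = gzip.decompress(datagram)
    elif datagram[:1] == b"\x78":                 # zlib header byte
        payload = zlib.decompress(datagram)
    else:
        payload = datagram
    msg = json.loads(payload.decode("utf-8").rstrip("\x00"))
    missing = [f for f in GELF_REQUIRED if f not in msg]
    if missing:
        raise ValueError(f"GELF message missing required field(s): {missing}")
    return msg


def decode_snare(datagram: bytes) -> dict:
    """Parse '<PRI>Mon DD HH:MM:SS host MSWinEventLog<TAB>...' into a dict."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing syslog PRI")
    pri_end = text.index(">")
    pri = int(text[1:pri_end])
    header, sep, body = text[pri_end + 1:].partition("MSWinEventLog")
    if not sep:
        raise ValueError("not a Snare-formatted event")
    hdr = header.split()                  # ['Mon', 'DD', 'HH:MM:SS', 'host']
    parts = body.split("\t")[1:]          # body begins with the tab after MSWinEventLog
    event = {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": " ".join(hdr[:3]),
        "hostname": hdr[3] if len(hdr) > 3 else "",
    }
    event.update(zip(SNARE_FIELDS, parts))
    return event


def decode_datagram(datagram: bytes) -> tuple:
    """Choose the decoder from the leading bytes so one listener checks either output."""
    if datagram[:1] in (b"{", b"\x1f", b"\x78") or datagram.startswith(GELF_CHUNK_MAGIC):
        return "gelf", decode_gelf(datagram)
    return "snare", decode_snare(datagram)


def listen(port: int, bind_addr: str = "0.0.0.0", count: int = 1) -> list:
    """Bind the port an NXLog output targets and decode `count` datagrams."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while len(events) < count:
            data, peer = sock.recvfrom(65535)
            try:
                events.append((peer[0],) + decode_datagram(data))
            except ValueError as exc:
                events.append((peer[0], "error", {"reason": str(exc), "raw": data[:64]}))
    return events


# Constructed samples in the two shapes the two outputs produce.
SAMPLE_GELF = zlib.compress(json.dumps({
    "version": "1.1", "host": "WIN-DC01",
    "short_message": "An account was successfully logged on.",
    "_EventID": 4624, "_Channel": "Security",
}).encode())
SAMPLE_SNARE = (b"<13>Jan 05 10:21:33 WIN-DC01 MSWinEventLog\t1\tSecurity\t117\tJan 05 10:21:33 2021"
                b"\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN-DC01"
                b"\tLogon\tAn account was successfully logged on.\t\t1")

if __name__ == "__main__":
    for sample in (SAMPLE_GELF, SAMPLE_SNARE):
        print(decode_datagram(sample))
    # Live check against the conf above: run this on 192.168.1.20 or .21 and call
    # listen(10554, count=3) while NXLog forwards events.
```

Run it on the destination host (with the real collector stopped or on a spare port) and send a few events from the Windows box; a `gelf` tuple with `host` and `short_message` populated, or a `snare` tuple with `event_id` and `channel` set, confirms the format and port match before the real Graylog or Splunk input is configured.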