Hi, I am doing a test with the agent NXLog EE v.5.3.6735_windows_x64, and after installing the agent on the server I stopped receiving the Windows audit logs (im_msvistalog module) that I was receiving regularly with NXLog CE v.2.10.2150, and I am not getting the SQL logs either.
I attach the configuration files I implemented:

nxlog.conf (nxlog EE v.5.3.6735):

Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
include %CONFDIR%\*.conf

#LogLevel INFO
#LogFile %MYLOGFILE%

<Extension gelf>
Module xm_gelf
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
<Exec>
if ( file_exists('%MYLOGFILE%') and
(file_size('%MYLOGFILE%') >= 5M) )
{
file_cycle('%MYLOGFILE%', 8);
}
</Exec>
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>

<Input eventlog>
Module im_msvistalog
</Input>

<Input eventlogSQL>
Module im_odbc
ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=<server_name>; \
Trusted_Connection=yes; DATABASE=MASTER;
PollInterval 5
IdType timestamp
SQL SELECT event_time AS 'id', f.*, a.name AS action_name \
FROM fn_get_audit_file('X:\SQLDATA\Log\logfiles\Audit-*.sqlaudit', default, \
default) AS f \
INNER JOIN sys.dm_audit_actions AS a \
ON f.action_id = a.action_id \
WHERE event_time > ?
<Exec>
delete($id);
rename_field($event_time, $EventTime);
</Exec>
</Input>

<Output udp>
Module om_udp
Host XXX.XXX.XXX.XXX --> my_graylog_server
Port XXXX --> port
OutputType GELF_UDP
</Output>

<Output udpSQL>
Module om_udp
Host XXX.XXX.XXX.XXX --> my_graylog_server
Port XXXX --> port
OutputType GELF_UDP
</Output>

<Route eventlog_to_udp>
Path eventlog => udp
</Route>

<Route eventlog_to_udpSQL>
Path eventlogSQL => udpSQL
</Route>

nxlog.conf (nxlog CE v.2.10.2150):

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension gelf>
Module xm_gelf
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

<Input eventlog>
Module im_msvistalog
</Input>

<Output udp>
Module om_udp
Host XXX.XXX.XXX.XXX --> my_graylog_server
Port XXXX --> port
OutputType GELF_UDP
</Output>

<Route eventlog_to_udp>
Path eventlog => udp
</Route>

Asked August 6, 2021 - 7:37pm
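Added example, not part of the question and not NXLog's own code: a small Python sanity checker for configs in the block format posted above, covering what a practitioner checks first when an agent goes quiet. It assumes the four checks below are the useful ones (every Route hop names a defined Input/Output, every Input/Output has a Module, a Host line still carrying an annotation placeholder, and an EE-style file where LogFile is commented out in favour of include, so nothing lands in nxlog.log unless an included file sets it); the sample config is constructed.

```python
import re
# Constructed sample in the block format of the configs above (not the poster's full file).
SAMPLE_CONF = """\
include %CONFDIR%\\*.conf
#LogFile %MYLOGFILE%
<Input eventlog>
Module im_msvistalog
</Input>
<Output udp>
Module om_udp
Host XXX.XXX.XXX.XXX --> my_graylog_server
</Output>
<Route eventlog_to_udpSQL>
Path eventlogSQL => udp
</Route>
"""
BLOCK_RE = re.compile(r"^<(Input|Output|Processor|Extension|Route)\s+(\S+)>\n(.*?)^</\1>", re.S | re.M)

def active(text, directive):
    """True if an uncommented line starts with the directive (comments begin with #)."""
    return re.search(rf"^\s*{directive}\b", text, re.M | re.I) is not None

def parse_blocks(text):
    """Map (kind, name) -> {directive: value}; backslash-continued lines are joined."""
    blocks = {}
    for kind, name, body in BLOCK_RE.findall(text):
        directives = {}
        for line in re.sub(r"\\\n\s*", " ", body).splitlines():
            line = line.strip()
            if line and not line.startswith(("#", "<")):   # skip comments, nested blocks
                key, _, value = line.partition(" ")
                directives[key] = value.strip()
        blocks[(kind, name)] = directives
    return blocks

def check(text):
    """Findings to inspect first when an agent silently stops forwarding events."""
    blocks, findings = parse_blocks(text), []
    names = {n for (k, n) in blocks if k in ("Input", "Output")}
    for (kind, name), d in blocks.items():
        if kind in ("Input", "Output") and "Module" not in d:
            findings.append(f"{kind} {name}: no Module directive")
        if "-->" in d.get("Host", "") or "XXX" in d.get("Host", ""):
            findings.append(f"{kind} {name}: Host is still a placeholder: {d['Host']!r}")
        for hop in (re.split(r"=>|,", d["Path"]) if kind == "Route" and "Path" in d else []):
            if hop.strip() not in names:
                findings.append(f"Route {name}: {hop.strip()!r} is not a defined Input/Output")
    if active(text, "include") and not active(text, "LogFile"):
        findings.append("LogFile is commented out: nxlog.log exists only if an included *.conf sets it")
    return findings
```

Run `check(open(path).read())` against each of the two files above: the CE file sets LogFile directly and reports nothing on that point, while the EE file only does so through its include.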

Answers (0)