2
responses

Hey All,

A bit of a newbee and trying to get NXLOG working with GrayLog. It is working and I'm seeing the information. The issue is that the information I'm seeing does not seem to match the PC's event logs.

Please see below Config File:

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

<Extension _gelf>
Module xm_gelf
</Extension>

<Input win>
Module im_msvistalog
</Input>
#
# Converting events to Snare format and sending them out over TCP syslog
<Output graylog>
Module om_udp
Host X.X.X.X
Port 3514
OutputType GELF
</Output>

<Route graylog_route>
Path win => graylog
</Route>

Any ideas about what I'm doing wrong????

AskedMay 23, 2022 - 1:26am

Answers (2)

Hi LogicalSolutions,

what are the differences you determined? Can you provide examples?

Some recommendations besides:

Instead of

Host X.X.X.X
Port 3514

note it like

Host X.X.X.X:3514

Instead of using UDP, better to switch to TCP which has some advantages like max. length and connection keep-alive e.g. Such Input can be easily configured in Graylog. A working NXLog config in one of my threads: https://nxlog.co/question/8456/problems-immsvistalog-under-windows-server-2022

Hi, you are missing some options for the im_msvistalog module. Also there is no Query/QueryXML statement which is AFAIK not optional. Have a look at the docs again, especially the example 1: https://docs.nxlog.co/refman/v5.5/im/msvistalog.html