NXLog and Windows for Graylog



  • So there are a few options for Graylog and utilities to get the logs from Windows to Graylog (or anything else). One of the recommended tools is NXLog as it's FOSS.

    And while I was able to get Graylog set up and installed, I can't for the life of me get my sample workstation to actually send any logs to my Graylog server.

    Does anyone have any pointers on this?



  • Here is the sample config file:

    Panic Soft
    #NoFreeOnExit TRUE
    
    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    
    <Extension _syslog>
        Module      xm_syslog
    </Extension>
    
    <Extension _gelf>
        Module      xm_gelf
    </Extension>
    
    <Input in_eventlog>
        Module      im_msvistalog
    </Input>
    
    <Input in_internal>
        Module      im_internal
    </Input>
    
    <Processor p_2syslog>
        Module      pm_transformer
        Exec        $Hostname = hostname();
        OutputFormat syslog_rfc5424
    </Processor>
    
    <Output out>
        Module      om_udp
        Host        host-ip-address    # placeholder: the Graylog server's address
        Port        12201
        # Exec      to_syslog_snare();
        OutputType  GELF_UDP
    </Output>
    
    <Route 1>
        Path        in_internal, in_eventlog => p_2syslog => out
    </Route>
    

    And I do have an input set up in Graylog for GELF UDP using port 12201.

    Not sure what else really needs to be "set up", as the logging appears to be relatively successful:

    2019-11-21 16:37:02 INFO nxlog-ce-2.10.2150 started
    2019-11-21 16:37:03 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.
    2019-11-21 16:37:03 WARNING The following sources are omitted to avoid exceeding the limit in the generated query:  Microsoft-Windows-FeatureConfiguration/Operational Microsoft-Windows-Fault-Tolerant-Heap/Operational Microsoft-Windows-FailoverClustering-Manager/Admin Microsoft-Windows-EventCollector/Operational Microsoft-Windows-EnrollmentWebService/Admin Microsoft-Windows-EnrollmentPolicyWebService/Admin Microsoft-Windows-EDP-Audit-TCB/Admin Microsoft-Windows-EDP-Audit-Regular/Admin Microsoft-Windows-EDP-Application-Learning/Admin Microsoft-Windows-EapMethods-Ttls/Operational Microsoft-Windows-EapMethods-Sim/Operational Microsoft-Windows-EapMethods-RasTls/Operational Microsoft-Windows-EapMethods-RasChap/Operational Microsoft-Windows-EapHost/Operational Microsoft-Windows-DxgKrnl-Operational Microsoft-Windows-DxgKrnl-Admin Microsoft-Windows-DSC/Operational Microsoft-Windows-DSC/Admin Microsoft-Windows-DiskDiagnosticResolver/Operational Microsoft-Windows-DiskDiagnosticDataCollector/Operational Microsoft-Wind


  • @DustinB3403 said in NXLog and Windows for Graylog:

    So there are a few options for Graylog and utilities to get the logs from Windows to Graylog (or anything else). One of the recommended tools is NXLog as it's FOSS.

    And while I was able to get Graylog set up and installed, I can't for the life of me get my sample workstation to actually send any logs to my Graylog server.

    Does anyone have any pointers on this?

    wazuh



  • When I was playing with graylog, I was using Beats



  • @IRJ said in NXLog and Windows for Graylog:

    wazuh

    Care to elaborate?



  • @flaxking said in NXLog and Windows for Graylog:

    When I was playing with graylog, I was using Beats

    Care to elaborate?



  • @DustinB3403 said in NXLog and Windows for Graylog:

    @flaxking said in NXLog and Windows for Graylog:

    When I was playing with graylog, I was using Beats

    Care to elaborate?

    Beats is essentially what Wazuh uses as well to send to the Elastic Stack.



  • @DustinB3403 said in NXLog and Windows for Graylog:

    @flaxking said in NXLog and Windows for Graylog:

    When I was playing with graylog, I was using Beats

    Care to elaborate?

    Flexible and made to work with different solutions

    https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html

    https://logz.io/blog/filebeat-tutorial/