NXLog and Windows for Graylog
-
So there are a few options for Graylog and utilities to get the logs from Windows to Graylog (or anything else). One of the recommended tools is NXLog as it's FOSS.
And while I was able to get Graylog setup and installed I can't for the life of me get my sample workstation to actually send any logs to my graylog server.
Does anyone have any pointers on this?
-
Here is the sample config file:
Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _gelf> Module xm_gelf </Extension> <Input in_eventlog> Module im_msvistalog </Input> <Input in_internal> Module im_internal </Input> <Processor p_2syslog> Module pm_transformer Exec $Hostname = hostname(); OutputFormat syslog_rfc5424 </Processor> <Output out> Module om_udp Host host-ip-address Port 12201 # Exec to_syslog_snare(); OutputType GELF_UDP </Output> <Route 1> Path in_internal, in_eventlog => p_2syslog => out </Route>And I do have an input setup in Graylog for glef udp using port 12201.
Not sure what else really needs to be "setup" as the logging appears to be relatively successful
2019-11-21 16:37:02 INFO nxlog-ce-2.10.2150 started 2019-11-21 16:37:03 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources. 2019-11-21 16:37:03 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Microsoft-Windows-FeatureConfiguration/Operational Microsoft-Windows-Fault-Tolerant-Heap/Operational Microsoft-Windows-FailoverClustering-Manager/Admin Microsoft-Windows-EventCollector/Operational Microsoft-Windows-EnrollmentWebService/Admin Microsoft-Windows-EnrollmentPolicyWebService/Admin Microsoft-Windows-EDP-Audit-TCB/Admin Microsoft-Windows-EDP-Audit-Regular/Admin Microsoft-Windows-EDP-Application-Learning/Admin Microsoft-Windows-EapMethods-Ttls/Operational Microsoft-Windows-EapMethods-Sim/Operational Microsoft-Windows-EapMethods-RasTls/Operational Microsoft-Windows-EapMethods-RasChap/Operational Microsoft-Windows-EapHost/Operational Microsoft-Windows-DxgKrnl-Operational Microsoft-Windows-DxgKrnl-Admin Microsoft-Windows-DSC/Operational Microsoft-Windows-DSC/Admin Microsoft-Windows-DiskDiagnosticResolver/Operational Microsoft-Windows-DiskDiagnosticDataCollector/Operational Microsoft-Wind -
@DustinB3403 said in NXLog and Windows for Graylog:
So there are a few options for Graylog and utilities to get the logs from Windows to Graylog (or anything else). One of the recommended tools is NXLog as it's FOSS.
And while I was able to get Graylog setup and installed I can't for the life of me get my sample workstation to actually send any logs to my graylog server.
Does anyone have any pointers on this?
wazuh
-
When I was playing with graylog, I was using Beats
-
-
@flaxking said in NXLog and Windows for Graylog:
When I was playing with graylog, I was using Beats
Care to elaborate?
-
@DustinB3403 said in NXLog and Windows for Graylog:
@flaxking said in NXLog and Windows for Graylog:
When I was playing with graylog, I was using Beats
Care to elaborate?
Beats is essential what wazuh uses as well to send to elastic stack.
-
@DustinB3403 said in NXLog and Windows for Graylog:
@flaxking said in NXLog and Windows for Graylog:
When I was playing with graylog, I was using Beats
Care to elaborate?
Flexible and made to work with different solutions
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html
