Providing visibility into Windows event logs


If you have to support even a few Windows boxes, shipping their event logs to a central location allows for monitoring and alerting, and it provides a lot of insight into the often dark world of Windows. NXLog Community Edition can read the Windows event log and forward it as syslog:

https://nxlog.co/products/nxlog-community-edition

The configuration file lives at C:\Program Files (x86)\nxlog\conf\nxlog.conf:

# Use the first ROOT for a 64-bit install, the (x86) one for the 32-bit package
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    # Reads the Windows Event Log on Vista / Server 2008 and later
    Module      im_msvistalog
    # Drop events below severity 4. NXLog severities are 1 DEBUG, 2 INFO,
    # 3 WARNING, 4 ERROR, 5 CRITICAL, so "< 4" keeps only ERROR and CRITICAL;
    # use "< 3" if you also want warnings.
    #   Exec        if $SeverityValue < 4 drop();
    # For Windows Server 2003 and earlier use the following module instead:
    #   Module      im_mseventlog
</Input>

<Output out>
    # om_udp sends events in cleartext with no delivery guarantee; NXLog also
    # provides om_tcp (reliable) and om_ssl (TLS) if that matters on your network.
    Module      om_udp
    Host        syslog.example.com
    Port        514
    # IETF syslog (RFC 5424): header plus a structured-data element carrying the event fields
    Exec        to_syslog_ietf();
    # BSD syslog (RFC 3164)
    #Exec        to_syslog_bsd();
    # SNARE formatted messages
    #Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>

Point Host at a Graylog syslog input, combine with Graylog… voilà!
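For the receiving end, here is an added example that is not part of the original post and not NXLog's or Graylog's own code: a small Python parser for the RFC 5424 lines that to_syslog_ietf() produces, with a collector-side version of the severity filter from the config above and a tally of events by Channel and EventID. The sample lines are constructed, and the field names inside the structured-data element (EventID, Channel, SeverityValue) and the SD-ID NXLOG@14506 are assumptions about what NXLog emits; adjust them to match what your collector actually receives.

```python
"""Added example (not from the original post): parse RFC 5424 syslog lines of the
kind NXLog's to_syslog_ietf() emits, decode PRI into facility/severity, pull the
Windows event fields out of the structured-data element, and run a severity
filter plus an EventID tally over a few constructed sample lines."""
import re
from collections import Counter
from dataclasses import dataclass

# RFC 5424 severity names, indexed by the 3-bit severity value (0 = most severe)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# SD-ID assumed for NXLog's structured-data element (14506 is NXLog's IANA enterprise number)
NXLOG_SD_ID = "NXLOG@14506"

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID, then SD and MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One SD-ELEMENT: "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
SD_ELEMENT_RE = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside PARAM-VALUE with a backslash
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_structured_data(rest: str):
    """Split the text after MSGID into ({sd_id: {param: value}}, msg)."""
    if rest.startswith("-"):  # NILVALUE: no structured data
        return {}, rest[1:].lstrip(" ")
    sd, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed STRUCTURED-DATA at offset {pos}")
        sd[m.group(1)] = {k: _unescape(v) for k, v in SD_PARAM_RE.findall(m.group(2))}
        pos = m.end()
    return sd, rest[pos:].lstrip(" ")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    sd: dict
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    def field(self, name: str, default=None):
        """Windows event field carried in NXLog's structured-data element (assumed layout)."""
        return self.sd.get(NXLOG_SD_ID, {}).get(name, default)


def parse_ietf_syslog(line: str) -> SyslogEvent:
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give PRI 0-191
        raise ValueError(f"PRI out of range: {pri}")
    sd, msg = parse_structured_data(m.group("rest"))
    return SyslogEvent(pri >> 3, pri & 7, m.group("timestamp"), m.group("hostname"),
                       m.group("appname"), sd, msg)


def tally_event_ids(lines, max_severity: int = 4) -> Counter:
    """Keep events at or above a syslog severity (lower number = more severe) and
    count them by (Channel, EventID): the same idea as the drop() filter in
    nxlog.conf, applied on the collector instead of the sender."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_ietf_syslog(line)
        if ev.severity > max_severity:
            continue
        counts[(ev.field("Channel"), ev.field("EventID"))] += 1
    return counts


# Constructed sample lines (not real captures) in the shape to_syslog_ietf() produces
SAMPLE_LINES = [
    '<14>1 2024-05-01T10:15:30.123456+00:00 WS01 Microsoft-Windows-Security-Auditing - - '
    '[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="4624" Channel="Security" '
    'SeverityValue="2" Severity="INFO"] An account was successfully logged on.',
    '<12>1 2024-05-01T10:16:02.000000+00:00 WS01 Microsoft-Windows-Security-Auditing - - '
    '[NXLOG@14506 EventType="AUDIT_FAILURE" EventID="4625" Channel="Security" '
    'SeverityValue="3" Severity="WARNING" TargetUserName="j\\"doe"] An account failed to log on.',
    '<12>1 2024-05-01T10:16:09.000000+00:00 WS01 Microsoft-Windows-Security-Auditing - - '
    '[NXLOG@14506 EventType="AUDIT_FAILURE" EventID="4625" Channel="Security" '
    'SeverityValue="3" Severity="WARNING"] An account failed to log on.',
    '<11>1 2024-05-01T10:17:45.000000+00:00 WS01 Service-Control-Manager 7000 - '
    '[NXLOG@14506 EventType="ERROR" EventID="7000" Channel="System" SeverityValue="4" '
    'Severity="ERROR"] The Example service failed to start.',
    # a plain message with no structured data at all
    '<13>1 2024-05-01T10:18:00.000000+00:00 WS01 nxlog - - - nxlog-ce started',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_ietf_syslog(line)
        print(f"{ev.hostname} {ev.severity_name:<8} {ev.field('Channel', '-'):<9} "
              f"{ev.field('EventID', '-'):<5} {ev.message}")
    print(tally_event_ids(SAMPLE_LINES))
```

The parser is deliberately strict: a line that is not RFC 5424, or whose structured data is malformed, raises rather than being silently mis-parsed, which is what you want before the data reaches a rule engine. The default max_severity of 4 keeps warning and above, which is slightly more permissive than the "< 4" drop() in the config above.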
