
Providing visibility into windows event logs

If you have to support a few Windows boxes, getting the Windows event logs shipped to a central location enables monitoring and alerting, and it provides a lot of insight into the often dark world of Windows.

C:\Program Files (x86)\nxlog\conf\nxlog.conf

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    # Don't send events with SeverityValue below 4 (nxlog: 1=DEBUG, 2=INFO, 3=WARNING, 4=ERROR, 5=CRITICAL)
    #Exec        if $SeverityValue < 4 drop();
    # For Windows 2003 and earlier use the following instead of im_msvistalog:
    #Module      im_mseventlog
</Input>

<Output out>
    Module      om_udp
    # Placeholder: replace with the address of your syslog/Graylog collector
    Host        collector.example.com
    Port        514
    # UDP syslog is cleartext and unacknowledged; om_ssl carries the same messages over TLS
    #IETF Syslog (RFC5424)
    Exec        to_syslog_ietf();
    #BSD Syslog (RFC3164)
    #Exec        to_syslog_bsd();
    #SNARE formatted messages
    #Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>

Combine with Graylog… voilà!
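To see what actually arrives at the collector on UDP 514, here is an added example (not part of the original post, nor nxlog's or Graylog's own code): a small parser for the RFC 5424 messages that to_syslog_ietf() emits, plus a receiver-side version of the commented-out severity filter. The sample messages are constructed, and the SD-ID NXLOG@14506 and the field names inside it are assumptions about nxlog's output.

```python
import re

# Syslog severities (RFC 5424); nxlog maps its SeverityValue (1=DEBUG .. 5=CRITICAL) onto these in PRI.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NXLOG_SD_ID = "NXLOG@14506"  # SD-ID nxlog uses for the Windows event fields (assumed here)

# Constructed sample messages in the shape to_syslog_ietf() produces; not captured from a real host.
SAMPLE_LINES = [
    '<11>1 2024-01-15T10:23:45.123Z WIN-HOST01 Microsoft-Windows-Security-Auditing 612 - '
    '[NXLOG@14506 EventID="4625" Channel="Security" AccountName="alice" IpAddress="10.0.0.5"] '
    'An account failed to log on.',
    '<14>1 2024-01-15T10:24:02.000Z WIN-HOST01 Microsoft-Windows-Security-Auditing 612 - '
    '[NXLOG@14506 EventID="4624" Channel="Security" Note="Logon [type 3\\]"] '
    'An account was successfully logged on.',
]

# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then structured data and MSG
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>\d+ (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ (?P<rest>.*)$", re.DOTALL)
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse_ietf_syslog(line: str) -> dict:
    """Parse one RFC 5424 message into header fields, structured-data params and the free-text MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    rec = {"facility": pri >> 3, "severity": pri & 7, "severity_name": SEVERITY_NAMES[pri & 7],
           "timestamp": m.group("ts"), "host": m.group("host"), "app": m.group("app"), "sd": {}}
    rest = m.group("rest")
    pos = 1 if rest.startswith("-") else 0  # '-' is the NILVALUE: no structured data at all
    # One or more [SD-ID k="v" ...] elements; a ']' inside a value arrives escaped as '\]'
    while pos < len(rest) and rest[pos] == "[":
        end = rest.index("]", pos)
        while rest[end - 1] == "\\":
            end = rest.index("]", end + 1)
        sd_id, _, params = rest[pos + 1:end].partition(" ")
        rec["sd"][sd_id] = {k: v.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")
                            for k, v in PARAM_RE.findall(params)}
        pos = end + 1
    rec["msg"] = rest[pos:].lstrip()
    return rec


def keep_event(rec: dict, max_severity: int = 3) -> bool:
    """Receiver-side twin of the commented-out nxlog drop(): keep 'err' (3) and anything more urgent."""
    return rec["severity"] <= max_severity


if __name__ == "__main__":
    for rec in map(parse_ietf_syslog, SAMPLE_LINES):
        print(rec["severity_name"], rec["sd"].get(NXLOG_SD_ID, {}).get("EventID"), keep_event(rec), rec["msg"])
```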
