New demo implementation, 4 sources, no events

bpizzutiWHI
Posts: 64
Joined: Thu Mar 02, 2017 10:15 am

New demo implementation, 4 sources, no events

Post by bpizzutiWHI »

I've got 3 Windows servers set up as sources, they are showing up on the Home page of the log server. Config file is as follows:

Code:
## See the nxlog reference manual at 
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
</Input>
 
# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
 
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
</Input>

<Output out>
    Module om_tcp
    Host 10.200.25.92
    Port 3515

    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();

    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
 
<Route 1>
    Path internal, file1, eventlog => out
</Route>
I'm not seeing any events from any of the servers except for the local log server itself (127.0.0.1). And I know for a fact that there are events in the servers I added.
Last edited by tmcdonald on Mon Mar 06, 2017 10:41 am, edited 1 time in total.
Reason: Please use [code][/code] tags around long output
bpizzutiWHI
Posts: 64
Joined: Thu Mar 02, 2017 10:15 am

Re: New demo implementation, 4 sources, no events

Post by bpizzutiWHI »

Oh, here's an extract from nxlog_output with debug mode enabled:

Code:
l":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:23:31","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.0\r\n   CipherSuite: 0x5\r\n   Exchange strength: 2048"}
{"EventTime":"2017-03-03 15:23:34","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36880,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106801,"ProcessID":856,"ThreadID":3652,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:23:36","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.0\r\n   CipherSuite: 0x2F\r\n   Exchange strength: 2048"}
{"EventTime":"2017-03-03 15:23:35","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36880,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106802,"ProcessID":856,"ThreadID":3652,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:23:36","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.0\r\n   CipherSuite: 0x2F\r\n   Exchange strength: 2048"}
{"EventTime":"2017-03-03 15:23:48","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36867,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106803,"ProcessID":856,"ThreadID":6996,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","Type":"client","EventReceivedTime":"2017-03-03 15:23:49","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"Creating an SSL client credential."}
{"EventTime":"2017-03-03 15:23:51","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36880,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106804,"ProcessID":856,"ThreadID":3652,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:23:53","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.0\r\n   CipherSuite: 0x35\r\n   Exchange strength: 1024"}
{"EventTime":"2017-03-03 15:23:55","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36880,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106805,"ProcessID":856,"ThreadID":3652,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:23:56","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.0\r\n   CipherSuite: 0x2F\r\n   Exchange strength: 2048"}
{"EventTime":"2017-03-03 15:24:00","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36880,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106806,"ProcessID":856,"ThreadID":4044,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:24:01","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.2\r\n   CipherSuite: 0xC028\r\n   Exchange strength: 521"}
{"EventTime":"2017-03-03 15:24:00","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36880,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106807,"ProcessID":856,"ThreadID":4044,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:24:01","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.0\r\n   CipherSuite: 0x5\r\n   Exchange strength: 2048"}
{"EventTime":"2017-03-03 15:24:00","Hostname":"vm33npc01-cv2.whisystems.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":36880,"SourceName":"Schannel","ProviderGuid":"{1F678132-5938-4686-9FDC-C8FF68F15C85}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":3106808,"ProcessID":856,"ThreadID":4044,"Channel":"System","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"Well Known Group","Opcode":"Info","EventReceivedTime":"2017-03-03 15:24:01","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.\r\n\r\n   Protocol: TLS 1.0\r\n   CipherSuite: 0x5\r\n   Exchange strength: 2048"}
{"EventTime":"2017-03-03 15:24:06","Hostname":"vm33npc01-cv2","SeverityValue":3,"Severity":"WARNING","SourceName":"nxlog-ce","ProcessID":9324,"EventReceivedTime":"2017-03-03 15:24:06","SourceModuleName":"internal","SourceModuleType":"im_internal","message":"stopping nxlog service"}
{"EventTime":"2017-03-03 15:24:06","Hostname":"vm33npc01-cv2","SeverityValue":3,"Severity":"WARNING","SourceName":"nxlog-ce","ProcessID":9324,"EventReceivedTime":"2017-03-03 15:24:06","SourceModuleName":"internal","SourceModuleType":"im_internal","message":"nxlog-ce received a termination request signal, exiting..."}
Last edited by tmcdonald on Mon Mar 06, 2017 10:41 am, edited 1 time in total.
Reason: Please use [code][/code] tags around long output
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: New demo implementation, 4 sources, no events

Post by mcapra »

Can you share the output of the following commands executed from the CLI of your Nagios Log Server machine:

Code:
grep '' /usr/local/nagioslogserver/logstash/etc/conf.d/*
tail -n 100 /var/log/logstash/logstash.log
tail -n 100 /var/log/elasticsearch/*.log
service logstash status
service elasticsearch status
netstat -an | grep 3515
Can you also run the following commands and share the resulting /tmp/42788.pcap file:

Code:
yum install tcpdump
timeout 15 tcpdump -w /tmp/42788.pcap -i any 'port 3515'
Former Nagios employee
https://www.mcapra.com/
damindd
Posts: 9
Joined: Tue Mar 28, 2017 1:13 pm

Re: New demo implementation, 4 sources, no events

Post by damindd »

I was having this issue as well. New Nagios Log Server, couple of Windows sources, no events displayed. When I ran the commands that mcapra posted I noticed that the time of the Nagios Log Server was several hours in the future. After editing /etc/ntp.conf to point at our time server and rebooting, events began to show up in the dashboard.

Hope this is helpful.

The root cause damindd describes (the log server's clock hours ahead of the agents, so freshly sent events fall outside the dashboard's recent time window) can be caught directly from the nxlog debug output shown earlier in the thread. The Python script below is an added example, not code from any poster, nxlog or Nagios: it parses the one-object-per-line JSON that `to_json()` writes (skipping a truncated fragment like the first line of a `tail`), counts events per input module and EventID to confirm the agent is actually producing records, and compares each record's EventReceivedTime (stamped by the agent's clock) with the log server's clock to flag hosts whose offset exceeds a tolerance. Hostnames, record contents and the server time in `main()` are constructed for the example; the thread's field names are kept. Run it right after capturing the file, passing the server's wall-clock time as read at capture, so transport delay does not inflate the offset.

```python
"""Sanity-check nxlog JSON debug output: are events produced, and do the
agent and log server clocks agree? Added example for this thread; not nxlog
or Nagios Log Server code."""
import json
from collections import Counter
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # format nxlog uses for EventReceivedTime

# Constructed sample lines shaped like the thread's nxlog_output extract.
# Hostnames and record numbers are made up; the first line imitates the
# cut-off head of a file tail and must be skipped, not parsed.
SAMPLE_LINES = [
    'l":"System","message":"fragment cut off by tail"}',
    '{"EventTime":"2017-03-03 15:23:34","Hostname":"win-a.example",'
    '"EventID":36880,"SourceName":"Schannel","Channel":"System",'
    '"RecordNumber":1001,"EventReceivedTime":"2017-03-03 15:23:36",'
    '"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog",'
    '"message":"An SSL client handshake completed successfully."}',
    '{"EventTime":"2017-03-03 15:23:48","Hostname":"win-a.example",'
    '"EventID":36867,"SourceName":"Schannel","Channel":"System",'
    '"RecordNumber":1002,"EventReceivedTime":"2017-03-03 15:23:49",'
    '"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog",'
    '"message":"Creating an SSL client credential."}',
    '{"EventTime":"2017-03-03 15:24:06","Hostname":"win-a",'
    '"SeverityValue":3,"Severity":"WARNING","SourceName":"nxlog-ce",'
    '"EventReceivedTime":"2017-03-03 15:24:06",'
    '"SourceModuleName":"internal","SourceModuleType":"im_internal",'
    '"message":"stopping nxlog service"}',
]


def parse_json_lines(lines):
    """Parse one JSON object per line; skip fragments and malformed lines."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # truncated head of a tail, or a non-JSON line
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def count_by_module(events):
    """Count records per (SourceModuleName, EventID); im_internal has no EventID."""
    return Counter((e.get("SourceModuleName"), e.get("EventID")) for e in events)


def find_clock_skew(events, server_now, tolerance=timedelta(minutes=5)):
    """Compare each record's EventReceivedTime with the log server's clock.

    Returns {hostname: worst offset in seconds} for hosts whose offset exceeds
    the tolerance. A positive offset means the server clock is ahead of the
    agent, which is the situation reported in this thread.
    """
    worst = {}
    for e in events:
        try:
            received = datetime.strptime(e["EventReceivedTime"], TIME_FMT)
        except (KeyError, ValueError):
            continue
        offset = (server_now - received).total_seconds()
        host = e.get("Hostname", "?")
        if abs(offset) > tolerance.total_seconds() and abs(offset) > abs(worst.get(host, 0.0)):
            worst[host] = offset
    return worst


def main():
    events = parse_json_lines(SAMPLE_LINES)
    print("records per module/EventID:")
    for key, n in sorted(count_by_module(events).items(), key=str):
        print(f"  {key}: {n}")
    # Constructed server time: roughly five hours ahead of the agents.
    server_now = datetime(2017, 3, 3, 20, 24, 0)
    for host, off in find_clock_skew(events, server_now).items():
        print(f"clock skew: {host} is {off:+.0f}s relative to the server")


if __name__ == "__main__":
    main()
```

If the summary shows records from `eventlog` but the skew map is non-empty, the agent side is fine and the fix is on the server clock (NTP), exactly as damindd found; an empty record count instead points back at the nxlog route or the TCP path, which is what mcapra's `netstat` and `tcpdump` commands test.
<test>
events = parse_json_lines(SAMPLE_LINES)
assert len(events) == 3
counts = count_by_module(events)
assert counts[("eventlog", 36880)] == 1
assert counts[("eventlog", 36867)] == 1
assert counts[("internal", None)] == 1
skew = find_clock_skew(events, datetime(2017, 3, 3, 20, 24, 0))
assert skew == {"win-a.example": 18024.0, "win-a": 17994.0}
assert find_clock_skew(events, datetime(2017, 3, 3, 15, 24, 10)) == {}
assert parse_json_lines(["not json", "{bad"]) == []
</test>
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: New demo implementation, 4 sources, no events

Post by dwhitfield »

@damindd, thanks so much!

@bpizzutiWHI, was that useful for you?