Windows Event logs not appearing in dashboard

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
tohan4

Windows Event logs not appearing in dashboard

Post by tohan4 »

I am sending logs from a Windows 2008 R2 server using nxlog. I am not seeing them in the dashboard.

I found these entries in /var/log/logstash/logstash.log:
{:timestamp=>"2014-10-30T03:30:32.191000-0400", :message=>"Error: No config files found: /usr/local/nagioslogserver/logstash/etc/conf.d/*\nCan you make sure this path is a logstash config file?"}
{:timestamp=>"2014-10-30T03:30:32.218000-0400", :message=>"You may be interested in the '--configtest' flag which you can\nuse to validate logstash's configuration before you choose\nto restart a running system."}

I am using an OVA 64-bit vmware template downloaded today.

Thanks.
lgroschen

Re: Windows Event logs not appearing in dashboard

Post by lgroschen »

Can you post the contents of your Global Configuration Inputs?

Get there by navigating to Administration > Global Configuration

Select the + sign next to the 'Windows Event Log (Default)' Input and paste the contents here.


Now, go to your Windows machine and find the nxlog.conf file and attach it to the next post. It is usually located here:

C:\Program Files (x86)\nxlog\conf\nxlog.conf

/Luke
tohan4

Re: Windows Event logs not appearing in dashboard

Post by tohan4 »

One thing I have noticed is that the LS_CONFILE location in /etc/init.d/logstash was pointing to /etc/logstash/conf.d

Global Configuration input for Windows Event Log:

tcp {
    type => 'eventlog'
    port => 3515
    codec => json {
        charset => 'CP1252'
    }
}

nxlog.conf (on Windows 2008 R2 Server):

## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

# Watch your own files
<Input file1>
    Module im_file
    File '%ROOT%\data\nxlog.log'
    SavePos TRUE
</Input>

# Windows Event Log
<Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    # Uncomment im_mseventlog for Windows XP/2000/2003
    # Module im_mseventlog
</Input>

<Output out>
    Module om_tcp
    Host 10.20.30.108
    Port 3515
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();

    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
    Path internal, file1, eventlog => out
</Route>
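The receiving side of the pipeline shown in this post (nxlog om_tcp sending to_json() records to a Logstash tcp input with the json codec and CP1252 charset), as an added example that is not part of this thread or of Nagios Log Server: a newline framer that reassembles nxlog's JSON records across TCP segment boundaries (the tcpdump later in the thread shows 1460-byte segments) and counts records that fail to decode, which is what a charset mismatch between sender and receiver produces. The sample events and the framer are constructed for illustration.

```python
import json

# Constructed sample of what the post's nxlog config emits: one JSON document
# per event, newline-terminated, the event text under "message" (the Exec lines
# rename $Message to "message"), encoded as CP1252 to match the Logstash codec.
SAMPLE_EVENTS = [
    {"EventTime": "2014-10-30 02:14:36", "Hostname": "WIN2008R2", "Channel": "Security",
     "EventID": 4624, "message": "An account was successfully logged on."},
    {"EventTime": "2014-10-30 02:14:37", "Hostname": "WIN2008R2", "Channel": "System",
     "EventID": 7036, "message": "The \u201cSpooler\u201d service entered the running state."},
]

def encode_stream(events, charset="cp1252"):
    """Serialise events the way om_tcp + to_json() does: JSON, newline, CP1252 bytes."""
    return b"".join(json.dumps(e, ensure_ascii=False).encode(charset) + b"\n" for e in events)

def split_like_tcp(data, mss=1460):
    """Cut the byte stream into segments, like the 1460-byte TCP segments in the tcpdump."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]

class LineFramer:
    """Reassembles newline-delimited JSON across arbitrary segment boundaries.
    A receiver that parses each segment as one document loses every event that
    straddles a boundary; buffering up to the newline keeps the event count right."""
    def __init__(self, charset="cp1252"):
        self.buf = b""
        self.charset = charset
        self.bad = 0   # records that failed to decode or parse

    def feed(self, chunk):
        self.buf += chunk
        events = []
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            if not line.strip():
                continue
            try:
                events.append(json.loads(line.decode(self.charset)))
            except (UnicodeDecodeError, ValueError):
                self.bad += 1  # count and continue; one bad record must not stall the stream
        return events

def receive(segments, charset="cp1252"):
    """Feed segments through the framer; returns (parsed events, bad record count)."""
    framer = LineFramer(charset)
    events = []
    for seg in segments:
        events.extend(framer.feed(seg))
    return events, framer.bad
```

Comparing the event count on the sending side (nxlog's own log) with the count this framer returns is the quickest way to tell a transport loss from a decode loss.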
sreinhardt

Re: Windows Event logs not appearing in dashboard

Post by sreinhardt »

Let's check a few other possibilities as well.

iptables -L | grep 3515
netstat -nao | grep 3515
tcpdump port 3515 (let this sit for 30 seconds to a few minutes, you should see additional lines coming through that show the IP of your windows host)
Please post the output from those.
tohan4

Re: Windows Event logs not appearing in dashboard

Post by tohan4 »

I am now seeing some event logs from the windows server but it appears to be only about 2% when I check the events logged locally via nxlog.

iptables -L | grep 3515 : returns nothing

[root@localhost ~]# netstat -nao | grep 3515
tcp 0 0 :::3515 :::* LISTEN off (0.00/0/0)
tcp 0 0 ::ffff:10.20.30.108:3515 ::ffff:10.20.30.90:51520 ESTABLISHED off (0.00/0/0)

tcpdump port 3515 : sits for about 1 minute then:
[root@localhost ~]# tcpdump port 3515
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
02:14:36.848547 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 2066133399:2066134859, ack 2217227171, win 256, length 1460
02:14:36.848599 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 1460, win 499, length 0
02:14:36.848616 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 1460:1952, ack 1, win 256, length 492
02:14:36.848624 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 1952, win 496, length 0
02:14:36.852884 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 1952:3412, ack 1, win 256, length 1460
02:14:36.852898 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 3412, win 499, length 0
02:14:36.852925 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 3412:4872, ack 1, win 256, length 1460
02:14:36.852933 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 4872, win 488, length 0
02:14:36.852943 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 4872:5233, ack 1, win 256, length 361
02:14:36.852951 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 5233, win 486, length 0
02:14:36.856184 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 5233:6693, ack 1, win 256, length 1460
02:14:36.856205 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 6693, win 499, length 0
02:14:36.856261 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 6693:8153, ack 1, win 256, length 1460
02:14:36.856273 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 8153, win 488, length 0
02:14:36.856288 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 8153:8514, ack 1, win 256, length 361
02:14:36.856297 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 8514, win 486, length 0
02:14:36.857931 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 8514:9974, ack 1, win 256, length 1460
02:14:36.857945 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 9974, win 499, length 0
02:14:36.859608 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 9974:11145, ack 1, win 256, length 1171
02:14:36.859622 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 11145, win 499, length 0
02:14:36.861069 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 11145:12316, ack 1, win 256, length 1171
02:14:36.861083 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 12316, win 499, length 0
02:14:36.862708 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 12316:13296, ack 1, win 256, length 980
02:14:36.862724 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 13296, win 499, length 0
02:14:36.864203 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 13296:14756, ack 1, win 256, length 1460
02:14:36.864217 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 14756, win 499, length 0
02:14:36.864231 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [P.], seq 14756:15213, ack 1, win 256, length 457
02:14:36.864240 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 15213, win 496, length 0
02:14:36.866036 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 15213:16673, ack 1, win 256, length 1460
02:14:36.866047 IP 10.20.30.108.must-backplane > 10.20.30.90.51520: Flags [.], ack 16673, win 499, length 0
02:14:36.866113 IP 10.20.30.90.51520 > 10.20.30.108.must-backplane: Flags [.], seq 16673:18133, ack 1, win 256, length 1460
^C
31 packets captured
74 packets received by filter
43 packets dropped by kernel
scottwilkerson

Re: Windows Event logs not appearing in dashboard

Post by scottwilkerson »

tohan4 wrote:
I am now seeing some event logs from the windows server but it appears to be only about 2% when I check the events logged locally via nxlog.

Just as an FYI, this will not "backfill" logs, it will only send "new" events.
tohan4

Re: Windows Event logs not appearing in dashboard

Post by tohan4 »

Am I going to get a solution to this issue, or should I keep looking into alternatives like the ELK stack?

Currently Nagios Log Server is not working. I would like to buy the product as I already have XI, but in this state it is not working for me.
scottwilkerson

Re: Windows Event logs not appearing in dashboard

Post by scottwilkerson »

To be clear, you still have new events being created on the Windows machine that are not reaching the log server?

If so, can you verify that the date/time are current on both?