How to configure logstash to filter Windows event log

kibambe
Posts: 1
Joined: Tue Aug 02, 2016 3:33 am

How to configure logstash to filter Windows event log

Post by kibambe »

Hi,

I am trying to have Nagios Log Server parse the Windows event log file, but I am struggling ...

Here is my NXlog config file

## See the nxlog reference manual at 
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
</Input>
 
# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>
 
# Windows Event Log
<Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>\
                  <Select Path="Application">*</Select>\
                  <Select Path="System">*</Select>\
                  <Select Path="Security">*</Select>\
              </Query>\
          </QueryList>
    # Uncomment im_mseventlog for Windows XP/2000/2003
    #   Module im_mseventlog

    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();
</Input>

<Output out>
    Module om_tcp
    Host 158.166.125.86
    Port 3515
# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
 
<Route 1>
    Path internal, file1, eventlog => out
</Route>
Here is my logstash.conf file

input {
    tcp {
        port => 5544
        type => 'WindowsEventLog'
        codec => json {
            charset => 'UTF-8'
        }
    }
}

filter {
  if [type] == "WindowsEventLog" {
    json {
      source => "message"
    }
    if [SourceModuleName] == "eventlog" {
      mutate {
        replace => [ "message", "%{Message}" ]
      }
      mutate {
        remove_field => [ "Message" ]
      }
    }
  }
}


output {
    if [type] == 'WindowsEventLog' {
        elasticsearch {
            host => 'localhost'
            port => 9300
            node_name => 's-agri-nagioslog1a'
            cluster => 'nagios_elasticsearch'
            index => 'logstash-evenlog-%{+YYYY.MM.dd}'
        }
    }
}
Whatever way I try to configure it, no message appears in the dashboard, and from System Status I cannot see the status of the Elasticsearch database and the Logstash collector.

Thank you
Last edited by mcapra on Tue Aug 02, 2016 9:26 am, edited 1 time in total.
Reason: please wrap long/technical outputs in [code] tags
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: How to configure logstash to filter Windows event log

Post by hsmith »

You have NXLog configured to send to port 3515, and NLS configured to listen on port 5544.
Former Nagios Employee.
me.
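As an added illustration (not code from this thread, from Nagios, or from NXLog), the following Python script reads the two configuration excerpts posted above and reports any NXLog om_tcp output whose port no Logstash tcp input is listening on, which is exactly the mismatch pointed out in the reply. The config strings are copied from the posts; the parsing rules (one `Key Value` per line inside an NXLog `<Output>` block, a `port => N` setting inside a Logstash `tcp { ... }` block) are simplified assumptions that suit these two files rather than full parsers for either format.

```python
import re

# Constructed excerpts, trimmed from the two configs posted in the thread.
NXLOG_CONF = """
<Output out>
    Module om_tcp
    Host 158.166.125.86
    Port 3515
# Uncomment for debug output
# Exec file_write('%ROOT%\\data\\nxlog_output.log', $raw_event + "\\n");
</Output>
"""

LOGSTASH_CONF = """
input {
    tcp {
        port => 5544
        type => 'WindowsEventLog'
        codec => json {
            charset => 'UTF-8'
        }
    }
}
"""


def nxlog_outputs(conf):
    """Map each NXLog <Output name> block to its 'Key Value' directives.

    Assumption: directives are one per line, comments start with '#'.
    """
    outputs = {}
    for block in re.finditer(r"<Output\s+(\w+)>(.*?)</Output>", conf, re.S):
        name, body = block.group(1), block.group(2)
        fields = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and whitespace
            if not line:
                continue
            key, _, value = line.partition(" ")
            fields[key] = value.strip()
        outputs[name] = fields
    return outputs


def logstash_tcp_ports(conf):
    """Return the port of every Logstash tcp { ... } block.

    Braces are matched by depth so the nested codec => json { ... } block
    inside the tcp input does not end the search early.
    """
    ports = []
    for start in re.finditer(r"\btcp\s*\{", conf):
        depth, i = 1, start.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[start.end():i - 1]
        port = re.search(r"\bport\s*=>\s*(\d+)", body)
        if port:
            ports.append(int(port.group(1)))
    return ports


def find_mismatch(nxlog_conf, logstash_conf):
    """List (output_name, nxlog_port, listening_ports) for every om_tcp
    output that points at a port no Logstash tcp input listens on."""
    listening = sorted(set(logstash_tcp_ports(logstash_conf)))
    problems = []
    for name, fields in nxlog_outputs(nxlog_conf).items():
        if fields.get("Module") != "om_tcp":
            continue
        port = int(fields["Port"])
        if port not in listening:
            problems.append((name, port, listening))
    return problems


if __name__ == "__main__":
    for name, port, listening in find_mismatch(NXLOG_CONF, LOGSTASH_CONF):
        print(f"NXLog output '{name}' sends to TCP/{port}, "
              f"but Logstash only listens on {listening}")
```

Run against the two excerpts it reports that output `out` sends to TCP/3515 while Logstash listens only on 5544; either side can be changed, but whichever port is kept must also be open on the Nagios Log Server host's firewall for the shipped events to arrive.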
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: How to configure logstash to filter Windows event log

Post by tmcdonald »

Closing due to inactivity. Please let me know via PM if you would like this re-opened.
Former Nagios employee