LogServer Dashboard Help Filtering

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.

Post by kwhogster »

LogServer 1.4.2

I have 12 hosts reporting to the Log Server: Windows 2012, Windows 2008, etc.

When I look at the dashboard I only see security-type events: Audit Success, Audit Failure, Info.

I do not see the application or system log events from the Windows server.

Am I missing something?

Can I filter just to see Warnings and Errors only?

Post by dwhitfield »

Have you already read our document on filters? https://assets.nagios.com/downloads/nag ... ilters.pdf

Post by kwhogster »

dwhitfield

Yes show that

An example would be helpful here.

I would like to see just warnings and errors on all Windows servers.

Thanks

Post by mcapra »

If I'm looking at a bunch of Windows event logs from a specific host, there's a whole bunch of fields I can analyze on the left-hand side of the screen:
[Attached image: 2016_10_28_09_19_46_Dashboard_Nagios_Log_Server.png]
If I wanted to filter specific values for a given field, say EventType, I could click that field and use the magnifying glass to only search EventType entries with that specific value (AUDIT_SUCCESS, INFO, ERROR, etc.):
[Attached image: 2016_10_28_09_21_31_Dashboard_Nagios_Log_Server.png]
Former Nagios employee
https://www.mcapra.com/

Post by kwhogster »

When I do that I only see
Value
Audit_Success
Info
Audit_Failure

It seems that all this is pulling in

Client settings maybe?

Post by mcapra »

Probably client side, but there are things we can do to fix it on the NLS end of things depending on the logs. Can you show a full expansion of one of the events like so:
[Attached image: 2016_10_31_09_56_27_Dashboard_Nagios_Log_Server.png]
We might need to examine a different field depending on what your event logs look like. If you could also share your nxlog configuration (and Windows version) that would be helpful.
Former Nagios employee
https://www.mcapra.com/

Post by kwhogster »

[Attached image: nls1.png]
The nxlog config

Windows 2012 R2, Windows 2008 R2, Windows 2003, Windows 10, Windows 8, Windows 7,
Meraki router and Cisco switches all report.

Code:

## See the nxlog reference manual at 
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
</Input>
 
# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
 
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
</Input>

<Output out>
    Module om_tcp
    Host 10.2.8.74
    Port 3515
	
    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();
	
	# Uncomment for debug output
	# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
 
<Route 1>
    Path internal, file1, eventlog => out
</Route>

Had to split the image; it was longer than the monitor.

Post by rkennedy »

I'm a bit confused on what you're looking to do exactly. First you mention this -
"I do not see the application or system log events from the Windows server."
I just tested with a stock NXLOG install, and it is indeed logging things from the 'Application' section of Event Viewer. If you want to turn on additional things, this link might help - https://www.ultimatewindowssecurity.com ... erver-2008

As far as the filtering goes, we can break text out of your fields into their own for querying. Which part of the 'message' field are you looking to isolate into its own?

Here's a screenshot to help illustrate the application logs making it into NLS -
[Attached image: nls-eventviewer-application.PNG]
Former Nagios Employee

Post by kwhogster »

rkennedy

Let me try to clarify

When I view NLS using the dashboard I have 12 devices reporting, so far so good.

On my dashboard I see the logs but I only see security log entries.

I scrolled thru the entire log and that is all that is reporting.

All successful; once in a while I see a security failure but not often.

I really do not need to have NLS show me those at this time.

I just want to see the application log and system log entries.

Also I would like to just see warnings and/or errors from the application log and systems log.

Post by mcapra »

So let's say I have two Windows hosts sending their event logs to NLS:

192.168.67.99 running Server 2012
192.168.67.98 running Server 2008

By clicking the aforementioned magnifying glass next to the "host" field, I can isolate my results to 192.168.67.99 fairly easily. I can edit this filter to capture both hosts by setting the query of this filter to "192.168.67.98" OR "192.168.67.99". Now my dashboard will show only the entries for those two hosts. I save this dashboard because I think it's very neat and useful. By saving this dashboard, I can access it later on.
[Attached image: 2016_11_02_12_56_40_Dashboard_Nagios_Log_Server.png]
kwhogster wrote: On my dashboard I see the logs but I only see security log entries

I scrolled thru the entire log and that is all that is reporting.

All successful once in a while I see a security failure but not often.

I really do not need to have NLS show me those at this time
So I don't want to see security entries period. I can filter out entries with "Security" as the Channel by clicking the little crossmark next to the magnifying glass to exclude those entries:
[Attached image: 2016_11_02_12_55_25_Dashboard_Nagios_Log_Server.png]
I save this dashboard again for use later. Now this dashboard will get all logs on 192.168.67.98 and 192.168.67.99 where the Channel IS NOT Security.

The queries and filters at work here:
[Attached image: 2016_11_02_12_59_28_Dashboard_Nagios_Log_Server.png]
Former Nagios employee
https://www.mcapra.com/
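
The host, Channel and EventType filtering worked out in this thread, as an added example that is not part of any post above and is not Nagios code: the Python below counts which channels each host actually delivers, applies the same filter logic to events, and builds the matching query string. The sample events are constructed, the function names are hypothetical, and it assumes events are available as one JSON object per line and that the dashboard query box accepts standard Lucene query-string syntax.

```python
import json
from collections import Counter

# Constructed sample events (not real logs) using the thread's field names.
SAMPLE_LINES = """
{"host": "192.168.67.99", "Channel": "Security", "EventType": "AUDIT_SUCCESS", "EventID": 4624}
{"host": "192.168.67.99", "Channel": "Application", "EventType": "ERROR", "EventID": 1000}
{"host": "192.168.67.98", "Channel": "System", "EventType": "WARNING", "EventID": 36}
{"host": "192.168.67.98", "Channel": "System", "EventType": "INFO", "EventID": 7036}
{"host": "192.168.67.50", "Channel": "Application", "EventType": "ERROR", "EventID": 1000}
this line is not JSON and is skipped
""".splitlines()


def parse_events(lines):
    """Return the JSON objects found in lines; blank or malformed lines are skipped."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events


def channels_by_host(events):
    """Count events per (host, Channel): shows whether a client sends only Security."""
    return Counter((e.get("host"), e.get("Channel")) for e in events)


def dashboard_filter(events, hosts, excluded=("Security",), types=("WARNING", "ERROR")):
    """host IS one of hosts AND Channel IS NOT excluded AND EventType IS one of types."""
    return [e for e in events if e.get("host") in hosts
            and e.get("Channel") not in excluded and e.get("EventType") in types]


def query_string(hosts, excluded=("Security",), types=("WARNING", "ERROR")):
    """Equivalent Lucene query-string expression (assumed syntax for the query box)."""
    def any_of(values):
        return "(" + " OR ".join('"%s"' % v for v in values) + ")"
    return "host:%s AND NOT Channel:%s AND EventType:%s" % (
        any_of(hosts), any_of(excluded), any_of(types))


if __name__ == "__main__":
    events, hosts = parse_events(SAMPLE_LINES), ["192.168.67.98", "192.168.67.99"]
    print(sorted(channels_by_host(events).items()))
    print(dashboard_filter(events, hosts), query_string(hosts), sep="\n")
```

Filtering on the dashboard side leaves the Security channel events indexed and searchable, so the audit trail is still there when it is needed.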