Problem with config nxlog
Hello guys!
I have a problem with configuring nxlog.cfg.
I would like to send to the server only logs from Event Viewer 'application' and 'system', and only send items of type 'error', 'critical', 'warning'.
I generated an 'error' in eventvwr via PowerShell, but it is still not working; on the server, Kiwi doesn't show any logs.
My cfg:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
## Eventlog
<Extension _syslog>
Module xm_syslog
</Extension>
#<Extension _syslog>
# Module xm_json
#</Extension>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
Exec if ($EventType != 'Error' and $EventType != 'Warning' and $EventType != 'Critical') drop();
</Input>
<Output out>
Module om_udp
Host myipaddresskiwi
Port 514
## Exec to_syslog_bsd();
Exec to_syslog_snare();
## Exec to_json();
## Exec to_syslog_ietf();
</Output>
<Route 1>
Path eventlog => out
</Route>
Can you help me?
Thanks a lot!
- jmichaelson
- Posts: 375
- Joined: Wed Aug 23, 2023 1:02 pm
Re: Problem with config nxlog
Let's start off with the basics. If you use a default configuration file do you get logs sent to your log server?
Please let us know if you have any other questions or concerns.
-Jason
Re: Problem with config nxlog
More diagnostic info would also be helpful:
- What version of NLS?
- What OS / distribution?
Re: Problem with config nxlog
On the server I have Kiwi Syslog Server 9.8.1 and OS: WS 2019 x64.
nxlog is version: 2.10.2150
I will add that other configs work, but they show logs from Event Viewer 'information' and I don't need that.
- jmichaelson
- Posts: 375
- Joined: Wed Aug 23, 2023 1:02 pm
Re: Problem with config nxlog
Can you show us a working config file for comparison?
Please let us know if you have any other questions or concerns.
-Jason
Re: Problem with config nxlog
Yes, please:
Code:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
## Eventlog
<Extension _syslog>
Module xm_syslog
</Extension>
#<Extension _syslog>
# Module xm_json
#</Extension>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id='0'><Select Path='Security'>*</Select></Query>\
<Query Id='0'><Select Path='Application'>*</Select></Query>\
<Query Id='0'><Select Path='System'>*</Select></Query>\
</QueryList>
</Input>
<Output out>
Module om_udp
Host ip_host
Port 514
## Exec to_syslog_bsd();
Exec to_syslog_snare();
## Exec to_json();
## Exec to_syslog_ietf();
</Output>
<Route 1>
Path eventlog => out
</Route>
- jmichaelson
- Posts: 375
- Joined: Wed Aug 23, 2023 1:02 pm
Re: Problem with config nxlog
My suggestion would be to mimic Example 2 here: https://docs.nxlog.co/integrate/windows-eventlog.html. Like this:
Code:
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='1'>
<Select Path='Application'>*</Select>
<Select Path='Security'>*</Select>
<Select Path='System'>*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
And adding in something like this from Example 7:
Code:
<Exec>
if ($EventID in (1, 5) and
$Image == "C:\\Windows\\System32\\conhost.exe") or
($EventID == 3 and
$DestinationPort == 80 and
$DestinationIp == 10.0.0.1) {
drop();
}
</Exec>
with the condition on the if set to match your event type filters. You may also need to use double quotes on the filter strings as well.
I realize that this is very similar to what you already have, but I'm updating it to use the current documentation for nxlog.
Please let us know if you have any other questions or concerns.
-Jason
Re: Problem with config nxlog
Okay,
How can I now configure it to receive only error and warning events?
Like this?:
Code:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
## Eventlog
<Extension _syslog>
Module xm_syslog
</Extension>
#<Extension _syslog>
# Module xm_json
#</Extension>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id='0'><Select Path='Security'>*</Select></Query>\
<Query Id='0'><Select Path='Application'>*</Select></Query>\
<Query Id='0'><Select Path='System'>*</Select></Query>\
</QueryList>
</QueryXML>
<Exec>
if ($Severity != 'ERROR') drop(); # Filter to capture only error messages
</Exec>
</Input>
<Output out>
Module om_udp
Host my_ipaddress_server
Port 514
## Exec to_syslog_bsd();
Exec to_syslog_snare();
## Exec to_json();
## Exec to_syslog_ietf();
</Output>
<Route 1>
Path eventlog => error_filter => out
</Route>
Or I don't know..
can you help me?
Thanks a lot
- jmichaelson
- Posts: 375
- Joined: Wed Aug 23, 2023 1:02 pm
Re: Problem with config nxlog
Do you have it working there where it's only receiving Error events? If so, then add on to your condition:
Code:
<Exec>
if ($Severity != 'ERROR' and $Severity != 'WARNING') drop(); # Filter to keep only Error and Warning messages
</Exec>
Please let us know if you have any other questions or concerns.
-Jason
Re: Problem with config nxlog
It works!
Thank you in advance for help!