Recommendations for Windows Eventlogs

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Recommendations for Windows Eventlogs

Post by WillemDH »

Hello,

I did not immediately find documentation for sending Windows events to NLS. After browsing the forum a bit, I found out that I had to install nxlog, which I did and copied an example nxlog.conf. (=> EDIT: LOL, it seems there is a guide on the homepage of NLS)

It seems like the config file sends all Windows events to NLS. As I have no idea about sizing and the amount of storage needed for one Windows server if I wanted to keep the logs for let's say one month. How can I see in NLS how much MB / GB of logs one host is sending over x time?

How can I specify to only send the application and system events?


## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
	# Module xm_fileop
#</Extension>

<Extension json>
	Module xm_json
</Extension>

<Extension syslog>
	Module xm_syslog
</Extension>

<Input internal>
	Module im_internal
</Input>

# Watch your own files
<Input file1>
	Module im_file
	File '%ROOT%\data\nxlog.log'
	SavePos TRUE
</Input>

# Windows Event Log
<Input eventlog>
	# Uncomment im_msvistalog for Windows Vista/2008 and later
	Module im_msvistalog
	# Uncomment im_mseventlog for Windows XP/2000/2003
	# Module im_mseventlog
</Input>

<Output out>
    Module      om_tcp
    Host        NLSIP
    Port        3515
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();
    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
    Path internal, file1, eventlog => out
</Route>

Grtz

Thanks.
Nagios XI 5.8.1
https://outsideit.net
cmerchant
Posts: 546
Joined: Wed Sep 24, 2014 11:19 am

Re: Recommendations for Windows Eventlogs

Post by cmerchant »

This snippet uses im_mseventlog (use im_msvistalog for Windows 2008), and the Sources statement will filter Application and System events.


<Input in>
    Module im_mseventlog
    # Only process Eventlogs from the Application and System event logs
    Sources Application,System
    Exec $app = "apptag";
</Input>
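As an added example (not from this thread, nxlog or Nagios Log Server), a Python script for the sizing question in the first post: it reads the JSON lines nxlog writes when the commented-out file_write debug line in the output module is enabled, counts bytes only for the Application and System channels (the same filter the Sources directive applies), and extrapolates per-host volume to 30 days. Field names (EventTime, Hostname, Channel) follow im_msvistalog's output; the sample lines and hostnames are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape nxlog's to_json() emits for im_msvistalog
# events after the Exec above renames $Message to "message" (hostnames invented).
SAMPLE_LINES = [
    '{"EventTime":"2015-01-05 08:00:00","Hostname":"WIN01","Channel":"Application","EventID":1000,"SourceName":"Application Error","message":"Faulting application"}',
    '{"EventTime":"2015-01-05 12:00:00","Hostname":"WIN01","Channel":"Security","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","message":"An account was successfully logged on"}',
    '{"EventTime":"2015-01-05 20:00:00","Hostname":"WIN02","Channel":"System","EventID":7036,"SourceName":"Service Control Manager","message":"The service entered the running state"}',
    '{"EventTime":"2015-01-06 08:00:00","Hostname":"WIN01","Channel":"System","EventID":6005,"SourceName":"EventLog","message":"The Event log service was started"}',
]

def summarize(lines, keep_channels=("Application", "System")):
    """Sum bytes per host and per (host, channel) for the kept channels only,
    and measure the time span the sample covers. Mirrors the Sources filter:
    events from other channels (Security here) are not counted."""
    per_host = defaultdict(int)
    per_host_channel = defaultdict(int)
    times = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # not a JSON event, e.g. a line from nxlog's own log
        channel = ev.get("Channel")
        if channel not in keep_channels:
            continue
        size = len(raw.encode("utf-8")) + 1  # bytes on the wire, newline included
        host = ev.get("Hostname", "unknown")
        per_host[host] += size
        per_host_channel[(host, channel)] += size
        times.append(datetime.strptime(ev["EventTime"], "%Y-%m-%d %H:%M:%S"))
    span_days = (max(times) - min(times)).total_seconds() / 86400 if len(times) > 1 else 1.0
    return {"per_host": dict(per_host),
            "per_host_channel": dict(per_host_channel),
            "span_days": max(span_days, 1e-9)}  # avoid dividing by a zero-length span

def monthly_estimate_mb(summary, days=30):
    """Extrapolate the observed per-host volume to a retention window, in MB."""
    scale = days / summary["span_days"]
    return {host: nbytes * scale / (1024 * 1024) for host, nbytes in summary["per_host"].items()}

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for host, mb in sorted(monthly_estimate_mb(s).items()):
        print(f"{host}: about {mb:.3f} MB per 30 days (observed span {s['span_days']:.1f} days)")
```

Run it against a day or two of real nxlog_output.log instead of SAMPLE_LINES to get a per-host monthly figure before committing to retention settings in NLS.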
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: Recommendations for Windows Eventlogs

Post by WillemDH »

Seems this answers my question. Thanks cmerchant. You can go ahead and close the thread. ;)
Nagios XI 5.8.1
https://outsideit.net