
Recommendations for Windows Eventlogs

Posted: Tue Jan 27, 2015 5:23 am
by WillemDH
Hello,

I did not immediately find documentation for sending Windows events to NLS. After browsing the forum a bit, I found out that I had to install nxlog, which I did and copied an example nxlog.conf. (=> EDIT: LOL, it seems there is a guide on the homepage of NLS)

It seems like the config file sends all Windows events to NLS. I have no idea about sizing and the amount of storage needed for one Windows server if I wanted to keep the logs for, let's say, one month. How can I see in NLS how much MB / GB of logs one host is sending over x time?

How can I specify to only send the application and system events?


## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# nxlog's own internal messages
<Input internal>
    Module im_internal
</Input>

# Watch your own files
<Input file1>
    Module im_file
    File '%ROOT%\data\nxlog.log'
    SavePos TRUE
</Input>

# Windows Event Log
<Input eventlog>
    # im_msvistalog is for Windows Vista/2008 and later
    Module im_msvistalog
    # Use im_mseventlog instead on Windows XP/2000/2003
    # Module im_mseventlog
</Input>

<Output out>
    Module om_tcp
    Host   NLSIP
    Port   3515
    # Copy $Message into a lowercase "message" field before serialising to JSON
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage", "message");
    Exec $raw_event = to_json();
    # Uncomment for debug output (requires the fileop extension above)
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
    Path internal, file1, eventlog => out
</Route>

Grtz

Thanks.

Re: Recommendations for Windows Eventlogs

Posted: Tue Jan 27, 2015 3:32 pm
by cmerchant
This snippet uses im_mseventlog (use im_msvistalog for Windows 2008), and the Sources statement will filter Application and System events.


<Input in>
    Module im_mseventlog
    # Only process events from the Application and System event logs
    Sources Application,System
    Exec $app = "apptag";
</Input>
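
The Sources directive above belongs to im_mseventlog; the im_msvistalog module used in the original config selects channels with an event log query instead. As an added example that is not from the thread, here is an im_msvistalog input limited to the Application and System channels; the output name "out" is assumed from the original config.

```apacheconf
# Added example: im_msvistalog input restricted to two channels.
# QueryXML takes the same XPath query syntax that Event Viewer uses
# for custom views, so a query can be tested there first.
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <!-- To cut volume further, keep only Critical/Error/Warning
                     from a channel instead of "*", e.g.:
                     <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select> -->
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Route to the om_tcp output named "out" in the original config (assumed name)
<Route 1>
    Path eventlog => out
</Route>
```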

Re: Recommendations for Windows Eventlogs

Posted: Tue Feb 03, 2015 12:34 pm
by WillemDH
Seems this answers my question. Thanks cmerchant. You can go ahead and close the thread. ;)