nxlog / no correct logs

Posted: Tue Apr 19, 2016 1:53 am
by dkan
Hello

I am trying to send logs from a Windows PC to Nagios Log Server.
I managed to do so from other network devices, but couldn't from any Windows PC (Windows 8.1 and Windows 10 Pro).

My nxlog.conf is:
===============================================================================
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
</Input>

<Output out>
Module om_tcp
Host 172.22.1.40
Port 3515

Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();

# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
Path internal, file1, eventlog => out
</Route>
====================================================================================

I also created 2 firewall rules in iptables for 3515 TCP/UDP,
but the only type of logs that I receive on the dashboard are like these:
-----------------------------------------------------------------
2016-04-18T11:03:02.216+03:00 172.22.1.136 eventlog 2016-04-18 11:03:35 ERROR Couldn't read next event, corrupted eventlog?; The data is invalid.
2016-04-18T11:03:02.023+03:00 172.22.1.136 eventlog Couldn't read next event, corrupted eventlog?
The data is invalid.
2016-04-18T11:02:57.219+03:00 172.22.1.136 eventlog 2016-04-18 11:03:29 INFO connecting to 172.22.1.40:3515
2016-04-18T11:02:57.218+03:00 172.22.1.136 eventlog 2016-04-18 11:03:29 INFO nxlog-ce-2.9.1504 started
2016-04-18T11:02:56.205+03:00 172.22.1.136 eventlog connecting to 172.22.1.40:3515
2016-04-18T11:02:56.205+03:00 172.22.1.136 eventlog 2016-04-18 11:03:28 WARNING nxlog-ce received a termination request signal, exiting...
2016-04-18T11:02:56.205+03:00 172.22.1.136 eventlog nxlog-ce-2.9.1504 started
2016-04-18T11:02:56.204+03:00 172.22.1.136 eventlog 2016-04-18 11:03:28 WARNING stopping nxlog service
2016-04-18T11:02:54.802+03:00 172.22.1.136 eventlog nxlog-ce received a termination request signal, exiting...
2016-04-18T11:02:54.801+03:00 172.22.1.136 eventlog stopping nxlog service
--------------------------------------------------------------------

I even tried to change the input of the nxlog.conf to something more specific:

<Input eventlog>
Module im_msvistalog
Query <QueryList> \
<Query Id="0"> \
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
<Select Path="Application">*</Select> \
<Select Path="System">*</Select> \
<Select Path="Security">*</Select> \
</Query> \
</QueryList>
</Input>

But still I couldn't receive any meaningful log from the PC... only the following ones:
---------------------------------------------------------------------------------------------------
2016-04-18T11:01:58.698+03:00 172.22.1.136 eventlog
2016-04-18T11:01:58.523+03:00 172.22.1.136 eventlog
2016-04-18T11:01:58.365+03:00 172.22.1.136 eventlog
2016-04-18T10:58:42.649+03:00 172.22.1.136 eventlog 2016-04-18 10:59:15 INFO nxlog-ce-2.9.1504 started
2016-04-18T10:58:42.649+03:00 172.22.1.136 eventlog 2016-04-18 10:59:15 INFO connecting to 172.22.1.40:3515
2016-04-18T10:58:42.649+03:00 172.22.1.136 eventlog 2016-04-18 10:59:15 ERROR failed to subscribe to msvistalog events,the channel was not found [15007]; The specified channel could not be found. Check channel configuration.
2016-04-18T10:58:41.645+03:00 172.22.1.136 eventlog failed to subscribe to msvistalog events,the channel was not found [15007]
The specified channel could not be found. Check channel configuration.
2016-04-18T10:58:41.643+03:00 172.22.1.136 eventlog connecting to 172.22.1.40:3515


The event logs are now different from the previous ones, but still not the correct ones.

Regards,
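
As an added check (not part of the original post), this PowerShell script, run elevated on the Windows PC, confirms that every channel named in the QueryList above actually exists before nxlog tries to subscribe to it, which is the condition the "channel was not found [15007]" error in the second output reports, and that the collector port is reachable. The channel names and the host/port are taken from the configuration above; everything else is assumed.

```powershell
# Added example (not from the original post). Checks the im_msvistalog channels and the
# om_tcp destination from the posted nxlog.conf. Run from an elevated PowerShell, since the
# Security channel is only readable by administrators (the nxlog service runs as SYSTEM).
$channels = @(
    'Microsoft-Windows-Sysmon/Operational',
    'Application',
    'System',
    'Security'
)
$collector = '172.22.1.40'
$port      = 3515

$missing = @()
foreach ($name in $channels) {
    # -ListLog returns the channel configuration; a missing channel yields $null when
    # errors are suppressed, instead of a terminating error.
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if ($null -eq $log) {
        $missing += $name
        Write-Warning "channel not found: $name (im_msvistalog reports this as [15007])"
    }
    elseif (-not $log.IsEnabled) {
        Write-Warning "channel exists but is disabled: $name"
    }
    else {
        Write-Output ("ok: {0} ({1} records)" -f $name, $log.RecordCount)
    }
}

# The posted output shows the whole subscription failing, not just the missing channel,
# so list what has to leave the QueryList and what can stay.
if ($missing.Count -gt 0) {
    $keep = $channels | Where-Object { $missing -notcontains $_ }
    Write-Output "remove from QueryList: $($missing -join ', ')"
    Write-Output "channels that can stay: $($keep -join ', ')"
}

# Confirm the TCP path to the collector on the port the firewall rule was opened for.
$tcp = Test-NetConnection -ComputerName $collector -Port $port -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Output "tcp ${collector}:${port} reachable"
}
else {
    Write-Warning "tcp ${collector}:${port} not reachable; check the collector and the firewall rule"
}
```

The Sysmon channel only exists on hosts where Sysmon has been installed, so on a plain Windows 8.1 or 10 machine this check is expected to flag it.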

Re: nxlog / no correct logs

Posted: Tue Apr 19, 2016 9:32 am
by hsmith
Check out this post, and see if the suggestion at the bottom helps you: https://nxlog.org/question/656/windows- ... -event-log