How to configure logstash to filter Windows event log
Posted: Tue Aug 02, 2016 3:50 am
Hi,
I am trying to have Nagios Log Server parsing Windows event log file but i am struggeling ...
Here is my NXlog config file
Here is my logstash.conf file
~
Whatever way i try to configure, no message appears in the dashboard and from system status i cannot see the status of elasticsearch database adn logstash collector.
Thank you
I am trying to have Nagios Log Server parsing Windows event log file but i am struggeling ...
Here is my NXlog config file
Code: Select all
## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json() ;
</Input>
<Output out>
Module om_tcp
Host 158.166.125.86
Port 3515
# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
<Route 1>
Path internal, file1, eventlog => out
</Route>
Code: Select all
input {
tcp {
port => 5544
type => 'WindowsEventLog'
codec => json {
charset => 'UTF-8'
}
}
}
filter {
if [type] == "WindowsEventLog" {
json {
source => "message"
}
if [SourceModuleName] == "eventlog" {
mutate {
replace => [ "message", "%{Message}" ]
}
mutate {
remove_field => [ "Message" ]
}
}
}
}
output {
if [type] == 'WindowsEventLog' {
elasticsearch {
host => 'localhost'
port => 9300
node_name => 's-agri-nagioslog1a'
cluster => 'nagios_elasticsearch'
index => 'logstash-evenlog-%{+YYYY.MM.dd}'
}
}
}Whatever way i try to configure, no message appears in the dashboard and from system status i cannot see the status of elasticsearch database adn logstash collector.
Thank you