Problem with config nxlog

Posted: Wed Aug 14, 2024 2:07 am
by jfig
Hello guys!
I have a problem configuring nxlog.cfg.
I would like to send to the server only logs from the Event Viewer 'Application' and 'System' logs, and only send items of type 'Error', 'Critical' and 'Warning'.
I generated an 'Error' event in eventvwr via PowerShell, but it's still not working; on the Kiwi server no logs appear.


My cfg:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
## Eventlog

<Extension _syslog>
Module xm_syslog
</Extension>
#<Extension _syslog>
# Module xm_json
#</Extension>

<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
Exec if ($EventType != 'Error' and $EventType != 'Warning' and $EventType != 'Critical') drop();
</Input>
<Output out>
Module om_udp
Host myipaddresskiwi
Port 514
## Exec to_syslog_bsd();
Exec to_syslog_snare();
## Exec to_json();
## Exec to_syslog_ietf();
</Output>
<Route 1>
Path eventlog => out
</Route>



Can you help me?
Thanks a lot!

Re: Problem with config nxlog

Posted: Thu Aug 15, 2024 1:47 pm
by jmichaelson
Let's start off with the basics. If you use a default configuration file do you get logs sent to your log server?

Re: Problem with config nxlog

Posted: Thu Aug 15, 2024 2:09 pm
by ssunga
More diagnostic info would also be helpful:
- What version of NLS
- What OS / distribution?

Re: Problem with config nxlog

Posted: Tue Aug 20, 2024 1:50 am
by jfig
On the server I have Kiwi Syslog Server version 9.8.1 and OS: WS 2019 x64.
nxlog is version 2.10.2150.


I will add that other configs work, but they show 'Information' logs from Event Viewer and I don't need that.

Re: Problem with config nxlog

Posted: Mon Aug 26, 2024 1:13 pm
by jmichaelson
Can you show us a working config file for comparison?

Re: Problem with config nxlog

Posted: Tue Aug 27, 2024 1:29 am
by jfig
Yes, please:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
 
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
## Eventlog

<Extension _syslog>
  Module  xm_syslog
</Extension>
#<Extension _syslog>
#  Module      xm_json
#</Extension>

<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id='0'><Select Path='Security'>*</Select></Query>\
                    <Query Id='0'><Select Path='Application'>*</Select></Query>\
                    <Query Id='0'><Select Path='System'>*</Select></Query>\
                </QueryList>
</Input>
<Output out>
    Module      om_udp
    Host        ip_host
    Port        514
##  Exec        to_syslog_bsd();
    Exec        to_syslog_snare();
##  Exec        to_json();
##  Exec        to_syslog_ietf();
</Output>
<Route 1>
    Path        eventlog => out
</Route>

Re: Problem with config nxlog

Posted: Tue Aug 27, 2024 3:14 pm
by jmichaelson
My suggestion would be to mimic Example 2 here: https://docs.nxlog.co/integrate/windows-eventlog.html. Like this:

<Input eventlog>
    Module            im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
And adding in something like this from Example 7:

    <Exec>
        if ($EventID in (1, 5) and
            $Image == "C:\\Windows\\System32\\conhost.exe") or
           ($EventID == 3 and
            $DestinationPort == 80 and
            $DestinationIp == 10.0.0.1) {
           drop();
        }
    </Exec>
with the condition on the if set to match your event type filters. You may also need to use double quotes on the filter strings as well.

I realize that this is very similar to what you already have, but I'm updating it to use the current documentation for nxlog.

Re: Problem with config nxlog

Posted: Wed Aug 28, 2024 2:38 am
by jfig
Okay,
How can I now configure it to receive only error and warning events?

like this?:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
 
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
## Eventlog

<Extension _syslog>
  Module  xm_syslog
</Extension>
#<Extension _syslog>
#  Module      xm_json
#</Extension>



<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
                <Select Path='Application'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($Severity != 'ERROR') drop(); # Filter to capture only error messages
    </Exec>
</Input>

<Output out>
    Module      om_udp
    Host        my_ipaddress_server
    Port        514
##  Exec        to_syslog_bsd();
    Exec        to_syslog_snare();
##  Exec        to_json();
##  Exec        to_syslog_ietf();
</Output>
<Route 1>
    # the severity filter lives in the Input's Exec block, so no separate processor module is needed
    Path        eventlog => out
</Route>

or I don't know..
can you help me? :)
Thanks a lot

Re: Problem with config nxlog

Posted: Wed Aug 28, 2024 12:48 pm
by jmichaelson
Do you have it working there where it's only receiving Error events? If so, then add on to your condition:

    <Exec>
        if ($Severity != 'ERROR' and $Severity != 'WARNING') drop(); # keep only Error and Warning events
    </Exec>

Re: Problem with config nxlog

Posted: Fri Aug 30, 2024 12:40 am
by jfig
It works!
Thank you in advance for the help!
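The check I would run on the Windows host before editing nxlog.conf, added here as an example and not part of the thread: it writes test events through a placeholder source, then runs the same XPath an nxlog QueryXML block accepts, so you see exactly which events the collector would read. Assumes Windows PowerShell 5.1 (Write-EventLog is not in PowerShell 7) in an elevated session; the source name NxlogFilterTest is a placeholder.

```powershell
# Added example, not from the thread. Verify which Application/System events
# an im_msvistalog query would select before pointing nxlog at Kiwi.
$Source = 'NxlogFilterTest'   # placeholder test source (assumption)

# 1. Register the test source once and write one event per type so each
#    branch of the severity filter can be exercised (Write-EventLog cannot
#    write Critical/Level 1 events, so only Error, Warning and Information).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
foreach ($type in 'Error', 'Warning', 'Information') {
    Write-EventLog -LogName Application -Source $Source -EventId 1000 `
        -EntryType $type -Message "nxlog filter test: $type"
}

# 2. Same XPath that goes into an nxlog <QueryXML> block. Level 1 = Critical,
#    2 = Error, 3 = Warning. Filtering here means the collector never reads
#    Information events at all, instead of reading and then dropping them.
$Query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
"@

# 3. Run the query: the Information test event must be absent from the output.
#    The Level column is what nxlog turns into $Severity / $EventType.
Get-WinEvent -FilterXml ([xml]$Query) -MaxEvents 50 |
    Where-Object ProviderName -eq $Source |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Level
```

If you keep the Exec approach instead, note that the im_msvistalog documentation lists the $Severity and $EventType values in uppercase (CRITICAL, ERROR, WARNING, INFO) and nxlog string comparison is case-sensitive, so a comparison against 'Error' never matches and drops everything.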