NxLog Help - Logs Not Fully Ingesting

696039d4m5s8 · June 29, 2023, 6:00pm

I’m attempting to ship Windows and App logs to Graylog via NxLog. I know it’s at least partially working because I’ll randomly receive logs in Graylog, but not all of them. I’m running Windows Server 2019 and I’m trying to send some Event Logs, Sysmon, and FileZilla logs to Graylog via TCP GELF. I’ve tried running nxlog as a server and under the administrator user.

Can someone please sanity check my nxlog config file?

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

Module pm_transformer Exec $Hostname = hostname(); OutputFormat syslog_snare Module xm_syslog Module xm_json Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 Module xm_exec Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    Exec    if (file_exists('%LOGFILE%') and \
               (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>

######################################################
############## Extensions ############################

Module xm_gelf ########## INPUTS ########### Module im_file File “C:\Program Files (x86)\FileZilla Server\Logs*” Module im_msvistalog

   ReadFromLast True
   BatchSize 25
   SavePos True
   PollInterval 2
   
   #TolerateQueryErrors True
   
<QueryXML>
    <QueryList>
      <Query Id="0">
	<Select Path="Security">*</Select>
      </Query>
    <Query Id="1">
	<Select Path="Application">*</Select>
      </Query>
      <Query Id="2">
	<Select Path="Setup">*</Select>
      </Query>
      <Query Id="3">
	<Select Path="System">*</Select>
      </Query>
    <Query Id="13">
        <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>
        </Query>
    <Query Id="14">
        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
        </Query>
    <Query Id="15">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        </Query>
    </QueryList>

#######################################
################# OUTPUTS ##############

Module om_tcp
Host 10.0.4.3
Port 1518
OutputType GELF

Module om_tcp Host 10.0.4.3 Port 1520 #Exec to_syslog_snare(); OutputType GELF ####################################### #################### ROUTE ########### # # Path eventlog => eventlog_transformer => out #

<Route 1>
Path eventlog => out

<Route 2>
Path FTP => out_ftp