Sending Windows Event Logs to Graylog

Links & Downloads for the “Sending Windows Event Logs to Graylog” video.

Download Sysmon from here: Sysmon - Sysinternals | Microsoft Learn
Download NXLog Community edition from here: Download - Nxlog Community Edition

For the video tutorial I used the Sysmon Modular default+ version.

A popular alternative is from Swift On Security

To install Sysmon with the default+ version, open up an elevated command prompt and run

sysmon.exe -accepteula -i sysmonconfig-with-filedelete.xml

Then install NXLog using the default options. Then replace C:\Program Files\nxlog\conf\nxlog.conf with the one from my GitHub and update the IP address (and port if you changed defaults) in that config to point at your Graylog instance.

Then restart the NXLog service.

The MITRE ATT&CK Log Data Demo referenced in the video
https://attack.mitre.org/techniques/T1033/

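The install steps above, as one added PowerShell example. This is not Tom's GitHub config or anything from the video: the nxlog.conf body is a minimal NXLog CE configuration that reads only the Sysmon operational channel and ships it as GELF over UDP, and the Graylog address (192.0.2.10), port (12201, the GELF UDP default), the install path and the config file name are assumptions you replace with your own. Run it from an elevated PowerShell prompt in the folder that holds sysmon.exe and the sysmon-modular XML.

```powershell
# Added example (not from the video or Tom's GitHub config). Installs Sysmon with the
# sysmon-modular "default+" config and points NXLog CE at a Graylog GELF UDP input.
# $GraylogHost, $GraylogPort and $SysmonConfig are assumptions for your environment.
param(
    [string]$GraylogHost  = '192.0.2.10',   # assumed Graylog address; replace with yours
    [int]$GraylogPort     = 12201,          # Graylog GELF UDP default
    [string]$SysmonConfig = '.\sysmonconfig-with-filedelete.xml'
)

$ErrorActionPreference = 'Stop'

# 1. Sysmon: install with the config, or just load the config if Sysmon is already present.
if (Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue) {
    & .\sysmon.exe -accepteula -c $SysmonConfig
} else {
    & .\sysmon.exe -accepteula -i $SysmonConfig
}

# 2. NXLog CE config: read the Sysmon operational channel and send it as GELF over UDP.
#    Only the Sysmon channel is selected here so the first test is easy to reason about;
#    add more <Select> lines (Security, System, ...) once events are arriving.
$nxlogConf = @"
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input sysmon>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output graylog>
    Module om_udp
    Host $GraylogHost
    Port $GraylogPort
    OutputType GELF
</Output>

<Route sysmon_to_graylog>
    Path sysmon => graylog
</Route>
"@

$confPath = 'C:\Program Files\nxlog\conf\nxlog.conf'
Copy-Item -Path $confPath -Destination "$confPath.bak" -Force   # keep the shipped config
Set-Content -Path $confPath -Value $nxlogConf -Encoding ASCII

# 3. Restart NXLog and look at its own log: a config typo shows up here, not in Graylog.
Restart-Service -Name nxlog
Get-Content -Path 'C:\Program Files\nxlog\data\nxlog.log' -Tail 5

# 4. Confirm Sysmon is producing events locally before chasing the network path.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName
```

After this runs, the matching Graylog side is a GELF UDP input bound to the same port; if nxlog.log is clean and Sysmon events are listed in step 4 but nothing reaches the input, the remaining suspect is the network path between the two hosts.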

Hi everyone,

I don’t know if things have changed since 2022 regarding this subject, but I followed the steps provided by Tom and the Graylog input doesn’t receive any data.

I installed Graylog on my own computer via WSL, so it’s on 127.0.0.1

After installing Sysmon, I can see the logs in the Event Viewer. I installed NXLog right after that and changed the Graylog server IP to 127.0.0.1 in the config file.

All services have been restarted, and I also created the GELF UDP Input in Graylog.

I must be missing something of course…is there something else that I should check other than what I just said?

Thanks!
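One way to narrow down where the events stop, as an added diagnostic that is not part of the post above or of Tom's instructions. It checks the NXLog service and log, confirms Sysmon is writing to the channel NXLog reads, and then sends a hand-built GELF message over UDP directly to the input, bypassing NXLog, so a message that never shows up in Graylog points at the network path rather than the collector. The port (12201) and the host list are assumptions; for Graylog inside WSL it is worth sending to both 127.0.0.1 and the address the distribution reports from `wsl hostname -I`, since those are two different paths.

```powershell
# Added diagnostic (not part of the thread). Checks each hop between Sysmon and a
# Graylog GELF UDP input. $GraylogHosts and $GraylogPort are assumptions; 12201 is the
# GELF UDP default. Run from an elevated PowerShell prompt.
param(
    [string[]]$GraylogHosts = @('127.0.0.1'),   # add the WSL address from: wsl hostname -I
    [int]$GraylogPort = 12201
)

# 1. Is NXLog running, and did its own log complain about the config?
Get-Service -Name nxlog | Select-Object Name, Status
Select-String -Path 'C:\Program Files\nxlog\data\nxlog.log' -Pattern 'ERROR|WARNING' |
    Select-Object -Last 5 | ForEach-Object { $_.Line }

# 2. Is Sysmon writing to the channel NXLog is reading from?
(Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1).TimeCreated

# 3. Send a minimal GELF 1.1 message straight to the input. version, host and
#    short_message are the required fields; underscore-prefixed keys are custom fields.
function Send-GelfTestMessage {
    param([string]$GelfHost, [int]$Port)
    $payload = @{
        version       = '1.1'
        host          = $env:COMPUTERNAME
        short_message = "gelf-udp-test from $env:COMPUTERNAME to $GelfHost"
        timestamp     = [double][DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        level         = 6
        _source_check = 'manual'
    } | ConvertTo-Json -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($payload)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $sent = $udp.Send($bytes, $bytes.Length, $GelfHost, $Port)
        "sent $sent bytes to ${GelfHost}:$Port"
    } finally {
        $udp.Dispose()
    }
}

foreach ($h in $GraylogHosts) {
    Send-GelfTestMessage -GelfHost $h -Port $GraylogPort
}
# Then search Graylog for: short_message:"gelf-udp-test"
```

UDP gives no delivery feedback, so "sent N bytes" only means the packet left this host; the search in Graylog is the actual check. If the manual message arrives on one address but not the other, that is the address to put in nxlog.conf.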

Read the “COLLECTOR SIDECAR AND WINLOGBEAT” section