Question

Normalizing Windows logs using nxlog agent



When using the nxlog agent for Windows (instead of the LogPoint Agent for Windows), how can I get the logs properly normalised?


2 replies


#nxlog

Hi Henrik,

The easiest way is to use the LPA_Windows compiled normaliser, which is also used for the LogPoint Agent. However, this requires that the nxlog agent is configured to provide the event logs in the expected format. This can be done by creating an nxlog.conf file, which must be located in the same folder as the nxlog agent when starting the service on the Windows server.

Below is a template which should be stored in a file called nxlog.conf; it also needs to be edited to provide the IP address of the LogPoint server before restarting the agent. This configuration will collect the event logs in XML format and then package them in JSON before sending them as syslog over TCP/514.

The nxlog agent is installed as a service and can be restarted under Services in Windows.

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

## define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

## Extensions providing to_syslog_bsd() and to_json(), used in the output below
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

## Read the Application, System and Security channels of the Windows Event Log
<Input in_win>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

## Send the events to LogPoint as BSD syslog over TCP/514.
## Replace LogpointIP/HOSTNAME with the IP address or hostname of the LogPoint server.
<Output out_Logpoint>
    Module om_tcp
    Host LogpointIP/HOSTNAME
    Port 514
    ## to_json() renders all event fields as JSON into $raw_event; that JSON is
    ## copied into $Message, and to_syslog_bsd() wraps it in a syslog header.
    Exec to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path in_win => out_Logpoint
</Route>
```

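The following is an added example, not part of the reply above and not LogPoint or nxlog code. It is a small receiver-side check for the wire format the nxlog.conf template produces: a BSD syslog header (from `to_syslog_bsd()`) whose message body is the JSON rendering of the event (from `to_json()`). Point the template's `Host`/`Port` at a test host running this listener before pointing it at LogPoint, and every received line is checked for a parsable syslog header, a decodable JSON object and a handful of Windows event fields. The field names in `REQUIRED_FIELDS`, the sample line and the alternative port are assumptions made for the example; the post itself lists none of them.

```python
"""Receiver-side check for the syslog/JSON framing the nxlog template produces."""
import json
import re
import socketserver
from dataclasses import dataclass

# One line per event, as built by the template's Exec chain:
#   to_json()            -> $raw_event becomes the JSON rendering of all fields
#   $Message=$raw_event  -> that JSON becomes the syslog message body
#   to_syslog_bsd()      -> "<PRI>Mon DD HH:MM:SS host tag[pid]: body"
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp, no year
    r"(?P<host>\S+) "                                 # $Hostname
    r"(?P<body>.*)$",
    re.DOTALL,
)

# Field names that im_msvistalog emits and that a Windows normaliser can be
# expected to key on. Assumed for this check; the post does not list them.
REQUIRED_FIELDS = ("EventTime", "Hostname", "EventID", "Channel")

# Constructed sample of one received line (not captured from a real host).
SAMPLE_LINE = (
    "<13>Jan 12 10:15:03 WIN-DC01 Microsoft-Windows-Security-Auditing[4]: "
    '{"EventTime":"2024-01-12 10:15:03","Hostname":"WIN-DC01","EventID":4624,'
    '"Channel":"Security","SourceName":"Microsoft-Windows-Security-Auditing",'
    '"Severity":"INFO","Message":"An account was successfully logged on."}'
)


@dataclass
class ParsedEvent:
    facility: int
    severity: int
    hostname: str
    event: dict


def parse_line(line):
    """Split one received line into its syslog header and the JSON event.

    Raises ValueError when the line is not in the shape the template sends;
    on the LogPoint side such lines would show up as unnormalised events.
    """
    m = BSD_HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("no BSD syslog header: %r" % line[:60])
    pri = int(m.group("pri"))
    body = m.group("body")
    # to_syslog_bsd() puts "$SourceName[$ProcessID]: " in front of $Message
    # when those fields are set, so the JSON starts at the first brace.
    brace = body.find("{")
    if brace < 0:
        raise ValueError("message body carries no JSON object")
    try:
        event = json.loads(body[brace:])
    except json.JSONDecodeError as exc:
        raise ValueError("JSON decode failed: %s" % exc) from exc
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError("event lacks fields %s" % ", ".join(missing))
    return ParsedEvent(pri >> 3, pri & 7, m.group("host"), event)


def check_line(line):
    """Return (ok, summary) for one line; summary explains a failure."""
    try:
        ev = parse_line(line)
    except ValueError as exc:
        return False, str(exc)
    return True, "%s %s EventID=%s" % (ev.hostname, ev.event["Channel"], ev.event["EventID"])


class LineHandler(socketserver.StreamRequestHandler):
    """Handles one om_tcp connection; nxlog sends one event per line."""

    def handle(self):
        for raw in self.rfile:
            ok, summary = check_line(raw.decode("utf-8", errors="replace"))
            print(("OK   " if ok else "FAIL ") + summary)


def serve(bind="0.0.0.0", port=514):
    """Listen like LogPoint would; point the template's Host/Port here first."""
    with socketserver.ThreadingTCPServer((bind, port), LineHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # e.g. python check_nxlog_feed.py 5140
        serve(port=int(sys.argv[1]))
    else:
        print(check_line(SAMPLE_LINE))
```

Run it without arguments to see the sample line parsed, or with a port number to listen (TCP/514 needs elevated privileges on most hosts, so a high port such as 5140 with the template's `Port` changed to match is the easier test). A `FAIL` line points at the stage that broke: no header means the `to_syslog_bsd()` call is missing, no JSON means `$Message` was not set from `$raw_event`, and missing fields mean the input module is not the one the template expects.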