Question

Windows Logs

  • 16 January 2024

We would like to send log files from a directory such as C:\Logs to our logpoint server.
What needs to be entered in nxlog.conf?


2 replies


We don’t normally work directly with nxlog.conf (or nxlog) anymore, but the NXLog documentation is probably the best place for anything to do with it - specifically the file directive is documented here: https://docs.nxlog.co/refman/current/im/file.html . It also has a few examples, so hopefully that helps.


Hi Ronny, this will get you going with your task. :)


## LB Forsikring logs to own LogPoint system, E-Boks receipt files v 2.0
## Kai Gustafson 08/05-2023
## comments
## 64 Bit Version
define ROOT C:\Program Files\nxlog
ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
PidFile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
define Cdrive C:\Logs
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). This file has
# no `_fileop` extension block, so the NXLog log file is not rotated
# automatically.
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# The stock nxlog.conf sets `LogFile %MYLOGFILE%` in log4ensics.conf so the
# location can be changed from NXLog Manager. NXLog Manager is not used
# here, so `LogFile` is set directly and the `include` line is disabled.
LogFile %MYLOGFILE%
#include %CONFDIR%\log4ensics.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

# Collect the *.log files from C:\Logs; im_file tails each file as it grows.
# SavePos remembers the read position across restarts; ReadFromLast makes
# the first start skip content that was already in the files.
<Input CdriveLogs>
    Module       im_file
    File         '%Cdrive%\*.log'
    SavePos      TRUE
    ReadFromLast TRUE
    PollInterval 1
</Input>

# Internal NXLog messages (module errors, start/stop, etc.)
<Input Internal>
    Module im_internal
</Input>

<Input EventLog>
    Module im_msvistalog
    # Collect the Sysmon/Operational channel plus 'Application', 'System'
    # and 'Security' (the Sysmon channel only exists where Sysmon is installed)
    Query <QueryList> \
           <Query Id="0"> \
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
            <Select Path="Application">*</Select> \
            <Select Path="System">*</Select> \
            <Select Path="Security">*</Select> \
          </Query> \
    </QueryList>
    Exec $Hostname = hostname_fqdn();
</Input>

# Syslog to LogPoint server. om_udp sends cleartext with no delivery
# guarantee; NXLog also provides om_tcp and om_ssl (TLS) if that matters.
# Replace xx.xx.xx.xx with the collector address.
<Output out>
    Module      om_udp
    Host        xx.xx.xx.xx:514
    # Serialise the event fields to JSON, use that as the syslog message,
    # then wrap it in a BSD syslog header
    Exec        to_json();
    Exec        $Message = $raw_event;
    Exec        to_syslog_bsd();
</Output>

<Output Cdrive_out>
    Module      om_udp
    Host        xx.xx.xx.xx:514
    # $SourceName becomes the tag in the BSD syslog header
    Exec        $SourceName = 'CdriveFiles';
    Exec        to_syslog_bsd();
</Output>

# Instance names in Path must match the <Input>/<Output> names above
<Route 1>
    Path        EventLog, Internal => out
</Route>

<Route 2>
    Path        CdriveLogs => Cdrive_out
</Route>

Regards Kai
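To confirm that the configuration above delivers what you expect before pointing both outputs at the production collector, the following is an added example, not part of Kai's post and not NXLog or LogPoint code: a small Python UDP listener that parses the BSD-syslog (RFC 3164) lines `to_syslog_bsd()` emits and counts how many arrived via each route. The sample datagrams are constructed; the tag NXLog puts on the event-log route is taken from each event's `$SourceName`, so the `Microsoft-Windows-Sysmon` tag in the sample is an assumption. Port 5514 is used for testing because binding 514 needs elevated privileges.

```python
"""Minimal UDP syslog receiver to verify what the nxlog.conf above ships.

Added example (not part of the original post, NXLog or LogPoint). It parses
the BSD-syslog (RFC 3164) lines NXLog's to_syslog_bsd() emits so you can
check that C:\\Logs lines arrive tagged 'CdriveFiles' and that the
event-log route arrives as JSON.
"""
import json
import re
import socket
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample datagrams. The tag on the event-log route depends on
# $SourceName in each event; the value used here is assumed.
SAMPLE_LINES = [
    "<13>Jan 16 10:21:05 WS01 CdriveFiles: 2024-01-16 10:21:04 receipt OK id=42",
    "<14>Jan 16 10:21:06 ws01.example.local Microsoft-Windows-Sysmon: "
    '{"EventTime":"2024-01-16 10:21:06","Hostname":"ws01.example.local",'
    '"SourceName":"Microsoft-Windows-Sysmon","EventID":1}',
    "garbage that is not syslog",
]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_bsd_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one BSD-syslog line, or None if it is malformed."""
    m = BSD_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give a maximum PRI of 191
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "message": m.group("msg"),
    }


def classify(record: Dict[str, object]) -> str:
    """Map a parsed line to the nxlog.conf route that produced it."""
    if record["tag"] == "CdriveFiles":  # Route 2: CdriveLogs => Cdrive_out
        return "file"
    try:  # Route 1 carries the to_json() payload as the message
        json.loads(str(record["message"]))
        return "eventlog"
    except ValueError:
        return "unknown"


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count lines per route, plus lines that failed to parse."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_bsd_syslog(line)
        counts["unparsed" if rec is None else classify(rec)] += 1
    return dict(counts)


def serve(bind: str = "0.0.0.0", port: int = 5514, max_datagrams: int = 0) -> Dict[str, int]:
    """Receive UDP syslog datagrams, print each one, and return the route counts.

    max_datagrams=0 runs until Ctrl-C. Point om_udp at this host:port to test.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    counts: Counter = Counter()
    seen = 0
    try:
        while max_datagrams == 0 or seen < max_datagrams:
            data, peer = sock.recvfrom(65535)
            line = data.decode("utf-8", errors="replace").rstrip("\r\n")
            rec = parse_bsd_syslog(line)
            counts["unparsed" if rec is None else classify(rec)] += 1
            seen += 1
            print(f"{peer[0]} [{rec['tag'] if rec else '?'}] {line[:80]}")
    except KeyboardInterrupt:
        pass
    finally:
        sock.close()
    return dict(counts)


if __name__ == "__main__":
    # Offline self-check on the constructed sample; run serve() for a live test
    print(summarize(SAMPLE_LINES))
```

Run it with `summarize()` first to see the expected split on the sample, then call `serve()` on a test host, temporarily set `Host` in both `<Output>` blocks to that host and port 5514, and touch a file under C:\Logs: a `file` count that stays at zero usually means the `File` glob or the route name does not match, while `unparsed` lines point at a transport or encoding problem rather than the config.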
