Use NXLog with Graylog2

How to configure Graylog:

Graylog 2

My configuration on the Graylog server:

The graylog2 IP address: 192.168.10.112

Listening Port: 514/TCP

NXLog has no GUI and runs as a Windows service. After installation the service does not start automatically: we first edit the configuration file, then start the service.

 

1. Edit the configuration file:

C:\Program Files (x86)\nxlog\conf\nxlog.conf

By default it looks like the block below; we fill in the values for our environment.

<Input in>
    Module im_msvistalog
    # For Windows 2003 and earlier use the following:
    # Module im_mseventlog

    ReadFromLast TRUE
</Input>

<Output out>
    # Enter the IP address and the port on which the syslog server is listening.
    Module om_tcp
    Host 192.168.0.1
    Port 514
    Exec to_syslog_bsd();
</Output>

First we add a <QueryXML> block inside the <Input in> section, like below:

<Input in>
    <QueryXML>
        <QueryList>
            <Query Id='1'>

            </Query>
        </QueryList>
    </QueryXML>
</Input>

Then we fill in the query between the <Query Id='1'> and </Query> tags.

In this example we forward the Warning, Error and Critical events from the Application and System logs to the syslog server, and at the same time I also want to send the unsuccessful logons from the Security log. The related level numbers are shown below:

Warning: level 3
Error: level 2
Critical: level 1

If you are not familiar with the syntax, the filter can be obtained from Event Viewer in the following way:

Go to Event Viewer: Windows Logs > Application. In the right pane click Filter Current Log...; in the Filter tab tick Critical, Warning and Error.

Then click the XML tab at the top and copy the line <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select> between the <Query Id='1'> and </Query> tags.

 

How to configure the Event level:
How to filter the unsuccessful logons:

Go to Event Viewer: Windows Logs > Security. In the right pane click Filter Current Log...; in the Filter tab choose Audit Failure in the Keywords box.

 

Now let's look at the XML form: click the XML tab at the top of the window.

Copy the line <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select> between the <Query Id='1'> and </Query> tags.

Then do the same for the System log.
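
The three <Select> lines assembled above can also be generated and checked programmatically instead of being copied out of Event Viewer by hand. The following Python script is an added example, not code from the article or from NXLog: it maps level names to the Level numbers listed above, combines Security audit keywords into the Keywords bitmask tested by band(), builds the QueryList block, and parses it back to confirm it is well-formed XML before it goes into nxlog.conf. The level and keyword tables are the standard Windows Event Log values; the function names and the spec format are my own.

```python
"""Generate and sanity-check the NXLog QueryXML filter used in nxlog.conf.

Added example, not the article's or NXLog's code. Level numbers follow the
Event Viewer mapping quoted in the article; the Keywords bits are the standard
Security-log audit keywords (Audit Failure = 0x10000000000000 = 4503599627370496).
"""
import xml.etree.ElementTree as ET

# Event Viewer levels as used in the XPath "Level=" predicate.
LEVEL = {"critical": 1, "error": 2, "warning": 3, "information": 4, "verbose": 5}

# Security log audit keywords (bit flags tested with band()).
KEYWORD = {
    "audit_success": 0x20000000000000,  # 9007199254740992
    "audit_failure": 0x10000000000000,  # 4503599627370496, the value used in this article
}


def select_xpath(levels=(), keywords=()):
    """Build the XPath predicate for one <Select> element.

    Several levels are OR-ed (an event has exactly one level). Several
    keywords are OR-ed into a single bitmask for band(), because "and"-ing
    two band() tests would require both bits to be set on the same event.
    """
    parts = []
    if levels:
        parts.append("(" + " or ".join(f"Level={LEVEL[l]}" for l in levels) + ")")
    if keywords:
        mask = 0
        for k in keywords:
            mask |= KEYWORD[k]
        parts.append(f"band(Keywords,{mask})")
    if not parts:
        return "*"  # no filter: every event in the channel
    return "*[System[" + " and ".join(parts) + "]]"


def build_querylist(spec):
    """spec is a list of (channel, levels, keywords); returns the QueryList XML text."""
    lines = ["<QueryList>", "  <Query Id='1'>"]
    for channel, levels, keywords in spec:
        lines.append(f"    <Select Path='{channel}'>{select_xpath(levels, keywords)}</Select>")
    lines += ["  </Query>", "</QueryList>"]
    return "\n".join(lines)


def selects(querylist_xml):
    """Parse the QueryList back and return (Path, XPath) pairs; raises on malformed XML."""
    root = ET.fromstring(querylist_xml)
    return [(s.get("Path"), s.text) for s in root.iter("Select")]


# The filter set described in the article: Warning and worse from Application
# and System, failed logons (Audit Failure) from Security.
ARTICLE_SPEC = [
    ("Application", ("critical", "error", "warning"), ()),
    ("Security", (), ("audit_failure",)),
    ("System", ("critical", "error", "warning"), ()),
]

if __name__ == "__main__":
    xml_text = build_querylist(ARTICLE_SPEC)
    print(xml_text)
    for path, xpath in selects(xml_text):
        print(path, "->", xpath)
```

Paste the printed QueryList inside the <QueryXML> block of the <Input in> section. If selects() raises, the XML is malformed and NXLog would refuse the configuration as well, so the check is cheap to run before restarting the service.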

The final configuration file looks like this:

# The xm_syslog extension (required by to_syslog_bsd()) and the Route block
# below are part of the default nxlog.conf and are left unchanged.
<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    # For Windows 2003 and earlier use the following:
    # Module im_mseventlog

    ReadFromLast TRUE
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
                <Select Path='System'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    # Enter the IP address and the port on which the syslog server is listening.
    Module om_tcp
    Host 192.168.10.112
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path in => out
</Route>

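
To check what Graylog's syslog input actually receives on 514/TCP, the following Python script is an added example, not code from the article, NXLog or Graylog: a minimal listener stands in for the Graylog TCP input, accepts one newline-terminated BSD syslog line of the kind om_tcp with to_syslog_bsd() sends, and decodes the <PRI> header into facility and severity. The sample line is constructed for the demonstration, not captured from NXLog, and the listener binds an ephemeral localhost port instead of 514 so it runs without privileges.

```python
"""Round-trip one BSD syslog line over TCP and decode it the way a syslog
input (such as Graylog's) would.

Added example, not NXLog's, Graylog's or the article's code. The sample line
below is constructed for the demonstration, not captured from NXLog.
"""
import re
import socket
import threading

# RFC 3164 (BSD syslog) line: <PRI>Mmm dd HH:MM:SS hostname rest-of-message
BSD_LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
            "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]


def parse_bsd_syslog(line):
    """Split a BSD syslog line into PRI-derived facility/severity and the rest."""
    m = BSD_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITY[pri // 8],
        "severity": SEVERITY[pri % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def receive_one(server_sock):
    """Accept one connection, read up to the first newline, parse that line."""
    conn, _ = server_sock.accept()
    with conn:
        conn.settimeout(5)
        buf = b""
        while b"\n" not in buf:  # TCP syslog is newline-delimited, not length-prefixed
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    first = buf.split(b"\n", 1)[0].decode("utf-8", "replace")
    return parse_bsd_syslog(first)


def send_line(host, port, line):
    """Send one newline-terminated line over TCP, as om_tcp with to_syslog_bsd() does."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode("utf-8") + b"\n")


def roundtrip(line, host="127.0.0.1"):
    """Start a throwaway listener, send the line to it, return the parsed result."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    srv.bind((host, 0))  # port 0: the OS picks a free port, so no privileges are needed
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(receive_one(srv)))
    worker.start()
    send_line(host, port, line)
    worker.join(5)
    srv.close()
    return result


# Constructed sample (not NXLog output): an Error-level Security event.
# PRI 11 = facility 1 (user) * 8 + severity 3 (err).
SAMPLE = "<11>Jan  5 10:12:33 WIN10-PC Microsoft-Windows-Security-Auditing[4]: An account failed to log on."

if __name__ == "__main__":
    print(roundtrip(SAMPLE))
```

Point send_line() at the real Graylog host and port 514 to confirm the path from the Windows host is open before blaming the NXLog configuration; if the line shows up in Graylog's input, the remaining problem is on the NXLog side (query filter, service not started, or nxlog.log errors).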
2. Start the NXLOG service

Click the Start menu, type services.msc and press Enter.

Find nxlog in the list of services, right-click it and click Start.

Make use of the logs

With the logs centralized, we can troubleshoot Windows issues from one place.

Troubleshooting with Windows Logs