Config in Graylog

Go to System > Inputs, open the “Select input” dropdown, and:

  • select “GELF UDP”.
  • Tick “Global”.
  • Give it a Title: Windows Events
  • Bind address: leave it at the default.
  • Port: any legal port will do; I will choose 3514, which is the syslog port 514 with a 3 prepended.
  • Leave the others at their defaults.


Since Graylog is now listening on UDP port 3514, you need to allow it through the firewall.

On CentOS, type:

firewall-cmd --zone=public --permanent --add-port=3514/udp

firewall-cmd --reload


Config on Windows:


Download and install NXLog, then edit C:\Program Files\nxlog\conf\nxlog.conf as follows:


Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

#<Extension _fileop>
#    Module xm_fileop
#
#    # Check the size of our log file hourly, rotate if larger than 5MB
#    <Schedule>
#        Every 1 hour
#        Exec if (file_exists('%LOGFILE%') and \
#            (file_size('%LOGFILE%') >= 5M)) \
#            file_cycle('%LOGFILE%', 8);
#    </Schedule>
#</Extension>

# Below is for the Windows Event Log (Event Viewer)

<Extension _gelf>
    Module xm_gelf
</Extension>

<Input eventlog>
    Module im_msvistalog

    # Heartbeat: writes a line to the NXLog log every 5 minutes so you can see the input is alive
    <Schedule>
        Every 5 min
        First 2022-09-14 09:00:00
        Exec log_info("scheduled execution at " + now());
    </Schedule>

    # The query below can be copied from Event Viewer: "Filter Current Custom View" > Filter tab,
    # set the filter, then switch to the XML tab and copy it.
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
                <Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output graylog>
    # Enter the IP address of the Graylog server and the port its GELF UDP input listens on.
    # GRAYLOG_SERVER_IP below is a placeholder: replace it with your Graylog server address.
    Module om_udp
    Host GRAYLOG_SERVER_IP
    Port 3514
    OutputType GELF
</Output>

# The path runs from the name of the <Input> above to the name of the <Output>, so it is eventlog => graylog
<Route graylog_route>
    Path eventlog => graylog
</Route>

After you save the config file, restart the nxlog service.


Email notification:


Email transport


sudo vi /etc/graylog/server/server.conf

# Comments in server.conf must sit on their own line: Graylog reads a trailing
# "#..." as part of the value, so each note below goes above its setting.
# This is important!
transport_email_enabled = true
# Take note of this address!
transport_email_hostname = 319
# Yours may vary
transport_email_port = 465
transport_email_use_auth = true
# Port 465 is SMTPS, so enable SSL here. use_tls means STARTTLS (typically port 587),
# and Graylog refuses to start with both enabled at the same time.
transport_email_use_tls = false
transport_email_use_ssl = true
# This is an account you’ve created for the purpose of sending automated emails
transport_email_auth_username = [email protected]
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix = [graylog]
transport_email_from_email = [email protected]

Once you finish the above, save and close the file, then run:
$ sudo systemctl restart graylog-server


Modify field


Let’s say you want to shorten the source hostname from its FQDN to just DC01, given that you only have a single domain and want the dashboard to be nice and neat.

Go to System > Inputs.

Click the “Manage extractors” button.

Then click “Get started”, select the input you created before, and click “Load Message”.

Then click “Select extractor type” next to the source message field and choose “Regular expression”.

At the top it shows the original message; fill in the fields below it:

  • In the regular expression box, type: (.*?)\.  (the non-greedy group captures everything before the first dot)
  • Store as field: source
  • Extractor title: Extract Hostname from FQDN

Click “Create extractor”


Configure Pipelines


Pipelines can be used to drop messages, remove fields, and much more; the Graylog documentation lists the available pipeline functions.


I will use a drop message as an example here:

I want to drop messages whose full_message field contains the keywords “CN=ADFS ProxyTrust - NHSADFSWAP”.


Create a rule

To do so, click System > Pipelines, then the “Manage Rules” button, then “Create Rule”.

In the description box, type a descriptive title.

In the Rule source box, type the following (a rule needs the when/then/end structure, and drop_message() does the actual dropping):


rule "Drop ADFS ProxyTrust - NHSADFSWAP Messages"
when
    contains(to_string($message.full_message), "CN=ADFS ProxyTrust - NHSADFSWAP")
then
    drop_message();
end

Then click Save & Close.

Add pipelines


Click the “Manage Pipelines” button at the top right, then “Add new pipeline”, enter a Title and Description, and click Save; you are now on the pipeline edit page.


Click the “Edit connections” button, select a stream (by default it is “All messages”), and click Save.

Then click “Add new stage”, under “Stage rules” pick the rule you created above, and click Save.
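To check the whole chain on this page without waiting for a real Windows event, here is a small Python sender, added here as an example and not part of the original post or of NXLog/Graylog: it builds a GELF 1.1 message the way the GELF UDP input expects it (zlib-compressed, chunked when it exceeds one datagram), and applies the same (.*?)\. hostname regex and the same drop condition as the extractor and pipeline rule above. GRAYLOG_HOST and the sample event are placeholders I constructed.

```python
import json, os, re, socket, struct, time, zlib

GRAYLOG_HOST = "127.0.0.1"  # placeholder: replace with your Graylog server address
GELF_PORT = 3514            # must match the input and the firewall-cmd rule above
CHUNK_MAGIC = b"\x1e\x0f"   # GELF chunked-message magic bytes
MAX_CHUNK = 8192            # payload bytes per UDP chunk (GELF default)

def build_gelf(host, short_message, full_message, level=6, **extra):
    """Return a GELF 1.1 document as UTF-8 bytes. Additional fields get the
    mandatory leading underscore so Graylog stores them as custom fields."""
    doc = {"version": "1.1", "host": host, "short_message": short_message,
           "full_message": full_message, "timestamp": round(time.time(), 3),
           "level": level}  # syslog severity: 6 = informational
    doc.update({"_" + k: v for k, v in extra.items()})
    return json.dumps(doc).encode("utf-8")

def chunk_gelf(payload):
    """zlib-compress, then split into GELF chunks if it exceeds one datagram."""
    data = zlib.compress(payload)
    if len(data) <= MAX_CHUNK:
        return [data]
    pieces = [data[i:i + MAX_CHUNK] for i in range(0, len(data), MAX_CHUNK)]
    if len(pieces) > 128:
        raise ValueError("GELF allows at most 128 chunks per message")
    message_id = os.urandom(8)  # same id on every chunk of one message
    return [CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + p
            for seq, p in enumerate(pieces)]

def extract_hostname(fqdn):
    """Same regex as the 'Extract Hostname from FQDN' extractor above."""
    m = re.search(r"(.*?)\.", fqdn)
    return m.group(1) if m else fqdn

def should_drop(full_message):
    """Mirrors the pipeline rule that drops ADFS ProxyTrust - NHSADFSWAP messages."""
    return "CN=ADFS ProxyTrust - NHSADFSWAP" in full_message

def send(payload, host=GRAYLOG_HOST, port=GELF_PORT):
    """Fire the (possibly chunked) datagrams at the GELF UDP input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for chunk in chunk_gelf(payload):
            sock.sendto(chunk, (host, port))

if __name__ == "__main__":
    # Constructed sample event, not a real Windows log record.
    msg = build_gelf("DC01.example.local", "Test logon event",
                     "constructed sample: An account was successfully logged on",
                     EventID=4624, Channel="Security")
    send(msg)
```

After running it, search Graylog for source:DC01 to confirm the input, firewall rule and extractor all work; a message containing the ADFS ProxyTrust string should not appear at all once the pipeline is connected.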