NXLog is a third-party log collection tool that offers some useful options for collecting Windows event logs and forwarding them to Devo. Customers who already use NXLog might prefer to use it to send their Windows events to Devo. Events sent through NXLog must carry the box.win_nxlog tag.
Info: For more information to support the procedures described in this article, see the NXLog product documentation.
...
The following sample configuration file uses an input module to extract Application, System, Security, and Windows PowerShell events from the machine. Three output modules are included to illustrate how to configure outputs to the Devo relay, to Devo directly over TLS, and to a local file. In each output, the Devo tag box.win_nxlog.* is set as the syslog $SourceName of every event collected; the third level of the tag is the value of $Channel in lowercase. Note that lc() only changes case, so a channel name that contains a space (Windows PowerShell) yields a tag with a space in it; check the tags in the local file output before routing events to Devo. Only the devo_relay output is referenced by the route; add ssl_devo or file to the route Path to use them. Once in Devo, the events are accessed by selecting the corresponding box.win_nxlog.* tables in the finder.
To use this sample file as a guide, keep in mind that you need to edit some key parameter values:
...
## This is a sample configuration file. See the NXLog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your NXLog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

## Timestamps are rendered in UTC so Devo does not have to guess the host's time zone.
DateFormat        YYYY-MM-DD hh:mm:ss.sUTC
GenerateDateInUTC TRUE

<Extension _syslog>
    Module xm_syslog
</Extension>

## Collect Application, System, Security and Windows PowerShell events.
## ReadFromLast avoids replaying the whole event history on first start.
<Input in>
    Module       im_msvistalog
    ReadFromLast True
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
            <Select Path="Windows PowerShell">*</Select>\
        </Query>\
    </QueryList>
</Input>

## Each output serialises the event as JSON, derives the Devo tag from the channel
## name and drops ProcessID so that to_syslog_bsd() emits "sourcename:" rather than
## "sourcename[pid]:" in the syslog header.

## Plain TCP to a Devo relay on the local network.
<Output devo_relay>
    Module om_tcp
    Host   RELAY_IP_ADDRESS
    Port   13000
    Exec   $Message = to_json(); $SourceName = "box.win_nxlog." + lc($Channel); delete($ProcessID); to_syslog_bsd();
</Output>

## Mutual TLS directly to Devo, using the certificate files issued for the domain.
<Output ssl_devo>
    Module      om_ssl
    Host        XX.elb.relay.logtrust.net
    Port        443
    CAFile      C:\Program Files (x86)\nxlog\cert\CHAIN.crt
    CertFile    C:\Program Files (x86)\nxlog\cert\DOMAIN.crt
    CertKeyFile C:\Program Files (x86)\nxlog\cert\DOMAIN.key
    ## Only needed when DOMAIN.key is passphrase-protected; replace "secret" with the real passphrase.
    KeyPass     secret
    ## Keep FALSE so the endpoint's certificate is verified against CAFile. TRUE disables
    ## that check entirely and should not be used outside troubleshooting.
    AllowUntrusted FALSE
    Exec   $Message = to_json(); $SourceName = "box.win_nxlog." + lc($Channel); delete($ProcessID); to_syslog_bsd();
</Output>

## Local file, useful for inspecting the exact lines that would be sent.
<Output file>
    Module om_file
    File   'C:\nxlog_events.log'
    Exec   $Message = to_json(); $SourceName = "box.win_nxlog." + lc($Channel); delete($ProcessID); to_syslog_bsd();
</Output>

## Only devo_relay is wired up here; add the other outputs to Path to use them,
## for example: Path in => devo_relay, file
<Route 1>
    Path in => devo_relay
</Route>
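The pre-flight checks below are an added example written for this article, not part of the Devo documentation or of NXLog itself. They run the same QueryList through Get-WinEvent to confirm the channels produce events, verify the configuration syntax with nxlog.exe -v, test reachability of the relay port, and parse the local file output to confirm every line carries a box.win_nxlog.* tag and a JSON body. The install path, config path, relay address and file path are assumptions taken from the sample above; adjust them to your deployment. Run from an elevated PowerShell session, since reading the Security channel requires administrative rights.

```powershell
# Added pre-flight checks for the NXLog sample configuration (example code, not Devo's or NXLog's).
# Assumed values, taken from the sample above: replace them with the real ones.
$NxlogRoot  = 'C:\Program Files (x86)\nxlog'
$ConfigPath = Join-Path $NxlogRoot 'conf\nxlog.conf'
$RelayHost  = 'RELAY_IP_ADDRESS'     # assumption: the address configured in <Output devo_relay>
$RelayPort  = 13000
$LocalFile  = 'C:\nxlog_events.log'  # written by <Output file> when it is added to the route

# 1. Confirm the im_msvistalog query matches events on this host. This is the same
#    QueryList XML that NXLog evaluates, so it also shows what each tag will look like.
[xml]$query = @'
<QueryList>
  <Query Id="0">
    <Select Path="Application">*</Select>
    <Select Path="System">*</Select>
    <Select Path="Security">*</Select>
    <Select Path="Windows PowerShell">*</Select>
  </Query>
</QueryList>
'@
$sample = Get-WinEvent -FilterXml $query -MaxEvents 50 -ErrorAction Stop
$sample | Group-Object LogName | ForEach-Object {
    # lc($Channel) in the NXLog Exec only lowercases; "Windows PowerShell" keeps its space.
    '{0,-20} {1,3} event(s) -> tag box.win_nxlog.{2}' -f $_.Name, $_.Count, $_.Name.ToLower()
}

# 2. Verify the configuration file syntax before (re)starting the nxlog service.
& (Join-Path $NxlogRoot 'nxlog.exe') -v -c $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "nxlog.conf failed syntax verification" }

# 3. Check that the relay port is reachable from this host (plain TCP output).
$tcp = Test-NetConnection -ComputerName $RelayHost -Port $RelayPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach ${RelayHost}:${RelayPort}" }

# 4. With the route pointed at the 'file' output, confirm each emitted line has the
#    expected shape. to_syslog_bsd() produces "<PRI>Mmm dd hh:mm:ss host sourcename: message";
#    ProcessID was deleted in the Exec, so no "[pid]" follows the source name.
$pattern = '^<\d+>\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s(box\.win_nxlog\.[^:]+):\s(\{.*\})$'
$bad  = 0
$tags = foreach ($line in Get-Content $LocalFile -Tail 200) {
    if ($line -match $pattern) {
        $tag = $Matches[1]
        if ($tag -match '\s') { Write-Warning "tag contains whitespace: '$tag'" }
        $null = $Matches[2] | ConvertFrom-Json   # throws if the body is not valid JSON
        $tag
    } else {
        $bad++
    }
}
$tags | Group-Object | Select-Object Name, Count
if ($bad) { Write-Warning "$bad line(s) did not match the expected syslog BSD layout" }
```

Step 4 is the one worth keeping in a runbook: it catches a malformed tag or a non-JSON body locally, before the events are on their way to Devo and the only evidence is a missing table in the finder.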
Note
Route parameter: Routes define the flow and processing order of the log messages. Each route instance must have a unique name and a
These are the three allowed output blocks:
Learn more about the
...