NXLog is a third-party log collection tool that offers some useful options for collecting Windows event logs and forwarding them to Devo. Customers who already use NXLog might prefer to use it to send their Windows events to Devo. When NXLog is used, you must use the box.win_nxlog tag.

Info

For more information to support the procedures described in this article, see the NXLog product documentation.

...

The following sample configuration file uses an input module to extract Application, System, Security, and Windows PowerShell events from the machine. Three output modules are included to illustrate how to configure outputs to the Devo relay, to Devo directly, and to a local file. In each output, the Devo tag box.win_nxlog.* is set as the syslog $SourceName of every event collected, and the third level of the tag is formed from the value of $Channel. Once in Devo, the events are accessed by selecting the corresponding box.win_nxlog.* tables in the finder.

...

Note that each output module converts the events it reads to the BSD syslog format, with the syslog message part carrying the event fields as JSON.

...

If you need to test the NXLog connection, use the following output module. Note that it may cause memory exhaustion if left in place, so remove it once testing is complete.

# Writes each event to a local file as a BSD syslog line whose message part is the event fields in JSON
<Output file>
    Module             om_file
    File               'C:\nxlog_events.log'
    # Serialize the fields to JSON, set the Devo tag from the lowercased channel name,
    # drop $ProcessID so to_syslog_bsd() does not append a [pid] suffix to the tag, then format as BSD syslog
    Exec               $Message = to_json(); $SourceName = "box.win_nxlog." + lc($Channel); delete($ProcessID); to_syslog_bsd();
</Output>
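Before pointing the outputs at Devo, it is worth checking that the lines written by this test output carry the expected box.win_nxlog.<channel> tag. The checker below is an added example, not part of this article or of NXLog: it assumes the BSD syslog layout <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: {json}, and the sample lines (host, times and event contents) are constructed; the third sample shows the [pid] suffix that appears when $ProcessID is not deleted before to_syslog_bsd().

```python
import json
import re

# Assumed line layout written by to_syslog_bsd(): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: {json}
BSD_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>\{.*\})$")
PID_SUFFIX_RE = re.compile(r"\[\d+\]$")
TAG_PREFIX = "box.win_nxlog."

def parse_line(line):
    """Split one output line into the syslog header parts and the JSON event fields."""
    m = BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a BSD syslog line with a JSON message: %r" % line)
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group("host"),
            "tag": m.group("tag"), "fields": json.loads(m.group("msg"))}

def tag_problems(event):
    """Return the problems with the Devo tag of a parsed event (empty list when it is correct)."""
    problems, tag = [], event["tag"]
    if PID_SUFFIX_RE.search(tag):
        problems.append("tag %r carries a [pid] suffix: $ProcessID was not deleted before to_syslog_bsd()" % tag)
        tag = PID_SUFFIX_RE.sub("", tag)
    channel = event["fields"].get("Channel")
    if channel is None:
        problems.append("JSON message has no Channel field")
    elif tag != TAG_PREFIX + channel.lower():
        problems.append("tag %r is not %r" % (tag, TAG_PREFIX + channel.lower()))
    return problems

def check_lines(lines):
    """Map 1-based line numbers to their problems, for the lines that are wrong."""
    bad = {}
    for n, line in enumerate(lines, 1):
        try:
            problems = tag_problems(parse_line(line))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError too
            problems = [str(exc)]
        if problems:
            bad[n] = problems
    return bad

# Constructed sample output (host, times and event contents are made up); line 3 carries a [pid] suffix
SAMPLE_LINES = [
    '<13>Mar 10 14:22:01 WINHOST01 box.win_nxlog.application: {"EventTime":"2024-03-10 14:22:01","Hostname":"WINHOST01","Channel":"Application","EventID":1000,"SourceName":"Application Error","ProcessID":4120}',
    '<13>Mar 10 14:22:03 WINHOST01 box.win_nxlog.security: {"EventTime":"2024-03-10 14:22:03","Hostname":"WINHOST01","Channel":"Security","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","ProcessID":752}',
    '<13>Mar 10 14:22:05 WINHOST01 box.win_nxlog.system[4]: {"EventTime":"2024-03-10 14:22:05","Hostname":"WINHOST01","Channel":"System","EventID":7036,"SourceName":"Service Control Manager","ProcessID":4}',
]
```

Run check_lines() over the lines of C:\nxlog_events.log (or over SAMPLE_LINES) and fix the Exec directive for any line it reports before enabling the relay or direct outputs.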