Graylog and event viewer of windows

By Patrick


Well, now that I have a nice service that centralizes my logs, I might as well add the Windows Event Viewer logs to it:

Download and install this on the servers whose logs you want to collect: https://nxlog.co/system/files/products/files/348/nxlog-ce-2.10.2150.msi

Add a little configuration to C:\Program Files (x86)\nxlog\conf\nxlog.conf:

<Extension gelf>
    Module xm_gelf
</Extension>

<Input win>
    Module im_msvistalog
    # One explicit channel per input, to stay under the 256-source query limit
    Query <QueryList><Query Id="0"><Select Path="Application">*</Select></Query></QueryList>
    Exec $Hostname = hostname();
</Input>

<Input in_sys>
    Module im_msvistalog
    Query <QueryList><Query Id="0"><Select Path="System">*</Select></Query></QueryList>
    Exec $Hostname = hostname();
</Input>

<Output graylog>
    Module om_tcp
    Host 192.168.1.119
    Port 12201
    OutputType GELF_TCP
</Output>

<Route graylog_route>
    Path win => graylog
</Route>

# Block names must be unique, so the second route gets its own name
<Route graylog_route_sys>
    Path in_sys => graylog
</Route>

At first it gave me an error message: "WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources." That is why I had to add an explicit query that names a single channel, such as

<QueryList><Query Id="0"><Select Path="Application">*</Select></Query></QueryList>

(thanks to https://nxlog.co/question/4644/nxlog-service-keep-stopping-every-few-days)
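To check that the setup above actually works on a given server, here is a small PowerShell script I would run on the Windows host after installing NXLog. It is an added example, not part of the original post or of NXLog itself: it counts the event channels on the host (the number that the 256-source warning is about), confirms the two channels the config selects exist, tests that the Graylog GELF TCP input is reachable, and sends one hand-built GELF 1.1 message the same way NXLog's GELF_TCP output does (one JSON document terminated by a NUL byte). The host and port are the ones from the post; the nxlog.log path is assumed to be the default data directory of the NXLog CE installer, and the test message content is constructed.

```powershell
# Added example: post-install checks for the NXLog -> Graylog GELF TCP setup.
# Assumptions: Graylog host/port as in the post; NXLog CE installed in its
# default location; the GELF test message below is constructed, not a real event.
$GraylogHost = '192.168.1.119'
$GraylogPort = 12201

# 1. How many event channels does this host have? The "cannot contain more than
#    256 sources" warning fires when a single query covers more than 256 of them,
#    which is why the config names one channel per <Input> instead.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue
'{0} event channels on {1} (per-query limit is 256)' -f $channels.Count, $env:COMPUTERNAME

# 2. The two channels selected by the config: confirm they exist and are enabled.
foreach ($name in 'Application', 'System') {
    $log = Get-WinEvent -ListLog $name
    '{0,-12} enabled={1} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount
}

# 3. Is the Graylog GELF TCP input reachable from here? (firewall, wrong Host/Port)
if (-not (Test-NetConnection -ComputerName $GraylogHost -Port $GraylogPort -InformationLevel Quiet)) {
    Write-Warning "Cannot reach ${GraylogHost}:${GraylogPort}; NXLog will not be able to deliver either"
}

# 4. Send one GELF 1.1 message over TCP. GELF over TCP is one JSON document per
#    message, terminated by a NUL byte. If it shows up in the Graylog input's
#    received messages, the input is fine and any remaining issue is on the NXLog side.
$gelf = @{
    version       = '1.1'
    host          = $env:COMPUTERNAME
    short_message = 'NXLog connectivity test (constructed message, not a real event)'
    level         = 6
    _source       = 'powershell-check'
} | ConvertTo-Json -Compress

$client = New-Object System.Net.Sockets.TcpClient($GraylogHost, $GraylogPort)
try {
    $stream = $client.GetStream()
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($gelf + [char]0)   # NUL terminator
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
} finally {
    $client.Close()
}

# 5. Restart the service so the edited nxlog.conf is loaded, then read NXLog's own
#    log: the 256-source warning or a refused connection shows up here first.
Restart-Service nxlog
Get-Content 'C:\Program Files (x86)\nxlog\data\nxlog.log' -Tail 20
```

Run it from an elevated PowerShell prompt (Get-WinEvent needs rights on some channels, and Restart-Service needs administrator). If step 4 delivers a message but nothing from NXLog arrives, the problem is in nxlog.conf rather than in Graylog or the network, and step 5 usually names it.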

About the author

Patrick administrator