Sending Windows Event logs to Graylog2 is straightforward thanks to the many log shippers available (syslog-ng, rsyslog, NXLog, ...). In this tutorial we show how to install and configure NXLog to forward Windows Event logs to a Graylog2 server in GELF format over UDP.
If you have not installed Graylog2 yet, see the following topics:
- How To Install and Configure Graylog Server on Ubuntu 16.04 LTS
- How To Install and Configure Graylog Server on CentOS 7/ RHEL7
- How to Configure Nginx As Reverse Proxy for Graylog2
1./ Install and Configure NXLog
– On your Windows machine, install the NXLog Community Edition package from the official download page.
– Once the installation finishes, open the configuration file located at C:\Program Files (x86)\nxlog\conf\nxlog.conf. Keep the `define ROOT`, Moduledir, CacheDir, Pidfile, SpoolDir and LogFile lines that ship with the file (the service will not start without them), then replace the rest with the following. The Host value is a placeholder for the IP address of your Graylog server; 12201 is Graylog's default GELF UDP port.

```
## Keep these lines from the shipped nxlog.conf (paths of a default install)
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

######################################################
############## Extensions ############################
<Extension _gelf>
    Module      xm_gelf
</Extension>

########## INPUTS ###########
<Input in>
    Module      im_msvistalog
    # For Windows 2003 and earlier use the following instead:
    # Module    im_mseventlog
</Input>

########################################
################# OUTPUTS ##############
<Output out>
    Module      om_udp
    # Replace with the IP address of your Graylog server
    Host        192.0.2.10
    # Graylog's default GELF UDP port
    Port        12201
    OutputType  GELF
</Output>

########################################
################# ROUTES ###############
<Route r>
    Path        in => out
</Route>
```
The above configuration collects events from the Application, Security and System channels (the im_msvistalog defaults) and ships them as GELF over UDP. If you need something more specific, such as a Query filter on particular event IDs or channels, refer to the NXLog documentation at https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html
– Open the Services administration tool (services.msc) and start the NXLog service. If it fails to start, check %ROOT%\data\nxlog.log for the configuration error.
2./ Create a new Graylog Input
– For Graylog to receive the messages from the Windows host, a new input must be added to the Graylog server through the web interface.
-1/ Login to Graylog Web Interface using the below link (change according to the IP of the server you are using):
http://your_graylog_ip:9000
-2/ Click on System / Inputs, and choose Inputs
-3/ Choose GELF UDP and click Launch new input
– A new popup appears. Choose a relevant Title for your input, set the Bind address to the IP of the Graylog server (the address the Windows host can reach), leave the Port at its default of 12201 unless you changed it in nxlog.conf, and finally save. Make sure UDP 12201 is allowed through any firewall between the Windows host and the server. Note that GELF UDP is neither authenticated nor encrypted, so restrict which hosts can reach that port rather than binding it on a network open to untrusted machines.
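To check the whole path end to end (or to troubleshoot an input that stays silent), the following script builds a GELF 1.1 message the way the GELF UDP input expects it, gzip-compresses it, splits it into GELF chunks when it would not fit in one datagram, and sends it. This is an added example, not code from the original tutorial nor from NXLog or Graylog; GRAYLOG_HOST (192.0.2.10) is a placeholder for your server's IP, 12201 is Graylog's default GELF UDP port, and the event fields (EventID, Channel, SourceName) are constructed to resemble what im_msvistalog produces.

```python
import gzip
import json
import os
import socket
import struct
import time

# GELF over UDP as Graylog's "GELF UDP" input reads it: a JSON object, optionally
# gzip-compressed, optionally split into chunks framed as
#   b"\x1e\x0f" + 8-byte message id + sequence number + sequence count + data
# with at most 128 chunks per message.
GELF_MAGIC = b"\x1e\x0f"
CHUNK_HEADER_LEN = 12
MAX_CHUNKS = 128
DEFAULT_CHUNK_DATA = 1400        # 1400 data bytes + 12-byte header stays under a 1500-byte MTU
GRAYLOG_HOST = "192.0.2.10"      # assumption: placeholder, replace with your Graylog server IP
GRAYLOG_PORT = 12201             # Graylog's default GELF UDP port


def build_gelf(short_message, host, level=6, full_message=None, **extra):
    """Return a GELF 1.1 message dict; extra fields get the '_' prefix the spec requires."""
    msg = {
        "version": "1.1",
        "host": host,                          # the sending machine, not the Graylog server
        "short_message": short_message,
        "timestamp": round(time.time(), 3),    # seconds since epoch, fractional part allowed
        "level": level,                        # syslog severity, 6 = informational
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        name = key if key.startswith("_") else "_" + key
        if name == "_id":                      # "_id" is reserved by Graylog and rejected
            raise ValueError("additional field name 'id' is not allowed in GELF")
        msg[name] = value
    return msg


def encode_gelf(msg):
    """Serialize and gzip a GELF message; Graylog detects gzip by its magic bytes."""
    return gzip.compress(json.dumps(msg, separators=(",", ":")).encode("utf-8"))


def decode_gelf(payload):
    """Inverse of encode_gelf, used to check a message before sending it."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))


def chunk_gelf(payload, chunk_data=DEFAULT_CHUNK_DATA, message_id=None):
    """Split a payload into GELF chunks; returns [payload] unchanged if it fits one datagram."""
    if len(payload) <= chunk_data:
        return [payload]
    pieces = [payload[i:i + chunk_data] for i in range(0, len(payload), chunk_data)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError(f"message needs {len(pieces)} chunks; GELF allows at most {MAX_CHUNKS}")
    mid = message_id if message_id is not None else os.urandom(8)
    if len(mid) != 8:
        raise ValueError("GELF message id must be exactly 8 bytes")
    return [GELF_MAGIC + mid + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def reassemble_chunks(datagrams):
    """What the Graylog input does on receipt; used here to verify our chunk framing."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_MAGIC):
        return datagrams[0]
    parts = {}
    for d in datagrams:
        if d[:2] != GELF_MAGIC:
            raise ValueError("not a GELF chunk")
        mid, seq, total = d[2:10], d[10], d[11]
        parts.setdefault((mid, total), {})[seq] = d[CHUNK_HEADER_LEN:]
    (mid, total), pieces = parts.popitem()
    if parts or len(pieces) != total:
        raise ValueError("incomplete or mixed chunk set")
    return b"".join(pieces[i] for i in range(total))


def send_gelf(msg, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Send one GELF message over UDP; returns the number of datagrams sent."""
    datagrams = chunk_gelf(encode_gelf(msg))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for d in datagrams:
            sock.sendto(d, (host, port))
    return len(datagrams)


if __name__ == "__main__":
    # Constructed test event shaped like an im_msvistalog logon record (assumed field names).
    event = build_gelf("Test event from gelf-check script", host=socket.gethostname(),
                       EventID=4624, Channel="Security",
                       SourceName="Microsoft-Windows-Security-Auditing")
    print("datagrams sent:", send_gelf(event))
```

Run it on the Windows host and search Graylog for `_EventID:4624`; if nothing arrives, the Host, Port, bind address or firewall is wrong, since UDP gives the sender no error. Because the input accepts any datagram that parses, including a forged `host` field, the check also demonstrates why the port should only be reachable from your NXLog senders.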
We hope this tutorial was helpful. If you need more information, or have any questions, just comment below and we will be glad to assist you!
13 comments
This was a GREAT help. Thank you for boiling it all down into a one page example.
I think there may be a syntax error in the sample config. The second “” should probably be replaced with “”. I had to make that one change to get your sample to work.
Thank you for good example
Hi
In nxlog-ce-2.10.2102.msi there is a different system config file. Please let us know what the new code is that needs updating. If we update the old code, the nxlog service does not start.
Hi Ranjith,
You just need to modify the nxlog.conf as indicated.
Enable the extension module "xm_gelf", then create a new output and input. If you have any issue starting the service, check the nxlog file.
I did exactly what you did but I get the error: Loading field information failed with status: cannot GET http://ip:9000/api/system/fields (500)
Hi Michal,
We guess that you are having a problem with the configuration of Graylog, not with the NXLog configuration. Check your Graylog configuration file.
I only did the steps you wrote in the tutorial. Can I paste my server.conf here?
If you have TeamViewer we could help you; just send us the ID and password using the contact form.
This is my config file https://pastebin.com/yjH7JvST. Can you please tell me what is wrong with it?
Check this link to install and configure Graylog http://yallalabs.com/linux/how-to-install-and-configure-graylog-server-on-ubuntu-16-04-lts/
When you say "IP address of your Graylog machine", is it the server or the Windows PC you are trying to add to Graylog?
Hi,
We mean the IP address of your Graylog server.
Thank you very much