How to forward windows log using Nxlog to rsyslog server(linux)?

windows logging syslog nxlog

9,345

To send syslog from NXLog to a syslog server you'd need to use the xm_syslog extension module and invoke one of the formatters (to_syslog_bsd(), to_syslog_ietf(), to_syslog_snare()) depending on the desired format that your syslog server supports. For more details see the Syslog section in the User Guide.

While some USB events stored in the Windows Eventlog, there are other data sources for USB events:

Windows Event Tracing (ETW). NXLog EE has a module called im_etw that can collect ETW logs directly. See this post for the list of related ETW providers.
Windows registry. USB devices are enumerated under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB and by monitoring this registry hive it is possible to detect changes to the USB configuration. The im_regmon input module supports registry monitoring in the NXLog EE.

9,345

sherpaurgen

Updated on September 18, 2022

Comments

sherpaurgen almost 2 years

Im using nxlog version 3.0 on WinServ2012 R2 Standard, i can forward the event logs under Eventviewer --> windows logs --> application, system, security. But Im not able to forward other log that is on different log directory/levels for example(screenshot)

below is my nxlog configuration file nxlog.conf , im trying to grab the usb drive/pen drives insert/eject logs from Microsoft-Windows-DriverDriverFrameworks-UserMode/Operational event log. Logs are populated but im not able to receive them at the syslog server.

Panic Soft
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE '%LOGDIR%/nxlog.log'
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogLevel INFO

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
    Module      xm_exec
</Extension>
<Extension _fileop>
    Module      xm_fileop
    <Schedule>
        Every   1 hour
        Exec    if (file_exists(%LOGFILE%) and (file_size(%LOGFILE%) >= 5M)) file_cycle(%LOGFILE%, 8);
    </Schedule>
</Extension>
<Input eventlog>
    Module       im_msvistalog
    ReadFromLast TRUE
    <QueryXML>
       <QueryList>
         <Query Id='1'>
            <Select Path='Application'>*</Select>
            <Select Path='Security'>*</Select>
            <Select Path='System'>*</Select>
            <Sekect Path='Microsoft-Windows-DriverDriverFrameworks-UserMode/Operational'>*</Select>
         </Query>
       </QueryList>
   </QueryXML>
</Input>

<Input agentlogging>
    Module      im_internal
</Input>

<Output logcontents>
    Module       om_tcp
    Host         10.10.10.100
    Port         514
    Exec         to_syslog_snare();
</Output>

<Output agentlog>
    Module       om_tcp
    Host         10.10.10.100
    Port         514
    Exec         to_syslog_snare();
</Output>
<Route 1>
    Path        eventlog => logcontents
</Route>

<Route 2>
    Path        agentlogging => agentlog
</Route>

b0ti over 6 years

Regarding the syslog forwarding see the Syslog section in the User Guide. See this question on reddit about monitoring USB events with NXLog.