I use the graylog2 VM to collect my firewall syslog, and it works well. Now I want to collect some Windows logs with nxlog, but it does not work at all.
My guess is that the XML in my conf file is wrong, but I have been wrong before... Note: the VM and the Windows server I want to collect logs from are on the same network:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
Query <QueryList>\
<Query Id="0" Path="Security">\
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-Diagnostics-Networking/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-Diagnostics-Performance/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-DiskDiagnostic/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-UAC/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-User Profile Service/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="HardwareEvents">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
</Query>\
</QueryList>
</Input>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-OUNNPISDHIG$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName" />
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1dc</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
<Output out-12201>
Module om_udp
Host 192.168.0.4
Port 12201
OutputType GELF
</Output>
<Route r>
Path in => out-12201
</Route>
The problem is that my GELF UDP input is running, but nothing shows up in the sources... Do you see anything wrong?
Edit / after further investigation and help, I changed nxlog.conf to:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
Query <QueryList>\
<Query Id="0" Path="Security">\
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-Diagnostics-Networking/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-Diagnostics-Performance/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-DiskDiagnostic/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-UAC/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-User Profile Service/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="HardwareEvents">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
</Query>\
</QueryList>
</Input>
<Output out>
Module om_udp
Host 192.168.0.4
Port 12201
OutputType GELF
</Output>
<Route r>
Path in => out
</Route>
I'm still not seeing anything in graylog, apart from my supposedly running input.
Answer 0 (score: 0)
How did the <EventData> content end up in your nxlog.conf?
Once that is cleaned up, check nxlog.log if it still does not work.
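As an added example (not nxlog's own tooling and not the answerer's code), a small linter for the mistake pointed out above: it joins nxlog's backslash line continuations so the multi-line Query value is treated as one directive, flags XML blocks at the top level that are not nxlog blocks (such as the pasted <EventData> dump), and checks that the Route path names a defined Input and Output. The embedded sample config is constructed to mirror the question's first nxlog.conf; the block names in it are assumptions.

```python
import re

# Added example for this thread, not part of nxlog: flags XML pasted outside nxlog blocks and Route paths
# that name an Input or Output which is not defined.
NXLOG_BLOCKS = {"Extension", "Input", "Output", "Processor", "Route"}
def logical_lines(text):
    start, buf = 1, ""                                  # nxlog joins backslash-newline continuations
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.endswith("\\"):
            buf += raw[:-1]                             # e.g. the multi-line Query value
            continue
        yield start, buf + raw
        start, buf = n + 1, ""
def lint_nxlog_conf(text):
    """Return problem strings; an empty list means the config passed these checks."""
    problems, stack, routes, names = [], [], [], {"Input": set(), "Output": set()}
    for n, line in logical_lines(text):
        s = line.strip()
        if stack and stack[-1] not in NXLOG_BLOCKS and s != f"</{stack[-1]}>":
            continue                                    # inside foreign XML: skip until it closes
        if not s or s.startswith("#"):
            continue
        if m := re.match(r"^</(\w+)>$", s):             # closing tag must match the open block
            stack.pop() if stack[-1:] == [m.group(1)] else problems.append(f"line {n}: stray {s}")
        elif m := re.match(r"^<(\w+)(?:\s+([\w-]+))?>$", s):   # <Input in>, <Output out-12201>
            kind, name = m.group(1), m.group(2) or ""
            if not stack and kind not in NXLOG_BLOCKS:
                problems.append(f"line {n}: <{kind}> is not an nxlog block; stray XML pasted into the config?")
            names.get(kind, set()).add(name)            # remember Input/Output names for the Route check
            stack.append(kind)
        elif stack[-1:] == ["Route"] and s.startswith("Path"):
            routes.append((n, [p.strip() for p in s[4:].split("=>")]))
    for n, parts in routes:                             # first hop Input(s), last hop Output(s)
        for ends, kind in ((parts[0], "Input"), (parts[-1], "Output")):
            for ep in (e.strip() for e in ends.split(",")):
                if ep not in names[kind]:
                    problems.append(f"line {n}: Route references unknown {kind} '{ep}'")
    return problems
# Constructed config reproducing the question's mistake: an exported event pasted into nxlog.conf.
SAMPLE = """\
<Input in>
Query <QueryList><Query Id="0" Path="Security">\\
<Select Path="Security">*</Select></Query></QueryList>
</Input>
<EventData>
<Data Name="LogonType">5</Data>
</EventData>
<Output out>
</Output>
<Route r>
Path in => out
</Route>
"""
```

lint_nxlog_conf(SAMPLE) reports the <EventData> block at line 5 and nothing else; on a real file, run it over open("nxlog.conf").read() after each edit, then check nxlog.log as the answer suggests.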