Messages - AmberCoast

#1
Hi!

I've configured NetXMS to act as a central syslog server. Remote Ubuntu and CentOS machines are sending information and everything is displayed correctly.

Regarding Windows, I use the nxlog agent on a Windows Server 2016 machine.

Key configuration:

<Input in>
    # Read the Application, System and Security channels of the Windows Event Log
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>
</Input>

<Processor proc>
    Module  pm_transformer
    # integer() gives microseconds since the epoch; divide to get Unix seconds
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
    # Emit each event as an RFC 5424 syslog message (fields go into structured data)
    OutputFormat syslog_rfc5424
</Processor>

<Output udp>
    Module  om_udp
    Host    xx.xx.xx.xx
    Port    514
    # Keep each event on a single line: replace CRLF and tabs with spaces
    Exec    $raw_event = replace($raw_event, "\r\n", " ");
    Exec    $raw_event = replace($raw_event, "\t", " ");
</Output>

<Route in_to_udp>
    Path    in => proc => udp
</Route>

Example of syslog text message received:


1 2018-09-09T05:56:00.660046+00:00 EC2AMAZ-O9GPR2C - 752 - [NXLOG@14506 Keywords=""-9214364837600034816"" EventType=""AUDIT_SUCCESS"" EventID=""4776"" ProviderGuid=""{54849625-5478-4994-A5BA-3E3B0328C30D}"" Version=""0"" Task=""14336"" OpcodeValue=""0"" RecordNumber=""565505"" ActivityID=""{6F6FC6C1-1842-0000-06B6-D6784218D401}"" ThreadID=""8936"" Channel=""Security"" Category=""Credential Validation"" Opcode=""Info"" PackageName=""MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"" TargetUserName=""Administrator"" Workstation=""EC2AMAZ-O9GPR2C"" Status=""0x0"" EventReceivedTime=""1536472562"" SourceModuleName=""in"" SourceModuleType=""im_msvistalog""] The computer attempted to validate the credentials for an account.    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon Account: Administrator  Source Workstation: EC2AMAZ-O9GPR2C  Error Code: 0x0"


The tag for such a message is shown as "1". Is there a way to configure the tag so that it is taken from some other received field?

Maybe there is a good template available for how to better configure nxlog/WEF to work with NetXMS? Should I use another output format there?

Thank you in advance.
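As an added example, not part of the original post or of NetXMS or nxlog, the following Python parser takes an RFC 5424 line of the shape that `OutputFormat syslog_rfc5424` produces, splits the header into its fields (VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID), decodes the `NXLOG@14506` structured-data block into a dictionary, and then applies one defender-side check to the Windows event it carries. It also shows why a receiver that expects the older BSD-style `TAG: message` layout reports "1" as the tag: the first token of an RFC 5424 line is the version number, not an application name. The sample line is constructed after the message quoted above (parameters trimmed, standard single double-quotes); the `SAMPLE_LINE`, `SyslogMessage` and `credential_validation_alert` names are this example's own.

```python
"""Parse RFC 5424 syslog lines as emitted by nxlog's syslog_rfc5424 output and
extract the Windows event fields carried in the NXLOG@14506 structured-data block.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed sample modelled on the line quoted in the post (not the original
# line): the NXLOG@14506 parameters are trimmed to the ones used below.
SAMPLE_LINE = (
    '1 2018-09-09T05:56:00.660046+00:00 EC2AMAZ-O9GPR2C - 752 - '
    '[NXLOG@14506 EventType="AUDIT_SUCCESS" EventID="4776" Channel="Security" '
    'Category="Credential Validation" TargetUserName="Administrator" '
    'Workstation="EC2AMAZ-O9GPR2C" Status="0x0" SourceModuleName="in"] '
    'The computer attempted to validate the credentials for an account.'
)

# RFC 5424 header: <PRI> is optional here because the line quoted in the post
# was pasted without it; a real UDP datagram starts with "<PRI>".
HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?P<version>\d)\s+'
    r'(?P<timestamp>\S+)\s+'
    r'(?P<hostname>\S+)\s+'
    r'(?P<appname>\S+)\s+'
    r'(?P<procid>\S+)\s+'
    r'(?P<msgid>\S+)'
    r'(?:\s+(?P<rest>.*))?$',
    re.DOTALL,
)
SD_ID_RE = re.compile(r'\[(?P<id>[^\s=\]"]+)')
SD_PARAM_RE = re.compile(r'\s+(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


class SyslogMessage(NamedTuple):
    priority: Optional[int]
    version: str
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]
    msg: str


def _unescape(value: str) -> str:
    # RFC 5424 section 6.3.3: '"', '\' and ']' are backslash-escaped in PARAM-VALUE
    return re.sub(r'\\(["\\\]])', r'\1', value)


def _parse_structured_data(rest: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Split STRUCTURED-DATA ("-" or one or more [SD-ID param="value" ...]) from MSG."""
    sd: Dict[str, Dict[str, str]] = {}
    if rest.startswith('-'):
        return sd, rest[1:].lstrip()
    pos = 0
    while pos < len(rest) and rest[pos] == '[':
        m = SD_ID_RE.match(rest, pos)
        if not m:
            raise ValueError(f'malformed SD-ELEMENT at offset {pos}')
        params: Dict[str, str] = {}
        pos = m.end()
        while True:
            pm = SD_PARAM_RE.match(rest, pos)
            if not pm:
                break
            params[pm.group('name')] = _unescape(pm.group('value'))
            pos = pm.end()
        if pos >= len(rest) or rest[pos] != ']':
            raise ValueError(f'unterminated SD-ELEMENT {m.group("id")!r}')
        pos += 1
        sd[m.group('id')] = params
    return sd, rest[pos:].lstrip()


def parse_rfc5424(line: str) -> SyslogMessage:
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('line does not start with an RFC 5424 header')
    sd, msg = _parse_structured_data(m.group('rest') or '-')
    pri = m.group('pri')
    return SyslogMessage(int(pri) if pri is not None else None, m.group('version'),
                         m.group('timestamp'), m.group('hostname'), m.group('appname'),
                         m.group('procid'), m.group('msgid'), sd, msg)


def bsd_style_tag(line: str) -> str:
    """What a receiver expecting BSD-style 'TAG[pid]: msg' takes as the tag: the
    first token after <PRI>, which on an RFC 5424 line is the VERSION field."""
    body = re.sub(r'^<\d{1,3}>', '', line)
    return body.split(None, 1)[0].split('[', 1)[0].rstrip(':')


def credential_validation_alert(message: SyslogMessage) -> Optional[Dict[str, object]]:
    """Finding for Windows Security event 4776 (credential validation) whose
    Status is non-zero, i.e. the validation failed; None for anything else."""
    fields = message.structured_data.get('NXLOG@14506', {})
    if fields.get('Channel') != 'Security' or fields.get('EventID') != '4776':
        return None
    status = fields.get('Status', '0x0')
    if status == '0x0':
        return None
    return {'event_id': 4776, 'host': message.hostname, 'status': status,
            'account': fields.get('TargetUserName'), 'workstation': fields.get('Workstation')}


if __name__ == '__main__':
    parsed = parse_rfc5424(SAMPLE_LINE)
    print('BSD-style receiver would see tag:', bsd_style_tag(SAMPLE_LINE))
    print('RFC 5424 header:', parsed[:7])
    print('Windows fields:', parsed.structured_data['NXLOG@14506'])
    print('alert:', credential_validation_alert(parsed))
```

The parser tolerates a missing `<PRI>` only because the quoted line lacks one; on the wire the priority is mandatory, and a receiver can use it (facility and severity) rather than the version digit when it needs something tag-like. The `Status` check is deliberately narrow: it flags only event 4776 with a non-zero status, which is the field that distinguishes a failed credential validation from the successful one shown in the post.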