Steps to Configure NXLOG on Windows Server 2003
1. Download NXLOG:
Go to URL: http://nxlog.org/products/nxlog-community-edition/download
Download the latest version: nxlog-ce-x.x.xxxx.msi for 64-bit architecture
Go to the URL
https://github.com/igorgatis/NxlogAzureForwarder/blob/master/nsis/nxlog-ce-2.9.1347.msi
Download nxlog-ce-2.9.1347.msi for 32-bit architectures
2. Install NXLOG:
Double-click nxlog-ce-2.9.1347.msi, then click [Install] to start the installation.
3. Edit the NXLOG configuration file "C:\Program Files (x86)\nxlog\conf\nxlog.conf" or "C:\Program Files\nxlog\conf\nxlog.conf":
## This is a sample configuration file. See the nxlog reference manual
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set ROOT to the folder where nxlog was installed,
## otherwise it will not start.
### Uncomment the ROOT line that matches the path where NXLOG is installed
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input in_eventlog>
# For windows 2003 and earlier use the following:
Module im_mseventlog
ReadFromLast TRUE
SavePos TRUE
# Forward only security-relevant events: Kerberos authentication (672-675),
# logon/logoff (528-551), object access (560), audit policy change (612) and
# account management (624-647) events get facility 13, as do Service Control
# Manager events; MSSQL events get facility 18; everything else is dropped.
Exec parse_syslog_bsd(); \
if ($EventID == 672 or $EventID == 673 or $EventID == 675 or \
    $EventID == 528 or $EventID == 529 or $EventID == 538 or $EventID == 540 or $EventID == 551 or \
    $EventID == 560 or $EventID == 612 or \
    $EventID == 624 or $EventID == 626 or $EventID == 627 or $EventID == 628 or $EventID == 629 or \
    $EventID == 630 or $EventID == 631 or $EventID == 632 or $EventID == 633 or $EventID == 634 or \
    $EventID == 635 or $EventID == 636 or $EventID == 637 or $EventID == 638 or \
    $EventID == 641 or $EventID == 642 or $EventID == 644 or $EventID == 645 or $EventID == 646 or \
    $EventID == 647) { $SyslogFacilityValue = 13; } \
else if ($SourceName == "Service Control Manager") { $SyslogFacilityValue = 13; } \
else if ($SourceName =~ /^MSSQL/) { $SyslogFacilityValue = 18; } \
else { drop(); }
</Input>
<Output out_eventlog>
Module om_tcp
# Set Host to the IP or FQDN of the probe or master
Host 192.168.2.1
Port 514
Exec $Message = string($EventID) + ": " + $Message;
Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
Exec to_syslog_bsd();
</Output>
<Route eventlog>
Path in_eventlog => out_eventlog
</Route>
This configuration outputs only selected event logs, such as logon auditing, object access and account management, and drops most of the noise to reduce the load NXLOG puts on the Windows server. When the Windows server's event log rate is higher than 700 events/sec, use the following nxlog configuration instead.
## This is a sample configuration file. See the nxlog reference manual
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set ROOT to the folder where nxlog was installed,
## otherwise it will not start.
### Uncomment the ROOT line that matches the path where NXLOG is installed
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input in_eventlog>
# For windows 2003 and earlier use the following:
Module im_mseventlog
</Input>
<Output out_eventlog>
Module om_tcp
# Set Host to the IP or FQDN of the probe or master
Host 192.168.2.64
Port 514
Exec $Message = string($EventID) + ": " + $Message;
Exec if ( $SourceName =~ /^MSSQL/ ) { $SyslogFacilityValue = 18; } \
else { $SyslogFacilityValue = 13; }
Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
Exec to_syslog_bsd();
</Output>
<Route eventlog>
Path in_eventlog => out_eventlog
</Route>
This configuration forwards all event logs. It requires more capable Windows Server hardware to run NXLOG.
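Before rolling either configuration out, it helps to see which events survive the filter and what syslog PRI value the probe will receive. The following Python model is an added example, not part of this article or of NXLOG; it re-implements the Exec logic of the two configurations above over constructed sample events and assumes that EventTypes the config does not list get severity 5.

```python
"""Python model of the Exec filtering and syslog PRI mapping in the nxlog.conf files above."""
import re
# Event IDs the first (filtered) configuration forwards with facility 13
AUDIT_EVENT_IDS = {
    672, 673, 675, 528, 529, 538, 540, 551, 560, 612,
    624, 626, 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638,
    641, 642, 644, 645, 646, 647,
}
# $EventType -> $SyslogSeverityValue, as in the Output blocks above
SEVERITY = {"ERROR": 3, "AUDIT_FAILURE": 3, "WARNING": 4, "INFO": 5, "AUDIT_SUCCESS": 5}
MSSQL_SOURCE = re.compile(r"^MSSQL")  # the intent of the config's /^MSSQL*/

def facility_for(event, filtered):
    """Return the syslog facility the config assigns, or None if the event is dropped."""
    if filtered:  # first configuration: same order of tests as its Exec block
        if event["EventID"] in AUDIT_EVENT_IDS:
            return 13
        if event["SourceName"] == "Service Control Manager":
            return 13
        if MSSQL_SOURCE.match(event["SourceName"]):
            return 18
        return None
    # second and third configuration: nothing is dropped
    return 18 if MSSQL_SOURCE.match(event["SourceName"]) else 13

def to_syslog_bsd(event, filtered=True):
    """Build the BSD syslog line as to_syslog_bsd() would, or None if dropped."""
    facility = facility_for(event, filtered)
    if facility is None:
        return None
    # Assumption: EventTypes the config does not list get severity 5 (notice)
    severity = SEVERITY.get(event["EventType"], 5)
    pri = facility * 8 + severity
    message = f"{event['EventID']}: {event['Message']}"  # the $Message prefix
    return f"<{pri}>{event['Time']} {event['Host']} {event['SourceName']}: {message}"

def parse_pri(line):
    """Split the PRI of a received line back into (facility, severity)."""
    pri = int(re.match(r"<(\d{1,3})>", line).group(1))
    return pri // 8, pri % 8
# Constructed sample events (not real log data)
SAMPLES = [
    {"EventID": 529, "SourceName": "Security", "EventType": "AUDIT_FAILURE",
     "Message": "Logon Failure", "Time": "Mar 10 12:00:01", "Host": "SRV2003"},
    {"EventID": 17137, "SourceName": "MSSQL$SQLEXPRESS", "EventType": "INFO",
     "Message": "Starting up database", "Time": "Mar 10 12:00:02", "Host": "SRV2003"},
    {"EventID": 1000, "SourceName": "Application Error", "EventType": "ERROR",
     "Message": "Faulting application", "Time": "Mar 10 12:00:03", "Host": "SRV2003"},
]
```

Run `to_syslog_bsd(ev)` over SAMPLES to see the lines the probe would receive; the third sample is dropped by the filtered configuration but forwarded with PRI 107 by the unfiltered one.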
4. Start NXLOG:
Use either step a (start NXLOG from the [Command Prompt]) or step b (start NXLOG from [Services]).
a. Click [Start], [All Programs], [Accessories], then right-click [Command Prompt] and click [Run as administrator] so that the prompt runs as system administrator.
Enter at the command prompt:
net stop nxlog
net start nxlog
b. Click [Start], [All Programs], [Administrative Tools], [Services], then right-click [nxlog] and click [Start] or [Restart].
Check if NXLOG is running normally:
Check the NXLOG log file "C:\Program Files (x86)\nxlog\data\nxlog.log" or "C:\Program Files\nxlog\data\nxlog.log". If it contains no ERROR lines, NXLOG is working normally.
For the English version of Windows Server 2003, choose the [UTF8] encoding.
Note: Since NXLOG does not convert the event log text to UTF-8 (as the Eventlog to Syslog utility does), pay attention to the system language when choosing the encoding, to avoid mis-decoded messages.
Configuring nxlog.conf to send encrypted data
## This is a sample configuration file. See the nxlog reference manual
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set ROOT to the folder where nxlog was installed,
## otherwise it will not start.
### Uncomment the ROOT line that matches the path where NXLOG is installed
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
### Folder holding the CA certificate used by om_ssl below (assumed to be %ROOT%\cert)
define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input in_eventlog>
# For windows 2003 and earlier use the following:
Module im_mseventlog
</Input>
<Output out_eventlog>
Module om_ssl
# Set Host to the IP or FQDN of the probe or master
Host example.com
Port 514
# CA certificate used to verify the probe's server certificate
CAFile %CERTDIR%/ca.pem
Exec $Message = string($EventID) + ": " + $Message;
Exec if ( $SourceName =~ /^MSSQL/ ) { $SyslogFacilityValue = 18; } \
else { $SyslogFacilityValue = 13; }
Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
Exec to_syslog_bsd();
</Output>
<Route eventlog>
Path in_eventlog => out_eventlog
</Route>