Using NxLog to send Windows Event Logs to Logstash

configure logstash

input {
  tcp {
    # nxlog's om_tcp sends one JSON document per line, so json_lines
    # parses each line straight into event fields
    codec => json_lines { charset => "UTF-8" }
    # codec => json_lines { charset => CP1252 }
    port => 5000
    tags => [ "tcpjson" ]
    type => "nxlog"
  }
}
filter {
  if [type] == "nxlog" {
    # json_lines has already parsed the line into fields, so there is no
    # "message" field at this point and this filter does nothing; it only
    # does work if the input codec is switched to plain "line"
    json {
      source => "message"
    }
    if [SourceModuleName] == "eventlog" {
      # nxlog puts the event text in "Message"; move it into the lowercase
      # "message" field Logstash and Kibana expect, then drop the duplicate
      mutate {
        replace => [ "message", "%{Message}" ]
      }
      mutate {
        remove_field => [ "Message" ]
      }
    }
    # EventTime carries no zone offset, so tell the date filter which zone the
    # Windows host is in, otherwise @timestamp is off by exactly that offset
    date {
      locale => "en"
      # timezone => "Etc/GMT"
      timezone => "Asia/Shanghai"
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["YOUR_ELASTICSEARCH_SERVER"]
  }
}

install nxlog-ce

download here

modify nxlog.conf

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module      xm_json
</Extension>

<Input eventlog>
    Module      im_msvistalog
    # SavePos defaults to TRUE, so the read position survives a service restart
    # SavePos TRUE
    # The Security channel needs read access; the nxlog service runs as
    # LocalSystem by default, which has it. Security with "*" is very chatty
    # on a busy host, so narrow the Select (e.g. by EventID) once it works.
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    # serialise every field of the record into one JSON line for om_tcp
    Exec        to_json();
</Input>

<Output out>
    # om_tcp is clear text: keep port 5000 reachable only from the Windows
    # hosts, or use om_ssl with ssl_enable => true on the Logstash tcp input
    Module      om_tcp
    Host        YOUR_LOGSTASH_SERVER
    Port        5000
</Output>

<Route 1>
    Path        eventlog => out
</Route>

verify configuration file syntax and start service

"C:\Program Files (x86)\nxlog\nxlog.exe" -v && net start nxlog

Run this from an elevated cmd.exe (net start needs admin rights, and Windows PowerShell 5.1 does not understand &&). The -v switch only checks the configuration and exits, so the service is started only when the file is valid; anything that goes wrong after startup is written to %ROOT%\data\nxlog.log.

make some noise on your windows node

Generate a few events on the Windows host, for example a failed logon attempt (Security, event ID 4625) or a net stop / net start of any service (System). The records should show up in elasticsearch within a few seconds, each with type nxlog and the tcpjson tag. If nothing arrives, check %ROOT%\data\nxlog.log on the host first (a connection error there usually means port 5000 is blocked by a firewall), then the logstash log.
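If events are not showing up, it helps to take Logstash and Elasticsearch out of the picture. The script below is an added example (not code from the original post, nor from the nxlog or Logstash projects): a stand-in receiver you can point om_tcp at, which reads the stream line by line like the json_lines codec and applies the filter block's steps (message/Message swap, EventTime in Asia/Shanghai converted to a UTC @timestamp, the same failure tags) in plain Python, so you can see exactly what nxlog is sending and what the filter will make of it. Port 5000, the EventTime format and the timezone are taken from the configs above; listening on 0.0.0.0 is an assumption; the sample record is constructed (field names follow im_msvistalog's output, the values are made up).

```python
# Added example, not part of the original post or of nxlog/Logstash.
# Stand-in for the Logstash pipeline: listens on the same TCP port, splits the
# stream into lines like the json_lines codec and applies the filter block's
# steps in plain Python. Port, EventTime format and zone come from the configs
# in the post; the sample lines below are constructed, not captured.
import json
import socket
from datetime import datetime, timedelta, timezone

LISTEN_PORT = 5000                        # port => 5000 on the Logstash input
EVENTTIME_FORMAT = "%Y-%m-%d %H:%M:%S"    # "YYYY-MM-dd HH:mm:ss" in the date filter
try:
    from zoneinfo import ZoneInfo         # Python 3.9+, needs a tz database
    SOURCE_TZ = ZoneInfo("Asia/Shanghai")  # timezone => "Asia/Shanghai"
except Exception:
    # fallback when no tz database is installed: Asia/Shanghai is UTC+8, no DST
    SOURCE_TZ = timezone(timedelta(hours=8))


def normalize(line, source_tz=SOURCE_TZ):
    """Apply the post's filter block to one line received from nxlog.

    Returns the event as a dict; "tags" carries the same failure markers
    Logstash would add (_jsonparsefailure, _dateparsefailure).
    """
    tags = ["tcpjson"]                    # tags => [ "tcpjson" ] on the input
    try:
        event = json.loads(line)
        if not isinstance(event, dict):
            raise ValueError("not a JSON object")
    except ValueError:
        # like json_lines on bad input: raw line kept in "message", failure tagged
        return {"message": line, "type": "nxlog", "tags": tags + ["_jsonparsefailure"]}
    event["type"] = "nxlog"
    if event.get("SourceModuleName") == "eventlog":
        # mutate replace + remove_field. Logstash quirk mirrored on purpose:
        # if "Message" is absent, %{Message} stays as that literal string.
        event["message"] = event.pop("Message", "%{Message}")
    # date filter: EventTime has no offset, so attach the host's zone, then
    # store @timestamp in UTC, which is how Elasticsearch will hold it
    try:
        naive = datetime.strptime(event.get("EventTime", ""), EVENTTIME_FORMAT)
        stamp = naive.replace(tzinfo=source_tz).astimezone(timezone.utc)
    except (TypeError, ValueError):
        stamp = datetime.now(timezone.utc)   # Logstash falls back to receive time
        tags.append("_dateparsefailure")
    event["@timestamp"] = stamp.isoformat()
    event["tags"] = tags
    return event


# Constructed sample input (not captured from a real host): a Security
# failed-logon record as to_json() would shape it, plus one broken line.
SAMPLE_LINES = [
    '{"EventTime":"2014-06-10 09:23:11","Hostname":"WIN-TEST","EventID":4625,'
    '"Channel":"Security","SourceModuleName":"eventlog",'
    '"Message":"An account failed to log on."}',
    'this is not json',
]


def serve(host="0.0.0.0", port=LISTEN_PORT):
    """Accept nxlog's om_tcp connection and print each normalized event."""
    with socket.create_server((host, port)) as srv:
        print(f"listening on {host}:{port}; point om_tcp Host/Port at this machine")
        while True:
            conn, peer = srv.accept()
            print(f"connection from {peer[0]}")
            with conn, conn.makefile("r", encoding="utf-8", errors="replace") as lines:
                for raw in lines:
                    raw = raw.rstrip("\r\n")
                    if raw:
                        print(json.dumps(normalize(raw), ensure_ascii=False))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:           # dry run on the constructed lines first
        print(json.dumps(normalize(sample), ensure_ascii=False))
    serve()
```

Run it on the Logstash host with Logstash stopped (or on any box, after pointing om_tcp's Host at it) and restart nxlog: the first line printed per connection tells you the transport works, and the "@timestamp" it prints tells you whether the timezone in the date filter matches the Windows host's clock. The same function also shows the two silent failure modes of the original filter: a record without a Message field ends up with the literal text %{Message}, and an EventTime in an unexpected format gets _dateparsefailure and the receive time instead of the event time.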

docs

nxlog-reference-manual
using-nxlog-with-elasticsearch-and-kibana
audit-logging-on-windows-with-sysmon-and-nxlog
logstash-event-dependent-configuration
sending-windows-event-logs-to-logsene-using-nxlog-and-logstash