monitoring

Using NxLog to send Windows Event Logs to Logstash

Using NxLog to send Windows Event Logs to Logstash

configure logstash

input {
  tcp {
    codec => json_lines { charset => "UTF-8" }
    # codec => json_lines { charset => CP1252 }
    port => 5000
    tags => [ "tcpjson" ]
    type => "nxlog"
  }
}
filter {
  if [type] == "nxlog" {
    json {
      source => "message"
    }
    if [SourceModuleName] == "eventlog" {
      mutate {
        replace => [ "message", "%{Message}" ]
      }
      mutate {
        remove_field => [ "Message" ]
      }
    }
    date {
      locale => "en"
      # timezone => "Etc/GMT"
      timezone => "Asia/Shanghai"
      match => [ "EventTime", "YYYY-MM-dd HH:mm:ss" ]
    }
    
  }
}
output {
  elasticsearch {
    hosts => ["YOUR_ELASTICSEARCH_SERVER"]
  }
}

install nxlog-ce

download here

modify nxlog.conf

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
    Module	xm_json
</Extension>
<Input eventlog>
    Module      im_msvistalog
#    SavePos	TRUE
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    Exec	to_json();
</Input>
<Output out>
    Module      om_tcp
    Host        YOUR_LOGSTASH_SERVER
    Port        5000
</Output>
<Route 1>
    Path        eventlog => out
</Route>

verify configuration file syntax and start service

"C:\Program Files (x86)\nxlog\nxlog.exe" -v && net start nxlog

make some noise on your windows node

then you will see it in elasticsearch

docs

nxlog-reference-manual
using-nxlog-with-elasticsearch-and-kibana
audit-logging-on-windows-with-sysmon-and-nxlog
logstash-event-dependent-configuration
sending-windows-event-logs-to-logsene-using-nxlog-and-logstash