【Question title】: nxlog data (gelf) to graylog2 server
【Posted】: 2015-06-30 11:41:27
【Question】:

I'm using the graylog2 VM to collect my firewall syslog and it works fine. Now I want to collect some Windows logs with nxlog, but that does not work at all.

My guess is that the XML in my conf file is wrong, but I've been wrong before.. Note: the VM I'm getting the logs from and the Windows server are on the same network:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog

Query <QueryList>\
  <Query Id="0" Path="Security">\
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-Diagnostics-Networking/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-Diagnostics-Performance/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-DiskDiagnostic/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-UAC/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-User Profile Service/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="HardwareEvents">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
  </Query>\
</QueryList>

</Input>


<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">WIN-OUNNPISDHIG$</Data> 
  <Data Name="SubjectDomainName">WORKGROUP</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="TargetUserSid">S-1-5-18</Data> 
  <Data Name="TargetUserName">SYSTEM</Data> 
  <Data Name="TargetDomainName">NT AUTHORITY</Data> 
  <Data Name="TargetLogonId">0x3e7</Data> 
  <Data Name="LogonType">5</Data> 
  <Data Name="LogonProcessName">Advapi</Data> 
  <Data Name="AuthenticationPackageName">Negotiate</Data> 
  <Data Name="WorkstationName" /> 
  <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> 
  <Data Name="TransmittedServices">-</Data> 
  <Data Name="LmPackageName">-</Data> 
  <Data Name="KeyLength">0</Data> 
  <Data Name="ProcessId">0x1dc</Data> 
  <Data Name="ProcessName">C:\Windows\System32\services.exe</Data> 
  <Data Name="IpAddress">-</Data> 
  <Data Name="IpPort">-</Data> 
</EventData>

<Output out-12201>
    Module      om_udp
    Host        192.168.0.4
    Port        12201
    OutputType  GELF
</Output>


<Route r>
    Path        in => out-12201
</Route>

The problem is that my GELF UDP input is running, but nothing shows up under sources... Do you see anything wrong?

EDIT / after further investigation and help. I changed nxlog.conf to:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
Module      im_msvistalog
# For windows 2003 and earlier use the following:
# Module      im_mseventlog

Query <QueryList>\
  <Query Id="0" Path="Security">\
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-Diagnostics-Networking/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-Diagnostics-Performance/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-DiskDiagnostic/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-UAC/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-User Profile Service/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
    <Select Path="HardwareEvents">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
  </Query>\
</QueryList>

</Input>


<Output out>
    Module      om_udp
    Host        192.168.0.4
    Port        12201
    OutputType  GELF
</Output>


<Route r>
    Path        in => out
</Route>

Apart from my so-called running input, I still don't see anything in graylog.

【Discussion】:

    Tags: windows graylog2 nxlog


    【Solution 1】:

    How did the contents of <EventData> end up in your nxlog.conf? After cleaning that up, you should check nxlog.log for potential errors if it still doesn't work.

    【Comments】:

    • Yes, I put it there, probably from misreading or misunderstanding a tutorial. This is what I found in nxlog.log: 2015-07-01 10:11:48 ERROR om_udp apr_socket_send failed which is odd, I'm sure the port is open on my firewall and on the VM.
    • New error in nxlog.log is.... "route not defined". It appears on the nxlog installed on the server, not on the nxlog installed on the client.
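Two checks that follow from the answer and the comments, as an added example that is not from this thread, from nxlog or from Graylog: scanning nxlog.log for ERROR and WARNING lines so the failure is visible instead of silent (the sample lines are constructed around the two errors quoted above, and the hint table is an editor's assumption about what to re-check), and building a minimal GELF 1.1 datagram that can be sent straight to the Graylog UDP input on 192.168.0.4:12201, which separates a blocked network path from an nxlog misconfiguration.

```python
import json
import re
import socket
import time

# Constructed sample of nxlog.log lines (layout: "date time LEVEL message");
# the two ERROR lines are the ones quoted in the comments above.
SAMPLE_NXLOG_LOG = """\
2015-07-01 10:11:40 INFO nxlog started
2015-07-01 10:11:48 ERROR om_udp apr_socket_send failed
2015-07-01 10:12:02 WARNING not starting unused module in
2015-07-01 10:12:03 ERROR route not defined
"""

LEVELS = {"DEBUG": 0, "INFO": 1, "WARNING": 2, "ERROR": 3, "CRITICAL": 4}
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")

# Messages seen in this thread mapped to the config to re-check
# (editor's assumption, not nxlog documentation).
HINTS = {
    "apr_socket_send failed": "UDP send failed: re-check Host/Port in <Output> and any firewall on the sending host",
    "route not defined": "no <Route> block links the Input to the Output in this nxlog.conf",
}


def nxlog_errors(log_text, min_level="WARNING"):
    """Return (timestamp, level, message) for every line at or above min_level."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and LEVELS.get(m.group(2), -1) >= LEVELS[min_level]:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def explain(message):
    """Attach a hint to a known nxlog.log message, or None if unrecognised."""
    for key, hint in HINTS.items():
        if key in message:
            return hint
    return None


def build_gelf_message(short_message, host, level=6, extra=None):
    """Encode a GELF 1.1 message as one uncompressed JSON datagram.

    version, host and short_message are mandatory; additional fields must be
    prefixed with '_' and '_id' is reserved by Graylog."""
    payload = {"version": "1.1", "host": host, "short_message": short_message,
               "timestamp": time.time(), "level": level}
    for key, value in (extra or {}).items():
        if key == "id":
            raise ValueError("'id' is reserved in GELF; pick another field name")
        payload["_" + key] = value
    datagram = json.dumps(payload).encode("utf-8")
    if len(datagram) > 8192:
        raise ValueError("message exceeds one UDP datagram; GELF chunking is not implemented here")
    return datagram


def send_gelf_udp(datagram, host, port=12201):
    """Fire one datagram at the Graylog GELF UDP input; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    import sys
    for ts, level, msg in nxlog_errors(SAMPLE_NXLOG_LOG):
        print(ts, level, msg, "->", explain(msg) or "no hint")
    if len(sys.argv) > 1:  # e.g. python gelf_check.py 192.168.0.4
        datagram = build_gelf_message("nxlog pipeline test", socket.gethostname(),
                                      extra={"source": "manual"})
        sent = send_gelf_udp(datagram, sys.argv[1])
        print(f"sent {sent} bytes; search Graylog for short_message 'nxlog pipeline test'")
```

If the hand-built datagram shows up in Graylog but nxlog's output never does, the network path is fine and the problem is on the nxlog side (route wiring, the `om_udp` error in nxlog.log); if the hand-built datagram is also missing, look at the firewall between the Windows host and the VM before touching nxlog.conf again.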