
nxlog.conf for Windows Server 2003

SherlockSherlock

Hello all,

I am having issues getting NXlog to work with Windows Server 2003. The root of the issue seems to be the nxlog.conf file supplied by Alienvault in the knowledgebase. That conf file wants to use im_msvistalog, but that only works from Windows Vista on. I have figured out I need to use im_mseventlog for Windows Vista and earlier but can't seem to get it to work (simply replacing the function is no good). My question is: does anyone have an NXlog conf for Windows Server 2003?

On a separate note, I have found this conf file (below) that fires up without errors on WIN2k3, but I am still testing it. Any help you can give me would be greatly appreciated.

Thanks

JT



#
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#
# Adapted for Windows Server 2003 (and earlier): the pre-Vista Event Log
# API is read with im_mseventlog, which takes a Sources list instead of
# the XML QueryList that im_msvistalog uses.
#

define ROOT C:\Program Files\nxlog
define OUTPUT_DESTINATION_ADDRESS 10.3.50.19
define OUTPUT_DESTINATION_PORT 514

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
  Module    xm_syslog
</Extension>

# xm_json provides to_json(), used below to put every event field
# into the syslog message body.
<Extension json>
  Module    xm_json
</Extension>

<Input in_eventlog>
  # For Windows 2003 and earlier use im_mseventlog. It does not understand
  # the Query/QueryList directive of im_msvistalog; the logs to read are
  # given as a comma-separated Sources list instead.
  Module      im_mseventlog
  Sources     Application, System, Security
  # Drop the noisy Windows Filtering Platform events (permitted connection
  # and permitted bind). These IDs only exist from Vista on, so the rule is
  # harmless here but keeps parity with the im_msvistalog configuration.
  Exec        if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

<Output out_eventlog>
  Module      om_udp
  Host        %OUTPUT_DESTINATION_ADDRESS%
  Port        %OUTPUT_DESTINATION_PORT%
  # integer() on a datetime yields microseconds since the epoch;
  # dividing by 1000000 leaves whole seconds.
  Exec        $EventTime = integer($EventTime) / 1000000;
  # to_syslog_bsd() is a procedure with no return value, so it cannot be
  # assigned to $Message. Serialise the fields to JSON first, then let
  # to_syslog_bsd() build $raw_event from the syslog header plus $Message.
  Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route eventlog>
  Path        in_eventlog => out_eventlog
</Route>
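An added example for testing the output side of a configuration like the one above, not code from the post, from NXLog or from AlienVault: a small UDP listener and parser for BSD-syslog frames whose body is nxlog's to_json() output, so you can point OUTPUT_DESTINATION_ADDRESS at a test host and see exactly what arrives before sending it to USM Anywhere. It assumes the output block serialises the fields with to_json() inside to_syslog_bsd() and that $EventTime has been rewritten to whole seconds since the epoch; the sample line, host name and event are constructed for the example.

```python
"""Check the syslog/JSON lines that an nxlog om_udp output sends.

Added example; assumes a BSD syslog frame (to_syslog_bsd) whose message
body is the to_json() serialisation of the event fields, with $EventTime
already converted to epoch seconds.
"""
import json
import re
import socket
from datetime import datetime, timezone

# BSD syslog frame as emitted by to_syslog_bsd(): <PRI>Mon dd hh:mm:ss host body
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)

# Event IDs an in_eventlog block discards with drop(); anything with these
# IDs arriving here means the Exec rule is not being applied.
DROPPED_EVENT_IDS = {5156, 5158}


def parse_event(line):
    """Parse one BSD syslog line whose body is nxlog's to_json() output.

    Returns facility, severity, hostname and the decoded event fields.
    Raises ValueError when the frame or the JSON body is malformed.
    """
    m = BSD_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a BSD syslog frame: %r" % line[:80])
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    try:
        fields = json.loads(m.group("msg"))
    except json.JSONDecodeError as exc:
        raise ValueError("syslog body is not JSON: %s" % exc)
    if not isinstance(fields, dict):
        raise ValueError("JSON body is not an object")
    # integer($EventTime) / 1000000 in nxlog leaves epoch seconds.
    event_time = fields.get("EventTime")
    if isinstance(event_time, int):
        fields["EventTimeUTC"] = datetime.fromtimestamp(
            event_time, tz=timezone.utc
        ).isoformat()
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "hostname": m.group("host"),
        "fields": fields,
    }


def check_event(line):
    """Parse a line and flag events the configuration should have dropped."""
    event = parse_event(line)
    event["leaked"] = event["fields"].get("EventID") in DROPPED_EVENT_IDS
    return event


def listen(bind_addr="0.0.0.0", port=514, max_events=None):
    """Receive UDP syslog from nxlog and print the checked events.

    Binding 514 needs root on Unix; use a high port and set the same value
    as OUTPUT_DESTINATION_PORT in nxlog.conf if that is a problem.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while max_events is None or seen < max_events:
        data, (src, _) = sock.recvfrom(65535)
        try:
            event = check_event(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print("%s: unparseable: %s" % (src, exc))
            continue
        seen += 1
        flag = " [should have been dropped]" if event["leaked"] else ""
        f = event["fields"]
        print("%s %s EventID=%s %s%s" % (
            event["hostname"], f.get("EventTimeUTC", f.get("EventTime")),
            f.get("EventID"), f.get("SourceName"), flag))


# Constructed sample line in the shape a to_json()-inside-to_syslog_bsd()
# output produces; host name, timestamp and event are made up.
SAMPLE_LINE = (
    '<13>Nov  6 20:26:40 WIN2K3 {"EventTime":1510000000,'
    '"Hostname":"WIN2K3","EventID":528,"SourceName":"Security",'
    '"Severity":"INFO","Message":"Successful Logon"}'
)

if __name__ == "__main__":
    print(check_event(SAMPLE_LINE))
    listen(port=5514, max_events=5)
```

Run it on the test host with a high port, set OUTPUT_DESTINATION_PORT to match, and restart the nxlog service on the 2003 box; a stream of parsed lines confirms the input module, the EventTime rewrite and the JSON body are all working, and any line flagged as leaked shows the drop() rule in the input block is not being applied.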

