Sending data to Devo / Event sources / Windows / NXLog for Windows event collection

NXLog for Windows event collection

NXLog is a third-party log collection tool that offers some useful options for collecting Windows event logs and forwarding them to Devo. Customers who already use NXLog might prefer to use it to send their Windows events to Devo. When NXLog is used, you must use the box.win_nxlog tag.

For more information to support the procedures described in this article, see the NXLog product documentation.

In this case we install NXLog on the Windows source machine and modify the nxlog.conf file to collect events from the desired logs and forward them to our Devo endpoint, either the Devo relay or to Devo directly.

The following sample configuration file uses an input module to extract Application, System, Security, and Windows PowerShell events from the machine. Three output modules are included here to illustrate how to configure outputs to the Devo relay, to Devo directly, and to a local file. In each output, the Devo tag box.win_nxlog.* is set as the syslog $sourcename for each event collected. The third level of the tag is formed from the value of $Channel. Once in Devo, the events are accessed by selecting the corresponding box.win_nxlog.* tables in the finder.

To use this sample file as a guide, keep in mind that you need to edit some key parameter values:

Edit the define directive at the beginning of the file to set ROOT to the path where you installed NXLog.
In the devo_relay output module:
- Enter the IP address of the Devo relay as the Host.
- The port should be 13000 when you simply want the relay to forward the events to Devo.
In the ssl_devo output module:
- For the Host, replace the XX in the hostname with your Devo cloud region. For example, us.elb.relay.logtrust.net.
- Edit the paths/filenames for CAFile, CertFile, and CertKeyFile to reference the locations of your Devo domain's certificate files.

nxlog.conf (sample)

## IMPORTANT Set the IP address of the Devo Relay

define DEVO_RELAY_IP ###.###.###.###

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR C:\Program Files (x86)\nxlog\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

########## BEGIN EXTENSIONS ##########

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

########## END EXTENSIONS ##########

########## BEGIN INPUTS ##########

# Windows Event Log
<Input in>
 Module      im_msvistalog
 ReadFromLast     True
  Query            <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                        <Select Path="Windows PowerShell">*</Select>\
                    </Query>\
                </QueryList>
</Input>

########## END INPUTS ##########


########## BEGIN OUTPUTS ##########

# WINDOWS EVENT LOGS 
<Output devo_relay>
    Module      om_tcp
    Host        %DEVO_RELAY_IP%
    Port        13000
    Exec        $Message = to_json(); $SourceName="box.win_nxlog."+lc($Channel); delete($ProcessID); to_syslog_bsd();
</Output>

<Output ssl_devo>
    Module          om_ssl
    Host            XX.elb.relay.logtrust.net
    Port            443
    CAFile          C:\Program Files (x86)\nxlog\cert\chain.crt
    CertFile        C:\Program Files (x86)\nxlog\cert\<file name>.crt
    CertKeyFile     C:\Program Files (x86)\nxlog\cert\<file name>.key
    KeyPass         SECRET
    AllowUntrusted  TRUE
    <Exec> 
                    $Message = to_json(); $SourceName="box.win_nxlog."+lc($Channel); delete($ProcessID); to_syslog_bsd();
    </Exec>
</Output>

<Output file>
    Module          om_file
    File            'C:\nxlog_events.log'
    <Exec> 
                    $Message = to_json(); 
                    $SourceName="box.win_nxlog."+lc($Channel); 
                    delete($ProcessID); 
                    to_syslog_bsd();
   </Exec>
</Output>


########## END OUTPUTS ##########

########## BEGIN ROUTES ##########

<Route 1>
    Path in => devo_relay, ssl_devo, file
</Route>

########## END ROUTES ##########

Route parameter

Routes define the flow and processing order of the log messages. Each route instance must have a unique name and a Path. In the example above, we indicated the devo_relay as output (line 65), but you can add multiple paths as required.

These are the three allowed output blocks:

devo_relay
ssl_devo
file

Learn more about the Route parameter here.

Note that each output module reads the events converting them to the BSD Syslog format, but with the syslog message part containing the fields in JSON.

In case you need to test the NXLog connection, use the following. However, note that this may cause memory exhaustion if you don't remove it later.

<Output file> 
    Module             om_file 
    File               'C:\nxlog_events.log' 
    Exec               $Message = to_json(); $SourceName="box.win_nxlog."+lc($Channel); delete($ProcessID); to_syslog_bsd(); 
</Output>

box.win_nxlog

Download as PDF

NXLog for Windows event collection

Related articles

Export