Send Eventlog to (r)Syslog

How do you send events stored under the “Applications and Services Logs” tree to an (r)syslog server?

We found the main flaw of ntsyslog: it can only forward NT-compatible events and the top-level logs under “Applications and Services Logs”, and it is nearly impossible to send events stored in logs deeper in that tree.

We switched to nxlog ( http://nxlog.org/about ), which is able to send those logs. In its configuration we only had to indicate that we use the post-Vista event log API (the im_msvistalog module) and which logs we want to forward, by providing an XML query, for example:

<Input in>
    Module      im_msvistalog
    # Filter events: every line of the Query value except the last ends with a
    # backslash, which is how nxlog continues a directive onto the next line
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*</Select>\
                        <Select Path="System">*[System/Level=4]</Select>\
                        <Select Path="Application">*[Application/Level=4]</Select>\
                    </Query>\
                </QueryList>
</Input>

How do you build the query? Easily, with the Windows Event Viewer!
Step 1: Create a new custom view with the selected logs:

Step 2: Re-open the view and edit its filter:

Step 3: Click on the XML tab:

Then just paste the query into the nxlog config file:

<Input in>
    Module      im_msvistalog
    # Filter events (query copied from the Event Viewer XML tab; the last
    # line of the value must not carry a trailing backslash)
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Security">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Application">*</Select>\
                        <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>\
                    </Query>\
                </QueryList>
</Input>
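The paste step above is where most mistakes happen: Event Viewer hands you indented XML, and nxlog wants it as one directive value with a trailing backslash on every line except the last. This added example (not part of the original post or of nxlog) validates the XML copied from the Event Viewer tab, lists the channels it selects, and renders the im_msvistalog Input block with the continuation backslashes placed correctly; the EVENT_VIEWER_XML sample is constructed.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample in the shape the Event Viewer custom-view "XML" tab
# produces (the Query element carries a Path attribute, Selects are indented).
EVENT_VIEWER_XML = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Select Path="System">*[System[(Level=4)]]</Select>
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select>
  </Query>
</QueryList>"""


def channels_in_query(query_xml: str) -> List[str]:
    """Return the channels selected by an Event Viewer XML query.

    Raises ValueError when the root is not <QueryList> or a <Select> has no
    Path, so a mangled paste is caught before it reaches the nxlog config.
    """
    root = ET.fromstring(query_xml)
    if root.tag != "QueryList":
        raise ValueError("expected <QueryList> root, got <%s>" % root.tag)
    paths = []
    for select in root.iter("Select"):
        path = select.get("Path")
        if not path:
            raise ValueError("<Select> without a Path attribute")
        paths.append(path)
    return paths


def nxlog_input_block(query_xml: str, name: str = "in") -> str:
    """Render an nxlog <Input> block whose Query directive holds query_xml.

    nxlog continues a directive value onto the next line with a trailing
    backslash, so every XML line except the last gets one; a backslash on
    the last line would join the closing </Input> into the query value.
    """
    channels_in_query(query_xml)  # validate before rendering
    lines = [ln.strip() for ln in query_xml.splitlines() if ln.strip()]
    continued = [ln + "\\" for ln in lines[:-1]] + [lines[-1]]
    out = ["<Input %s>" % name, "    Module      im_msvistalog"]
    for i, ln in enumerate(continued):
        out.append(("    Query       " if i == 0 else " " * 16) + ln)
    out.append("</Input>")
    return "\n".join(out) + "\n"
```

Run channels_in_query first on any query you plan to deploy; a channel under “Applications and Services Logs” shows up with its full “Vendor-Product/Operational” path, which is what im_msvistalog expects.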

nxlog can also transform each message to be compatible with BSD syslog: load the xm_syslog extension module and call to_syslog_bsd() on every event to turn it into a BSD-syslog message:

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    Exec        to_syslog_bsd();
</Input>

<Output out>
    Module      om_udp
    Host        rsyslog.example.org
    Port        514
</Output>

<Route 1>
    Path        in => out
</Route>

For Graylog users, nxlog can send messages directly in GELF format:

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_udp
    Host        graylog.example.org
    Port        12201
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>

Enjoy!
