Integrating Windows Events

Windows has no system daemon for shipping logs, so an agent is used instead, in this case the nxlog forwarder.

Steps to configure the nxlog forwarder on your Windows system

  1. Install nxlog from here.
  2. Open the nxlog configuration file at this path:
     C:\Program Files (x86)\nxlog\conf\nxlog.conf
  3. Replace the entire content of the configuration file with this:

## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

# Include fileop while debugging, also enable in the output module below
<Extension fileop>
  Module xm_fileop
</Extension>

<Extension json>
  Module xm_json
</Extension>

<Extension syslog>
  Module xm_syslog
</Extension>

<Input internal>
  Module im_internal
  Exec $Message = to_json();
</Input>

# Windows Event Log
<Input eventlog>
  # im_msvistalog reads the event log on Windows Vista/2008 and later (enabled here)
  Module im_msvistalog
  # im_mseventlog is the module for Windows XP/2000/2003; swap the two Module lines to use it
  #Module im_mseventlog
  Exec $raw_event = to_json();
</Input>

<Processor buffer>
  Module pm_buffer
  # 100MB disk buffer (MaxSize is given in KB)
  MaxSize 102400
  Type disk
</Processor>

<Output out>
  Module om_tcp
  Host data.cloudlytics.com
  Port 12345
  Exec $raw_event = "<STREAM_TOKEN>:TAGS,TAGS " + $raw_event;
  # Use the following line for debugging (it relies on the fileop extension defined above)
  #Exec file_write("C:/Program Files (x86)/nxlog/data/nxlog_output.log", $raw_event);
</Output>

<Route 1>
  Path internal, eventlog => buffer => out
</Route>

Now replace the placeholders in the configuration above:

STREAM_TOKEN: Replace it with the Cloudlytics stream token shown to you when the stream was created.

TAGS: Replace them with suitable tags.

  4. Save the configuration file after making these changes.
  5. Restart nxlog: open the Services tool from the Start menu, find nxlog in the list, and restart the service.
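As an added example (not part of this page, nor code from nxlog or Cloudlytics), a small collector-side parser in Python for the line layout the om_tcp Exec line produces: it refuses lines whose STREAM_TOKEN placeholder was never replaced or whose token belongs to another stream, then decodes the JSON event. The regex, the expected token value, the event field names and the sample lines are this example's own constructed assumptions.

```python
import json
import re

# Layout emitted by the om_tcp Exec line in nxlog.conf above:
#   <STREAM_TOKEN>:TAGS,TAGS {json event produced by to_json()}
# The regex and the placeholder string below are assumptions about that shape.
LINE_RE = re.compile(r"^(?P<token>[^:\s]+):(?P<tags>\S*) (?P<json>\{.*\})$")
PLACEHOLDER = "<STREAM_TOKEN>"


def parse_forwarded_line(line, expected_token):
    """Split one forwarded line into token, tag list and the decoded event.

    Raises ValueError for lines a collector should refuse: wrong layout,
    the placeholder token left in the config, a token that belongs to
    another stream, or a payload that is not valid JSON.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line is not in token:tags JSON layout")
    token = m.group("token")
    if token == PLACEHOLDER:
        raise ValueError("STREAM_TOKEN placeholder was never replaced in nxlog.conf")
    if token != expected_token:
        raise ValueError("stream token does not match this stream")
    tags = [t for t in m.group("tags").split(",") if t]
    event = json.loads(m.group("json"))  # JSONDecodeError is a ValueError subclass
    return {"token": token, "tags": tags, "event": event}


def ingest(lines, expected_token):
    """Parse a batch; return (accepted records, [(line_no, reason)] for rejects)."""
    accepted, rejected = [], []
    for n, line in enumerate(lines, start=1):
        try:
            accepted.append(parse_forwarded_line(line, expected_token))
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return accepted, rejected


# Constructed sample lines shaped like im_msvistalog output after to_json().
SAMPLE_LINES = [
    'tok-abc123:windows,dc01 {"Hostname": "DC01", "SeverityValue": 2, "EventID": 4624, '
    '"Channel": "Security", "Message": "An account was successfully logged on."}',
    '<STREAM_TOKEN>:TAGS,TAGS {"EventID": 4625, "Channel": "Security"}',
    'tok-other:windows {"EventID": 4625, "Channel": "Security"}',
    'tok-abc123:windows {this is not json}',
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_LINES, expected_token="tok-abc123")
    for rec in ok:
        print("accepted", rec["tags"], rec["event"]["EventID"], rec["event"]["Channel"])
    for n, why in bad:
        print("rejected line", n, ":", why)
```

Because om_tcp carries these lines in clear text, the token in the prefix is visible to anyone on the network path; nxlog's om_ssl module is the TLS-wrapped equivalent of om_tcp when that matters.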
