[graylog2] Re: Question about sending ALL windows event log data
Also wanted to point out that you need to make sure your GPOs are set to log the events and that they are logging successes and failures.

On Monday, August 15, 2016 at 10:31:22 AM UTC-4, Jordan Grondin wrote:
> Hello Jamie,
>
> Have you managed to see all the logs of your domain controller?
>
> I faced the same problem.
>
> Regards,

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/35b83602-5e2e-4a3d-bf5b-670ae4bc37a1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: Question about sending ALL windows event log data
I will take a look. That is good to know, Linwood, and I appreciate the response.

Jordan, I am not able to see all the logs yet. I'm getting quite a bit, but I'm not getting events relating to groups (additions, modifications, and deletions) and some other stuff. If you managed to fix yours, let me know what you did to fix it; I'm curious.

Also, as an FYI, I posted this conf file on nxlog's forum and they stated that it should pick up all logs and send to graylog (i.e. no errors/misconfiguration).
[graylog2] Re: Question about sending ALL windows event log data
Hello Jamie,

Have you managed to see all the logs of your domain controller?

I faced the same problem.

Regards,
[graylog2] Re: Question about sending ALL windows event log data
Check the nxlog file itself. I found when I ran basically this, there is a warning on startup that a large number of log files are being ignored due to limits in the Windows API. I didn't dig into whether I cared, as I was still testing and would probably be explicit about which logs I asked for. But see if you are getting a list of not-sent in the nxlog log on the Windows (not Graylog) server.

On Wednesday, August 10, 2016 at 3:20:19 PM UTC-4, Jamie P wrote:
> I wanted to make sure if the following config would have nxlog send all
> event logs on a Windows Server (Domain Controller or otherwise) to a
> graylog instance.
>
> ## This is a sample configuration file. See the nxlog reference manual about the
> ## configuration options. It should be installed locally and is also available
> ## online at http://nxlog.org/docs/
>
> ## Please set the ROOT to the folder your nxlog was installed into,
> ## otherwise it will not start.
>
> #define ROOT C:\Program Files\nxlog
> define ROOT C:\Program Files (x86)\nxlog
>
> Moduledir %ROOT%\modules
> CacheDir  %ROOT%\data
> Pidfile   %ROOT%\data\nxlog.pid
> SpoolDir  %ROOT%\data
> LogFile   %ROOT%\data\nxlog.log
>
> #<Extension syslog>
> #    Module xm_syslog
> #</Extension>
>
> <Extension gelf>
>     Module xm_gelf
> </Extension>
>
> <Input in>
>     Module im_msvistalog
>     # For windows 2003 and earlier use the following:
>     # Module im_mseventlog
> </Input>
>
> <Output out>
>     Module     om_udp
>     Host       192.168.1.79
>     Port       12201
>     OutputType GELF
>     # Exec to_syslog_snare();
> </Output>
>
> <Route 1>
>     Path in => out
> </Route>
[graylog2] Re: Question about sending ALL windows event log data
Are there any corrections that I should make to this config to ensure all Windows Events from a server are being sent to a graylog instance?

On Wednesday, August 10, 2016 at 3:20:19 PM UTC-4, Jamie P wrote:
> I wanted to make sure if the following config would have nxlog send all
> event logs on a Windows Server (Domain Controller or otherwise) to a
> graylog instance.
>
> ## This is a sample configuration file. See the nxlog reference manual about the
> ## configuration options. It should be installed locally and is also available
> ## online at http://nxlog.org/docs/
>
> ## Please set the ROOT to the folder your nxlog was installed into,
> ## otherwise it will not start.
>
> #define ROOT C:\Program Files\nxlog
> define ROOT C:\Program Files (x86)\nxlog
>
> Moduledir %ROOT%\modules
> CacheDir  %ROOT%\data
> Pidfile   %ROOT%\data\nxlog.pid
> SpoolDir  %ROOT%\data
> LogFile   %ROOT%\data\nxlog.log
>
> #<Extension syslog>
> #    Module xm_syslog
> #</Extension>
>
> <Extension gelf>
>     Module xm_gelf
> </Extension>
>
> <Input in>
>     Module im_msvistalog
>     # For windows 2003 and earlier use the following:
>     # Module im_mseventlog
> </Input>
>
> <Output out>
>     Module     om_udp
>     Host       192.168.1.79
>     Port       12201
>     OutputType GELF
>     # Exec to_syslog_snare();
> </Output>
>
> <Route 1>
>     Path in => out
> </Route>
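As an added example, not part of this thread and not the poster's config, here is the "be explicit about which logs you ask for" approach Linwood describes, applied to the config above. The `<Input>` block uses im_msvistalog's QueryXML directive to subscribe only to named channels, so the subscription stays within the Windows Event Log API limit instead of having channels silently ignored at startup. The ROOT path, module layout and Graylog address 192.168.1.79:12201 are carried over from the posted config; the channel list, the example filter and the event ID in it are assumptions for illustration. Whether the Security channel actually contains group-management events depends on the audit policy pushed by GPO (the point made earlier in the thread), not on nxlog.

```nxlog
## Added example, not the poster's config: explicit channel selection for im_msvistalog.
## Paths and the Graylog address are taken from the config posted in this thread.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
    # Subscribe only to the channels that are needed, instead of the default
    # "everything" subscription that can exceed the Windows Event Log API limit
    # and cause channels to be ignored (watch nxlog.log at startup for that warning).
    # Security carries the account and group management events; System and
    # Application cover service and application failures. Add further channels
    # explicitly as required (assumed channel list, not from the thread).
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Example local filter (assumption, not from the thread): drop the very noisy
    # Windows Filtering Platform "connection permitted" events if the audit policy
    # enables them, so they do not drown the group-management events in Graylog.
    Exec if $EventID == 5156 drop();
</Input>

<Output out>
    Module     om_udp
    Host       192.168.1.79
    Port       12201
    OutputType GELF
</Output>

<Route 1>
    Path in => out
</Route>
```

After restarting the nxlog service, read nxlog.log on the Windows host: with an explicit query the "ignored channels" warning should no longer appear. If group changes still do not reach Graylog, first confirm the corresponding events exist in the local Security log in Event Viewer; if they are absent there, the audit policy (GPO) is the problem rather than the shipping path. One caveat on the output: GELF over om_udp gives neither delivery guarantees nor encryption, so for a domain controller's Security log it is worth considering nxlog's om_tcp or om_ssl output against a GELF TCP input on the Graylog side.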