[graylog2] Re: how to keep the log message in one field?

2015-06-02 Thread Arie
Mark,

Thank you for mentioning it in case I want to do the same thing.

Logs on Server 2008 and later appear to be different from earlier 
versions. They need a different
config file.


Arie


On Tuesday, 2 June 2015 01:04:12 UTC+2, graylog...@gmail.com wrote:
>
> Hello
>
> Thanks for the info, but my case is different (I think!). 
> If I'm not wrong, your configuration for NXLOG is to fetch live event logs; 
>
> in my case I have a huge archive (5TB) of Windows logs that have already 
> been exported as text files, so I'm not accessing the live event logs on a 
> Windows system.
>
>
> Best regards
> Mark
>
>
>
> On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>>
>> Hello
>>
>> I'm having a problem with graylog and nxlog feed 
>>
>> I have a huge archive of windows event logs, I have been trying to import 
>> these logs into graylog using nxlog and gelf
>>
>> It all works well: nxlog picks up the logs and imports them, but the 
>> messages are being split into several records rather than a single one. 
>>
>>
>> For example, if the event log contains the following:
>>
>>
>> {"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.
>>
>> Subject:
>>  Security ID: S-1-0-0
>>  Account Name: -
>>  Account Domain: -
>>  Logon ID: 0x0
>>
>> Logon Type: 3
>>
>>
>> This event is generated when a logon session is created. It is generated 
>> on the computer that was accessed.
>>
>> Key length indicates the length of the generated session key. This will 
>> be 0 if no session key was requested." "}
>>
>>
>> It gets loaded into graylog as:
>>
>> Record 1: {"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.
>> Record 2: Subject
>> Record 3: Security ID: S-1-0-0
>>
>> etc.
>> etc
>>
>>
>> I would just like to have the whole message stored in one record.
>>
>> Do you have any idea how this could be achieved?
>>
>> Thanks!
>> Mark
>>
>>
>>
>>
>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"graylog2" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread graylogtesting
Hello

Thanks for the info, but my case is different (I think!). 
If I'm not wrong, your configuration for NXLOG is to fetch live event logs; 

in my case I have a huge archive (5TB) of Windows logs that have already 
been exported as text files, so I'm not accessing the live event logs on a 
Windows system.


Best regards
Mark



On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>
> Hello
>
> I'm having a problem with graylog and nxlog feed 
>
> I have a huge archive of windows event logs, I have been trying to import 
> these logs into graylog using nxlog and gelf
>
> It all works well: nxlog picks up the logs and imports them, but the messages 
> are being split into several records rather than a single one. 
>
>
> For example, if the event log contains the following:
>
>
> {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
>
> Subject:
>  Security ID: S-1-0-0
>  Account Name: -
>  Account Domain: -
>  Logon ID: 0x0
>
> Logon Type: 3
>
>
> This event is generated when a logon session is created. It is generated 
> on the computer that was accessed.
>
> Key length indicates the length of the generated session key. This will 
> be 0 if no session key was requested." "}
>
>
> It gets loaded into graylog as:
>
> Record 1: {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
> Record 2: Subject
> Record 3: Security ID: S-1-0-0
>
> etc.
> etc
>
>
> I would just like to have the whole message stored in one record.
>
> Do you have any idea how this could be achieved?
>
> Thanks!
> Mark
>
>
>
>
>
>



Re: [graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread Marco Belmonte
Can you explain or show what the difference is for 2008/2012, or did I 
misunderstand you and the config you describe below applies also to 
2008/2012?


Thanks,

- Marco

On 06/01/2015 12:41 PM, Arie wrote:
That is one way to do it; this works up to Server 2003. Server 2008 
and later is a little different.

This way there is better handling of the logs.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Block tags (<Extension>, <Input in>, <Output out>, <Route>) restored here;
# the archive stripped them. Names other than in/out are assumed.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_mseventlog
    Sources     Application,System
</Input>

<Output out>
    Module      om_udp
    Host        10.64.91.18
    Port        8000
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>



On Monday, 1 June 2015 09:04:28 UTC+2, graylog...@gmail.com wrote:

Hello

Found the issue: it was the configuration of NXLOG. I had to tell
NXLOG that the input was multiline and the header/end lines were
{ and }. I changed the nxlog.conf as below:

# Block tags (<Extension>, <Input in>, <Output out>) restored here; the
# archive stripped them. Names other than in/out, and the Route block
# (not in the post), are assumed.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^{/
    EndLine     /^}/
</Extension>

<Input in>
    Module      im_file
    File        "/media/winlogs/*"
    SavePos     TRUE
    Recursive   TRUE
    InputType   multiline
</Input>

<Output out>
    Module      om_udp
    Host        127.0.0.1
    Port        12201
    OutputType  GELF
</Output>

#<Output file>
#    Module  om_file
#    File    "/tmp/output"
#</Output>

<Route 1>
    Path        in => out
</Route>




On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com
wrote:

Hello

I'm having a problem with graylog and nxlog feed

I have a huge archive of windows event logs, I have been
trying to import these logs into graylog using nxlog and gelf

It all works well: nxlog picks up the logs and imports them, but
the messages are being split into several records rather than a
single one.


For example, if the event log contains the following:


{"1331892664000, 4624, "Success", "Security",
"Microsoft-Windows-Security-Auditing", "An account was
successfully logged on.

Subject:
 Security ID: S-1-0-0
 Account Name: -
 Account Domain: -
 Logon ID: 0x0

Logon Type: 3


This event is generated when a logon session is created. It
is generated on the computer that was accessed.

Key length indicates the length of the generated session key.
This will be 0 if no session key was requested." "}


It gets loaded into graylog as:

Record 1: {"1331892664000, 4624, "Success", "Security",
"Microsoft-Windows-Security-Auditing", "An account was
successfully logged on.
Record 2: Subject
Record 3: Security ID: S-1-0-0

etc.
etc

I would just like to have the whole message stored in one record.

Do you have any idea how this could be achieved?

Thanks!
Mark







[graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread Arie
That is one way to do it; this works up to Server 2003. Server 2008 and 
later is a little different.
This way there is better handling of the logs.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Block tags (<Extension>, <Input in>, <Output out>, <Route>) restored here;
# the archive stripped them. Names other than in/out are assumed.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_mseventlog
    Sources     Application,System
</Input>

<Output out>
    Module      om_udp
    Host        10.64.91.18
    Port        8000
    OutputType  GELF
</Output>

<Route 1>
    Path        in => out
</Route>


On Monday, 1 June 2015 09:04:28 UTC+2, graylog...@gmail.com wrote:
>
> Hello
>
> Found the issue: it was the configuration of NXLOG. I had to tell NXLOG 
> that the input was multiline and the header/end lines were { and }. I 
> changed the nxlog.conf as below:
>
> # Block tags (<Extension>, <Input in>, <Output out>) restored here; the
> # archive stripped them. Names other than in/out, and the Route block
> # (not in the post), are assumed.
> <Extension gelf>
>     Module      xm_gelf
> </Extension>
>
> <Extension multiline>
>     Module      xm_multiline
>     HeaderLine  /^{/
>     EndLine     /^}/
> </Extension>
>
> <Input in>
>     Module      im_file
>     File        "/media/winlogs/*"
>     SavePos     TRUE
>     Recursive   TRUE
>     InputType   multiline
> </Input>
>
> <Output out>
>     Module      om_udp
>     Host        127.0.0.1
>     Port        12201
>     OutputType  GELF
> </Output>
>
> #<Output file>
> #    Module  om_file
> #    File    "/tmp/output"
> #</Output>
>
> <Route 1>
>     Path        in => out
> </Route>
>
>
>
>
> On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>>
>> Hello
>>
>> I'm having a problem with graylog and nxlog feed 
>>
>> I have a huge archive of windows event logs, I have been trying to import 
>> these logs into graylog using nxlog and gelf
>>
>> It all works well: nxlog picks up the logs and imports them, but the 
>> messages are being split into several records rather than a single one. 
>>
>>
>> For example, if the event log contains the following:
>>
>>
>> {"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.
>>
>> Subject:
>>  Security ID: S-1-0-0
>>  Account Name: -
>>  Account Domain: -
>>  Logon ID: 0x0
>>
>> Logon Type: 3
>>
>>
>> This event is generated when a logon session is created. It is generated 
>> on the computer that was accessed.
>>
>> Key length indicates the length of the generated session key. This will 
>> be 0 if no session key was requested." "}
>>
>>
>> It gets loaded into graylog as:
>>
>> Record 1: {"1331892664000, 4624, "Success", "Security", 
>> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
>> on.
>> Record 2: Subject
>> Record 3: Security ID: S-1-0-0
>>
>> etc.
>> etc
>>
>>
>> I would just like to have the whole message stored in one record.
>>
>> Do you have any idea how this could be achieved?
>>
>> Thanks!
>> Mark
>>
>>
>>
>>
>>
>>



[graylog2] Re: how to keep the log message in one field?

2015-06-01 Thread graylogtesting
Hello

Found the issue: it was the configuration of NXLOG. I had to tell NXLOG 
that the input was multiline and the header/end lines were { and }. I 
changed the nxlog.conf as below:

# Block tags (<Extension>, <Input in>, <Output out>) restored here; the
# archive stripped them. Names other than in/out, and the Route block
# (not in the post), are assumed.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^{/
    EndLine     /^}/
</Extension>

<Input in>
    Module      im_file
    File        "/media/winlogs/*"
    SavePos     TRUE
    Recursive   TRUE
    InputType   multiline
</Input>

<Output out>
    Module      om_udp
    Host        127.0.0.1
    Port        12201
    OutputType  GELF
</Output>

#<Output file>
#    Module  om_file
#    File    "/tmp/output"
#</Output>

<Route 1>
    Path        in => out
</Route>




On Sunday, May 31, 2015 at 1:49:06 AM UTC+10, graylog...@gmail.com wrote:
>
> Hello
>
> I'm having a problem with graylog and nxlog feed 
>
> I have a huge archive of windows event logs, I have been trying to import 
> these logs into graylog using nxlog and gelf
>
> It all works well: nxlog picks up the logs and imports them, but the messages 
> are being split into several records rather than a single one. 
>
>
> For example, if the event log contains the following:
>
>
> {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
>
> Subject:
>  Security ID: S-1-0-0
>  Account Name: -
>  Account Domain: -
>  Logon ID: 0x0
>
> Logon Type: 3
>
>
> This event is generated when a logon session is created. It is generated 
> on the computer that was accessed.
>
> Key length indicates the length of the generated session key. This will 
> be 0 if no session key was requested." "}
>
>
> It gets loaded into graylog as:
>
> Record 1: {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
> Record 2: Subject
> Record 3: Security ID: S-1-0-0
>
> etc.
> etc
>
>
> I would just like to have the whole message stored in one record.
>
> Do you have any idea how this could be achieved?
>
> Thanks!
> Mark
>
>
>
>
>
>

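As an added illustration (not code from the thread, from nxlog or from Graylog): a small Python model of what the xm_multiline HeaderLine /^{/ and EndLine /^}/ setting does to the archived event text, next to the per-line behaviour Mark first saw, plus a check that the reassembled record carries both the Event ID and the Logon Type in one place. The sample lines are constructed from the 4624 event quoted in the thread (the second, 4634 entry is invented), each entry's closing brace is assumed to sit on its own line, and the flush rules in the model are assumptions for this example, not a description of nxlog's implementation.

```python
import re

# Constructed sample input (not the thread's files): the 4624 event quoted
# in the thread, laid out as the line-oriented text nxlog's im_file would
# read, followed by a second, invented 4634 entry so the record boundary is
# visible.  Each entry is wrapped in {...}; the closing brace stands on its
# own line, which HeaderLine /^{/ and EndLine /^}/ require (assumption).
SAMPLE_LINES = [
    '{"1331892664000, 4624, "Success", "Security",',
    '"Microsoft-Windows-Security-Auditing", "An account was successfully logged on.',
    '',
    'Subject:',
    '\tSecurity ID: S-1-0-0',
    '\tAccount Name: -',
    '\tAccount Domain: -',
    '\tLogon ID: 0x0',
    '',
    'Logon Type: 3',
    '',
    'This event is generated when a logon session is created. '
    'It is generated on the computer that was accessed.',
    '',
    'Key length indicates the length of the generated session key. '
    'This will be 0 if no session key was requested." "',
    '}',
    '{"1331892700000, 4634, "Success", "Security",',
    '"Microsoft-Windows-Security-Auditing", "An account was logged off." "',
    '}',
]

HEADER_LINE = re.compile(r'^\{')  # the posted HeaderLine /^{/
END_LINE = re.compile(r'^\}')     # the posted EndLine /^}/


def split_per_line(lines):
    """What the first setup in the thread did: with no multiline
    extension, every non-blank line of the file becomes its own record."""
    return [line for line in lines if line.strip()]


def assemble_multiline(lines, header_re=HEADER_LINE, end_re=END_LINE):
    """Join line-oriented input into records the way an xm_multiline
    extension with HeaderLine and EndLine does.  Simplified model written
    for this example (assumed behaviour, not nxlog's code):
      - a line matching header_re starts a new record, flushing any open one
      - a line matching end_re closes the open record
      - whatever is still open at end of input is flushed as a final record
    """
    records = []
    current = None
    for line in lines:
        if header_re.search(line):
            if current is not None:
                records.append('\n'.join(current))
            current = [line]
            continue
        if current is None:
            if line.strip():
                # stray line outside any {...} block: keep it as its own record
                records.append(line)
            continue
        current.append(line)
        if end_re.search(line):
            records.append('\n'.join(current))
            current = None
    if current is not None:
        records.append('\n'.join(current))
    return records


def without_standalone_end(lines):
    """Variant of the input where each closing brace is glued onto the last
    text line instead of standing alone, so EndLine /^}/ never matches."""
    out = []
    skip_next = False
    for i, line in enumerate(lines):
        if skip_next:
            skip_next = False
            continue
        if i + 1 < len(lines) and END_LINE.search(lines[i + 1]):
            out.append(line + '}')
            skip_next = True
        else:
            out.append(line)
    return out


EVENT_ID_RE = re.compile(r'^\{"\d+,\s*(\d+),')
LOGON_TYPE_RE = re.compile(r'^Logon Type:\s*(\d+)', re.MULTILINE)


def summarize(record):
    """Pull the Event ID and (when present) the Logon Type out of one
    assembled record.  Keeping the message whole is what lets a search such
    as 'event 4624 with logon type 3' hit a single record; split into
    fragments, the two values end up in different ones."""
    event_id = EVENT_ID_RE.search(record)
    logon = LOGON_TYPE_RE.search(record)
    return {
        'event_id': int(event_id.group(1)) if event_id else None,
        'logon_type': int(logon.group(1)) if logon else None,
    }


if __name__ == '__main__':
    print(f'per-line records:  {len(split_per_line(SAMPLE_LINES))}')
    records = assemble_multiline(SAMPLE_LINES)
    print(f'multiline records: {len(records)}')
    for rec in records:
        print(' ', summarize(rec))
    glued = assemble_multiline(without_standalone_end(SAMPLE_LINES))
    print(f'records with the brace glued to the last line: {len(glued)}')
```

Two things worth checking on a real archive before a 5TB import: that the closing brace really starts a line (if it is glued onto the preceding text, `/^}/` never matches and a record is only closed by the next header line, which in this model still yields whole records but leaves the last one open until input ends), and that a record such as the first one above gives both `event_id` and `logon_type` in one `summarize()` result, since that is the property the per-line split destroys.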


[graylog2] Re: how to keep the log message in one field?

2015-05-31 Thread Arie
Hi Mark,

Not experiencing this behavior here.

What is your nxlog config, and are you using a GELF TCP/UDP input?
Is NXlog the latest version? There was a problem with GELF in an earlier 
version.



On Saturday, 30 May 2015 17:49:06 UTC+2, graylog...@gmail.com wrote:
>
> Hello
>
> I'm having a problem with graylog and nxlog feed 
>
> I have a huge archive of windows event logs, I have been trying to import 
> these logs into graylog using nxlog and gelf
>
> It all works well: nxlog picks up the logs and imports them, but the messages 
> are being split into several records rather than a single one. 
>
>
> For example, if the event log contains the following:
>
>
> {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
>
> Subject:
>  Security ID: S-1-0-0
>  Account Name: -
>  Account Domain: -
>  Logon ID: 0x0
>
> Logon Type: 3
>
>
> This event is generated when a logon session is created. It is generated 
> on the computer that was accessed.
>
> Key length indicates the length of the generated session key. This will 
> be 0 if no session key was requested." "}
>
>
> It gets loaded into graylog as:
>
> Record 1: {"1331892664000, 4624, "Success", "Security", 
> "Microsoft-Windows-Security-Auditing", "An account was successfully logged 
> on.
> Record 2: Subject
> Record 3: Security ID: S-1-0-0
>
> etc.
> etc
>
>
> I would just like to have the whole message stored in one record.
>
> Do you have any idea how this could be achieved?
>
> Thanks!
> Mark
>
>
>
>
>
>
