In order to correlate the logs of your system, you are either going to have to manually upload them to your correlation system or setup an automated way. Nxlog is one of a few agents that will enable automated shipping of logs. I particularly like it because it is light on the system and not a pain to setup. Below are the steps to get you going. I will be shipping the logs using the json format. There are many formats available, one just has to do research on which one satisfies their needs. The configuration we will use transports the logs over port 3515, so you will need to ensure that the port is open.
1. Navigate to http://nxlog.org/products/nxlog-community-edition/download and download the .msi version for Windows.
2. Install the downloaded .msi using the default options.
3. After installation is complete, open the configuration file located at C:\program files (x86)\nxlog\conf\nxlog.conf.
4. Replace the contents of the file with the below. The only thing you need to change IP address 126.96.36.199 with the IP of your Logstash server.
Installation of ELK is not too bad. There are a few guides online that walk through the processes but you will be hard pressed to find one to covers it all the way through. Some great links to help with this endeavor are:
For those who are inclined to install ELK in Windows, these sites are pretty useful.
In a previous post I did a comparison of ELK and Splunk. I will take a few minutes here to kind of explain what ELK is. ELK stack (Elasticsearch, Logstash, Kibana) is simply amazing. Each program making up ELK brings their own uniqueness and are vital parts to making the thing work. Elasticsearch provides the search capability for Kibana. Logstash is the receiver of all the logs being ingested into ELK. Kibana is the visual portion of the stack allowing for the searching, correlation, and dashboards. The picture below brings it all together for us.