Shipping Windows logs to Logstash via Nxlog

In order to correlate the logs from your systems, you either have to upload them to your correlation system manually or set up an automated way. Nxlog is one of a few agents that enable automated shipping of logs. I particularly like it because it is light on the system and not a pain to set up. Below are the steps to get you going. I will be shipping the logs in JSON format; there are many formats available, and you will have to research which one satisfies your needs. The configuration we will use transports the logs over TCP port 3515, so you will need to ensure that the port is open between the Windows host and the Logstash server.

1. Navigate to http://nxlog.org/products/nxlog-community-edition/download and download the .msi version for Windows.

2. Install the downloaded .msi using the default options.

3. After installation is complete, open the configuration file located at C:\program files (x86)\nxlog\conf\nxlog.conf.

4. Replace the contents of the file with the configuration below. The only thing you need to change is the IP address 111.111.111.111, which should be replaced with the IP of your Logstash server.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
    Module      xm_json
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    # this kinda works for me, put * to get everything
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_tcp
    Host        111.111.111.111
    Port        3515
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000; \
                to_json();
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>

5. Save and close the file.

6. Open a command prompt as administrator and start the nxlog service by typing ‘net start nxlog’.

7. Within a few seconds, nxlog will begin trying to connect to the Logstash server in order to begin sending logs.

8. Check your Logstash server (or Kibana) to see if it is receiving logs from the new system. If not, the nxlog log is located at C:\Program Files (x86)\nxlog\data\nxlog.txt.
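If nothing shows up in Kibana, it helps to see what (if anything) reaches port 3515 before Logstash gets involved. The following is an added example, not part of the original post or of nxlog/Logstash: a minimal Python stand-in for the Logstash TCP input that accepts the newline-delimited JSON the configuration above emits (om_tcp + to_json()) and parses each event, plus a sender that emulates nxlog with a constructed event so the path through the firewall can be tested. The field names in the sample line are the ones im_msvistalog populates; the values are constructed.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample of one line as om_tcp + to_json() emit it once the Exec
# block above has turned $EventReceivedTime into whole seconds since the epoch.
SAMPLE_LINE = json.dumps({
    "EventReceivedTime": 1700000000, "SourceModuleName": "eventlog",
    "Channel": "Security", "EventID": 4625, "Hostname": "WIN-EXAMPLE",
    "Message": "An account failed to log on.",  # all values constructed
})

def parse_event(line: str) -> dict:
    """Decode one JSON event; derive an ISO-8601 @timestamp from EventReceivedTime."""
    event = json.loads(line)
    ts = event.get("EventReceivedTime")
    if isinstance(ts, (int, float)):  # seconds, thanks to the integer()/1000000 Exec
        event["@timestamp"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return event

def start_listener(host: str = "0.0.0.0", port: int = 3515) -> socket.socket:
    """Bind the port Logstash would normally own, so the raw feed can be inspected."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv

def collect_events(srv: socket.socket) -> list:
    """Accept one connection and return every JSON line it sent before closing.
    A line may be split across TCP reads, so bytes are buffered until a newline."""
    conn, _ = srv.accept()
    events, buf = [], b""
    with conn:
        while chunk := conn.recv(4096):
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                if line.strip():
                    events.append(parse_event(line.decode("utf-8")))
    if buf.strip():  # final line arrived without a trailing newline
        events.append(parse_event(buf.decode("utf-8")))
    return events

def send_lines(host: str, port: int, lines: list) -> None:
    """Stand in for nxlog and push newline-delimited JSON to the listener."""
    with socket.create_connection((host, port)) as cli:
        cli.sendall(("\n".join(lines) + "\n").encode("utf-8"))
```

Run start_listener() followed by collect_events() on the Logstash host with Logstash stopped (otherwise port 3515 is already taken), then start the nxlog service and the parsed events print as they arrive; send_lines("logstash-ip", 3515, [SAMPLE_LINE]) from another machine confirms the port is reachable without touching nxlog.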

9. If it is receiving, good!

10. Done!