In order to correlate the logs of your system, you are either going to have to manually upload them to your correlation system or setup an automated way. Nxlog is one of a few agents that will enable automated shipping of logs. I particularly like it because it is light on the system and not a pain to setup. Below are the steps to get you going. I will be shipping the logs using the json format. There are many formats available, one just has to do research on which one satisfies their needs. The configuration we will use transports the logs over port 3515, so you will need to ensure that the port is open.
1. Navigate to http://nxlog.org/products/nxlog-community-edition/download and download the .msi version for Windows.
2. Install the downloaded .msi using the default options.
3. After installation is complete, open the configuration file located at C:\program files (x86)\nxlog\conf\nxlog.conf.
4. Replace the contents of the file with the below. The only thing you need to change IP address 220.127.116.11 with the IP of your Logstash server.
## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Input internal> Module im_internal </Input> <Input eventlog> Module im_msvistalog # this kinda works for me, put * to get everything Query <QueryList>\ <Query Id="0">\ <Select Path="Application">*</Select>\ <Select Path="System">*</Select>\ <Select Path="Security">*</Select>\ </Query>\ </QueryList> </Input> <Output out> Module om_tcp Host 18.104.22.168 Port 3515 Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; \ to_json(); </Output> <Route 1> Path eventlog, internal => out </Route>
5. Save and close the file.
6. Open a command prompt as administrator and start the nxlog service by typing ‘net start nxlog’
7. Within a few seconds, nxlog will begin trying to connect to the Logstash server in order to begin sending logs.
8. Check your Logstash server (or Kibana) to see if it is receiving logs from the new system. If not, the nxlog log is located at C:\Program Files (x86)\nxlog\data\nxlog.txt.
9. If it is receiving, good!