Hello,
I'd like to send my Windows Server 2008 AD server logs to ELK via nxlog, but I only see the "Security" log sent to Kibana. I want the "Active Directory Domain Services", "DHCP Server", "DNS Server", "Application", "Security", "Setup" and "System" logs; please check the screenshot:
Now the Windows-side nxlog.conf is as below:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# xm_json provides the to_json() procedure used in the Exec lines below
<Extension json>
    Module xm_json
</Extension>

# nxlog's own log messages; this is the "internal" input named in the route
<Input internal>
    Module im_internal
</Input>

<Input in>
    Module im_msvistalog
    # no Query directive here, so only the module's default channels are read
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Output out>
    Module om_tcp
    Host   10.155.3.228
    Port   3515
    Exec   to_json();
</Output>

<Route 1>
    Path internal, in => out
</Route>
logstash.conf:

input {
  tcp {
    port  => "3515"
    type  => "windowseventlog"
    # a single codec: "line" leaves each nxlog JSON line in [message] for the json filter below
    codec => "line"
    tags  => [ "tcpjson" ]
  }
}

filter {
  if [type] == "windowseventlog" {
    json {
      source => "message"
    }
    # nxlog sets SourceModuleName to the Input instance name, which is "in" in nxlog.conf
    if [SourceModuleName] == "in" {
      mutate {
        replace => [ "message", "%{Message}" ]
      }
      mutate {
        remove_field => [ "Message" ]
      }
    }
  }
}

output {
  if [type] == "windowseventlog" {
    elasticsearch {
      hosts => [ "localhost" ]
      index => "windowseventlog"
    }
    stdout { codec => rubydebug }
  }
}
Even when I changed the nxlog.conf "Input in" settings as below, it won't work.

<Input in>
    Module im_msvistalog
    # Query XML reconstructed in nxlog's line-continuation form; the channels listed are
    # the ones asked for above. The DHCP Server channel is not included because its
    # exact "Log Name" must be taken from Event Viewer.
    Query <QueryList>                                          \
              <Query Id="0">                                   \
                  <Select Path="Application">*</Select>        \
                  <Select Path="Security">*</Select>           \
                  <Select Path="Setup">*</Select>              \
                  <Select Path="System">*</Select>             \
                  <Select Path="Directory Service">*</Select>  \
                  <Select Path="DNS Server">*</Select>         \
              </Query>                                         \
          </QueryList>
    # Exec to_json();
</Input>

Do you know why?
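Added example, not from the original post and not nxlog or Logstash code: a small Python checker that replays the post's Logstash filter over a constructed sample of nxlog JSON lines (it assumes SourceModuleName carries the Input instance name "in") and reports which of the wanted channels never produced an event, which is the first thing to establish when only Security reaches Kibana.

```python
import json
from collections import Counter

# Channels named in the post, as Event Viewer "Log Name" values. "Directory Service"
# and "DNS Server" are the AD DS and DNS channel names; the DHCP Server channel is
# left out here because its exact name is not given in the post.
WANTED_CHANNELS = {
    "Application", "Security", "Setup", "System",
    "Directory Service", "DNS Server",
}

# Constructed sample of what nxlog's to_json() sends over om_tcp, one object per line.
# SourceModuleName is the nxlog Input instance name ("in" or "internal" in nxlog.conf).
SAMPLE_LINES = """\
{"EventTime":"2016-01-01 10:00:00","Channel":"Security","EventID":4624,"SourceModuleName":"in","Message":"An account was successfully logged on."}
{"EventTime":"2016-01-01 10:00:01","Channel":"Security","EventID":4634,"SourceModuleName":"in","Message":"An account was logged off."}
{"EventTime":"2016-01-01 10:00:02","Channel":"System","EventID":7036,"SourceModuleName":"in","Message":"The service entered the running state."}
{"EventTime":"2016-01-01 10:00:03","SourceModuleName":"internal","Message":"nxlog-ce started"}
"""


def logstash_filter(line):
    """Mimic the post's filter: json{} on [message], then replace message / drop Message."""
    event = {"type": "windowseventlog", "message": line}
    event.update(json.loads(line))
    if event.get("SourceModuleName") == "in":
        event["message"] = event.pop("Message", event["message"])
    return event


def channel_coverage(raw, wanted=WANTED_CHANNELS):
    """Return (events per Channel, sorted list of wanted channels that never arrived)."""
    seen = Counter()
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = logstash_filter(line)
        if "Channel" in event:          # im_internal messages carry no Channel field
            seen[event["Channel"]] += 1
    missing = sorted(wanted - set(seen))
    return dict(seen), missing


if __name__ == "__main__":
    seen, missing = channel_coverage(SAMPLE_LINES)
    print("events per channel:", seen)
    print("wanted channels with no events:", missing)
```

Run it against the lines actually captured on port 3515 instead of SAMPLE_LINES to see which channels the im_msvistalog Query is really delivering.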