How can I send my custom Windows AD server event logs to Logstash?


(flyfish) #1

Hello,

I'd like to send my Windows Server 2008 AD server logs to ELK via NXLog, but I only see the "Security" log sent to Kibana. I want the "Active Directory Domain Services", "DHCP Server", "DNS Server", "Application", "Security", "Setup" and "System" logs; please check the screenshot:

The Windows-side nxlog.conf is currently as below (the `<Extension>`, `<Input>`, `<Output>` and closing tags were lost when the post was extracted and are restored here; the extension block name `json` is a conventional choice, not one shown in the post):

    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension json>
        Module xm_json
    </Extension>

    # NXLog's own messages, serialized to JSON like the event log records
    <Input internal>
        Module im_internal
        Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
    </Input>

    # Windows Event Log reader; no Query is set, so only the default channels are read
    <Input in>
        Module im_msvistalog
        Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
    </Input>

    # Forward every record as one JSON line to the Logstash tcp input
    <Output out>
        Module om_tcp
        Host 10.155.3.228
        Port 3515
        Exec to_json();
    </Output>

    <Route 1>
        Path internal, in => out
    </Route>

Logstash.conf

    input {
      tcp {
        port => "3515"
        type => "windowseventlog"
        # Only one codec may be set on an input. "line" leaves the raw JSON
        # string in [message] for the json filter below to parse.
        codec => "line"
        tags => [ "tcpjson" ]
      }
    }

    filter {
      if [type] == "windowseventlog" {
        # Parse the NXLog JSON document into top-level fields
        json {
          source => "message"
        }
        # For event log records, replace the raw JSON in [message] with the
        # human-readable Windows event text and drop the duplicate field
        if [SourceModuleName] == "eventlog" {
          mutate {
            replace => [ "message", "%{Message}" ]
          }
          mutate {
            remove_field => [ "Message" ]
          }
        }
      }
    }

    output {
      if [type] == "windowseventlog" {
        elasticsearch {
          hosts => ["localhost"]
          index => "windowseventlog"
        }
        stdout { codec => rubydebug }
      }
    }

Even after I changed the "Input in" settings in nxlog.conf as below, it still won't work:

    <Input in>
        Module im_msvistalog
        Query \ \ *\ \
        # Exec to_json();
    </Input>

Do you know why?
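As an added example (not part of flyfish's post or of the NXLog project's own samples), the configuration below shows the piece the post is missing: im_msvistalog reads only its default set of channels unless it is given a query, and the single-line `Query` directive with `\` continuations is easy to break, which is what the stripped `Query \ \ *\ \` line suggests happened. The block form `<QueryXML>` takes the same Windows event selection XML with one `<Select Path="...">` per channel and no continuation characters. Host and port are the ones from the post; the channel names are assumptions and must be checked against `wevtutil el` on the server, because Event Viewer display names ("Active Directory Domain Services") differ from the channel names the API uses ("Directory Service"), and the DHCP channel name in particular varies by Windows version.

```nxlog
## Added example config, not the poster's. Channel names are assumed;
## confirm each one with:  wevtutil el    (lists every channel on the host)
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
    # Explicit channel list. Without this the module reads only its defaults,
    # which is why the AD, DNS and DHCP channels never reach Logstash.
    # "Microsoft-Windows-Dhcp-Server/Operational" is an assumed name; replace it
    # with whatever `wevtutil el | findstr /i dhcp` reports on the server.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Setup">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Directory Service">*</Select>
                <Select Path="DNS Server">*</Select>
                <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Serialize all event fields into $raw_event as one JSON document
    Exec to_json();
</Input>

# om_tcp's default line-based output terminates each record with a newline,
# so the Logstash tcp input can read it with codec => "line" and the json
# filter from the post can parse [message].
<Output out>
    Module om_tcp
    Host 10.155.3.228
    Port 3515
</Output>

<Route 1>
    Path in => out
</Route>
```

If a channel name in the query does not exist on the host, the whole subscription can fail rather than just skipping that channel, so the check with `wevtutil el` is worth doing before restarting the service; `%ROOT%\data\nxlog.log` is where the resulting error would appear. Once events arrive, the `Channel` field in each JSON record tells you which log they came from, which makes it easy to confirm in Kibana that all seven channels are being forwarded.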


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.