I am currently in the process of setting up ELK for Windows event logs for a production environment. I am just testing everything, and I think I have a nice simple configuration to start with:
So as I said, pretty simple, and I can see the logs are in ES and Kibana. The only problem I have is that I don't have all of the fields I would expect, so I only really have 'message', which contains the log information, and 'host', which is the server it comes from.
From what I have read, I would expect to see severity, event ID, etc., but I am not getting any of these.
Any ideas? Will I have to use the mutate option in the filter to get these? And if so, could you point me in the direction of an example?
This is probably more of an NXLog question. I suspect you need to configure it to encode outgoing messages as JSON. Consequently you also need to configure Logstash to interpret inbound messages as JSON, either by having the tcp input use the json codec or by using a json filter.
using multiline as it fixes an issue I have with some event logs being split over multiple entries when I used the json codec, or the json_lines one. Or do you think this would have happened as I wasn't specifying json in nxlog?
Not with the current Logstash. It might be planned for future releases.
Or do you think this would have happened as I wasn't specifying json in nxlog?
Not sure exactly what you mean, but IIRC from the little work I did with NXLog about six months ago it works about the same as Logstash in that it internally keeps messages as a set of key/value pairs. Those pairs are serialized upon output, but if the output format/codec doesn't support key/value-style structures it'll (more or less) just emit the "message" part and scrap the rest.
So, if NXLog collects structured data you'll want to use an output codec that supports structured data. On the Logstash side you'll want to use a codec and/or filter that matches what you get over the wire.
If you want more concrete help connecting NXLog and Logstash, please be more explicit about what Logstash is receiving. Starting with raw input without filters applied probably helps. People here know Logstash but usually not NXLog.
Have managed to resolve, so thank you very much for your help.
Just to confirm, my nxlog config wasn't quite right. I have changed it to:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
    # Serialize the whole event (EventID, Severity, Channel, ...) as one JSON line
    Exec $raw_event = to_json();
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>\
        </Query>\
        <Query Id="1">\
            <Select Path="Application">*</Select>\
        </Query>\
        <Query Id="2">\
            <Select Path="System">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_tcp
    Host   server
    Port   5140
</Output>

<Route 1>
    Path in => out
</Route>
Then changed the codec in my logstash.conf from multiline to json_lines.
All looks good - the only remaining thing to do is change the EventID field; it's currently showing as a number, so the event ID shows as 1,450 rather than 1450.
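For reference, a Logstash pipeline that matches the NXLog config above and handles the EventID formatting: this is an added example, not a config posted in the thread. The port and hosts values are assumptions; adjust them to your environment.

```conf
input {
  tcp {
    # Same port NXLog's om_tcp sends to (assumed from the config above)
    port  => 5140
    # One JSON document per line, as produced by to_json() in NXLog
    codec => json_lines
  }
}

filter {
  # to_json() emits EventID as a JSON number, which Kibana renders with a
  # thousands separator (1,450). Storing it as a string keeps it as "1450"
  # and avoids range/aggregation semantics that make no sense for an ID.
  mutate {
    convert => { "EventID" => "string" }
  }

  # The json_lines codec tags events it could not parse; keeping that tag
  # visible makes silently broken input easy to spot in Kibana.
  if "_jsonparsefailure" in [tags] {
    mutate { add_field => { "parse_status" => "failed" } }
  }
}

output {
  elasticsearch {
    # Assumed local cluster; replace with your own nodes
    hosts => ["localhost:9200"]
  }
}
```

If you would rather keep EventID numeric for range queries, the alternative is to leave the type alone and set the field's display format to a plain number in the Kibana index pattern.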