Transfer Windows event logs to Linux to centralize log management

These are the settings I used at the time.

Install a tool called "NXLog" on Windows. Download it from here: https://nxlog.co/products/nxlog-community-edition/download
Select the Windows version, copy it to the server, and install it.
There are no particular choices to make, and the installation completes in an instant.
When it is done, edit the configuration file:
C:\Program Files (x86)\nxlog\conf\nxlog.conf
Modify the file contents as follows.

nxlog.conf

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets shift_jis, utf-8
</Extension>

<Extension json>
    Module xm_json
</Extension>

## Read the Application, System and Security event logs; the XPath query keeps
## only Critical (Level 1), Error (Level 2) and Warning (Level 3) events.
<Input in>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
            <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
            <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
        </Query>\
    </QueryList>
    ## Serialize all event fields as JSON, prefixed with "json=", and tag the message with facility 21 (local5)
    Exec $raw_event = "json=" + to_json(); $SyslogFacilityValue = 21;
    Exec convert_fields("utf-8", "utf-8");
</Input>

## Wrap the JSON payload in a BSD-style syslog message
<Processor t>
    Module pm_transformer
    OutputFormat syslog_bsd
    Exec $Message = (": " + $raw_event);
</Processor>

## Destination rsyslog server (replace xxx.xxx.xxx.xxx with its address)
<Output out>
    Module om_udp
    Host xxx.xxx.xxx.xxx
    Port 514
</Output>

<Route r>
    Path in => t => out
</Route>
```
Under "Output out", specify the IP address and port of the server you want to send the logs to.

The three lines in "QueryList"
Select Path="Application"
Select Path="System"
Select Path="Security"
output the corresponding event log and let you specify the Level. If you remove one of them, that event log will not be emitted. The Level values are as follows:
Critical = Level 1
Error = Level 2
Warning = Level 3
Information = Level 4
Next come the settings on the Linux server that receives the logs. Add the following to rsyslog.conf:

rsyslog.conf

```
## Remote host logging
:fromhost-ip, isequal, "xxx.xxx.xxx.xxx" /var/log/xxxx.log
& stop
```
Specify the IP address of the NXLog server and the log output destination.
By editing this file you can also narrow the selection down by facility and change the output format.

Finally, restart the nxlog service on Windows and restart rsyslog on Linux:

```
systemctl restart rsyslog
```
The specified log file should now exist and the event log contents should have been written into it, like this:

```
Jul 3 11:00:29 dango NRPE_NT[0]: [err] : json={"EventTime":"2018-07-03 11:00:28","Hostname":"dango","Keywords":36028797018963968,"EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":3,"SourceName":"NRPE_NT","Task":4,"RecordNumber":8618,"ProcessID":0,"ThreadID":0,"Channel":"Application","ERROR_EVT_UNRESOLVED":true,"EventReceivedTime":"2018-07-03 11:00:29","SourceModuleName":"in","SourceModuleType":"im_msvistalo
```

It's hard to read, but you can fix that by tweaking rsyslog.conf.
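Once the lines are landing in the log file, the embedded JSON is what a detection pipeline actually wants. The following is an added example (not part of the original post or of NXLog/rsyslog) that parses lines of the shape produced by the configuration above, drops anything that is not a complete event (for instance a UDP datagram that was cut off mid-JSON at the receiver's message-size limit), and filters by Channel and Severity; the sample lines, the host name "dango", the event IDs and the Severity ordering are constructed or assumed for the example.

```python
import json
import re

# Shape of one line as rsyslog writes it for the post's configuration:
#   "<Mon> <D> <HH:MM:SS> <host> <SourceName>[<pid>]: [<sev>] : json={...}"
# ("json=" comes from the im_msvistalog Exec, ": " from the pm_transformer Exec).
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<tag>\S+?)\[\d+\]: \[[^\]]+\] : json=(?P<json>\{.*\})\s*$"
)

# NXLog Severity names, lowest first (ordering assumed for this example).
SEVERITY_ORDER = ["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"]

# Constructed sample lines; the last one is a datagram cut off mid-JSON.
SAMPLE_LINES = [
    'Jul  3 11:00:29 dango NRPE_NT[0]: [err] : json={"EventTime":"2018-07-03 11:00:28",'
    '"Hostname":"dango","Severity":"ERROR","EventID":3,"SourceName":"NRPE_NT","Channel":"Application"}',
    'Jul  3 11:02:10 dango Kernel-General[0]: [info] : json={"EventTime":"2018-07-03 11:02:09",'
    '"Hostname":"dango","Severity":"INFO","EventID":12,"SourceName":"Kernel-General","Channel":"System"}',
    'Jul  3 11:05:44 dango Security-Auditing[0]: [err] : json={"EventTime":"2018-07-03 11:05:44",'
    '"Hostname":"dango","Severity":"ERROR","EventID":4625,"SourceName":"Security-Auditing","Channel":"Security"}',
    'Jul  3 11:06:01 dango NRPE_NT[0]: [err] : json={"EventTime":"2018-07-03 11:06:00","Channel":"Applica',
]

def parse_event(line):
    """JSON fields plus syslog host/tag, or None for a malformed or truncated line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        event = json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None
    event["_syslog_host"] = m.group("host")
    event["_syslog_tag"] = m.group("tag")
    return event

def select_events(lines, channel=None, min_severity="WARNING"):
    """Parsed events from `channel` at or above `min_severity`; bad lines are skipped."""
    floor = SEVERITY_ORDER.index(min_severity)
    selected = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or (channel and ev.get("Channel") != channel):
            continue
        if ev.get("Severity") in SEVERITY_ORDER[floor:]:
            selected.append(ev)
    return selected
```

Calling `select_events(SAMPLE_LINES, channel="Security", min_severity="ERROR")` returns only the Security event; the truncated line is silently dropped rather than crashing the reader, which is the failure mode to watch for with om_udp.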
That's it