I'm using nxlog version 3.0 on WinServ2012 R2 Standard. I can forward the event logs under Event Viewer –> Windows Logs –> Application, System, Security, but I'm not able to forward other logs that live in a different log directory/level, for example (screenshot):
Below is my nxlog configuration file nxlog.conf. I'm trying to grab the USB drive/pen drive insert/eject logs from the Microsoft-Windows-DriverDriverFrameworks-UserMode/Operational event log. The logs are populated, but I'm not able to receive them at the syslog server.
Panic Soft
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE '%LOGDIR%/nxlog.log'
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogLevel INFO
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
<Schedule>
Every 1 hour
Exec if (file_exists(%LOGFILE%) and (file_size(%LOGFILE%) >= 5M)) file_cycle(%LOGFILE%, 8);
</Schedule>
</Extension>
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
# The original post had an unbalanced "<Sekect ...>...</Select>" tag, which is not
# well-formed XML, and a doubled "DriverDriver" in the channel name; the channel
# is Microsoft-Windows-DriverFrameworks-UserMode/Operational.
<QueryXML>
<QueryList>
<Query Id='1'>
<Select Path='Application'>*</Select>
<Select Path='Security'>*</Select>
<Select Path='System'>*</Select>
<Select Path='Microsoft-Windows-DriverFrameworks-UserMode/Operational'>*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Input agentlogging>
Module im_internal
</Input>
<Output logcontents>
Module om_tcp
Host 10.10.10.100
Port 514
Exec to_syslog_snare();
</Output>
<Output agentlog>
Module om_tcp
Host 10.10.10.100
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path eventlog => logcontents
</Route>
<Route 2>
Path agentlogging => agentlog
</Route>
Best Answer
To send syslog from NXLog to a syslog server you'd need to use the xm_syslog extension module and invoke one of the formatters (to_syslog_bsd(), to_syslog_ietf(), to_syslog_snare()) depending on the desired format that your syslog server supports. For more details see the Syslog section in the User Guide.
While some USB events are stored in the Windows Eventlog, there are other data sources for USB events:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
and by monitoring this registry hive it is possible to detect changes to the USB configuration. The im_regmon input module supports registry monitoring in the NXLog EE.
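Added example (Python, not code from the thread or from NXLog): a pre-flight check for the two failure modes this thread turns on, a QueryXML block that is not well-formed XML (the "<Sekect>" tag) or names a channel that does not exist, and an om_tcp output whose Exec has no to_syslog_*() formatter. The config excerpt and the channel list are constructed here; on a real host the channel list would come from `wevtutil el`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the question's nxlog.conf: the unbalanced <Sekect> tag,
# the doubled "DriverDriver" channel name, and an output with no formatter.
SAMPLE_CONF = """\
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='1'>
<Select Path='Application'>*</Select>
<Sekect Path='Microsoft-Windows-DriverDriverFrameworks-UserMode/Operational'>*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output logcontents>
Module om_tcp
Host 10.10.10.100
Port 514
</Output>
"""

# Channel names as `wevtutil el` lists them on the host (constructed subset).
KNOWN_CHANNELS = {
    "Application", "Security", "System",
    "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
}

def check_conf(conf, known_channels=KNOWN_CHANNELS):
    """Return the problems in conf that would keep events from reaching the syslog server."""
    problems = []
    for block in re.findall(r"<QueryXML>(.*?)</QueryXML>", conf, re.S):
        # Check channel names textually first, so a misspelt channel is still
        # reported when the XML itself does not parse.
        for path in re.findall(r"Path=['\"]([^'\"]+)['\"]", block):
            if path not in known_channels:
                problems.append(f"unknown channel: {path}")
        try:
            ET.fromstring(block)  # a query that is not well-formed XML cannot be used
        except ET.ParseError as err:
            problems.append(f"QueryXML not well-formed: {err}")
    for name, body in re.findall(r"<Output (\w+)>(.*?)</Output>", conf, re.S):
        # om_tcp sends the raw record unless an Exec applies a syslog formatter.
        if not re.search(r"Exec\s+to_syslog_(bsd|ietf|snare)\(\)", body):
            problems.append(f"output {name}: no to_syslog_*() formatter in Exec")
    return problems

if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF):
        print(problem)
```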