Windows

Microsoft Windows has a service that maintains local logs and events called EventLog. The EventLog acts as a local repository of all the logs produced by the system itself, including the operating system and its various services.

Collecting and forwarding data from Windows systems requires an agent that can:

Collect logs and events from Windows EventLog
Collect logs and events placed in local files and folders by applications
Foward real-time syslog-compatible data to an external system

Use NXLog

You can download NXLog and its documentation at: http://nxlog.org/products/nxlog-community-edition/download

Below is a sample config that grabs Windows EventLogs and two application log files, then sends them over UDP to Unomaly.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
SuppressRepeatingLogs    FALSE

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module       im_msvistalog
</Input>

<Input logfile>
    InputType    LineBased
    Module       im_file
    File         'C:\Path\To\file.log'
    PollInterval 10
    DirCheckInterval 10
    CloseWhenIdle TRUE
</Input>

<Output uout>
    Module      om_udp
    Host        unomaly_host
    Port        514
    Exec    to_syslog_bsd();
</Output>

<Route 1>
    Path        eventlog, logfile => uout
</Route>

Multiline log files

You can configure NXLog to support log files containing log lines that span multiple lines. For example, you can add the following snippet to nxlog.conf:

<Extension multiline>
  Module xm_multiline
  HeaderLine /^<event>/
  EndLine /^</event>/
</Extension>

<Input in4>
 Module im_file
 InputType multiline
 # Discard everything that doesn't seem to be an xml event
 Exec if $raw_event !~ /^<event>/ drop();
 File "C:\\myfile.log"
 CloseWhenIdle TRUE
</Input>

Windows

Use NXLog

Multiline log files

Did this article help you?

Table of Contents