sysmon to nxlog logs nothing to file nor tcp

Question

been trying to set up a windows host logfile with sysmon. This is succesful. Logging occurs in eventlogfile windows sysmon operational.

Step two is to get nxlog to read it and send it to a remote syslog server. But nothing happens. For troubleshooting I am trying to log to a local file also nothing.

here is my nxlog config file,

#

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel DEBUG

<Extension _syslog>
  Module      xm_syslog
</Extension>

<Input eventlog>
 Module      im_msvistalog
<QueryXML>
    <QueryList>
        <Query Id="0">
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        </Query>
    </QueryList>
  </QueryXML>
</Input>

<Output syslog>
 Module      om_tcp
 Host        192.168.0.61
 Port        514
 Exec        to_syslog_bsd();
</Output>

<Output file>
 Module  om_file
 File    'C:\test\sysmon.json'
 Exec    to_json();
</Output>

<Route 1>
 Path        eventlog => syslog
</Route>

<Route 2>
 Path        eventlog => file
</Route>

all the log says is 2017-10-31 21:59:21 INFO nxlog-ce-2.9.1716 started 2017-10-31 21:59:21 INFO connecting to 192.168.0.61:514

But no logfile, no logging to tcp ..

getting wiser slowly. Apparantly the service blocks the configfile while running. So it refuses a new config. First stop server, then edit with a editor running as root, then restart server. Now I am getting debug info in the log file — , Nov 02 '17 at 20:16
debug says: procedure 'to_json()' does not exist or takes different arguments — , Nov 02 '17 at 20:19
got it working now. The whole problem was that the nxlog does not read in a new config file easily. I de-installed nxlog and re-installed it. You need to write to the config file with a text-editor loaded as root, All on windows7 this. — , Nov 02 '17 at 22:00

score 0 · Answer 1 · answered Oct 31 '17 at 21:50

0

I guess your syslog server does not accept the tcp connection which blocks the whole pipeline due to flow-control, including the other route that writes into the local file.

answered Oct 31 '17 at 21:50

b0ti

2,319
1
18
18

sysmon to nxlog logs nothing to file nor tcp

1 Answers1