This article explains how to send logs from a Windows system to Graylog using NXLog on the Windows side. It assumes you already have a working Graylog server and a Windows system.
Install NXLog on Windows using the defaults (or change them as you like). Make a backup of the configuration file at “C:\Program Files\nxlog\conf\nxlog.conf”, then replace its contents with the following. Change the Host IP address and Port number to those of your Graylog server.
Panic Soft

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_tcp
    Host 10.1.2.3
    Port 9514
    OutputType GELF
</Output>

<Route 1>
    Path in => out
</Route>
Restart the Windows NXLog service.
Now move over to the Graylog server. Create a new Input of type “GELF_TCP” and set its Port to the one used in the “nxlog.conf” file above (9514 in the example). No other changes are required.
Make sure the firewalls on both the sending and receiving systems allow the described traffic. Note that om_tcp sends the events in clear text; on an untrusted network, use NXLog's om_ssl output module together with the TLS settings of the Graylog GELF TCP input instead. Windows logs are verbose on a busy system, so make sure there is sufficient disk space on the Graylog server.
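A quick way to confirm that the firewall path and the GELF_TCP input are working before troubleshooting NXLog itself is to hand-build one GELF frame and send it from the Windows host. The script below is an added example, not part of the original article or of NXLog; the host address, port, and field values are taken from the configuration above and are assumptions to adjust.

```python
import json
import socket
import time

GRAYLOG_HOST = "10.1.2.3"   # Host from nxlog.conf above (adjust to your server)
GRAYLOG_PORT = 9514         # Port from nxlog.conf / the GELF_TCP input


def build_gelf_frame(short_message, host="win-test", level=6, **extra):
    """Build one GELF 1.1 message the way Graylog's GELF TCP input expects it:
    a single JSON object followed by a NUL byte as the frame delimiter.
    Extra fields get a leading underscore so Graylog stores them as custom fields."""
    msg = {
        "version": "1.1",
        "host": host,                      # the sending system's name
        "short_message": short_message,
        "timestamp": round(time.time(), 3),  # seconds since epoch, fractional OK
        "level": level,                    # syslog severity, 6 = informational
    }
    for key, value in extra.items():
        msg["_" + key] = value
    return json.dumps(msg).encode("utf-8") + b"\x00"


def parse_gelf_frame(frame):
    """Decode a frame built above (strip the NUL delimiter, parse the JSON)."""
    if not frame.endswith(b"\x00"):
        raise ValueError("GELF TCP frame must end with a NUL byte")
    return json.loads(frame[:-1].decode("utf-8"))


def send_gelf(frame, host=GRAYLOG_HOST, port=GRAYLOG_PORT, timeout=5):
    """Open a TCP connection to the Graylog input and send one frame.
    Returns True on success; a refused or timed-out connection usually means
    a firewall or a missing/misconfigured GELF_TCP input."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(frame)
        return True
    except OSError as exc:
        print(f"could not deliver GELF frame to {host}:{port}: {exc}")
        return False


if __name__ == "__main__":
    test_frame = build_gelf_frame("nxlog pipeline test", check="manual")
    if send_gelf(test_frame):
        print('sent; search Graylog for short_message:"nxlog pipeline test"')
```

If the send succeeds but nothing appears in Graylog, the input and firewall are fine and the problem lies in the NXLog configuration or service on the Windows side.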