
Windows NXLog to Graylog

This article explains how to send logs from a Windows system to Graylog using NXLog on the Windows system. We’re starting with a working Graylog server and a Windows system.

Install NXLog on Windows using the defaults (or change them as you like). Back up the configuration file at “C:\Program Files\nxlog\conf\nxlog.conf” first, then update it to match the following, changing the Host IP address and Port number to those of your Graylog server.

Panic Soft

# Base paths for a default Windows install; change ROOT if NXLog was installed elsewhere
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

# Pull in any additional configuration files dropped into conf\nxlog.d
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# GELF formatting support, used by the output block below
<Extension gelf>
    Module xm_gelf
</Extension>

# Read events from the Windows Event Log
<Input in>
    Module im_msvistalog
</Input>

# Send events as GELF over TCP; Host and Port must match the Graylog GELF TCP input
<Output out>
    Module om_tcp
    Host 10.1.2.3
    Port 9514
    OutputType GELF
</Output>

# Connect the Event Log input to the Graylog output
<Route 1>
    Path in => out
</Route>

Restart the Windows NXLog service.

On the Graylog server, create a new Input of type “GELF_TCP” and set its Port to the one used in the “nxlog.conf” file above. No other changes are required.

Make sure firewalls on both the sending and receiving systems allow the described traffic. Windows logs will be verbose on a busy system, so make sure there’s sufficient disk space on the Graylog server.
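As an added example (not code from the original post, NXLog or Graylog), the Python script below builds the NUL-terminated GELF 1.1 frames that a GELF_TCP input expects, sends them, and parses them back through a throwaway loopback listener, which is a quick way to confirm the firewall path and the port before pointing NXLog at it. The host 10.1.2.3 and port 9514 are the values from the nxlog.conf above; the event fields used are constructed sample data.

```python
import json
import socket
import socketserver
import threading
import time

GELF_DELIM = b"\x00"  # each GELF TCP frame is one JSON document terminated by a NUL byte

def build_gelf(host, short_message, level=6, **extra):
    """Return one GELF 1.1 frame; additional fields are prefixed with '_' as the spec requires."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    for key, value in extra.items():
        msg["_" + key.lstrip("_")] = value
    return json.dumps(msg).encode("utf-8") + GELF_DELIM

def parse_gelf_stream(data):
    """Split a received byte stream on NUL and reject frames lacking GELF's required fields."""
    events = []
    for frame in data.split(GELF_DELIM):
        if not frame:
            continue
        doc = json.loads(frame)
        for required in ("version", "host", "short_message"):
            if required not in doc:
                raise ValueError(f"GELF frame missing required field {required!r}")
        events.append(doc)
    return events

def send_gelf(payload, host="10.1.2.3", port=9514, timeout=5):
    """Send raw frames to a GELF TCP input; defaults are the Host/Port from the nxlog.conf above."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)

class _Collector(socketserver.StreamRequestHandler):
    def handle(self):
        self.server.received += self.rfile.read()  # read until the sender closes the connection

def loopback_roundtrip(frames):
    """Start a throwaway GELF TCP listener on 127.0.0.1, send the frames to it, return what it parsed."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Collector)
    server.received = b""
    worker = threading.Thread(target=server.handle_request)  # serve exactly one connection
    worker.start()
    send_gelf(b"".join(frames), host="127.0.0.1", port=server.server_address[1])
    worker.join(timeout=5)
    server.server_close()
    return parse_gelf_stream(server.received)
```

To test the real input, call send_gelf(build_gelf("WIN-TEST", "NXLog GELF test event")) from a host on the Windows side of the firewall and look for the event in Graylog.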
