In previous posts we covered using rsyslog to forward logs from Linux servers into Graylog, and using Trend Micro’s OSSEC to forward alert logs to Graylog from both Linux and Windows. Here we will show you how to forward native Windows logs into Graylog.
We won’t be covering IPsec in this tutorial, but will do so in a future post. Bear in mind that GELF over UDP is sent in the clear and is not authenticated, so until IPsec is in place anyone on the network path can read or spoof your log traffic. If you haven’t installed Graylog yet then see the guide here:
First you’ll need to download Nxlog community edition from here:
Nxlog will read the Windows logs and send them to your logging server, which in this case is Graylog.
Once downloaded, Nxlog installs with a few clicks: accept the license agreement and install.
Once installed, check the location of the root folder as described in the README file. The root folder is referenced at the top of the config file (the define ROOT line), so if the nxlog service refuses to start later, a root path that doesn’t match where Nxlog was actually installed is the first thing to check.
Now we have to modify the config file named nxlog.conf, found in the location given in the README file above.
In our test environment the Graylog server is on IP 10.1.1.57; you will need to put the IP address of your own Graylog server instead. All the other settings can be left the same. GELF (Graylog Extended Log Format) is simply the structured format we are telling Nxlog to use when sending the data to Graylog, so that each event arrives with its fields intact rather than as a flat text line.
That’s it for configuring Nxlog; next we allow Nxlog through the Windows firewall.
I hope you are using a host-based firewall (security in layers, right?). If you don’t know how to add a rule to Windows Firewall, we will run through it very quickly here.
Open “Windows Firewall with Advanced Security” and right click “Outbound Rules” and select “New Rule”
Then “UDP”, “Specific remote ports” and type in “12201” (this is the same port specified in the Nxlog config file earlier). (CORRECTION: the image shows 11201, but this is incorrect; it should show 12201.)
Allow the connection (we will cover the IPsec connection at a later date).
Select the network profile that your network is using. If you’re not sure, the Windows Firewall overview shows which firewall profile is active, and that corresponds to your network profile: if the Domain profile is active, your network profile is Domain.
Then give it a name and finish the wizard. We still need to right click our new rule in the list and adjust a few settings.
Restricting the local port as well as the remote port tightens the rule a little more, but only do this if Nxlog is configured to send from a fixed source port (the LocalPort directive of om_udp); by default it picks a random ephemeral port, and a rule pinned to one local port would then silently block it.
Specifying our Graylog server by IP in the remote address scope locks things down a little further, so the rule only permits GELF traffic to that one host.
That’s it for Windows. Go to “Services” and start the nxlog service (the new firewall rule takes effect as soon as it is saved, so the Windows Firewall service itself does not need restarting).
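For readers who prefer to script the Windows side, here is the whole procedure above (nxlog.conf, the outbound firewall rule scoped to nxlog.exe, the remote port and the Graylog IP, and the service start) as an added PowerShell example. It is not from the original post or from the Nxlog project; it assumes the Nxlog community edition is installed in its default root, that Graylog is at 10.1.1.57 listening on GELF UDP 12201 and that the Domain firewall profile is the active one. Change those variables to match your environment and run it from an elevated prompt.

```powershell
# Added example (not from the original post). Assumptions: default NXLog CE root,
# Graylog at 10.1.1.57 with a GELF UDP input on 12201, Domain firewall profile active.
$GraylogHost = '10.1.1.57'                       # your Graylog server
$GelfPort    = 12201                             # must match the Graylog GELF UDP input
$NxlogRoot   = 'C:\Program Files (x86)\nxlog'    # check the README; CE installs 32-bit here
$FwProfile   = 'Domain'                          # the firewall profile that is active on this host

# 1. nxlog.conf: read the Windows Event Log and ship each event to Graylog as GELF over UDP.
#    The define ROOT line must point at the real install folder or the service will not start.
$conf = @"
define ROOT $NxlogRoot

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input eventlog>
    Module  im_msvistalog
</Input>

<Output graylog>
    Module      om_udp
    Host        $GraylogHost
    Port        $GelfPort
    OutputType  GELF
</Output>

<Route eventlog_to_graylog>
    Path  eventlog => graylog
</Route>
"@
# Keep a copy of the shipped config before overwriting it.
Copy-Item "$NxlogRoot\conf\nxlog.conf" "$NxlogRoot\conf\nxlog.conf.bak" -Force
Set-Content -Path "$NxlogRoot\conf\nxlog.conf" -Value $conf -Encoding ASCII

# 2. Outbound rule: only nxlog.exe, only UDP, only the GELF port, only the Graylog host.
#    Local port is left unrestricted because om_udp uses an ephemeral source port by default.
New-NetFirewallRule -DisplayName 'NXLog to Graylog (GELF UDP)' `
    -Direction Outbound -Action Allow -Protocol UDP `
    -RemotePort $GelfPort -RemoteAddress $GraylogHost `
    -Program "$NxlogRoot\nxlog.exe" -Profile $FwProfile

# 3. Start (or restart) the service and show the tail of its log so config errors are visible.
Restart-Service -Name nxlog
Get-Content "$NxlogRoot\data\nxlog.log" -Tail 20
```

The rule is deliberately narrower than the wizard's default: tying it to the nxlog.exe binary means no other process on the host can reuse the opening to push UDP traffic at the Graylog port. Note that Windows Firewall allows outbound traffic by default, so this rule only does real work once the profile's default outbound action is set to Block.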
Now we head over to Graylog to add our new input and accept the messages.
Before we do, we need to open the port on our Graylog server.
If you have been following the previous tutorials, Graylog is installed on Ubuntu Server and is using ufw; the commands to open the port in this configuration are as follows. (Don’t forget that if you have chosen a different port you will need to specify that port number instead.)
sudo ufw allow 12201/udp
Then check the status
sudo ufw status
Then login to Graylog’s web interface and go to “Inputs” as shown below
Select “GELF UDP” from the dropdown and then “Launch new Input”
Select the correct node (if you only have one server there will only be one to choose from), and complete the form as below, except that the bind address will be the IP of your own Graylog server and the port must match the one you opened in ufw.
Save, then start the new input. If Graylog reports no errors but nothing arrives, head over to the Nxlog log file on your Windows machine and check for errors (see the README file mentioned earlier for its location).
There you have it. All done.
At this point, if you have not received any messages into Graylog yet, go over to your Windows server and restart the nxlog service; starting up should generate at least one message. If nothing appears, then either something is set up wrong, so retrace your steps through this tutorial, or, if Graylog itself shows no errors, the issue is most likely with Windows Firewall. Check the nxlog log file for clues. Fixing issues is where you really start to learn, so don’t give up if you have problems!
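When troubleshooting the “no messages” case above, it helps to take Nxlog out of the picture and send one hand-built GELF message from the Windows host straight to the Graylog input. The function below is an added example, not part of the original post or of Nxlog or Graylog; it assumes Graylog is at 10.1.1.57 with the GELF UDP input on 12201, and builds a minimal GELF 1.1 payload (version, host and short_message are the mandatory fields; extra fields carry a leading underscore).

```powershell
# Added example (not from the original post): manual GELF UDP test message.
# Assumes Graylog at 10.1.1.57 with a GELF UDP input listening on 12201.
function Send-GelfTestMessage {
    param(
        [string]$GraylogHost = '10.1.1.57',
        [int]$Port = 12201,
        [string]$Message = 'GELF connectivity test from PowerShell'
    )

    # Minimal GELF 1.1 document. Graylog requires version, host and short_message;
    # any additional field must start with an underscore or the message is rejected.
    $gelf = [ordered]@{
        version       = '1.1'
        host          = $env:COMPUTERNAME
        short_message = $Message
        timestamp     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        level         = 6                      # syslog severity "informational"
        _source       = 'manual-test'          # custom field, shows up as "source" in Graylog
    } | ConvertTo-Json -Compress

    $bytes = [System.Text.Encoding]::UTF8.GetBytes($gelf)
    $udp   = New-Object System.Net.Sockets.UdpClient
    try {
        # Send(byte[], length, host, port) returns the number of bytes handed to the socket.
        $sent = $udp.Send($bytes, $bytes.Length, $GraylogHost, $Port)
    } finally {
        $udp.Close()
    }
    # UDP gives no delivery confirmation: a non-zero return only means the packet left this host.
    return $sent
}

Send-GelfTestMessage
```

Read the result together with the Graylog side. If this message shows up in Graylog but nothing from Nxlog does, the network path, ufw rule and input are fine and the problem is in nxlog.conf or the service (check its log file). If this message does not arrive either, confirm on the Graylog host with a packet capture on UDP 12201 whether anything reaches it at all; if packets never arrive, look at the Windows outbound rule and the network in between. One caveat: if you have set the outbound default to Block and scoped the rule to nxlog.exe as described above, powershell.exe is not covered by that rule and this test will be blocked by design, which is itself a useful confirmation that the rule is doing its job.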