Step-by-Step Guide: Sending Windows Event Logs to Graylog With NXLOG
Science and technology
lawrence.video/
This is a guide for sending logs from Windows to Graylog using NXLog and the Graylog GELF format. The tutorial uses sysmon-modular, which also adds MITRE ATT&CK tags to the log entries based on certain commands being run.
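As an added illustration of what the NXLog side of this setup looks like (this is example configuration written for this page, not the video's or the forum post's own file), the following nxlog.conf reads the Sysmon, Security and System channels from the Windows Event Log and ships them to a Graylog GELF UDP input on port 12201. It assumes the default header of the NXLog Community Edition config (the define ROOT, Moduledir, CacheDir, Pidfile, SpoolDir and LogFile lines) is kept above it, and 192.0.2.10 is a placeholder for your Graylog server's address.

```apacheconf
## Added example config, not the video's or forum post's own file.
## Assumes the default nxlog.conf header (define ROOT, Moduledir,
## CacheDir, Pidfile, SpoolDir, LogFile) from the NXLog CE install
## stays above this block. 192.0.2.10 is a placeholder Graylog host.

# GELF encoding so the Graylog GELF input can parse each event.
<Extension gelf>
    Module      xm_gelf
</Extension>

# Pull events from the Windows Event Log: the Sysmon operational
# channel (where sysmon-modular's tagged events land) plus the
# classic Security and System channels.
<Input eventlog>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Send to the Graylog GELF UDP input. 12201 is the default GELF port;
# it has to be allowed through the firewall on the Graylog host.
<Output graylog>
    Module      om_udp
    Host        192.0.2.10
    Port        12201
    OutputType  GELF
</Output>

# Wire the input to the output.
<Route eventlog_to_graylog>
    Path        eventlog => graylog
</Route>
```

After saving this as the nxlog.conf in the NXLog conf directory and restarting the nxlog service, the events should appear on the Graylog GELF input. The MITRE ATT&CK technique tags that sysmon-modular adds arrive in the RuleName field of the Sysmon events, which is the field to search or build dashboards on. If nothing shows up, the two things to check first are that the nxlog and Sysmon services are running on the Windows host and that UDP 12201 is reachable on the Graylog host.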
Forum post with links & downloads used in the video:
lawrence.video/graylogwindows
How To Install Graylog Tutorial
• Graylog: Your Comprehe...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag/
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 www.techsupplydirect.com?aff=2
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect your privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
Chapters
00:00 Sending Windows Event Logs to Graylog With NXLOG
02:16 Sysmon and Sysmon-Modular
03:27 Download NXLOG
04:16 Graylog GELF Input Setup
04:53 Installing Sysmon and NXLOG
07:00 Showing MITRE ATT&CK Log Data
#graylog #logging #siem
Comments: 27
Thanks Tom. I've been procrastinating this and now will finally hop on windows logs.
Can see this is not a huge help to your channel but I appreciate it :) thanks for doing these.
Thanks for the instructions! Question however: Now getting > 1000 index (elastic) error messages in my Windows index. I'm logging Windows 11 workstation logs as a test for the moment, but would that issue also occur if I were to do Windows Server logs only? Any suggestion on how to address the current situation? Much obliged. OpenSearchException[OpenSearch exception [type=illegal_argument_exception, reason=Limit of total fields [1000] has been exceeded]]
I had no problems getting this up and running, thanks for the video. BUT, my windows servers quickly filled up with huge 'sysmon' folders. These are protected folders and can't even be deleted by admin. Also, you can't stop the Sysmon service. So, how do you manage this situation? Is there a suggested approach?
Awesome video. Been putting off doing this. Got it all set up now! I have a question: why use sysmon at all? Right now I did what your video said except for the sysmon part and it seems as though my Windows event logs are being sent to Graylog, I don't know much about sysmon.
@LAWRENCESYSTEMS
3 months ago
you are only getting very basic logs without it, we cover the details of Sysmon in this video kzread.info/dash/bejne/Y46Dytiim9ardbw.html
@DevanteWeary
3 months ago
@LAWRENCESYSTEMS - Oh dang... so NXLog doesn't just... send all the Windows event log data over? It picks and chooses? Crazy. Good to know!
Do I need to set up a script for sysmon to always run every time Windows is rebooted, or does that sysmon command also install a service into Windows?
@LAWRENCESYSTEMS
4 months ago
Sysmon will run on startup by default.
@cinlung
4 months ago
@LAWRENCESYSTEMS Thanks, and thank you for the videos. I find your videos very useful and insightful.
Why not use Graylog's built-in sidecar to centralize management and configs?
@LAWRENCESYSTEMS
4 months ago
More work to set up and not clear if the MITRE data can be added
@GeneralDon7
4 months ago
Was thinking the same, you can still use sysmon to create the event logs, but then your sidecar, which supports the nxlog collector, can ship them to graylog. I currently use this setup since some applications don't put everything in the event log, so I'm using filebeat.
@DevanteWeary
3 months ago
Why not make your own video showing how? Because I have no idea what the Sidecar is even though I use Graylog.
Hey, I am still having issues trying to get the logs to appear even though I followed all the steps in the video. I installed sysmon/nxlog on my device, configured the custom xml file with my graylog server IP, and I tried allowing port 12201 on the server/Windows Defender firewall. Still nothing, any ideas?
Can you use nxlog to export windows IIS logs to GrayLog?
@LAWRENCESYSTEMS
A month ago
Not something that I have tried.
This is great information. Thank you for posting this. A small point of feedback: in my experience working with people from MITRE and other FFRDCs, I believe the organization is generally pronounced more like "My-tar". Thanks again for the useful info though! I'd love to see you continue this path with more of a "network security monitoring for small businesses with pfsense/sysmon/etc" series.
I prefer Wazuh over Graylog. Security and security extensions are way better.
@LAWRENCESYSTEMS
4 months ago
They have different use cases so it's not really a comparison.
@SmoothOper4t0r
4 months ago
@LAWRENCESYSTEMS I know, but in the end you will want to use it for security purposes, not just log collection. Wazuh will take you there sooner.
@stefanforest7582
4 months ago
Graylog has a security version, but that is not open source. But if you know that, what specifically do you miss?
@luma5756
A month ago
They really aren't the same thing at all.
@Wahinies
19 days ago
The blog networkwizkid shows a comparison of message output, and Wazuh is fairly hard to read with zero formatting, but Wazuh as a SIEM is stellar. I tried the SOCFortress method of forwarding Wazuh to Graylog and it was working until an update; then Wazuh lost its marbles and was taking too much time to troubleshoot. I wish I could get the best of both worlds.