Windows NPS + NXlog to Graylog

Andrew Cheremisov | Security, Uncategorized

Saving Windows NPS logs to any folder

Downloading NXlog Community Edition from here

Changing the NXlog config file at C:\Program Files (x86)\nxlog\conf\nxlog.conf to the following:

#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\\cert
define CONFDIR  %ROOT%\\conf
define LOGDIR   %ROOT%\\data
define LOGFILE  %ROOT%\\logs\\nxlog.log

Moduledir %ROOT%\\modules
CacheDir  %ROOT%\\data
Pidfile   %ROOT%\\data\
SpoolDir  %ROOT%\\data

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Loaded for completeness; the NPS DTS format writes one <Event> per line,
# so the input below stays LineBased and does not use this extension
<Extension multiline>
    Module          xm_multiline
    HeaderLine      /^<Event>/
    EndLine         /^<\/Event>/
</Extension>

<Extension xmlparser>
    Module          xm_xml
</Extension>

<Extension json>
    Module          xm_json
</Extension>

#Configuring from where to take the information
#Change folder to where you store NPS logs
<Input NPS>
    Module          im_file
    File            "C:\Logs\IN*.log"
    InputType       LineBased
    SavePos         TRUE
    ReadFromLast    TRUE
    <Exec>
        $Message = $raw_event;

        # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<Event>/ drop();

        # Parse the xml event (each <Tag> becomes a field of the same name)
        parse_xml();

        # Rewrite some fields
        #$EventTime = parsedate($timestamp);

        # Convert to JSON (this is what goes out over TCP)
        to_json();
    </Exec>
</Input>

# Where you want to send. In my case port TCP 9000
# GRAYLOG_HOST is a placeholder for the address of your Graylog server
<Output Graylog>
    Module      om_tcp
    Host        GRAYLOG_HOST
    Port        9000
</Output>

<Route 1>
    Path        NPS => Graylog
</Route>

Configure an input in Graylog to accept syslog messages on port 9000 (or any other port that you configured in NXlog). Note that om_tcp sends one newline-terminated JSON line per event with no syslog header, so if the Syslog input does not parse the messages cleanly, a Raw/Plaintext TCP input on the same port matches the format exactly.

Configure a Graylog JSON extractor on the message field so that the NPS fields (Computer-Name, User-Name, Client-IP-Address, Packet-Type and so on) become searchable fields.
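To see what the Exec block actually hands to Graylog before you build the extractor, the following added example (not code from the original post, and not NXlog's own code) reproduces the three transformations in Python: drop lines that are not an <Event>, parse the XML into one field per tag, and serialise to JSON. The sample log lines are constructed for illustration; the tag names follow the NPS DTS-compliant log format, the Packet-Type values are the RADIUS codes (1 Access-Request, 2 Access-Accept, 3 Access-Reject), and the user names, host names and addresses are invented. The last function goes slightly beyond the post and shows the kind of summary the JSON extractor makes possible on the Graylog side: counting Access-Reject events per user.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of what NPS writes to C:\Logs\IN*.log in the DTS-compliant
# format: one <Event>...</Event> per line. All values are invented.
SAMPLE_LOG_LINES = [
    '<Event><Timestamp data_type="4">10/21/2019 08:15:02.123</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">CORP\\alice</User-Name>'
    '<Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address>'
    '<Packet-Type data_type="0">1</Packet-Type></Event>',
    '<Event><Timestamp data_type="4">10/21/2019 08:15:02.456</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">CORP\\alice</User-Name>'
    '<Client-IP-Address data_type="3">10.10.0.5</Client-IP-Address>'
    '<Packet-Type data_type="0">2</Packet-Type></Event>',
    # A non-XML line, e.g. a stray header: the NXlog rule drops it
    'NPS log header line that is not an event',
    '<Event><Timestamp data_type="4">10/21/2019 08:16:40.001</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">CORP\\bob</User-Name>'
    '<Client-IP-Address data_type="3">10.10.0.9</Client-IP-Address>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">16</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">10/21/2019 08:16:55.777</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">CORP\\bob</User-Name>'
    '<Client-IP-Address data_type="3">10.10.0.9</Client-IP-Address>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">16</Reason-Code></Event>',
]

ACCESS_REJECT = "3"  # RADIUS Packet-Type code for Access-Reject


def event_to_fields(line: str) -> Optional[Dict[str, str]]:
    """Mimic `if $raw_event !~ /^<Event>/ drop();` followed by `parse_xml();`.

    Returns None for dropped lines, otherwise a dict with one entry per
    child element of <Event>, keyed by tag name (data_type attributes are
    not carried over, matching what a flat field set looks like in Graylog).
    """
    if not line.startswith("<Event>"):
        return None
    try:
        root = ET.fromstring(line)
    except ET.ParseError:
        # A line that looks like an event but is not well-formed XML would
        # also fail parse_xml(); treat it as dropped rather than crash.
        return None
    return {child.tag: (child.text or "") for child in root}


def fields_to_json(fields: Dict[str, str]) -> str:
    """Mimic `to_json();`: one compact JSON object per event, one per line."""
    return json.dumps(fields, separators=(",", ":"))


def pipeline(lines: List[str]) -> List[str]:
    """Run the whole Exec block over a batch of raw log lines.

    The result is the list of JSON lines om_tcp would send to Graylog.
    """
    out = []
    for line in lines:
        fields = event_to_fields(line)
        if fields is not None:
            out.append(fields_to_json(fields))
    return out


def access_reject_counts(lines: List[str]) -> Counter:
    """Count Access-Reject events per User-Name, the first thing most
    defenders chart once the JSON extractor has split the fields."""
    counts: Counter = Counter()
    for json_line in pipeline(lines):
        event = json.loads(json_line)
        if event.get("Packet-Type") == ACCESS_REJECT:
            counts[event.get("User-Name", "<unknown>")] += 1
    return counts


if __name__ == "__main__":
    for json_line in pipeline(SAMPLE_LOG_LINES):
        print(json_line)
    print("Access-Reject per user:", dict(access_reject_counts(SAMPLE_LOG_LINES)))
```

Running the block prints four JSON lines (the header line is dropped) and a reject count of two for CORP\bob. The keys you see in that output are exactly the field names the Graylog JSON extractor will create, which is a convenient way to decide extractor settings before any real traffic arrives.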
