Windows Event Forwarding to Linux server using Nxlog
Introduction
Windows Event Forwarding (WEF) allows the collection of event logs from multiple Windows machines and their forwarding to a centralized server. Using Nxlog, you can send these logs to a Linux server for storage and analysis. This guide walks through setting up forwarding of Windows event logs with Nxlog, with a Linux server receiving them over syslog (UDP port 514) using Rsyslog.
Prerequisites
- Windows Server or Workstation: The machine that will send logs.
- Linux Server: The machine that will receive logs.
- Nxlog: Download the latest version of Nxlog for Windows from Nxlog's official website.
- Network Connectivity: Ensure both machines can communicate over the network.
- Rsyslog: Install the latest version of Rsyslog on the Linux server or workstation.
Installing Nxlog on Windows
Configuring Nxlog on Windows
- Open Configuration File:
  - Edit the Nxlog configuration file located at C:\Program Files\nxlog\conf\nxlog.conf.
- Configure File:
  - Add the following lines to capture the Application, Security and System event logs and send them to the Linux server (replace 192.168.20.24 with your server's address):

    # Include any other necessary modules/extensions
    # xm_syslog provides the syslog formatting procedures used in the output module
    <Extension _syslog>
        Module      xm_syslog
    </Extension>

    # Input Module
    <Input eventlog>
        Module          im_msvistalog
        ReadFromLast    True
        <QueryXML>
            <QueryList>
                <Query Id='1'>
                    <Select Path='Application'>*</Select>
                    <Select Path='Security'>*</Select>
                    <Select Path='System'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    # Output Module
    <Output out>
        Module      om_udp
        Host        192.168.20.24
        Port        514
        # Alternative: build the syslog header by hand instead of calling to_syslog_ietf()
        # Exec $raw_event = "<" + $syslog_severity + ">" + $time + " " + $hostname + " " + $procname + ": " + $raw_event;
        # Format each record as an IETF (RFC 5424) syslog message before sending it
        Exec        to_syslog_ietf();
    </Output>

    # Route
    <Route r>
        Path    eventlog => out
    </Route>
Installing Rsyslog on Linux
- Install Rsyslog:
  - For Ubuntu, run:

    sudo apt update && sudo apt install rsyslog

- Enable Rsyslog:
  - Ensure Rsyslog is enabled and started:

    sudo systemctl enable --now rsyslog
Configuring Rsyslog on Linux
- Open Configuration File:
  - Edit /etc/rsyslog.conf or create a new config file in /etc/rsyslog.d/.
- Configure Rsyslog to Listen for UDP:

    module(load="imudp")            # Load UDP listener
    input(type="imudp" port="514")  # Accept syslog datagrams on UDP/514

- Define Output File:
  - Specify where to store the incoming logs:
- Save and Exit:
  - Save the configuration file and restart Rsyslog:

    sudo systemctl restart rsyslog
Firewall Configuration
Windows Firewall
- Open Windows Defender Firewall:
  - Go to Control Panel > System and Security > Windows Defender Firewall.
- Allow Port 514:
  - In the left pane, click Advanced settings.
  - Select Inbound Rules and click on New Rule.
  - Choose Port, then click Next.
  - Select UDP and enter 514 in the Specific local ports field.
  - Allow the connection and complete the rule setup.
Firewalld Configuration on Linux
- Open Port 514 for UDP:

    sudo firewall-cmd --permanent --add-port=514/udp

- Reload Firewalld:

    sudo firewall-cmd --reload

- Verify Open Ports:

    sudo firewall-cmd --list-ports
Verifying Event Forwarding
- Check Nxlog Status on Windows:
  - Confirm the service is running, and check C:\Program Files\nxlog\data\nxlog.log for configuration errors:

    Get-Service nxlog

- Monitor Logs on Linux:
  - Use the following command to view the log file (use the path you chose in the output file rule above):

    sudo tail -f /var/log/<your-output-file>

- Review Rsyslog Logs:
  - If issues arise, check Rsyslog logs located at /var/log/syslog or /var/log/messages.
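When verifying, it helps to look at the raw datagrams before Rsyslog rewrites them. The following is an added example, not part of the original guide or of Nxlog itself: a small RFC 5424 parser plus a one-shot UDP receiver for the Linux side (stop Rsyslog first, or bind another port). It assumes the output module formats records as IETF syslog; the sample line, the NXLOG@14506 SD-ID and the parameter names in it are constructed for the example.

```python
import re
import socket

# Constructed sample datagram: roughly what NXLog's to_syslog_ietf() emits for a
# Security-channel record. The NXLOG@14506 SD-ID and the parameter names are
# assumptions made for this example, not values taken from the page.
SAMPLE = ('<14>1 2024-05-01T10:15:30.123456+02:00 WIN-HOST '
          'Microsoft-Windows-Security-Auditing 1234 - '
          '[NXLOG@14506 Channel="Security" EventID="4624" EventType="AUDIT_SUCCESS"] '
          'An account was successfully logged on.')

# RFC 5424 header: PRI, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID, then SD + MSG
HEADER = re.compile(r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
                    r'\S+ \S+ (?P<rest>.*)$', re.DOTALL)
# One SD-ELEMENT: [SD-ID PARAM="value" ...]; values may contain escaped \" \] \\
SD_ELEM = re.compile(r'\[(?P<sdid>[^ \]]+)(?P<params>(?: [^= ]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'(?P<k>[^= ]+)="(?P<v>(?:[^"\\]|\\.)*)"')

def parse_ietf_syslog(line: str) -> dict:
    """Parse one RFC 5424 message; raises ValueError on anything else (e.g. BSD format)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError('not an RFC 5424 message')
    pri, rest, sd, pos = int(m['pri']), m['rest'], {}, 0
    if rest.startswith('-'):              # NILVALUE: no structured data
        pos = 1
    else:
        for elem in SD_ELEM.finditer(rest):
            if elem.start() != pos:       # SD elements must be contiguous
                break
            sd[elem['sdid']] = {p['k']: p['v'] for p in SD_PARAM.finditer(elem['params'])}
            pos = elem.end()
    return {'facility': pri >> 3, 'severity': pri & 7, 'timestamp': m['ts'],
            'host': m['host'], 'app': m['app'], 'sd': sd, 'msg': rest[pos:].lstrip()}

def receive_one(port: int = 514, timeout: float = 30.0) -> dict:
    """Bind UDP/<port> (stop rsyslog first, or pick a free port) and parse the first datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(('0.0.0.0', port))
        data, (src, _) = s.recvfrom(65535)
        rec = parse_ietf_syslog(data.decode('utf-8', errors='replace'))
        rec['src'] = src                  # the sending Windows host, useful for firewall checks
        return rec

if __name__ == '__main__':
    print(parse_ietf_syslog(SAMPLE))
```

If the received datagram raises ValueError, the Nxlog output module is not producing RFC 5424 messages (for example it still sends raw event text), which is the first thing to fix before tuning Rsyslog rules.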