reighnman / Graylog_Content_Pack_WinDNS

A Windows DNS content pack for graylog.
MIT License

Dashboard empty? #4

Closed scottemackenzie closed 8 years ago

scottemackenzie commented 8 years ago

Sorry to ask, but we are trying to get your DNS and AD content packs working and having some challenges. We hope you can point us in the right direction.

Both "inputs" are logging data in graylog --> system --> inputs. However, neither dashboard is showing any data. Any ideas where the nxlog.conf (below) is incorrect?

The only thing that I can think of is that we have changed the name fields on both inputs from their original names (as they are the same) and we altered the ports on the one (as below):

Windows DNS Logs (GELF UDP) Port changed from 5414 to 5415

Windows Logs (GELF UDP) Port left standard 5414

nxlog.conf

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input inudp>
    Module      im_msvistalog
</Input>

<Input infile>
    Module      im_file
    File        "c:\dns-debug.log"
    SavePos     TRUE
    InputType   LineBased
</Input>

<Output outudp>
    Module      om_udp
    Host        10.20.2.31
    Port        5414
    OutputType  GELF
</Output>

<Output outfile>
    Module      om_udp
    Host        10.20.2.31
    Port        5415
    OutputType  GELF
</Output>

<Route udp>
    Path        inudp => outudp
</Route>

<Route file>
    Path        infile => outfile
</Route>
```

The extension tags are present in the config; however, they do not show up above.

reighnman commented 8 years ago

What version of Windows Server?

For the DNS dashboard I believe I filter "SourceModuleName:dns", which is a field auto populated by nxLog depending on what you named the input.

For example in my config:

```
<Input dns>
    Module      im_file
    File        "C:\dns.txt"
    SavePos     TRUE
    InputType   LineBased
</Input>
```

If you name the input something else, I'm guessing Nxlog changes the sourcemodulename field as well.
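To make the field mechanism above concrete, here is an added example (not code from the content pack or from anyone in this thread) that builds the GELF 1.1 datagram an nxlog xm_gelf/om_udp output emits for one log line, including the `_SourceModuleName` additional field taken from the `<Input NAME>` block, and checks whether the decoded message would pass a dashboard filter of `SourceModuleName:dns`. The field names, the sample DNS debug line and the host/port values are constructed assumptions.

```python
import json
import socket
import time
import zlib

# nxlog fills SourceModuleName from the <Input NAME> block; the content pack's
# dashboard filters on it (assumption based on the thread above).
SOURCE_MODULE_FIELD = "SourceModuleName"
DASHBOARD_FILTER = {SOURCE_MODULE_FIELD: "dns"}


def build_gelf(host, short_message, input_name, extra=None):
    """Return the GELF 1.1 dict xm_gelf would emit for one line read by the
    input block named `input_name` (core fields kept to the documented ones)."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": 6,
        # GELF additional fields are prefixed with a single underscore.
        "_" + SOURCE_MODULE_FIELD: input_name,
        "_SourceModuleType": "im_file",
    }
    for key, value in (extra or {}).items():
        msg["_" + key] = value
    return msg


def encode_gelf(msg):
    """Serialise and zlib-compress a GELF dict, a form the GELF UDP input accepts."""
    return zlib.compress(json.dumps(msg).encode("utf-8"))


def decode_gelf(payload):
    """Inverse of encode_gelf: decompress and parse one GELF UDP datagram."""
    return json.loads(zlib.decompress(payload).decode("utf-8"))


def matches_dashboard(msg, dashboard_filter=DASHBOARD_FILTER):
    """True if the decoded message satisfies the dashboard's field filter.
    Graylog indexes additional fields without the leading underscore."""
    fields = {k[1:]: v for k, v in msg.items() if k.startswith("_")}
    return all(fields.get(k) == v for k, v in dashboard_filter.items())


def send_gelf(msg, host, port=5414):
    """Send one compressed datagram to a GELF UDP input (needs a live Graylog)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(encode_gelf(msg), (host, port))


if __name__ == "__main__":
    # Constructed sample Windows DNS debug log line.
    line = "1/14/2016 9:15:02 AM 0A8C PACKET 000000E1D2B1A0F0 UDP Rcv 10.20.2.50 0002 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)"
    for name in ("infile", "dns"):  # the two input names discussed in this issue
        decoded = decode_gelf(encode_gelf(build_gelf("dns01", line, name)))
        print(name, "matches dashboard filter:", matches_dashboard(decoded))
```

Running it shows that a message from an input named `infile` carries `_SourceModuleName: infile` and fails the filter, while the same line from an input named `dns` passes.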

reighnman commented 8 years ago

Try renaming `<Input infile>` to `<Input dns>`.

reighnman commented 8 years ago

I will verify whether that causes an issue when I begin working on the 2.0 updates, and if so I'll update the dashboards to exclude sourcemodulename so you can use whatever name you want in nxlog.

reighnman commented 8 years ago

I will look into this with the 2.0 release.

reighnman commented 8 years ago

No response

daac87 commented 7 years ago

I'm having the same issue... I am using DNS as the variable....

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
    ShortMessageLength -1
</Extension>

<Input dns>
    # Module may only be given once per block; the duplicate im_file line is dropped.
    Module      im_file
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
#   File        "C:\dns.txt"
    File        "D:\dnslog.txt"
    SavePos     TRUE
    InputType   LineBased
</Input>

<Output out>
    Module      om_udp
    Host        ********
    Port        5414
#   Exec        to_syslog_snare();
    OutputType  GELF
</Output>

<Route 2>
    Path        dns => out
</Route>
```