
Additional Config Examples - Log Types

Discussion in 'Install Logstash and Kibana on a Windows server.' started by RivCentreIT, Aug 21, 2015.

  1. RivCentreIT (New Member)

    Hi there, first I wanted to say thank you for the best guide so far on the Internet for a Windows setup of ELK! Really, no other documentation or explanation comes close to your guide, and it works the first go around!

    I was wondering if you had examples of additional log types, including screenshots, that are being handed off to a single-server setup. What I am attempting to do is forward logs/events from the following devices (Catalyst 4500, ASA 5505, Windows 2008 R2 IIS/EventVwr, Barracuda Web Filter). I am not sure how to handle multiple logs in a single config file; the documentation for Linux divides the log configs into separate files (input, filter, output). How do I achieve the same in Windows?
  2. sbagmeijer (Machine)

    Thank you very much for the kind words; happy to see some people start to reply, it has been awfully quiet :).

    Unfortunately I have no Windows environment available at the moment; I am currently using Mac OS.

    However, I could try to give some examples. I hope writing will help, as I cannot make screenshots right now.

    For the Catalyst 4500 you can use the built-in rsyslog shipper; the command is "logging" if I am correct. Then you simply specify that it ships to the Logstash server and its port.

    In the Logstash config you would do an input something like this:
      input {
        syslog {
          type => "syslog"
          port => 5544
        }
      }
    This is the port you should use in your Catalyst.

    It is the same for the ASA 5505 (I never used it), but according to the documentation I did see here:

    I am afraid I have never used the "Barracuda Web Filter", but if you read this:

    Just keep in mind that in Logstash you can make as many inputs as you want, so you could do every device to a different port, for example, with the same config as I showed above.

    Now when it comes to IIS logs or Windows event logs you should probably use NXLog as I described in the guide; the guide example already shows how you can ship IIS logs. You can use the same config and then add as many different kinds of logs as you wish to ship.

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.
    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension json>
        Module      xm_json
    </Extension>

    ## IIS W3C logs: tail the files and drop the "#" header lines
    <Input iis_ulyaoth>
        Module      im_file
        File        "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log"
        ReadFromLast True
        SavePos     True
        Exec        if $raw_event =~ /^#/ drop();
    </Input>

    ## Windows event log, converted to one JSON object per line
    <Input eventlog>
        Module      im_msvistalog
        Exec        to_json();
    </Input>

    ## om_tcp needs a Host; 192.0.2.10 is a placeholder, use your Logstash server
    <Output out_logstash>
        Module      om_tcp
        Host        192.0.2.10
        Port        5544
        OutputType  LineBased
    </Output>

    <Route eventlog>
        Path        eventlog => out_logstash
    </Route>
    <Route IIS>
        Path        iis_ulyaoth => out_logstash
    </Route>
    (this config is out of my head based on my guide; I am not sure if the event logging works 100% like this, but it is an example)

    You see it now has two log types. If you understand it, one input is "eventlog" and one is "IIS", and the same for the "Route"; you can do it the exact same way for any kind of logs, you might need to google a little. You probably also have to make a separate output since I use "LineBased" for IIS; it probably won't fit for event logs.

    I hope it helps; please ask anything else if you require more help. I am sorry I cannot show it in more detail, as I do not have the right tools currently.
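    An added example, not from the original post or the guide, of a single Logstash config file that covers every device in the question: one input per device on its own port, a filter that parses and types each kind of log, and one output. The ports, the Elasticsearch address and the Barracuda syslog assumption are mine, not from the thread.

    ```logstash
    # Added example, not from the original post or guide. One Logstash pipeline
    # file that covers every device in the question. Ports, hostnames and the
    # Elasticsearch address are assumptions: change them to match your network.
    input {
      # Catalyst 4500: point the switch's "logging host" at this port.
      syslog { port => 5514  type => "cisco_catalyst" }
      # ASA 5505: its own port, so the type already tells the devices apart.
      syslog { port => 5515  type => "cisco_asa" }
      # Barracuda Web Filter: assumed to send plain syslog; assumed port.
      syslog { port => 5516  type => "barracuda" }
      # nxlog om_tcp output from the Windows host, one event per line.
      tcp    { port => 5544  type => "nxlog" }
    }

    filter {
      # IOS and ASA both prefix the text with %FACILITY-SEVERITY-MNEMONIC:
      # (e.g. "%ASA-6-302013:" or "%LINK-3-UPDOWN:"). Pull those out so Kibana
      # can filter on severity; the full line stays in the "message" field.
      # Cisco lines are not RFC 3164 shaped, so the syslog input adds the tag
      # _grokparsefailure_sysloginput but still delivers them; that is harmless.
      if [type] in ["cisco_catalyst", "cisco_asa"] {
        grok {
          match => { "message" => "%%{WORD:cisco_facility}-%{INT:cisco_severity:int}-%{WORD:cisco_mnemonic}: %{GREEDYDATA:cisco_message}" }
        }
      }

      # The nxlog routes send event log lines as JSON (Exec to_json();) and
      # IIS lines as plain W3C text over the same TCP output. Decode the JSON
      # ones and retype both, so each log kind is searchable on its own.
      if [type] == "nxlog" {
        if [message] =~ /^\{/ {
          json   { source => "message" }
          mutate { replace => { "type" => "eventlog" } }
        } else {
          mutate { replace => { "type" => "iis" } }
        }
      }
    }

    output {
      # One output for everything; "type" ends up in every document.
      # "hosts" is the Logstash 2.x option name (Logstash 1.5 used "host").
      elasticsearch { hosts => ["localhost:9200"] }
    }
    ```

    Logstash reads a single file, or every file in the directory given to -f concatenated in name order, so the split Linux layout and this one file behave the same way on Windows.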
