I use Graylog in my environment as the centralized logging infrastructure.
While spending a lot of time with VMware Horizon 7.9 lately, I also built a new Windows 10 master image with UEM etc., and I want to send all Windows 10 instant clone logs to my existing Graylog infrastructure.
For Windows logging, NXLog is currently the only agent that does this job really well.
In case you need a working configuration, here is mine:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

######################################################
############## Extensions ############################
<Extension gelf>
    Module xm_gelf
</Extension>

########## INPUTS ###########
<Input eventlogs>
    Module im_msvistalog
    # For Windows 2003 and earlier use the following:
    # Module im_mseventlog
</Input>

########################################
################# OUTPUTS ##############
<Output out>
    Module om_tcp
    Host log.XXXXX.int
    Port 12201
    #Exec to_syslog_snare();
    OutputType GELF_TCP
</Output>

#######################################
#################### ROUTE ###########
<Route eventlogs>
    Path eventlogs => out
</Route>
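To see what the `OutputType GELF_TCP` line actually puts on the wire (and what the Graylog input on port 12201 has to parse), here is a small added example, not part of the post or of NXLog itself: it builds a GELF 1.1 message from a constructed event-log record shaped like the fields `im_msvistalog` emits, frames it the way GELF over TCP does (NUL-terminated JSON, no length prefix), and parses such a stream back, including a partial trailing frame. The field names, the sample values and the SeverityValue-to-syslog-level mapping are assumptions made for this example.

```python
import json

# Constructed sample record, shaped like the core fields NXLog's im_msvistalog
# produces for a Windows event (names assumed from NXLog's docs; values made up).
SAMPLE_EVENT = {
    "EventTime": "2019-09-01 12:00:00",
    "Hostname": "W10-IC-01",
    "SeverityValue": 2,
    "EventID": 4624,
    "Channel": "Security",
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "Message": "An account was successfully logged on.",
}

# NXLog SeverityValue -> syslog level carried in GELF's "level" field (assumed mapping).
SEVERITY_TO_SYSLOG = {1: 7, 2: 6, 3: 4, 4: 3, 5: 2}


def to_gelf(event):
    """Turn one event-log record into a GELF 1.1 message dict."""
    gelf = {
        "version": "1.1",
        "host": event["Hostname"],
        "short_message": event["Message"],
        "level": SEVERITY_TO_SYSLOG.get(event.get("SeverityValue", 2), 6),
    }
    # Everything else becomes an additional field; GELF requires the "_" prefix.
    for key, value in event.items():
        if key not in ("Hostname", "Message", "SeverityValue"):
            gelf["_" + key] = value
    return gelf


def frame_gelf_tcp(messages):
    """GELF over TCP: each JSON document is terminated by a single NUL byte."""
    return b"".join(
        json.dumps(m, separators=(",", ":")).encode("utf-8") + b"\0" for m in messages
    )


def parse_gelf_tcp(buf):
    """Split a received byte stream into complete messages; returns (messages, leftover)."""
    parts = buf.split(b"\0")
    leftover = parts.pop()  # bytes after the last NUL belong to an incomplete frame
    return [json.loads(p.decode("utf-8")) for p in parts if p], leftover


if __name__ == "__main__":
    stream = frame_gelf_tcp([to_gelf(SAMPLE_EVENT)])
    msgs, rest = parse_gelf_tcp(stream + b'{"version":"1.1"')  # append a partial frame
    print(msgs[0]["_EventID"], msgs[0]["_Channel"], "leftover:", rest)
```

The same framing applies unchanged if the output module is switched from `om_tcp` to `om_ssl`, which only wraps the stream in TLS.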
The input in Graylog looks like this:
And here you can see an example of an extracted message in Graylog:
I hope it helps someone!