Sending Windows Server Logs to Nagios Log Server

Collecting logs from Windows Server is crucial for monitoring system health and security. Integrating these logs with Nagios Log Server allows for centralized analysis, real-time alerts, and efficient troubleshooting. This article covers the setup process, from configuring Windows Event Log forwarding to analyzing logs in Nagios Log Server.
Step 1: Add a Log Source in Nagios Log Server
1. Log in to your Nagios Log Server web interface.
2. On the Home page, locate the section for adding log sources.

3. Click the + Windows button to begin the configuration process.

Step 2: Install NXLog CE on Windows Server
1. On the Nagios Log Server Windows Source page, find the Getting Started section and download NXLog CE from the provided link.

2. Run the installer on your Windows Server.

3. Click Next on the Welcome screen.

4. Accept the License Agreement and click Next.

5. Pick the destination folder for the installation (default: C:\Program Files\nxlog\).

6. Click Install.

7. Click Finish after a successful installation.


Step 3: Configure NXLog CE
1. On the Nagios Log Server Windows Source page, locate the Configuration Setup section.
2. Copy the provided configuration code:
- Right-click and select Copy.
- Click the Select All button in the top-right of the code block.

3. On your Windows Server, open Notepad as an administrator.

4. Open the NXLog configuration file:
- Navigate to C:\Program Files\nxlog\conf\
- Select All Files (*.*) in the file type dropdown.
- Open nxlog.conf.

5. Paste the copied configuration into the file.
6. Save and close Notepad.
Step 4: Confirm the NXLog Service is running
1. In the Windows Services app, locate the nxlog service and confirm it is Running.

If it is not, start it manually by right-clicking nxlog and selecting Start.

2. You can also run sc query nxlog and confirm that the value of STATE is RUNNING.

If needed, start the service manually by running net start nxlog.
Step 5: Verify Logs in Nagios Log Server
1. To verify a successful connection, go back to Nagios Log Server > Add Log Source > Windows. In the Verify Incoming Logs section, add the IP address of your Windows Server and click Verify.

2. Navigate to Home. Under Unique Hosts, select View.

3. Select the IP address or hostname of your Windows Server.
4. Confirm that event logs are being received.

Troubleshooting
Check NXLog Configuration File
1. Open C:\Program Files\nxlog\conf\nxlog.conf in Notepad.
2. Ensure the configuration matches the one provided by Nagios Log Server.
3. Look for syntax errors by running NXLog manually:
"C:\Program Files\nxlog\nxlog.exe" -v
4. If any errors appear, correct them in nxlog.conf and restart the service.
Verify Firewall
If logs are not reaching Nagios Log Server, try:
1. On your Windows Server, confirm outbound port 3515 is open by running:
Get-NetFirewallRule -Direction Outbound | Get-NetFirewallPortFilter | Where-Object { $_.RemotePort -eq 3515 }
2. To allow traffic for NXLog on your Windows Server, which by default uses outbound port 3515, add an outbound rule. Port 3515 is the destination port on Nagios Log Server, so the rule matches on the remote port:
netsh advfirewall firewall add rule name="Allow NXLog" dir=out action=allow protocol=tcp remoteport=3515
Enable Debugging in NXLog
If issues persist, enable debugging in NXLog:
1. Open C:\Program Files\nxlog\conf\nxlog.conf
2. Add:
LogLevel DEBUG

3. Restart NXLog.

4. Check logs in: C:\Program Files\nxlog\data\nxlog.log
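
The checks from Step 4 and the Troubleshooting section can be combined into one PowerShell script. This is an added example, not part of the original article or of Nagios' own tooling; the address 192.0.2.10 is a placeholder for your Nagios Log Server, and the paths assume the default install folder used above.

```powershell
# Added example: health check for the NXLog -> Nagios Log Server path.
# Assumptions: 192.0.2.10 is a placeholder for your Nagios Log Server address;
# NXLog CE sits in the article's default folder and ships logs to TCP 3515.
param(
    [string]$LogServer = '192.0.2.10',
    [int]$Port = 3515,
    [string]$NxlogRoot = 'C:\Program Files\nxlog'
)

$checks = [ordered]@{}

# Step 4: the nxlog service must exist and be Running.
$svc = Get-Service -Name nxlog -ErrorAction SilentlyContinue
$checks['nxlog service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# Verify Firewall: a real TCP handshake to the server proves the outbound
# path end to end, which a firewall rule listing alone does not.
$tcp = Test-NetConnection -ComputerName $LogServer -Port $Port -WarningAction SilentlyContinue
$checks["TCP ${LogServer}:${Port} reachable"] = [bool]$tcp.TcpTestSucceeded

# Enable Debugging: surface recent ERROR/WARNING lines from NXLog's own log.
$logFile = Join-Path $NxlogRoot 'data\nxlog.log'
$problems = @()
if (Test-Path $logFile) {
    $problems = @(Get-Content $logFile -Tail 200 |
        Select-String -Pattern '\b(ERROR|WARNING)\b')
}
$checks['nxlog.log present'] = (Test-Path $logFile)
$checks['no recent errors in nxlog.log'] = ($problems.Count -eq 0)

# Report each check and exit non-zero if anything failed, so the script can
# also run from a scheduled task or a monitoring check.
$failed = 0
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK  ' } else { $failed++; 'FAIL' }
    Write-Output "[$state] $name"
}
# Show the last few offending log lines for quick triage.
$problems | Select-Object -Last 5 | ForEach-Object { Write-Output "    $($_.Line)" }
exit $failed
```

Run it from an elevated PowerShell prompt on the Windows Server, passing -LogServer with your own server address.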
If you have additional or other support-related questions, please visit Nagios Support. The Nagios Support Knowledgebase is also a great support resource.