Install the forwarder by clicking on the MSI file.
Open the configuration file:
x64: C:\Program Files (x86)\nxlog\conf\nxlog.conf
x32: C:\Program Files\nxlog\conf\nxlog.conf
Make the following changes in the configuration file:
    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    define ROOT C:\Program Files (x86)\nxlog
    #define ROOT C:\Program Files\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension json>
        Module xm_json
    </Extension>

    <Input eventlog>
        #Uncomment im_msvistalog for Windows Vista/2008 and later
        Module im_msvistalog

        #Uncomment im_mseventlog for Windows XP/2000/2003
        #Module im_mseventlog

        # Possible filter
        #Query <QueryList><Query Id="0"><Select Path="Security">*</Select><Select Path="System">*</Select><Select Path="Application">*</Select></Query></QueryList>

        Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
    </Input>

    <Output out>
        Module om_tcp
        Host logs.teknas.com
        Port 514
    </Output>

    <Route 1>
        Path eventlog => out
    </Route>
Restart the nxlog service so that the new configuration is loaded:
Start > Administrative Tools > Services
Service Name: nxlog
Inside your CloudStat Portal, create a new data source for Microsoft Active Directory.
CloudStat > Data Sources > Add New
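
The following PowerShell checks are an added example, not part of the original instructions: they confirm that ROOT matches the install folder, restart the service, and test that the collector named in the configuration is reachable. The script assumes an elevated prompt and a single Output block, as in the configuration above.

```powershell
# Added example: post-change checks for the NXLog forwarder configured above.
# Run from an elevated PowerShell prompt on the forwarder host.

# Locate the install folder using the two paths given in the steps above.
$root = @('C:\Program Files (x86)\nxlog', 'C:\Program Files\nxlog') |
    Where-Object { Test-Path (Join-Path $_ 'conf\nxlog.conf') } |
    Select-Object -First 1
if (-not $root) { throw 'nxlog.conf not found in either install folder' }
$conf = Join-Path $root 'conf\nxlog.conf'

# 1. "define ROOT" must match the folder NXLog is installed into,
#    otherwise the service will not start. Commented-out lines are ignored.
$defined = Select-String -Path $conf -Pattern '^\s*define\s+ROOT\s+(.+?)\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -First 1
if ($defined -ne $root) {
    Write-Warning "define ROOT is '$defined' but NXLog is installed in '$root'"
}

# 2. Read the destination from the config (assumes one <Output> block).
$text     = Get-Content -Path $conf -Raw
$destHost = [regex]::Match($text, '(?m)^\s*Host\s+(\S+)').Groups[1].Value
$destPort = [int][regex]::Match($text, '(?m)^\s*Port\s+(\d+)').Groups[1].Value
if (-not $destHost -or $destPort -eq 0) { throw 'Host or Port missing from nxlog.conf' }

# 3. Restart the service so the new configuration is loaded.
Restart-Service -Name nxlog
Start-Sleep -Seconds 5
Get-Service -Name nxlog | Format-List Name, Status

# 4. Confirm the collector accepts TCP connections from this host.
#    om_tcp is plain TCP, so events cross the network unencrypted.
$probe = Test-NetConnection -ComputerName $destHost -Port $destPort -WarningAction SilentlyContinue
'{0}:{1} reachable: {2}' -f $destHost, $destPort, $probe.TcpTestSucceeded

# 5. Show recent forwarder log lines; connection and config errors appear here.
Get-Content -Path (Join-Path $root 'data\nxlog.log') -Tail 20
```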