Active Directory Auditing (NXLOG)

23 Sep 14:25

11 May 09:38

Selmack 3 months ago

under "Output out" section. Sorry my words got cut off.

Selmack 3 months ago

michmich9337: if you copied and used the nxlog.conf file listed with no modifications, you need to specify the name of your graylog server instance or IP instead of "" for "Host" under "<Output out>".

michmich9337 3 months ago

Hi!
Does it need a query to be functional?
Because I simply copy/paste nxlog.conf and no data is sent :/

Thanks!

nsolver 3 months ago

Hi Guys!!! I'm finding out how to install this Content Pack. Can someone explain to me how to install it in my graylog? Thanks!!!

Guruleenyc 4 months ago

This is working great on Graylog 2.2.3. But I just don't have data for the DNS related dashboards and I think it's due to my nxlog filter not sending the associated event IDs.

Guruleenyc 4 months ago

Just installed this on Graylog 2.2.3 and it appears to be working at first glance. Will report back on usage. Thank you!

Guruleenyc 4 months ago

Does this work with Graylog 2.2.3?

omfgzlolz 4 months ago

Hopefully this will help somebody out, this is our configuration that we use for our domain controllers:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
# filename after data\ is missing in the posted config
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# GELF output format for Graylog
<Extension gelf>
    Module xm_gelf
</Extension>

# Windows Event Log reader: keep ERROR/CRITICAL events plus the logon,
# account-management and group-management event IDs (the 6xx values are
# the legacy pre-2008 equivalents) and drop everything else at the collector
<Input in>
    Module im_msvistalog
    Exec if not ($Severity == 'ERROR' or $Severity == 'CRITICAL' or $EventID IN (624, 630, 631, 634, 635, 638, 658, 662, 4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4767)) drop();
    # 4769 (Kerberos service ticket requested) is too noisy on a DC
    Exec if ($EventID == 4769) drop();
</Input>

# GELF over UDP to the Graylog input on port 5414;
# Host is a placeholder, set it to your Graylog server name or IP
<Output out>
    Module om_udp
    Host graylog.example.internal
    Port 5414
    OutputType GELF
</Output>

<Route 1>
    Path in => out
</Route>
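As an added example (not from the content pack and not from the configuration posted above), the Python below mirrors the keep/drop decision of the two Exec lines so the filter can be dry-run against sample events before it is deployed to a domain controller. The event records are constructed, and the KEEP_EVENT_IDS / DROP_EVENT_IDS names and the partition() helper are this example's own, not NXLog directives.

```python
"""Dry-run of the NXLog <Input in> filter: which events would be forwarded?"""

# Event IDs the first Exec line keeps; everything else that is not
# ERROR/CRITICAL is dropped at the collector. The 6xx values are the
# legacy (pre-2008) equivalents of the 47xx account/group events.
KEEP_EVENT_IDS = frozenset({
    624, 630, 631, 634, 635, 638, 658, 662,
    4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732,
    4733, 4734, 4735, 4737, 4740, 4741, 4742, 4743, 4754, 4755,
    4756, 4757, 4758, 4764, 4767,
})
KEEP_SEVERITIES = frozenset({"ERROR", "CRITICAL"})
# The second Exec line drops 4769 (Kerberos service ticket) unconditionally.
DROP_EVENT_IDS = frozenset({4769})


def keep(event):
    """True if the posted config would forward the event, False if drop() fires.

    Order follows the two Exec lines: the first drops anything that is neither
    high severity nor in the EventID list, the second drops 4769 even when its
    severity would otherwise have let it through.
    """
    eid = int(event["EventID"])
    if eid in DROP_EVENT_IDS:
        return False
    return event.get("Severity") in KEEP_SEVERITIES or eid in KEEP_EVENT_IDS


def partition(events):
    """Split events into (kept_ids, dropped_ids) in input order."""
    kept = [e["EventID"] for e in events if keep(e)]
    dropped = [e["EventID"] for e in events if not keep(e)]
    return kept, dropped


# Constructed samples in the shape im_msvistalog exposes ($EventID, $Severity);
# real events carry many more fields and severities depend on the channel.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Severity": "INFO", "note": "successful logon"},
    {"EventID": 4720, "Severity": "INFO", "note": "user account created"},
    {"EventID": 4740, "Severity": "INFO", "note": "account locked out"},
    {"EventID": 4688, "Severity": "INFO", "note": "process created, not in the keep list"},
    {"EventID": 4769, "Severity": "ERROR", "note": "Kerberos ticket, dropped by second Exec"},
    {"EventID": 7034, "Severity": "ERROR", "note": "service crashed, kept on severity alone"},
]

if __name__ == "__main__":
    kept, dropped = partition(SAMPLE_EVENTS)
    print("forwarded:", kept)   # [4624, 4720, 4740, 7034]
    print("dropped:  ", dropped)  # [4688, 4769]
```

If the DNS dashboards stay empty, this is the place to look: event 5137 (directory object created) is not in the keep list, so the collector never forwards the dnsNode events those widgets query.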

theherodied 6 months ago

Never mind. I forgot to allow leading wildcard searches in the server.conf

theherodied 6 months ago

I'm receiving malformed search queries for the dns dashboard. It doesn't like "SubjectUserName:*$"
Any ideas?

The given query was malformed at the following position:

EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)

Error Message:
Cannot parse 'EventID:5137 AND ObjectClass:dnsNode AND created AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM OR SubjectUserName:\-)': '*' or '?' not allowed as first character in WildcardQuery

tbaraki 7 months ago

This is working perfectly and auditing logon events for our domain controllers themselves. It is not capturing any data from workstations or other servers on the domain, however. Is this the correct behavior by default? If so, how can this be expanded to all domain-joined workstations and servers? Thanks.

webmastir 10 months ago

@Nacy1: Yes. Did you enable the correct security policies on the DC(s)?

"Domain Controller security policy with the following enabled:
* Audit Account Logon Events
* Audit Account Management
* Audit Logon Events
* Audit Object Access
* Audit Policy Change
* Audit System Events"

Nacy1 about 1 year ago

Does this work for Windows 12 R2? I have installed it and nothing is happening; the dashboard is empty. Are there any extra steps to populate the dashboard?

JulioQc about 1 year ago

Worked very well thank you :)
Might be interesting to make this fully PCI compliant!

mbuyukkarakas almost 2 years ago

Hello, after downloading the .json file, I'm trying to upload it to my graylog server (v1.2), and after importing successfully I don't see anything happen.
No dashboards, no inputs, no streams.

Any idea about this ?
Thank you.

123dev almost 2 years ago

Thanks, Logged.
As for Graylog including all Extractors for all content packs, I think it also does the same for Inputs, GROK patterns.
Perhaps it's best to separate those into a content pack of their own, and update the docs, to include the dependent pack only once (just a thought).


reighnman almost 2 years ago

@ltb76 , I use the same input for AD and DNS auditing which I've created separate content packs for. Unfortunately graylog includes all extractors for the given input so I need to remember to manually remove them if they don't apply.

reighnman almost 2 years ago

@123dev, please open an issue on the GitHub project page. Are you using pre-2008 domain controllers?

123dev almost 2 years ago

Looks like a great content pack.
I wonder where the facility information is supposed to come from?
nxlog is forwarding all the events to graylog, and I can see them in graylog, yet the dashboards don't display anything.

Digging further I noticed that all the queries are checking for the facility field.
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
Does the nxlog config file need to be customized to add that field to our logs?
Or is this dependent on the Domain controller version including it in the events?

Anyway, I tried to edit the dashboard query to remove the "AND facility:Microsoft\\-Windows\\-Security\\-Auditing"
but on dashboard update I got the following error message:
"Could not update widget
Updating widget "Group Deleted" failed with status: Gateway Timeout"
Not sure if this is a graylog bug or something wrong with the widget.
I have no problems updating widgets that we have created.

Next I removed all the dashboards added by this content pack and deleted the content pack,
edited the json file and updated all the queries to remove
"AND facility:Microsoft\\-Windows\\-Security\\-Auditing",
saved and imported it back.

Dashboards still don't show any data, however clicking the play button on any widget in the dashboard opens up graylog query that shows data, so that tells me that the updated query is correct.

Why is the dashboard not showing any data? All values are "N/A".
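Two of the problems reported in this thread (the "'*' or '?' not allowed as first character in WildcardQuery" error on the DNS widget, and the question of where the facility field the queries filter on comes from) can be caught before a content pack is imported by reading the widget queries out of the JSON. The Python below is an added example, not part of the content pack or of Graylog: the JSON layout (dashboards -> dashboard_widgets -> configuration.query), the widget titles and the sample stored message are all constructed, so adjust the path to the real file's structure. The server.conf setting named in the comments is Graylog's allow_leading_wildcard_searches.

```python
"""Pre-import lint for content pack dashboard queries.

Flags query terms that start with '*' or '?' (rejected unless
allow_leading_wildcard_searches = true in server.conf) and lists the fields
each widget filters on so they can be compared with a message the input
actually stored (e.g. is there a 'facility' field at all?).
"""
import json
import re

# Constructed stand-in for the content pack JSON; queries are the ones quoted
# in the comments above, the nesting is assumed.
CONTENT_PACK_JSON = json.dumps({
    "dashboards": [{
        "title": "Active Directory Auditing",
        "dashboard_widgets": [
            {"description": "DNS Records Created",
             "configuration": {"query": "EventID:5137 AND ObjectClass:dnsNode AND created "
                                        "AND NOT (SubjectUserName:*$ OR SubjectUserName:SYSTEM "
                                        "OR SubjectUserName:\\-)"}},
            {"description": "Group Deleted",
             "configuration": {"query": "EventID:4730 AND "
                                        "facility:Microsoft\\-Windows\\-Security\\-Auditing"}},
        ],
    }],
})

# Constructed message as Graylog might store it after the extractors ran.
# It deliberately has SourceName but no 'facility' field.
SAMPLE_MESSAGE = {
    "EventID": 4730,
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "SubjectUserName": "DC01$",
    "ObjectClass": "group",
}

# field:value terms; a value is a run of escaped chars or non-space, non-paren chars
TERM_RE = re.compile(r"\b(\w+):((?:\\.|[^\s()])+)")


def query_terms(query):
    """Return (field, raw_value) pairs for every field:value term in a query."""
    return TERM_RE.findall(query)


def lucene_unescape(value):
    """Strip Lucene backslash escapes so a query value matches a stored value."""
    return re.sub(r"\\(.)", r"\1", value)


def widget_queries(content_pack_json):
    """Yield (widget description, query) pairs from the content pack."""
    pack = json.loads(content_pack_json)
    for dash in pack.get("dashboards", []):
        for widget in dash.get("dashboard_widgets", []):
            yield widget.get("description", "?"), widget["configuration"].get("query", "")


def leading_wildcards(content_pack_json):
    """(widget, field, value) for terms Graylog rejects with leading wildcards off."""
    return [(desc, field, value)
            for desc, query in widget_queries(content_pack_json)
            for field, value in query_terms(query)
            if value[0] in "*?"]


def missing_fields(content_pack_json, message):
    """Per widget, the queried fields that the sample message does not carry."""
    report = {}
    for desc, query in widget_queries(content_pack_json):
        absent = sorted({f for f, _ in query_terms(query) if f not in message})
        if absent:
            report[desc] = absent
    return report


if __name__ == "__main__":
    for desc, field, value in leading_wildcards(CONTENT_PACK_JSON):
        print(f"{desc!r}: {field}:{value} needs allow_leading_wildcard_searches = true")
    for desc, fields in missing_fields(CONTENT_PACK_JSON, SAMPLE_MESSAGE).items():
        print(f"{desc!r} filters on fields the stored message lacks: {fields}")
```

Run against the real export and a message pulled from the input, the second report tells you whether the facility value (here the escaped Microsoft\-Windows\-Security\-Auditing, which lucene_unescape() turns back into the literal source name) is something your extractors actually populate, which is the first thing to confirm before editing every widget by hand.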


ltb76 almost 2 years ago

nice work :)
It contains the dashboard for DNS, but it looks like the GROK patterns for DNS logs are missing though.

smarechal almost 2 years ago

Very great! Thanks a lot!

