Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Issue with syslog message being sent when it shouldn't.
Hello, I have the following config file. What I want it to do is not send anything that has the word error in it.

<Input watchfile_m_NAME1>
  Module im_file
  File 'LOGLOCATION'
  Exec $Message = $raw_event;
  Exec if $raw_event !~ /ERROR/ drop();
  #Exec $SyslogSeverityValue = 6;
  Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1;
  #Exec if $raw_event =~ /ERROR/ $SyslogSeverityValue = 3;

The issue I am having is that it still sends the lines that say the word ERROR, but it sends them as an info message. I want them not to be sent at all. What am I doing wrong?

yman182 created
Replies: 1
NXlog om_ssl infinite reconnection with a SaaS Log Centralizer
Hi, We are trying to connect NXLog with Logmatic.io with an SSL connection. The certificate provided by Logmatic is valid and works with Rsyslog, Syslog-NG or OpenSSL. However, no matter how hard we try to connect NXLog we have no success and not enough debugging information to troubleshoot it ourselves. Here is our config:

<Output out>
  Module om_ssl
  Host api.logmatic.io
  Port 10515
  CAFile <path_to_your_.crt_file>
  ####Add the API key before the event
  Exec $raw_event="<your_api_key> "+$raw_event;
</Output>

We tried a lot more configurations with AllowUntrusted TRUE/FALSE, CertFile, etc... But the result is always the same:

2015-12-18 18:25:39 INFO connecting to api.logmatic.io:10515
2015-12-18 18:25:39 INFO successfully connected to api.logmatic.io:10515
2015-12-18 18:25:39 INFO reconnecting in 1 seconds
2015-12-18 18:25:40 INFO connecting to api.logmatic.io:10515
2015-12-18 18:25:40 INFO successfully connected to api.logmatic.io:10515
2015-12-18 18:25:41 INFO reconnecting in 1 seconds
2015-12-18 18:25:42 INFO connecting to api.logmatic.io:10515
2015-12-18 18:25:42 INFO successfully connected to api.logmatic.io:10515

Do you have any idea about what it could be? You can find the certificate here: http://doc.logmatic.io/docs/logging-from-windows#section-enabling-security Sorry to bother you with that but we spent a lot of time doing our homework before asking this question. Thanks!!

Renaud.Boutet created
Replies: 1
Sending XML file to Syslog Receiver
I have a fairly simple question regarding sending an XML file to my SysLog Receiver (Nitro box). Currently, I'm attempting to send this file to my Nitro box, but I'm not actually seeing the Syslog being sent to Nitro. I have tcpdump watching for the packets being sent and I'm not getting any information across. I verified that packets were being sent and captured to the Nitro box with a generic Syslog generator. Here is my current .conf file.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
  Module xm_syslog
</Extension>

<Extension xm_xml>
  Module xm_xml
</Extension>

<Input in>
  Module im_file
  File "C:\\Users\\Administrator\\Desktop\\NXLogTest\\test.xml"
</Input>

<Output out>
  Module om_udp
  Host xxx.xxx.xxx.xxx
  Port 514
  Exec to_syslog_bsd();
</Output>

<Route 1>
  Path in => out
</Route>

After saving this file, I restart the service, but nothing is being sent. I also checked the logs and there were no errors or warnings; the service stops, exits, and restarts nicely. I'd appreciate some help so I have a clear path moving forward. Thanks!

nak1 created
Replies: 1
How to add additional fields when using im_file module
Hi, I'm using the im_file module to read a Windows log file into elasticsearch, and I need to get the source file name and some fixed string like the log type into elasticsearch as well. I used the configuration below, but I couldn't find the FileName in elasticsearch. Can someone help? Thanks a lot!

<Input TestFileInput>
    Module          im_file
    File            'E:\test\app*.log'
    Exec            $FileName = file_name();
</Input>

zpp created
Replies: 3
changelog
Hi, I can't find the changelog for the community version: nxlog-ce-2.9.1504. Where is it published? thanks and br, Patrick

Patrick.Kast created
Replies: 1
Sending log directory name with log-event
Hi, I have a system that produces log files. I send them via tcp to a specific port. The directory path with logs looks like: C:\Logs\<ID>\*.log where ID is a unique 3-digit identifier. How do I get this ID and send it with every log event? My current config:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Input logs>
    Module    im_file
    File    'C:\\Logs\\*\\*.log'
    ReadFromLast True
    SavePos True
    Recursive True
    Exec    if $raw_event =~ /^#/ drop();
</Input>

<Processor buffer_logs>
    Module      pm_buffer
    MaxSize    102400
    Type    Mem
    WarnLimit    51200
</Processor>

<Output out_logs>
    Module  om_tcp
    Host    localhost
    Port    10010
    OutputType  LineBased
</Output>

<Route r_logs>
    Path    logs => buffer_logs => out_logs
</Route>

Nemesis created
Replies: 2
Source for version 2.9.1347
Hi, I was just wondering whether you intend to publish the source code for the current (2.9.1347) version? Regards, Al

apalfreyman created
Replies: 1
Possible Handle Leak in nxlog.exe?
Hi! I have more than 5000 handles in nxlog.exe. I analysed it with Sysinternals Process Explorer. Most of the handles are of type Thread. When I look at threads I only see 10 threads in nxlog.exe, but 5000 Thread handles. Can you verify that issue? Version: nxlog-ce-2.9.1347

btrash created
Replies: 3
bug??????? nxlog-ce-2.9.1347
The nxlog log file has an error, but it works OK. Is there something wrong with the error???

2015-12-01 13:37:21 INFO nxlog-ce-2.9.1347 started
2015-12-01 13:37:21 INFO connecting to 10.58.8.216:5000
2015-12-01 15:05:07 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 15:27:39 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 17:21:17 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 17:22:36 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 17:54:05 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 19:14:30 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'

nxlog config file:
----------------
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referrer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
    QuoteChar   '"'
    UndefValue  -
</Extension>

<Input in>
#    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
    Module    im_file
    File    "C:\\inetpub\\logs\\LogFiles\\W3SVC3\\\u_ex*.log"
    SavePos  TRUE
    Exec if $raw_event =~ /^#/ drop();                    \
         else                                             \
         {                                                \
             w3c->parse_csv();                            \
             $EventTime = parsedate($date + " " + $time); \
             $SourceName = "IIS";                         \
             $Message = to_json();                        \
         }
</Input>

<Output out>
    Module      om_tcp
    Host        10.58.8.111
    Port        5002
#    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>

sudy1 created
Replies: 1
nxlog CE ipv6 targets
Hi, we have some ipv6-only networks here where we tried the nxlog CE agent for Windows. It seems that there is no ipv6 support for log targets. Is there support planned for ipv6?

rherold created
Replies: 1
NXLog on Windows server 2003 (im_mseventlog) invalid keyword: Query problem
Hi, I have installed NXLog on Windows server 2003 with this configuration (example from the NXLog reference manual):

<Input in>
#    Module      im_msvistalog
# For windows 2003 and earlier use the following:
    Module      im_mseventlog
    Query <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </QueryList>
</Input>

I received "ERROR invalid keyword: Query" in nxlog.log:

2015-11-27 10:57:38 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:21

This configuration is working fine with "Module      im_msvistalog" on Windows Server 2008 and later. (http://www.developpez.net/forums/d1545842/systemes/windows/windows-serveur/solution-nxlog-graylog/) How can I fix this problem? Thank you,

emve created
Replies: 1
nxlog-ce-2.9.1347 restart fail Not enough fields in CSV input
2015-11-25 12:47:03 INFO nxlog-ce-2.9.1347 started
2015-11-25 12:47:03 INFO connecting to 10.1.252.239:5000
2015-11-25 12:47:03 ERROR if-else failed at line 45, character 241 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 98 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 15, got 12 in input '192.168.2.xx GET /page/v1/chengjiao/index.aspx placeholder=b1m8u8z2g7 80 - 220.181.108.81 Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html) 200 0 0 328'

sudy1 created
Windows Eventlog - registry ref objects do not resolve
I am new and I apologize in advance if this question has been asked already. Problem: I am using nxlog to forward windows eventlogs (json format) to a central logging system. Not all objects are resolved in the message … example:

Object:
Object Server: DS
Object Type: %{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}
Object Name: %{cc0985a1-b646-4957-bb95-ac8fe9ad147a}

Question: Is that normal or is there something I can do to resolve those references?

mwber1 created
Replies: 1
getting error "ERROR subprocess '8319' returned a non-zero exit value of 1" when calling external script
When I manually execute the python script it works fine (cat /var/log/nxlog/pktdesign-alerts.log1|./sec-parse.py), but when nxlog calls it I keep on seeing the error messages below and the script does not execute.

===> when the nxlog config was what's listed below, it produced the error "2015-11-23 20:52:41 ERROR subprocess '4843' returned a non-zero exit value of 127"

<Output alertout-pktdesign>
    Module      om_file
    File        "/var/log/nxlog/pktdesign-alerts.log1"
    Exec        exec_async("/bin/sh", "-c", 'echo "' + $raw_event +  '"|./sec-parse.py' );
</Output>

===> when the nxlog config was what's listed below, it produced the error "2015-11-23 21:25:41 ERROR subprocess '8319' returned a non-zero exit value of 1"

<Output alertout-pktdesign>
    Module      om_file
    File        "/var/log/nxlog/pktdesign-alerts.log1"
    Exec        exec_async("/bin/sh", "-c", 'echo "' + $raw_event +  '"|/etc/nxlog/sec-parse.py' );
</Output>

Any help is appreciated. Thanks

nxlogdesonim created
Replies: 1
How many folders/files nxlog can monitor?
Hi, I'm setting up nxlog on a Windows box to read files to send to elasticsearch, and I have some questions: 1) Is there a limit on the number of im_file inputs that an output (om_tcp) can handle? And is nxlog reading those monitored files concurrently or serially, one after the other? 2) We can set up multiple paths in nxlog; do different paths mean parallel processing, e.g. is each path handled by a different thread? 3) Can we install multiple nxlog services on one box? Thanks a lot!

zpp created
Replies: 1
Forwarding logs with im_file om_file
Hi there, I have several hosts where lots of logs are generated. On every one of these hosts logs are placed into one directory and have different names with the *.log extension. My point is to use nxlog on those hosts to forward logs into one central storage, but I have a problem with populating file names. I would like the file source/first.log to be populated to destination/first.log. Similarly source/second.log -> destination/second.log etc. Below is my config file.

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

define LOG_SERVER \\\\192.168.199.10

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input app-logs>
    Module im_file
    File "d:\\Logs\\\\*.log"
    InputType LineBased
    <Schedule>
        Every 30 sec
        Exec log_info("scheduled execution at " + now());
    </Schedule>
    Exec $fileName = file_name();
</Input>

<Output out>
    Module om_file
    CreateDir TRUE
    File "%LOG_SERVER%\\Shared\\Logs\\" + $fileName
</Output>

<Route 1>
    Path app-logs => out
</Route>

Logs are not populating and I have something like this in the nxlog logs:

2015-11-20 15:11:00 ERROR CreateDir is TRUE but couldn't create directory: \\192.168.199.10\Shared\Logs\d:\Logs\; The specified path is invalid.

I will be grateful for help with my issue.

leshqo created
Replies: 1
Declaring field types.
Hi everyone, I've got a box running Kibana and Elasticsearch, with the information being handed across by fluentd. It's all working pretty well, and I've moved on to pushing Windows events through, which is where I'm struggling. I'm using nxlog on a Windows machine, and it's pushing the data directly to elasticsearch; unfortunately I cannot for love nor money get the date to be handled as a date rather than a string. The nxlog output is:

    URL    http://192.0.0.10:9200
    ContentType application/json
    Exec   set_http_request_path(strftime($EventTime, "/windowsevents-%Y.%m.%d/" + $SourceModuleName)); delete($EventReceivedTime); rename_field("timestamp","@timestamp"); to_json();

I create a new index with a pattern of *windowsevents*\*, but the *EventTime* field is stated as a string, not a date, so I can't sort data by age. *@timestamp* clearly isn't getting populated, as the *timestamp* field isn't being used. Has anyone used a similar setup? Is there a way to push the data on as a date? Apologies if I've missed out pertinent information; it's all a bit new to me.

Grenage created
Replies: 1
Installation of nxlog via gpo
Hello, I am trying to update the nxlog software via a gpo start script on our clients.

Powershell:
(Get-WmiObject -Class Win32_Product | where {$_.Name -like "nxlog"} | where {$_.Version -ne "2.9.1427"}).Uninstall()
Start-Process \\server0001\NETLOGON\SoftwarePackets\nxlog-2.9.msi /quiet

Batch:
WMIC /interactive:off product where 'name like "%%nxlog%%" and not version like "%%2.9.1427%%"' call uninstall
msiexec.exe /package \\server0001\NETLOGON\SoftwarePackets\NXLOG\nxlog-2.9.msi /quiet

The scripts are working fine if manually started on the client. Only in the group policy do the scripts run through but not install the software. (Other software like Java, PDF24 etc. is working fine this way.) Kind regards

Doppelbodenninja created
MS SQL Profiler
Hi! What about support for MS SQL Profiler trace (*.trc) files? Can nxlog read from these files? Thanks.

ms created
Replies: 1
Collecting IIS Logs
I cannot seem to get NXLog to ship IIS logs to LogAnalyzer. It is collecting Event logs perfectly. I have commented out all event logs in an attempt to isolate just the IIS flow and there is nothing.

define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert

Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>

<Extension json>
  Module xm_json
</Extension>

#<Extension syslog>
# Module xm_syslog
#</Extension>

<Input internal>
  Module im_internal
  Exec $Message = to_json();
</Input>

<Input IIS>
  Module im_file
  File C:\inetpub\logs\LogFiles\W3SVC1\*
  SavePos True
  InputType LineBased
</Input>

# Windows Event Log
#<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
# Module im_msvistalog

#Uncomment im_mseventlog for Windows XP/2000/2003
#Module im_mseventlog

# Exec $Message = to_json();
# Exec if ($EventID == 5156) drop();
# Exec if ($EventID == 4656) drop();
# Exec if ($EventID == 4658) drop();
#</Input>

<Output out>
  Module om_tcp
  Host x.x.x.x
  Port 514
</Output>

<Route 1>
  Path internal, eventlog => out
</Route>

I am sure I am missing something simple. I have tried file path quotes (single and double), several different Input configs with varying levels of detail, I have tried variations of the wildcard to pull the log file, I even tried changing to double slashes in the file path (grasping at straws with that one)..... Any ideas would be appreciated...

chicagosteve created
Replies: 1