
README: how to ask questions effectively

Hi All,

please adhere to the guidelines below to get faster responses to your queries.

1. State the problem clearly:

I am trying to collect logs from a log file using im_file and NXLog reads the whole file after each restart.

2. Provide your configuration

in a code block:
```
configuration text
```

3. Provide the contents of nxlog.log in a code block:

```
2023-04-12 08:00:27 INFO [CORE|main] configuration OK
2023-04-12 08:00:27 INFO [CORE|main] nxlog-5.7.7898 (68bb24e7e@REL_v5.7) started on Linux
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] connecting to lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] tcp connection established with lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [xm_admin|admin] connecting to lab1.home(192.168.14.52):4041
2023-04-12 08:00:27 INFO [xm_admin|admin] tcp connection established with lab1.home(192.168.14.52):4041
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan started
2023-04-12 08:00:28 ERROR [im_fim|fim] Module 'fim' could not open file '/opt/nxlog/bin/upgrade-nxsec.sh': Permission denied
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan finished in 0.05 seconds. Scanned folders: 15 Scanned files: 102 Read file bytes: 15674631
```

4. Provide an environment description

NXLog CE is running on Windows 2022 server

Package version is 3.2.2329

5. Provide relevant details

This configuration was working before we updated from version 2.11.

Now it does not.

6. If your problem involves parsing data, provide samples of your input and expected output, as well as what you actually get.

My data looks like this:

```
{"message": "message1", "time": Thu 20 Apr 10:48:43 CEST 2023}
```

I am getting an error:

> error message here

I would like to receive the time in UNIX time (seconds since Epoch)

Using this format enables us to get started much faster, and perhaps address your issue in the very first response we write.

Would that not be great? :)

Thanks for your cooperation!

Gabor


gahorvath created
Pinned. Replies: 0
Windows logs EventReceivedTime is later than EventTime - im_msvistalog

I am using nxlog to get my Windows logs from a Domain Controller into a SIEM. I am using the im_msvistalog module. 

Problem

I am receiving logs with large amount of delay. The EventReceivedTime is much later than the EventTime. Please have a look at one of the sample logs output from nxlog. 

```
<14>Jun 24 10:56:26 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: {
"EventTime":"2025-06-24T10:56:26.039509+02:00",
"Hostname":"EXHost1.Example.net","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4674,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{91548763-9812-1113-B4AC-12BAC98DDE11}","Version":0,"TaskValue":13056,"OpcodeValue":0,"RecordNumber":355721231415,"ExecutionProcessID":4,"ExecutionThreadID":13033,"Channel":"Security","Message":"An operation was attempted on a privileged object.","Category":"Sensitive Privilege Use","Opcode":"Info","SubjectUserSid":"S-1-5-21-3604662650-2432062322-1707920734-40372","SubjectUserName":"Test_Subject","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x12ab121bc","ObjectServer":"Security","ObjectType":"-","ObjectName":"-","HandleId":"0x1168","AccessMask":"1048577","PrivilegeList":"SeBackupPrivilege","ProcessId":"0x28c0","ProcessName":"C:\\EXAMPLE\\HELLO\\HELLOBIN\\yxnw3018\\dispatch\\knex3alo.exe",
"EventReceivedTime":"2025-06-24T13:04:13.896816+02:00",
"SourceModuleName":"i_win","SourceModuleType":"im_msvistalog"}
```

The delays are not consistent. They can range from about 10 minutes to sometimes 2 or 3 hours. I have tried to find a pattern but failed to do so.

The resources on the Windows device are sufficient and there have been no outstanding logs in the nxlog/nxlog.log file.

Config

Here is the snippet of my config that I am using. Any help would be highly appreciated. 

```
...
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_tcp
    Host    10.xx.xx.xx
    Port    514
    Exec    to_json();$Message=$raw_event;to_syslog_bsd();
</Output>

<Route 1>
    Path in=>out
</Route>
```

Rasan created
Replies: 3
nxlog service is stopping with - WARNING nxlog-ce received a termination request signal, exiting...

I am having problems with the nxlog service being stopped randomly with the log entry: 

"WARNING nxlog-ce received a termination request signal, exiting..."

I have nxlog installed on a Windows 2016 server, sending PowerShell Windows event logs to a Rapid7 IDR SIEM collector.

I have looked in application, security and system windows event logs, but I can't see what is stopping it. I am new to nxlog, so it could well be my config:

```
Panic Soft

#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
LogLevel DEBUG

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
   Module      xm_syslog
</Extension>

# Input: PowerShell logs only
<Input powershell_logs>
   Module      im_msvistalog
   PollInterval 30
   Query       <QueryList>\
                   <Query Id="0">\
                       <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>\
                       <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
                       <Select Path="Windows PowerShell">*</Select>\
                   </Query>\
               </QueryList>
</Input>

# Output: Send to SIEM at 10.20.2.10:1563
<Output to_siem>
   Module      om_udp
   Host        10.20.2.10
   Port        1563
   Exec        to_syslog_snare();
</Output>

# Route: PowerShell logs => SIEM
<Route 1>
   Path        powershell_logs => to_siem
</Route>
```
Jack123 created
Replies: 3
Windows log filtering

Hi there! Need help in managing Windows logs… I need to receive only the logs that fall into the warning and critical categories. I understand that I need to use <Query> to filter logs, BUT I don't quite understand how to throw away info logs… It must be

```
if $some_value_from_log == 'INFO' drop();
```

Or maybe

```
<QueryXML>
    <QueryList>
        <Query Id='1'>
            <Select Path='System'>'WARNING'</Select>
        </Query>
    </QueryList>
</QueryXML>
```

As for now my <Input> collects everything that falls into the system logs category via select path… Any ideas?


irina1 created
Replies: 2
ReadOrder directive in im_file not working

Hi, as per title, if I use the ReadOrder directive in an input with im_file module, I receive the error: 

```
ERROR invalid keyword: ReadOrder
```

Do you have any suggestion on why? Input module example:

```
<Input files>
    Module      im_file
    ActiveFiles 36
    ReadOrder   MtimeNewestFirst
    Recursive   True
    SavePos     True
    File        'C:\inetpub\logs\LogFiles\\*.log'
</Input>
```

Thanks

ldave created
Replies: 0
NxLog CE version 3.2.X statement of Supporting windows server 2025

Hi,

We are using NXLog CE version 3.2.2329 and we are preparing to deploy the NXLog agent on Windows Server 2025.

Does NXLog CE version 3.2.2329 support log collection on Windows Server 2025?

If this version is not supported, what is the minimum version of NXLog CE to support Windows server 2025?

Thanks.


Ken1 created
Replies: 1
Framing Error in received TCP message

Hi All,

I installed nxlog on my Windows Server 2003 and send logs to the rsyslog server, but it gives error logs like below:

```
Apr 29 16:23:06 log-collector rsyslogd[658]: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) <ip>, (ip) <ip>: delimiter is not SP but has ASCII value 68. [v8.2112.0]"}
```

Here <ip> = server names, and I have a basic conf.

Please help me with this.


Yima created
Replies: 1
Wrong character encodings in localized windows events

I am trying to collect Windows 11 events on a localized system (in my case: German) and send them to Logstash.

Sometimes there are German umlauts within the value fields that are converted wrongly. This means that the JSON is no longer valid and Logstash cannot parse it.

For example, the "Domain" key contains the German word NT-AUTORITÄT (umlaut before the last T). This is translated to "AUTORIT0xC4T", where 0xc4 seems to be a part of U+00C4. This is the unicode expression of Ä. The correct UTF-8 character is 0xC3C4. Interestingly, lower case umlauts are translated correctly. At least in the "message" field.

Because 0xC4 alone is not a valid UTF-8 character, this cannot work. The parser in Logstash is then missing a byte and fails.

I played around with "AutodetectCharsets" of xm_charconv in the nxlog.conf file: nothing changed. Then I set `convert_fields("auto", "utf-8");` within the <input> block: that did not change anything either. And then I set `convert_fields("utf-8", "utf-8");` within the <input> block. That fixed the wrong Ä in AUTORITÄT, but broke all small umlauts.

This is my nxLog configuration:

```
<Extension json_encoder>
   Module      xm_json
</Extension>
<Input eventlog>
   Module im_msvistalog
   Exec $Message = replace($Message, "\r\n", " ");
   <QueryXML>
       <QueryList>
           <Query Id="0" Path="Application">
               <Select Path="Application">*</Select>
           </Query>
           <Query Id="1" Path="System">
               <Select Path="System">*</Select>
           </Query>
           <Query Id="2" Path="Security">
               <Select Path="Security">*</Select>
           </Query>
           <Query Id="3" Path="Setup">
               <Select Path="Setup">*</Select>
           </Query>
       </QueryList>
   </QueryXML>
</Input>
<Output out>
   Module      om_tcp
   Host        10.10.2.10
   Port        5000
   Exec        to_json();
</Output>
<Output localfile>
   Module  om_file
   File 'C:\nxlog.txt'
   Exec to_json();
</Output>
<Route route1>
   Path eventlog => localfile
</Route>
```

And this is an example of a faulty line in c:\nxlog.txt

```
{"EventTime":"2025-05-05 18:27:39","Hostname":"Frodo","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":37,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":163093,"ProcessID":17416,"ThreadID":9680,"Channel":"System","Domain":"NT-AUTORITĔ","AccountName":"Lokaler Dienst","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"Der Zeitanbieter \"NtpClient\" empfängt derzeit gültige Zeitdaten von pool.ntp.org,0x9 (ntp.m|0x9|0.0.0.0:123->194.164.164.175:123).","Opcode":"Info","TimeSource":"pool.ntp.org,0x9 (ntp.m|0x9|0.0.0.0:123->194.164.164.175:123)","EventReceivedTime":"2025-05-05 18:27:41","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
```

It is not so easy to post encoding problems. But in Notepad++ the output is shown as this:

And as you can see, there are valid lower case umlauts in the message field: "empfängt derzeit gültige". How can I fix this? :(

Thank you very much!

Thorsten


Thorsten1 created
Replies: 0
did not receive requests from agent manager in the past 300 seconds, disconnecting

I'm running an agent as the system account of the computer, on windows server 2022.

After the next set of actions, I get the following errors:

```
did not receive requests from agent manager in the past 300 seconds, disconnecting
2025-04-09 10:23:31 ERROR [xm_admin|admin] couldn't open file 'C:\Program Files\nxlog\cert\agent-ca.pem' for reading
```

Is anyone familiar with this error?


Qt8LdTIq created
Replies: 1
Handling Escape Characters in Log Data

I'm collecting log data using im_file that includes "domain\username" in a field. I run it through xm_csv to parse the CSV formatted data into fields, then I extract that data with regex into a domain field and a username field, which works for all but those usernames that start with escape characters, n r t and b. I had been tweaking the regex at first thinking it was failing for some reason, but it really seems like the field is double quoted and is allowing escape characters to exist, even though I have it set to use a single quote when I parse the CSV data.

Windows Server 2019 Standard, NXLog CE version 3.2.2329.

Input/Output example

Input

```
2025/04/14,10:21:18,Disconnect,01DB045CCE64165800505699187E001,CD-PL-22-0030,domain\raymondc,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,50,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
```

Output

```
{"version":"v1","authentication_target":"vpn01","time":"2025-04-14 10:21:18","DeviceName":"CD-PL-22-0030","account":"domain\raymondc","event_type":"VPN_SESSION_TERMINATION"}
```

Config

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension csv>
Module xm_csv
Fields Date,Time,Event,DeviceID,DeviceName,UserName,POPAddress,VirtualAddress,Status_TimeConnected(sec),Status_BatteryRemaining(%),Status_CompressionState,Interface_Name,Interface_MACAddress,Interface_Reserved,Interface_Speed,Interface_SignalStrength,AP_NetworkName(SSID),AP_MACAddress(BSSID),AP_Vendor,AP_SecurityType,AP_Subnet,AP_RadioChannel,Location_Latitude,Location_Longitude,Location_Altitude,Status_EncryptionState,Reserved,Flags_NetMotion,Flags_Custom,Networking_TotalInTCPBytes,Networking_TotalOutTCPBytes,Networking_TotalInUDPBytes,Networking_TotalOutUDPBytes,Networking_TotalInBytes,Networking_TotalOutBytes,Networking_IMPReceives,Networking_IMPDelivers,Networking_IMPInDuplicateFrames,Networking_IMPOutPeerRetransmittedFrames,Networking_IMPInDuplicateBytes,Networking_IMPOutRetransmittedBytes,Networking_IMPOutRequests,Networking_IMPOutRetransmittedFrames,Status_TerminateReason,Status_TerminateStatus,Networking_IMPInCompressedFrames,Networking_IMPInDecompressibleBytes,Networking_IMPInDecompressedBytes,Networking_IMPOutCompressedFrames,Networking_IMPOutCompressibleBytes,Networking_IMPOutCompressedBytes,Networking_IMPInDataFrames,Networking_IMPInFragmentedFrames,Networking_IMPFragmentedFramesReassemblyReq'd,Networking_IMPFragmentedFramesReassemblyOK,Networking_IMPFragmentedFramesReassemblyTimeouts,Networking_IMPFragmentedFramesReassemblyFailures,Networking_IMPInSyncFrames,Networking_IMPInEstablishedFrames,Networking_IMPInAbortFrames,Networking_IMPInMortisFrames,Networking_IMPInPostMortemFrames,Networking_IMPInEchoRequests,Networking_IMPInEchoResponses,Networking_IMPInBroadcastFrames,Networking_IMPOutDataFrames,Networking_IMPOutFragmentedFrames,Networking_IMPOutFragmentCreates,Networking_IMPOutFragmentOKs,Networking_IMPOutFragmentFailures,Networking_IMPOutSyncFrames,Networking_IMPOutEstablishedFrames,Networking_IMPOutAbortFrames,Networking_IMPOutMortisFrames,Networking_IMPOutPostMortemFrames,Networking_IMPOutEchoRequests,Networking_IMPOutEchoResponses,Networking_IMPOutBroadcastFrames,Errors_InFrameHeader,Errors_InFrameAddress,Errors_InUnknownProtocols,Errors_InFramesDiscarded,Errors_OutFramesDiscarded,Errors_OutFramesNoRoute,EntityID,AuthenticationMode,DeviceAuthIdentity
QuoteMethod String
QuoteChar '
</Extension>

<Input in>
Module im_file
File 'C:\Program Files\NetMotion Server\logs\nmact*.log'
ActiveFiles 2
ReadOrder MTimeNewestFirst
InputType LineBased
CloseWhenIdle True
PollInterval 30
<Exec>
# Add basic fields and drop unwanted lines.
if (
	($raw_event =~ /Connect,/i)
)
{
	$version = ("v1");
	$authentication_target = "vpn01";
}
else
{
	drop();
}

# Regex to pull out the date and time and parse it into a datetime field.
if (
	($raw_event =~ /^(\S{4})\/(\S{2})\/(\S{2}),(\S{2}):(\S{2}):(\S{2})/)
)
{
$EventTime = ($1 + "-" + $2 + "-" + $3 + " " + $4 + ":" + $5 + ":" + $6 + "-07:00");
$EventTime = parsedate($EventTime);
}

csv->parse_csv();

# Extract domain+username and normalize to lower case.
if ($UserName =~ /([\w-]+)\b\\{1}\b([\w-]+)/)
{
log_info("captured: " + $1 + " and " + $2);
$account_domain = lc($1);
$UserName = lc($2);
}
else if ($UserName =~ /^(\w*)@(\S*)$/)
{
log_info("captured: " + $1 + " and " + $2);
$account_domain = lc($2);
$UserName = lc($1);
}
else
{
log_warning("unable to capture username: " + $UserName);
}

# Set username to devicename for unattended authentication.
if ($AuthenticationMode == "8") $UserName = $DeviceName;

# Update blank username to device name
if (not defined($UserName)) $UserName = $DeviceName;

# Assign event type and authentication result.
if (
	($Event =~ /Connect/)
)
{
	$event_type = "VPN_SESSION_IP_ASSIGNED";
	$authentication_result = "SUCCESS";
}
else
{
	$event_type = "VPN_SESSION_TERMINATION";
}

# Convert terminate reason to integer and check against list.
$Status_TerminateReason = integer($Status_TerminateReason);
if ($Status_TerminateReason IN (122, 113)) $UserName = $DeviceName;

# Keep version, authentication_target, EventTime, DeviceName, UserName, event_type, account_domain, VirtualAddress, POPAddress, authentication_result
rename_field("EventTime", "time");
rename_field("UserName", "account");
rename_field("VirtualAddress", "assigned_ip");
rename_field("POPAddress", "source_ip");
delete($DeviceAuthIdentity);
delete($SourceModuleName);
delete($SourceModuleType);
delete($Date);
delete($Time);
delete($EventReceivedTime);
delete($Event);
delete($DeviceID);
delete($AuthenticationMode);
delete($EntityID);
delete($Status_TerminateStatus);
# Future enhancement could be to mark logs with terminate reasons, especially for logon failures.
delete($Status_TerminateReason);

if (
	($source_ip =~ /^(\S{7,15})\:(\d{1,5})/)
)
{
	$source_ip = $1;
}
to_json();
</Exec>
</Input>

<Output resultfile_out>
Module  om_file
file 'C:\Windows\Temp\nxlog-results.json'
</Output>

<Route 1>
Path in=> resultfile_out
</Route>
```

My log shows the field captured, but with a semicolon instead of "raymondc".

```
2025-04-14 10:19:47 WARNING stopping nxlog service
2025-04-14 10:19:47 WARNING nxlog-ce received a termination request signal, exiting...
2025-04-14 10:19:49 WARNING not starting unused module out
2025-04-14 10:19:49 INFO nxlog-ce-3.2.2329 started
2025-04-14 10:21:49 WARNING unable to capture username: domain;aymondc
2025-04-14 10:25:22 WARNING stopping nxlog service
2025-04-14 10:25:23 WARNING nxlog-ce received a termination request signal, exiting...
2025-04-14 10:25:24 WARNING not starting unused module out
2025-04-14 10:25:24 INFO nxlog-ce-3.2.2329 started
```

Caleb created
Replies: 2
Help converting Windows Event to JSON

Hi,

I’m leveraging the to_json() function to convert Windows Events to JSON before sending them. This generally works well, and most of the log is converted to JSON correctly. However, there’s a portion of the log where NXLog doesn’t format the data into proper JSON, instead inserting control characters like \r\n. This breaks the JSON formatting and results in an undesirable output.

Here’s an example of a Windows Event that’s been converted to JSON. As you can see, the Message field includes control characters and retains the original structure of the event rather than being properly formatted as JSON:

```
{"Channel":"Security","Message": "System audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tclient01$\r\n\tAccount Domain:\t\tmydomain\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tAccount Logon\r\n\tSubcategory:\t\tKerberos Service Ticket Operations\r\n\tSubcategory GUID:\t{foo}\r\n\tChanges:\t\tSuccess removed, Failure removed","Category":"Audit Policy Change"}
```

Here’s an example of the output I’d like to achieve:

```
{"Channel":"Security","Message":"System audit policy was changed.", "Subject":{"Security ID": "S-1-5-18","Account Name":"client01$","Account Domain":"mydomain","Logon ID":"0x3E7"},"Audit Policy Change":{"Category":"Account Logon","Subcategory":"Kerberos Service Ticket Operations","Subcategory GUID":"{foo}","Changes":"Success removed, Failure removed"},"Category":"Audit Policy Change"}
```

Does anyone know if and how I can achieve this?

NXLog CE is running on Windows Server 2022. Package version is 3.2.2329.


Ryan1234 created
Replies: 1
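One way to get from the first record to the second, as an added example in Python (not NXLog code and not from the post above): the Message field is split on its CR/LF and tab separators, the first line is kept as the summary, and every unindented `Section:` header with its tab-indented `Key:<tabs>Value` lines becomes a nested object. The sample event is constructed from the record shown in the post; the parser would run on the receiving side, since NXLog's own to_json() leaves the Message text as-is.

```python
import json
import re

# Constructed sample: the record quoted in the post, with the Message field
# holding real CR/LF and tab characters (to_json() renders them as \r\n and \t).
SAMPLE_EVENT = {
    "Channel": "Security",
    "Message": (
        "System audit policy was changed.\r\n\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-18\r\n"
        "\tAccount Name:\t\tclient01$\r\n"
        "\tAccount Domain:\t\tmydomain\r\n"
        "\tLogon ID:\t\t0x3E7\r\n\r\n"
        "Audit Policy Change:\r\n"
        "\tCategory:\t\tAccount Logon\r\n"
        "\tSubcategory:\t\tKerberos Service Ticket Operations\r\n"
        "\tSubcategory GUID:\t{foo}\r\n"
        "\tChanges:\t\tSuccess removed, Failure removed"
    ),
    "Category": "Audit Policy Change",
}

# "Subject:" alone on an unindented line opens a section.
SECTION_RE = re.compile(r"^([^\t].*?):\s*$")
# "\tKey:<one or more tabs>Value" is a field inside the current section.
FIELD_RE = re.compile(r"^\t([^\t]+?):\t+(.*)$")


def parse_message(message):
    """Return (summary, {section: {key: value}}) for a Windows audit Message."""
    summary, sections, current = [], {}, None
    for line in message.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            sections[current][field.group(1).strip()] = field.group(2).strip()
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None:
            summary.append(line.strip())  # free text before the first section
        else:
            # Unstructured continuation text inside a section: keep it rather than drop it.
            previous = sections[current].get("_text", "")
            sections[current]["_text"] = (previous + " " + line.strip()).strip()
    return " ".join(summary), sections


def restructure_event(event):
    """Copy the event, shrink Message to its summary, add one nested object per section."""
    out = dict(event)
    summary, sections = parse_message(event.get("Message", ""))
    out["Message"] = summary
    for name, fields in sections.items():
        # Never overwrite a top-level field the agent already emitted (e.g. "Category").
        out[name if name not in out else "Message." + name] = fields
    return out


if __name__ == "__main__":
    print(json.dumps(restructure_event(SAMPLE_EVENT), indent=2))
```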
libssl vulnerability

We're showing that NXLog CE has a DLL, libssl-1_1-x64.dll, that is using OpenSSL version 1.1.1q, which is vulnerable to CVE-2022-2097. Is there any plan to move to a newer version, or are there decent instructions for compiling the source code for Windows?


cschelin created
Replies: 1
Using @startup or @reboot in a schedule

Hello. I am using nxlog community edition 3.2.2329_ubuntu20_amd64.deb on ubuntu 20.04.6. I am trying to rotate and purge logs on a daily basis. This is a dev environment that shuts down from 6pm to 7am daily. I tried using a Schedule block with a directive of When to @startup but that throws an error when starting nxlog. Also tried @reboot and got the same error. 

Here are snippets of the  nxlog.conf with @reboot. 

```
<Output fileout1>
   Module om_file
   File "/var/log/nxlog/syslog.txt"
   Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
   Exec to_syslog_bsd();
   <Schedule>
        # This can likewise be used for `@weekly` or `@monthly` time periods.
        When @reboot

        # The following crontab-style is the same as `@daily` above.
        # When "0 0 * * *"

        # The `Every` directive could also be used in this case.
        #Every @startup

        Exec    rotate_to(file_name() + strftime(now(), '_%Y-%m-%d'));
   </Schedule>
</Output>
…

<Output fileout2>
   Module om_file
   File "/var/log/nxlog/logmsg2.txt"
</Output>

<Extension fileop>
   Module xm_fileop
   <Schedule>
       When @reboot
       # Delete logs older than 14 days (24x60x60x30)
       Exec    file_remove('/var/log/nxlog/*.txt*', now() - 1209600);
   </Schedule>
</Extension>
```

Here is the output from console when I try to start nxlog

```
ubuntu@ip-172-31-17-93:~$ sudo systemctl restart nxlog
Job for nxlog.service failed because the control process exited with error code.
See "systemctl status nxlog.service" and "journalctl -xe" for details.
ubuntu@ip-172-31-17-93:~$ sudo systemctl status nxlog.service
● nxlog.service - NXLog daemon
     Loaded: loaded (/lib/systemd/system/nxlog.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2025-02-28 09:49:47 PST; 29s ago
    Process: 2821 ExecStartPre=/usr/bin/nxlog -v (code=exited, status=1/FAILURE)

Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Starting NXLog daemon...
Feb 28 09:49:47 ip-172-31-17-93 nxlog[2821]: 2025-02-28 09:49:47 ERROR couldn't parse value for directive 'When': @reboot not supported at /etc/nxlog/nxlog.conf:43
Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Control process exited, code=exited, status=1/FAILURE
Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Failed with result 'exit-code'.
Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Failed to start NXLog daemon.
```

Seems like it does not like the When directive, but not sure why since it is in the documentation. nxlog starts fine if I use @daily, but since the system is shut down during the day change, the operations are not performed. 

Thanks!


Tony Curoso created
Replies: 1
Windows 10 11 Server 2022 nxlog community edition missing events in syslog

Hello

I started central logging with nxlog community edition on Windows

most works fine

finding a working nxlog.conf for Graylog needs a lot of hours

so I hope to find better help here in the community forum 

but missing several events in syslog

for example

Dns Client Events Event ID 1014

AppCrash Outlook Exe Event ID 1001

 

At the moment I need to send all Windows events to the Graylog syslog server

can you give me an example config file for logging all Windows events?

thanks

my config file

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

# define Application Crash Events
define AppCrashes               1000, 1001, 1002

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
   Module      xm_syslog
</Extension>

<Extension _charconv>
   Module      xm_charconv
   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
   Module      xm_exec
</Extension>

<Extension _fileop>
   Module      xm_fileop

   # Check the size of our log file hourly, rotate if larger than 5MB
   <Schedule>
       Every   1 hour
       Exec    if (file_exists('%LOGFILE%') and \
                  (file_size('%LOGFILE%') >= 5M)) \
                   file_cycle('%LOGFILE%', 8);
   </Schedule>

   # Rotate our log file every week on Sunday at midnight
   <Schedule>
       When    @weekly
       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
   </Schedule>
</Extension>

<Extension _gelf>
 Module  xm_gelf
</Extension>

<Input win>
  Module   im_msvistalog

  Query <QueryList>\
   <Query Id="0">\
   <Select Path="Application">*</Select>\
   <Select Path="System">*</Select>\
   <Select Path="Security">*</Select>\
   </Query>\
   </QueryList>

</Input>

<Output  graylog>
  Module om_tcp
  Host  syslog.geodata.local
  Port  3515
  OutputType GELF
</Output>

<Route graylog_route>
Path win => graylog
</Route>
```


Andreas created
Replies: 1
WARNING : truncating oversized string (nnnn) to StringLimit (aaaa) in nxlog.log

Hi,

I'm seeing a lot of the above messages in my nxlog.log (Linux Enterprise Edition). I had tried to increase the StringLimit but every time the values of nnnn will be higher than aaaa.

May I know if anyone is able to enlighten me on this?

Thanks !


DSSLIM created
Replies: 2
Using NXLog to monitor multiple files and send to Graylog
I've been using NXLog to monitor a simple log file from an application and send it to Graylog using GELF. Very simple, very efficient, and it works just like I want it to. Now I want to monitor a 2nd log file from another application and send that to a separate input in Graylog (also using GELF). I thought it would be quick and simple to add the 2nd log file as another om_file input and add a 2nd output to route the log file to. But for some reason, I just can't get the 2nd input/output to work. Here is my nxlog.conf file:

```
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
Module xm_gelf

Module im_file
File "/var/log/logfile1.txt"

Module im_file
File "/var/log/logfile2.txt"

Module om_udp
Host 192.168.0.100
Port 12201
OutputType GELF

Module om_udp
Host 192.168.0.100
Port 12203
OutputType GELF

########################################
# Routes                               #
########################################
Path APP1=> Graylog1
Path APP2 => Graylog2
```

What I've found is that if I also route the logfile2.txt to Graylog1, it works just fine. So both log files can be sent to Graylog1. But when I add that 2nd output, Graylog2, and route logfile2.txt to it, I never get any of those messages in Graylog. I know this isn't a Graylog forum, but am I missing something in my nxlog.conf or should I be looking more at the Graylog server?

Knightshift97 created
Replies: 2
Logs sent with a very long delay

Hi

I am pretty new to nxlog, so I lack some knowledge.

We have been using NXLog to send logs using sysmon to our IBM Qradar.

On a few machines, we've seen some logs that arrived today, but are from 1-2 weeks ago.

How exactly does NXLog keep logs that have not been sent? Are there any steps we can use to investigate why these logs were sent with such a long delay?

In most cases it all works without a problem, but on very rare occasions we receive a few really old events.

Thank you


w4rh0und created
Replies: 1
Securonix SIEM ( NXLOG CE) Delay in Ingestion

Hi All,

We are using NXLog CE to forward logs from Windows servers to the SIEM, but we are facing delays in the ingestion of events.

Error of NXlog file details is given. Please assist.


L2.cdc@valuepointsystems.com created
Replies: 0