Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
README: how to ask questions effectively
gahorvath
Hi All,

please adhere to the guidelines below to get faster responses to your queries.

1. State the problem clearly:

I am trying to collect logs from a log file using im_file and NXLog reads the whole file after each restart.

2. Provide your configuration in a code block:

```
configuration text
```

3. Provide the contents of nxlog.log in a code block:

```
2023-04-12 08:00:27 INFO [CORE|main] configuration OK
2023-04-12 08:00:27 INFO [CORE|main] nxlog-5.7.7898 (68bb24e7e@REL_v5.7) started on Linux
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] connecting to lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] tcp connection established with lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [xm_admin|admin] connecting to lab1.home(192.168.14.52):4041
2023-04-12 08:00:27 INFO [xm_admin|admin] tcp connection established with lab1.home(192.168.14.52):4041
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan started
2023-04-12 08:00:28 ERROR [im_fim|fim] Module 'fim' could not open file '/opt/nxlog/bin/upgrade-nxsec.sh': Permission denied
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan finished in 0.05 seconds. Scanned folders: 15 Scanned files: 102 Read file bytes: 15674631
```

4. Provide an environment description:

NXLog CE is running on Windows 2022 server
Package version is 3.2.2329

5. Provide relevant details:

This configuration has been working before we updated from version 2.11. Now it does not.

6. If your problem involves parsing data, provide samples of your input and expected output as well as what you actually get:

My data looks like this:

```
{"message": "message1", "time": Thu 20 Apr 10:48:43 CEST 2023}
```

I am getting an error:

> error message here

I would like to receive the time in UNIX time (seconds since Epoch).

Using this format enables us to get started much faster, and perhaps address your issue in the very first response we write. Would that not be great? :)

Thanks for your cooperation!

Gabor
gahorvath
Information missing from certain Windows events
rom
We are an MSSP that uses NXLog CE (3.2.2329) installed on a Windows Server acting as a Windows Event Collector (WEC) to forward events from the forwarded events channel to a syslog collector that sends everything to our SIEM.

TL;DR

Certain Windows Events sent to our SIEM via NXLog are missing the <EventData> information, whereas Event Viewer shows a complete event on the log source host where NXLog is installed.

Longer version

The current setup is: Domain Controllers forward their security events using Windows Event Forwarding to our WEC using a source-initiated event subscription where the content format is set to 'Events' instead of the default 'RenderedText' (this change helped solve similar issues where data was missing from events sent via NXLog).

We've verified that these security events are present in the forwarded events channel on the WEC with a complete XML of the events.

NXLog CE (3.2.2329) is installed on this WEC using the following nxlog.conf file:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input Security>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output DL>
Module om_tcp
Host 123.123.123.123
Port 514
Exec to_syslog_snare();
</Output>
<Route eventlog_to_DL>
Path Security => DL
</Route>

NXLog sends logs to a syslog collector in the same network. This syslog collector has SIEM agent software forwarding events to our SIEM.

In our SIEM we can see all events coming in from the syslog collector, including NXLog Windows events; however, some appear to be missing data found in the <EventData> field in the XML of the actual event.

The event IDs we're having issues with are Windows event ID 4662, 4768 and 4776.

Other event IDs are coming in 'complete' as expected, such as this event ID 4672:

```
<14>Dec 8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986982 Fri Dec 08 11:32:42 2023 4672 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Special Logon Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2155563959-1375260949-369746351-17469 Account Name: server123$ Account Domain: EXAMPLE Logon ID: 0x4D8729AC Privileges: SeSecurityPrivilege SeDebugPrivilege 773449975
```

Or event ID 5140:

```
<14>Dec 8 11:32:37 dc2.example.com MSWinEventLog 1 Security 5986753 Fri Dec 08 11:32:37 2023 5140 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com File Share A network share object was accessed. Subject: Security ID: S-1-5-21-2155563959-1375260949-369746351-18565 Account Name: netwrixsvc Account Domain: EXAMPLE Logon ID: 0x4D86D440 Network Information: Object Type: File Source Address: 172.30.10.10 Source Port: 51173 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 773449390
```

Whereas we receive the following information for the troubled event IDs:

4776

```
<11>Dec 8 11:32:29 dc2.example.com MSWinEventLog 3 Security 5986385 Fri Dec 08 11:32:29 2023 4776 Microsoft-Windows-Security-Auditing N/A N/A Failure Audit dc2.example.com Credential Validation N/A 773449044
```

4662

```
<14>Dec 8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986976 Fri Dec 08 11:32:42 2023 4662 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Directory Service Access N/A 773449958
```

4768

```
<14>Dec 8 11:32:41 dc2.example.com MSWinEventLog 1 Security 5986915 Fri Dec 08 11:32:41 2023 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Kerberos Authentication Service N/A 773449814
```

Due to the vast amount of events received by the WEC, extracting a subset of events for troubleshooting proved more challenging than expected. Nevertheless, the customer responsible for the WEC was able to provide me with an .evtx file containing some of the event ID 4768 logs. These appear perfectly fine as shown in the screenshot and XML output below:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2023-12-07T10:32:31.691008600Z" />
<EventRecordID>4520638617</EventRecordID>
<Correlation />
<Execution ProcessID="700" ThreadID="1424" />
<Channel>Security</Channel>
<Computer>dc1.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">netwrixsvc</Data>
<Data Name="TargetDomainName">example</Data>
<Data Name="TargetSid">S-1-5-21-2155563959-1375260949-369746351-18565</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-2155563959-1375260949-369746351-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:172.30.10.10</Data>
<Data Name="IpPort">49712</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>

What could possibly be the cause for these issues? Where can I check next?
rom
Webpage Error
ricky.ho@blackbox.com
I had to restart the VM running our NXLog Manager (CentOS7). Now I'm getting the following message when attempting to access our NXLog Manager URL:

```
HTTP ERROR 500
Problem accessing /nxlog-manager/login.html. Reason: Server Error
Caused by: org.apache.tiles.request.render.CannotRenderException: ServletException including path '/WEB-INF/layouts/default.jsp'.
```
ricky.ho@blackbox.com
perl_call() method is not working in windows 11
Ankur Gangwar
Purpose: To add geographical information (geoip) to the logs.

Problem: I am trying to add geoip to the logs coming from Linux and Windows hosts. For that I have gone through https://docs.nxlog.co/ce/current/index.html#xm_perl. On both (Windows and Linux hosts) I am not able to run nxlog after modifying the nxlog config according to the given link.

Windows 11: First, I have installed perl-5.28.2.1, after that I have modified the config. When I am trying to restart the nxlog service, it is showing the following error in the log file:

2023-12-04 07:09:22 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_perl.dll, The specified module could not be found. ; The specified module could not be found.
2023-12-04 07:09:22 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:62; couldn't parse statement at line 65, character 0 in C:\Program Files\nxlog\conf\nxlog.conf; function 'perl_call()' does not exist or takes different arguments
2023-12-04 07:09:22 ERROR module 'sys_in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 WARNING no routes defined!
2023-12-04 07:09:22 WARNING not starting unused module sys_in
2023-12-04 07:09:22 WARNING not starting unused module sys_out

Config is as follows:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension perl>
Module xm_perl
PerlCode C:\Program Files\nxlog\modules\extension\perl\processlogs.pl
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
# Sending the system logs over tcp
<Input sys_in>
Module im_msvistalog
<Exec>
$raw_event = "windows " + to_json();
# every statement in an Exec block must be terminated with a semicolon
perl_call("process");
</Exec>
</Input>
#setting the output to rsyslog server
<Output sys_out>
Module om_tcp
Host <ip-address of rsyslog server>
Port 514
# First we parse the input natively from nxlog
Exec parse_syslog_bsd();
# Now call the 'process' subroutine defined in 'processlogs.pl'
Exec to_json();
</Output>
<Route 1>
Path sys_in => sys_out
</Route>

Linux-Ubuntu (22.04): I have not installed perl as it is already installed. So I modified the config and restarted the nxlog service, but in the logs it is showing as:

2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl
2023-12-04 14:41:52 INFO nxlog-ce-3.2.2329 started
2023-12-04 14:41:52 INFO connecting to <ip-address of rsyslog server>:514
2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl

Config is as follows:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/docs

########################################
# Global directives
########################################
User nxlog
Group nxlog
include /etc/nxlog/nxlog.d/*.conf
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension perl>
Module xm_perl
PerlCode /etc/nxlog/processlogs.pl
</Extension>
<Input in1>
Module im_file
File "/var/log/auth.log"
<Exec>
$raw_event = " ankurlapauthlogs " + $raw_event;
</Exec>
</Input>
<Output fileout1>
Module om_tcp
Host <ip-address of rsyslog server>
Port 514
Exec perl_call("process");
Exec to_syslog_bsd();
</Output>
########################################
# Routes
########################################
<Route 1>
Path in1 => fileout1
</Route>

P.S. I am using the same processlogs.pl file as given in the reference manual.
Ankur Gangwar
NXLog Enterprise Trial - License
malizim
Hi,
Have just installed NXLog Enterprise Trial - however I cannot start the service - getting error message :
nxlog[1711122]: 2022-01-20 09:19:34 ERROR [CORE|main] This NXLog version has expired.
Any idea how the trial license is applied?
Any assistance would be greatly appreciated.
Kind regards,
Liam
malizim
Problem when parsing Sysmon message Event 12
dudu.zbeda@cognyte.com
I'm using NXLog Enterprise to collect Sysmon logs. I have a problem with EventID 12. In the original (Windows view) the event type is set to EventType: CreateKey. As part of the NXLog output, in the metadata the event type is set to INFO and only in the msg field can I see EventType: CreateKey. Please advise.
dudu.zbeda@cognyte.com
drop action to forwarding logs to a remote server is not working
montealegre.diego@gmail.com
Good Afternoon Team.

I have an nxlog service running on a Windows server. It has an input rule to collect syslog from several devices like this:

```
<Input syslog514udp>
Module im_udp
Port 514
Host 0.0.0.0
<Exec>
$raw_event =~ s/\r?\n/#012/g;
parse_syslog_bsd();
</Exec>
</Input>
```

I am trying to forward the syslog of one specific device (10.10.10.10) to a public IP 190.20.30.40, but the filter is not working since nxlog is forwarding everything. Configuration below:

```
<Output OutNetomi>
Exec if ($MessageSourceAddress == '10.10.10.10') drop();
Module om_udp
Host 190.20.30.40
Port 514
</Output>
```

Do you know where the error is? Thank you.

Diego.
montealegre.diego@gmail.com
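drop() inside an Output block discards the current event for that output only, so the condition has to name the events to discard, not the one to keep; as posted, the one device you want is the only one being dropped. The following is an added example, not from the original post: the input is the one posted, the output keeps only events whose sender is 10.10.10.10, and the route name is an assumption.

```nxlog
# Input as posted: the sender's IP is recorded in $MessageSourceAddress by im_udp.
<Input syslog514udp>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    Exec    $raw_event =~ s/\r?\n/#012/g; parse_syslog_bsd();
</Input>

# Posted version, kept here for comparison: drops 10.10.10.10 and forwards the rest.
#<Output OutNetomi>
#    Module  om_udp
#    Host    190.20.30.40
#    Port    514
#    Exec    if ($MessageSourceAddress == '10.10.10.10') drop();
#</Output>

# Corrected: discard everything that did NOT come from the device.
# drop() here affects only this output; other outputs fed by the same
# input still receive every event.
<Output OutNetomi>
    Module  om_udp
    Host    190.20.30.40
    Port    514
    Exec    if $MessageSourceAddress != '10.10.10.10' drop();
</Output>

# Route name is an assumption.
<Route netomi>
    Path    syslog514udp => OutNetomi
</Route>
```

Because the drop happens in the output and not in the input, the same syslog514udp input can stay attached to whatever other outputs already consume the full feed.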
Port configuration in nxlog.conf file is being appended by "514"
JackT@Boeing
When I start NXLog CE, I get a socket error when trying to connect to the remote Graylog server.

nxlog.conf

```
########################################
# Global directives
########################################

User nxlog
Group nxlog

include /etc/nxlog/nxlog.d/*.conf

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules
########################################

#<Extension _syslog>
# Module xm_syslog
#</Extension>

<Extension json>
 Module xm_json
</Extension>

<Extension syslog>
 Module xm_syslog
</Extension>

<Input in1>
 Module im_udp
 Port 1514
 Exec parse_syslog_bsd();
</Input>

<Input in2>
 Module im_tcp
 Port 1514
</Input>

<Input kernel>
 Module im_kernel
 Exec parse_syslog_bsd();
</Input>

<Input systemd>
 Module im_systemd
</Input>

<Input devlog>
 Module im_uds
 UDS /dev/log
 FlowControl FALSE
 Exec $raw_event =~ s/\s+$//;
 Exec parse_syslog_bsd();
</Input>

<Output fileout1>
 Module om_file
 File "/var/log/nxlog/logmsg.txt"
 Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
 Exec to_syslog_bsd();
</Output>

<Output fileout2>
 Module om_file
 File "/var/log/nxlog/logmsg2.txt"
</Output>

<Output out>
 Module om_tcp
 Host 192.79.220.162:1514
 Exec $Message = to_json(); to_syslog_bsd();
</Output>

########################################
# Routes
########################################

<Route 1>
 Path in1 => fileout1
</Route>

<Route tcproute>
 Path in2 => fileout2
</Route>

<Route r>
 Path kernel, systemd, devlog => out
</Route>
```

nxlog.log

```
2023-10-27 09:56:23 WARNING nxlog-ce received a termination request signal, exiting...
2023-10-27 09:56:24 ERROR Couldn't get systemd cursor;Cannot assign requested address
2023-10-27 09:56:24 ERROR Couldn't remove pidfile /run/nxlog/nxlog.pid: Permission denied
2023-10-27 09:56:25 INFO configuration OK
2023-10-27 09:56:25 INFO nxlog-ce-3.2.2329 started
2023-10-27 09:56:25 ERROR couldn't bind socket /dev/log;Address already in use
2023-10-27 09:56:25 INFO reconnecting in 1 seconds
2023-10-27 09:56:25 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:26 INFO reconnecting in 2 seconds
2023-10-27 09:56:26 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:28 INFO reconnecting in 4 seconds
2023-10-27 09:56:28 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:32 INFO reconnecting in 8 seconds
2023-10-27 09:56:32 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:40 INFO reconnecting in 16 seconds
2023-10-27 09:56:40 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:56 INFO reconnecting in 32 seconds
2023-10-27 09:56:56 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:57:28 INFO reconnecting in 64 seconds
2023-10-27 09:57:28 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
```

environment description

nxlog-ce is running on Oracle Linux Server version 8.8
Package version is -3.2.2329-1.x86_64

relevant details

This is a new installation. The Graylog server is not receiving any logs from this machine. This problem does not involve parsing data. The problem is that the port I identified in the nxlog.conf file "1514" is being appended by "514", so the socket connection fails to the remote server. If I remove 1514 from the nxlog.conf file, the system still tries to connect at port 514 and gets denied errors since Graylog is set up to listen on 1514...
JackT@Boeing
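om_tcp takes the destination address and the TCP port as two separate directives. With Host set to 192.79.220.162:1514 the whole string is handed to the resolver as a host name, and the module's default Port (514) is appended after it, which is exactly the host:port pair in the log line apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514. Splitting the two, as an added example that is not part of the original post (address and Exec are the ones from the posted config):

```nxlog
<Output out>
    Module  om_tcp
    # Address only; no ":port" suffix, that is what produced "...:1514:514"
    Host    192.79.220.162
    # Graylog's listener, as described in the post
    Port    1514
    Exec    $Message = to_json(); to_syslog_bsd();
</Output>
```

The other error in the same log, couldn't bind socket /dev/log;Address already in use, is independent of the port problem: im_uds cannot take over /dev/log while another process (systemd-journald or a local syslog daemon) already owns that socket, and on this host the im_systemd input is reading the journal anyway.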
Logging in UTF8 not working
Carsten_Radke
I installed nxlog with the config below, but the logs I receive with my syslog server are not in UTF-8? The Windows system is a German Windows 11; on this machine nxlog is installed and running. Here is a sample output on the syslog server (KiwiSyslog):

```
10-31-2023 15:37:05 User.Info 192.168.75.20 Oct 31 15:37:04 PC-01 MSWinEventLog 1 Microsoft-Windows-PushNotification-Platform/Operational 1469 Tue Oct 31 15:37:04 2023 1025 Microsoft-Windows-PushNotifications-Platform SYSTEM User Information PC-01 N/A Ein Stromversorgungsereignis wurde ausgel”st: MonitorSettingChange [PowerEventType] true [Enabled] 1846
```

You can see that the German umlauts are not displayed: 'ausgel”st:' should display as 'ausgelöst:'. Hope someone can help me.

Here is the nxlog.log:

```
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
 Module xm_syslog
</Extension>

<Extension _charconv>
 Module xm_charconv
 AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
 Module xm_exec
</Extension>

<Extension _fileop>
 Module xm_fileop
 # Check the size of our log file hourly, rotate if larger than 5MB
 <Schedule>
  Every 1 hour
  Exec if (file_exists('%LOGFILE%') and \
   (file_size('%LOGFILE%') >= 5M)) \
   file_cycle('%LOGFILE%', 8);
 </Schedule>
 # Rotate our log file every week on Sunday at midnight
 <Schedule>
  When @weekly
  Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
 </Schedule>
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input in>
 Module im_msvistalog
</Input>

# Converting events to Snare format and sending them out over TCP syslog
<Output out>
 Module om_tcp
 Host 192.168.75.20
 Port 514
 Exec to_syslog_snare();
</Output>

# Connect input 'in' to output 'out'
<Route 1>
 Path in => out
</Route>
```
Carsten_Radke
No download possible
Carsten_Radke
Hi all, I tried to download the installer (Windows, Ubuntu or all), but no download is possible: Internal Server Error! I need the Windows installer, could someone provide it here?
Carsten_Radke
Many files sending logs to a Rsyslog server
Adrien-10
Hi all,

I am currently using NXLog CE v3.2.2329 in a Windows 10 21H2 virtual machine for sending logs to an rsyslog server using syslog RFC 5424. For this configuration, I use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); to send them to the rsyslog server.

<Input Source_Eventlogs>
Module im_msvistalog
</Input>
<Output Dest_LogServer>
Module om_tcp
Host 192.168.1.1
Port 514
Exec to_syslog_ietf();
</Output>
<Route send>
Path Source_Eventlogs => Dest_LogServer
</Route>

In the rsyslog server I receive logs using a template that sends logs to the right folder and then to the right log file:

$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log"
*.info -?DynamicFile

I met a first issue with security logs which were sent to a folder named after the IP address. I assumed the issue was due to failed name resolution; after adding the NXLog client name to the /etc/hosts file, the first issue was solved.

I met a second issue with event logs which create many folders in the rsyslog folder because the logs are sent without a hostname. For example I receive logs in a folder named VMICTimeProvider, and when I look at the notice.log file I can see that there is no hostname:

cat VMICTimeProvider/notice.log
2023-07-22T09:18:39.022270+00:00. VMICTimeProvider (Local)
2023-07-23T09:40:51.040169+00:00. VMICTimeProvider (Local)
2023-07-24T08:03:51.264202+00:00. VMICTimeProvider (Local)

I tried to correct the reception on the rsyslog side with conditions like

if $fromhost-ip=='1.2.3.4'
then {
actions
}

*.* -?WindowsLogs
$template WindowsLogs,"/var/log/rsyslog/Windows/Windows/log"

But I have to write a line for every Windows collection in the file, and I think if I want to transfer the logs to another file server I will have the log lines with missing hostname and I will meet the same problem.

Thank you for your help.

Kind regards.

Adrien
Adrien-10
nxlog embedding carriage returns and newlines in IETF syslog
roadgeek
Hello, I am using nxlog-ce 3.2.2329 on a Windows 10 system to forward logs to a syslog-ng server over TCP using the to_syslog_ietf() procedure. This is working well for most logs, but I am occasionally seeing logs being generated with carriage returns and newlines in the syslog structured data element. Here is an example captured from tcpdump. Note that this is just the beginning of the message, enough to show you where the CR LFs are in the PrivilegeList element:

```
<14>1 2023-10-18T16:23:21.669254-04:00 SteveAcer Microsoft-Windows-Security-Auditing 952 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4672" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="12548" OpcodeValue="0" RecordNumber="2053808" ActivityID="{FE9334EF-0152-0002-AD35-93FE5201DA01}" ThreadID="30200" Channel="Security" Category="Special Logon" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="SYSTEM" SubjectDomainName="NT AUTHORITY" SubjectLogonId="0x3e7" PrivilegeList="SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeDelegateSessionUserImpersonatePrivilege" EventReceivedTime="2023-10-18 16:23:23"
```

The body of the message has the CR LFs converted to spaces. In the documentation, I see reference to a ReplaceLineBreaks directive that defaults to converting the CR LFs to spaces, but that doesn't appear to apply to the syslog structured data. Is there a way I can remove these CR LFs from the PrivilegeList, or any element? My nxlog.conf is below:
Module im_msvistalog
</Input>
<Output tcp>
Module om_tcp
Host 172.16.200.1
Exec to_syslog_ietf();
Port 514
</Output>
<Route 1>
Path eventlog => tcp
</Route>

Thanks,
Steve
roadgeek
NXLOG - Integer line throws an error
siem_20
Hi All,

I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, it shows an error related to the integer function. The agent appears to continue working normally, and the error does not appear again (unless I restart the service). What could be the reason for this error?

Configuration

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _json>
Module xm_json
</Extension>
<Input windows_security_eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
ReadFromLast True
SavePos True
</Input>
<Output out_chronicle_windevents>
Module om_tcp
Host 172.16.94.69
Port 41001
Exec $EventTime = integer($EventTime) / 1000;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
Exec to_json();
</Output>
<Route r2>
Path windows_security_eventlog => out_chronicle_windevents
</Route>

2023-10-05 10:53:15 INFO nxlog-ce-3.2.2329 started
2023-10-05 10:53:15 INFO connecting to 172.16.94.69:41001
2023-10-05 10:53:15 ERROR assignment failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; binary operation failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; function 'integer' failed at line 30, character 48 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'integer' type argument is invalid
Environment description

NXLog CE is running on Windows 2022 server
Package version is 3.2.2329
siem_20
NXLOG on Windows - Logs sent with a very long delay
siem_20
Hi All,

I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, the logs are sent in "real time". However, over time a delay builds up, so that after one day the accumulated delay is hours. What could explain this behavior?

Configuration

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _json>
Module xm_json
</Extension>
<Input windows_security_eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
ReadFromLast True
SavePos True
</Input>
<Output out_chronicle_windevents>
Module om_tcp
Host 172.16.94.69
Port 41001
Exec $EventTime = integer($EventTime) / 1000;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
Exec to_json();
</Output>
<Route r2>
Path windows_security_eventlog => out_chronicle_windevents
</Route>

Environment description

NXLog CE is running on Windows 2022 server
Package version is 3.2.2329
siem_20
Adding field as source IP gateway address
JustasS
Hello,
I need to add extra field to send External/gateway IP address to Graylog.
Using output UDP:
<Output out>
Module om_udp
Host ***
Port 4514
OutputType GELF
Exec $hostname = 'test_SRV';
</Output>
Is it even possible?
JustasS
configuring integration of SentinelOne to NXLog via SSL/TLS
jake
Hi, we wanted to send logs coming from SentinelOne to Google Chronicle over SSL/TLS with NXLog. We are just using the Community Edition and based on the documentation SSL/TLS is supported for CE. But we are not sure if this is going to work or how to configure the "CAFile", "CertFile", "CertKeyFile" thing for this to work, or how we install it. Is it free or paid? Please check the configuration we wanted to implement below.

```
<Input ssl>
 Module im_ssl
 Host localhost
 Port 6514
 CAFile %CERTDIR%/ca.pem
 CertFile %CERTDIR%/client-cert.pem
 CertKeyFile %CERTDIR%/client-key.pem
 KeyPass secret
 InputType Syslog_TLS
 Exec parse_syslog_ietf();
</Input>
```
jake
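In the posted snippet the listening module is given a client certificate, but im_ssl is the server side of the connection: CertFile/CertKeyFile are the certificate and key this collector presents to the sender (SentinelOne), and CAFile is the CA that must have signed whatever certificate a connecting client presents. The configuration below is an added example, not from the post and not NXLog's own documentation; the %CERTDIR% path and the file names are assumptions, and only the TLS listener and syslog parsing are shown (the onward delivery to Chronicle is left out).

```nxlog
# Assumed location of the PEM files; adjust to where the certificates were installed.
define CERTDIR C:\Program Files\nxlog\cert

# parse_syslog_ietf() and the Syslog_TLS input reader come from xm_syslog.
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input ssl>
    Module          im_ssl
    # Bind to all interfaces; with "localhost" only connections from the
    # collector itself would be accepted, so SentinelOne could never reach it.
    Host            0.0.0.0
    Port            6514
    # CA certificate (or chain) that signed the client certificates you accept.
    CAFile          %CERTDIR%\ca.pem
    # This collector's OWN server certificate and private key (assumed names).
    CertFile        %CERTDIR%\collector-cert.pem
    CertKeyFile     %CERTDIR%\collector-key.pem
    # Only required if the private key is encrypted; otherwise leave it out.
    KeyPass         secret
    # Mutual TLS: a peer without a certificate, or with one not signed by
    # CAFile, is rejected instead of silently accepted.
    RequireCert     TRUE
    AllowUntrusted  FALSE
    # RFC 5425 octet-counted framing; switch to LineBased if the sender
    # terminates records with a newline instead.
    InputType       Syslog_TLS
    Exec            parse_syslog_ietf();
</Input>
```

The client side (SentinelOne, or an NXLog om_ssl agent) needs the mirror image: its own certificate and key, plus the CA that signed the collector's certificate so it can verify the server. A collector that accepts connections with AllowUntrusted TRUE and no RequireCert is effectively an open TCP listener wrapped in TLS.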
Looking for solution for x86 Windows 10
CHris84nu
Hello, I have the problem that I need to save event logs from a 32-bit Windows 10 machine to a central logging solution (Graylog 5.1). This works great with x64 Windows 10 systems, but I don't find a solution with nxlog and 32-bit systems. Are there any previous versions available with x86 support or do I need to look for another product? Thanks in advance!
CHris84nu
receipt of special characters in logs
Adrien-10
Hi all,

I am currently using NXLog CE v3.2.2329 in a Windows 10 21H2 virtual machine for sending logs to an rsyslog server using syslog RFC 5424. For this configuration, I use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); to send them to the rsyslog server.

<Input Source_Eventlogs>
Module im_msvistalog
</Input>
<Output Dest_LogServer>
Module om_tcp
Host 192.168.1.1
Port 514
Exec to_syslog_ietf();
</Output>
<Route send>
Path Source_Eventlogs => Dest_LogServer
</Route>

In the rsyslog server I receive logs using a template that sends logs to the right folder and then to the right log file:

$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log"
*.info -?DynamicFile

When I receive the logs, they have some replacement characters like #015 or #011. I tried to do the setup with this exec command at the input and at the output and it doesn't convert the logs:

Exec $raw_event = replace($raw_event, "\t", " ");

Kind regards
Adrien
Adrien-10
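This post and the earlier one about carriage returns inside the IETF structured data are the same problem seen from both ends of the wire: to_syslog_ietf() copies field values into the SD-PARAMs and the message body as they are, so a CR, LF or TAB that was in the Windows event reaches the receiver, and rsyslog renders such control characters in its default octal escaping (#015 is CR, #011 is TAB). The replace() in this post has no effect because it runs on $raw_event before to_syslog_ietf() rebuilds $raw_event from the fields. The configuration below is an added example, not from either post; the host, port and the $PrivilegeList field name are taken from the two posts, the route name is an assumption, and it generalizes to any field by scrubbing the assembled line as a last step.

```nxlog
<Input eventlog>
    Module  im_msvistalog
</Input>

<Output tcp>
    Module  om_tcp
    Host    172.16.200.1
    Port    514
    # 1. Fields known to carry multi-line text (PrivilegeList in event 4672):
    #    flatten them before they are copied into the SD-PARAM. The guard
    #    skips events that do not have the field at all.
    Exec    if defined($PrivilegeList) $PrivilegeList =~ s/\r?\n/ /g;
    # 2. The message body: replace line breaks and tabs with single spaces,
    #    which is what rsyslog would otherwise show as #015/#012 and #011.
    Exec    $Message =~ s/\r?\n/ /g; $Message =~ s/\t/ /g;
    # 3. Only now build the RFC 5424 line from the cleaned fields.
    Exec    to_syslog_ietf();
    # 4. Last resort for any other field that still carried a control
    #    character: scrub the assembled line itself. om_tcp adds the
    #    record terminator after this, so framing is unaffected.
    Exec    $raw_event =~ s/[\r\n\t]/ /g;
</Output>

<Route eventlog_to_rsyslog>
    Path    eventlog => tcp
</Route>
```

Step 4 alone would already fix the symptom, but it edits the serialized syslog line rather than the data, so a value that legitimately contains a tab is changed after the fact; flattening the individual fields first (steps 1 and 2) keeps the change visible and per-field. Any Exec that manipulates $raw_event must come after to_syslog_ietf(), not before it.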
Nxlog Error 1067: the process terminated unexpectedly
parint@lhbank.co.th
We have the issue Nxlog Error 1067: the process terminated unexpectedly. Is there a way to fix this without reinstalling? Does re-installation require a reboot?
parint@lhbank.co.th
nxlog does not send log file to graylog
Tadeusz
Hi, can you help with the problem of nxlog not sending loose txt files to Graylog?

My nxlog.conf snippet about sending loose txt files:

```
<Input zpliku>
Module im_file
File "D:\file.log"
</Input>
<Route messages_to_udp>
Path zpliku => out
</Route>
```

I have the output defined for Graylog as GELF and the other section sending the event log works correctly. Only sending loose files doesn't work here.
Tadeusz