Hi all,I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.For this configuration, i use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); command to send them to the rsyslog server.<Input Source_Eventlogs> Module im_msvistalog </Input> <Output Dest_LogServer> Module om_tcp Host 192.168.1.1 Port 514 Exec to_syslog_ietf(); </Output> <Route send> Path Source_Eventlogs => Dest_LogServer </Route>In the rsyslog server i receipt logs using a template who send logs to the right folder and then the right file log$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log" *.info -?DynamicFileWhen i receive the logs, they have some replacement caracters like #015 or #011.I tried to do the setup with this exec command at the input and at the output and it doesn't convert the logsExec $raw_event = replace($raw_event, "\t", " ");Kind regardsAdrien

We have the issue Nxlog Error 1067: the process terminated unexpectedly.Is there a way to fix this without reinstalling?Does re-installation require a reboot?  

Hi, can you help with the problem of nxlog not sending loose txt files to graylog?My nxlog.conf snippet about sending loose txt files<Input zpliku>Module im_fileFile "D:\file.log"</Input><Route messages_to_udp>Path zpliku => out</Route I have output defined for Graylog as GELF and the other section sending eventlog works correctly. Only sending loose files doesn't work here

I need help to integrate my Windows Server with Nxlog Agent installed to forward events/logs to Google Chronicle. I read the documentation of NxLog of this integrations, but the topic that explains how to use nxlog to direct structure logs to chronicle, he talk to edit a XML file, but i dont know what file I need to edit.  

Hello,im currently try to send logs from our Exchange Server to a log Collector.Sadly when i check the NXlogs i see the error not enough fields in CSV Input. Dose anyone know what do in this case? ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input Configuration Code:<Extension MessageTrackingLog>   Module      xm_csvFields   $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version    Delimiter   QuoteMethod None Thanks a lot :)

Hello,im currently try to send logs from our Exchange Server to a log Collector.Sadly when i check the NXlogs i see the error not enough fields in CSV Input. Dose anyone know what do in this case? ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input Configuration Code:<Extension MessageTrackingLog>   Module      xm_csvFields   $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version    Delimiter   QuoteMethod None#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to Cybereason XDRf. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log define CertDir C:\Program Files (x86)\nxlog\cert #Define the modules that will be used by nxlog. <Extension json> Module xm_json </Extension> <Extension _syslog> Module xm_syslog </Extension> <Extension MessageTrackingLog> Module xm_csv Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version Delimiter QuoteMethod None </Extension> <Input in_MessageTrackingLog> Module im_file File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG' InputType LineBased SavePos TRUE PollInterval 1 <Exec> if $raw_event =~ /^#/ drop(); else { MessageTrackingLog->parse_csv(); $EventTime = parsedate($date + " " + $time); $SourceName = "MessageTrackingLog"; $raw_event = to_json(); } </Exec> </Input> <Output out_MesssageTrackingLog> Module om_udp #This is the IP address of the Cybereason XDR Collector Host X.X.X.X #This is the port configured on the Universal Event Source Port XXXX </Output> <Route 1> Path in_MessageTrackingLog=>out_MesssageTrackingLog </Route>Thanks a lot :)

Attempting to configure an SSL Listener with nxlog-ce-3.21.2329 and getting ERROR invalid keyword: ListenAddr at /etc/nxlog/nxlog.d/dhcplogs.conf:10Input portion of dhcplogs.conf file<Input SSL>  Module               im_ssl  Port                 2048  ListenAddr           0.0.0.0  CAFile               %CERTDIR%/myca.pem  CertFile             %CERTDIR%/user-cert.pem  CertKeyFile          %CERTDIR%/user-key.pem  InputType            Binary</Input> I've initially had Port after ListenAddr but all it did was change which line the error was reported on.Everything I've read and seen says it is supported and should work, does anyone have any ideas or pointers on why this isn't working?This is on Ubuntu 22.04 LTS Server if that makes any difference.TIA Tim

Dear Team, Issue :I'm trying to use NXLog Community Edition to send logs to Kiwi Syslog. I'm using the TCP connection method. I noticed that when I disconnect the destination for some period of time, after turning it back up after some hours, I can still see the logs that were generated during the destination downtime. This is happening even without the buffer module.I'm wondering what the use of the buffer module in the TCP module is. Is it necessary to use the buffer module to ensure that all logs are sent to the destination, even if the destination is temporarily unavailable?2. From the below configuration file, if we use a memory and disk-based buffer, how will the logs be allocated? And if it creates a buffer logs.q file, what is the maximum size of each file? =========================Configuration:## Please set the ROOT to your nxlog installation directory#define ROOT C:\Program Files\nxlogdefine ROOT C:\Program Files (x86)\nxlogModuledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension syslog> Module xm_syslog</Extension><Input generate_data>   Module      im_testgen   #Maxcount 100   Exec        to_syslog_bsd();</Input># Monitor Windows event logs#<Input eventlog>#  Module im_msvistalog#</Input><Processor buffer>  Module      pm_buffer   #10 MB buffer   MaxSize  10000   Type   Disk MEM   #warn at 5MB  WarnLimit   5000</Processor><Output logs_output>   Module  om_file   File    "C:\Users\test\output_logs.log"</Output><Output tcp> Module om_tcp Host 192.168.x.x Port 1514</Output><Route 1> Path generate_data => buffer => logs_output => tcp</Route> (for testing I'm using test gen module)provide environment descriptionwindows 10 IOT EnterpriseVersionNxlog community latest version 

Hi all,I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.For this configuration, i use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); command to send them to the rsyslog server.<Input Source_Eventlogs> Module im_msvistalog </Input> <Output Dest_LogServer> Module om_tcp Host 192.168.1.1 Port 514 Exec to_syslog_ietf(); </Output> <Route send> Path Source_Eventlogs => Dest_LogServer </Route>In the rsyslog server i receipt logs using a template who send logs to the right folder and then the right file log$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log" *.info -?DynamicFileI met a first issue with security logs who where sent to a folder using the IP address. I assumed the issue was due to a failed resolving name and after adding the Nxlog client name to the /etc/hosts file and it solved the first issue.I met a second issue with Eventlogs who create many folder in the rsyslog folder because the logs are sent without hostname.For example i receive logs in a folder name VMICTimeProvider and when i look to the notice.log file i can see that there is no hostnamecat VMICTimeProvider/notice.log 2023-07-22T09:18:39.022270+00:00. VMICTimeProvider (Local) 2023-07-23T09:40:51.040169+00:00. VMICTimeProvider (Local) 2023-07-24T08:03:51.264202+00:00. VMICTimeProvider (Local) i tried to correct the receipt in the rsyslog side with receipt conditions like if $fromhost-ip=='1.2.3.4' then { actions } . -?WindowsLogs $template WindowsLogs,"/var/log/rsyslog/Windows/Windows/log" But I have to do a line for any Windows collection in the file, and i think if i want to transfert the logs to another file server i will have the logs lines with missing hostname and i will met the same problem. Thank you for your help. Kind regards. Adrien

hello everyone,I am configuring nxlog to send IIS logs to Graylog.I managed to configure everything correctly but I would like to make the logs more readable on Graylog.I currently display them like this:would it be possible to somehow get the login name and ip of the user who logged in out of the “message” field?my  current nxlog configuration is this: Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data include %CONFDIR%\*.conf define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') &gt;= 5M)) \ file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; </Extension> <Extension _gelf> Module xm_gelf </Extension> <Extension _json> Module xm_json </Extension> ####################################################################### IIS NXLOG ####################################################################### <Extension w3c> Module xm_csv Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Input iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC*\u_ex*" SavePos TRUE Exec $ShortMessage = $raw_event; Exec if $raw_event =~/^#/ drop();\ else\ {\ w3c-&gt;parse_csv();\ $EventTime = parsedate($date + " " + $time);\ $EventTime = parsedate($date + " " + $time + "Z");\ $SourceName = "IIS";\ $raw_event = to_json();\ } </Input> ####################################################################### /IIS NXLOG ####################################################################### Snare compatible example configuration Collecting event log <Input in> Module im_msvistalog </Input> Converting events to Snare format and sending them out over TCP syslog <Output out> Module om_tcp Host ha-centlog-vip.xxxxxxxx Port 12201 Exec to_json(); OutputType GELF_TCP Exec $Hostname = hostname_fqdn(); Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event; #Use the following line for debugging (uncomment the fileop extension above as well) #Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event); </Output> <Route iis-to-graylog> Path iis => out </Route> Connect input 'in' to output 'out' <Route 1> Path in => outThanks

We have the following filter applied to our ms_vistalog_filtered.conf, which is working:  Exec if $EventID NOT IN (%MonitoredEventIds%) drop(); <Exec> $Hostname = hostname_fqdn(); to_json(); </Exec> If I attempt to add anything to this filter, logs stop coming in entirely.  I have tried using a single block, multiple exec commands, and multiple exec blocks.  I ultimately I need to filter out EventID 4663 for some of our noisy applications.  My single block filter looks like this: <Exec> if ($EventID NOT IN (%MonitoredEventIds%) or (($EventID == 4663) and ($raw_event =~ /c:\\\\program\sfiles\\\\java\\\\jre1\.8\.0_92\\\\bin\\\\java\.exe/i or $raw_event =~ /c:\\\\programdata\\\\oracle\\\\java\\\\javapath_target_185880968\\\\java\.exe/i or $raw_event =~ /c:\\\\program\sfiles\\\\java\\\\jdk1\.8\.0_92\\\\bin\\\\java\.exe/i or $raw_event =~ /d:\\\\java\\\\jdk1\.8\.0_181\\\\jre\\\\bin\\\\java\.exe/i or $raw_event =~ /c:\\\\program\sfiles\\\\git\\\\mingw64\\\\bin\\\\git\.exe/i or $raw_event =~ /c:\\\\programdata\\\\oracle\\\\java\\\\javapath_target_1471633062\\\\java\.exe/i or $raw_event =~ /c:\\\\windows\\\\system32\\\\netstat\.exe/i)) ) drop(); $Hostname = hostname_fqdn(); to_json(); </Exec>I have also tried something as simple as: Exec if $EventID NOT IN (%MonitoredEventIds%) drop(); Exec if $raw_event =~ /c:\\windows\\system32\\netstat.exe/i drop(); <Exec> $Hostname = hostname_fqdn(); to_json(); </Exec> There are many other iterations, but these I think illustrate the simplest filters we've tried.  Any change to the filter and restart of nxlog service results in all logs being dropped. not just eid 4663.  Is there something wrong in my syntax or some other issue I am missing? 

Hi!I would like to have some help with my NXLog confiugration. I dont get any errors or so but in the SIEM I don't receive any logs at all from the source. So I'm guessing that there Is some issues reading logs from the .csv file. Or It could be something else. So my purpose with this Is to ship logs in a local .csv file to a SIEM. My thought was that NXLog should be a great solutions with this due to all extensions and so on. My NXLog configuration file Is based on these modules,xm_csvxm_syslogxm_jsonim_file (pointing out the local .csv file)out_ssl (for shipping logs through tls encryption)Been following along with this guide, Delimiter-Separated Values (xm_csv) | NXLog DocsHas anyone done this before? Thanks

Hi there ,I am stranded with a problem of sending exchange server logs in syslog format over TCP. I performed a trial for fetching connect logs and using the csv module and send them over syslog format over TCP.Once I run the service , I dont get any output over TCP , nor any errors. I wanted to know what im doing wrong. Please help !(((PS I removed my destination IP and port )))define ROOT C:\Program Files\nxlog#define ROOT C:\Program Files (x86)\nxlogModuledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension syslog>   Module  xm_syslog</Extension><Extension _exec>   Module  xm_exec</Extension><Extension csv>   Module    xm_csv   Fields    date-time, connector-id, session-id, sequence-number, \             local-endpoint, remote-endpoint, event, data, context</Extension><Input in>Module im_fileFile "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG"       <Exec> csv->parse_csv(); to_syslog_ietf();</Exec></Input><Output out>   Module    om_tcp   Host      ####    Port      ####          Exec      to_syslog_bsd();</Output><Route 1>   Path      in => out</Route> 

Hi I'm getting a problem were the im_odbc module connects successfully to the DB via odbc but then straight away disconnects and give the error INFO [im_odbc|sccm_alerts] im_odbc successfully connected to the databaseWARNING [im_odbc|sccm_alerts] im_odbc detected a disconnection, attempting to reconnect in 10 secondsERROR [im_odbc|sccm_alerts] SQLDescribeParam failed, 07009:2:0:[Microsoft][ODBC Driver 17 for SQL Server]Invalid parameter number (odbc error code: -1) This is running on windows server 2019 and using MS SQL server 2017 (64bit)I have tried the ODBC driver 13/17/18 and tried just basic SQL query's to retrieve a single table (of just a couple or rows and columns ) The current DSN again works with PowerShell fine I've tried making my own and using system ones All permutations work using all ODBC drivers and SQL query's with PowerShell no problem  <Extension _json> Module xm_json </Extension> <Input sccm_alerts> Module im_odbc ConnectionString DSN=test;Trusted_Connection=yes; SQL SELECT ID,TypeID,TypeInstanceID,Name,FeatureArea, ObjectWmiClass,Severity FROM V_SMS_Alert </Input> <Output outfile> Module om_file File 'C:\scripts\out.log' Exec to_json(); </Output> <Route sccm> Path sccm_alerts, sccm_alerts => outfile </Route>It was al installed as a “standard” SCCM install which is working fine  Many thanks for any help, please let me know if you needs any more information Kind regards  

Hi,Can check if the current NXLog Manager can support RHEL 8.8?And any roadmap to support RHEL9 in future? ThanksRegards, Billy

I have a very small (Read - no budget) project that NXlog would be a perfect fit for. Parsing, reformatting, and moving logs from a third party app to our Splunk server. I have a config that is simple and would work perfectly - except I did not realize until today that the CE does not support HTTP headers. (I had been using the EE documentation apparently) I found this out via google search on this old thread:https://nxlog.co/community-forum/t/648-adding-custom-header-om-httpWhich was 4 years ago, and mentioned that HTTP header support is not in the CE yet. Are there any plans to add this? I seems like pretty basic HTTP functionality, even more so than HTTPS/SSL support (which must have been far more involved to implement). Without any idea on pricing at all on the EE (again, zero or close to it budget) and no “in between” edition, it seems like a shame that I cannot make this work with the CE.Any ideas? An alternate way to get logs into Splunk using the CE would also work for me. Any help greatly appreciated!

We have a Linux host we have installed nxlog-ce-3.2.2329_rhel7.x86_64.rpm with yum on. The install did not create the modules folder and it seems we have none of the required files. Is there a way that this all needs to be separately installed? Is it possible this nxlog-ce-3.2.2329_rhel7.x86_64.rpm package did not install fully?

hi,First of all I would like to know if NXLOG compatible with Windows server 2019. I have trouble with the performance of nxlog on windows 2019 while on 2012 everything is fine.The logs do not go up instantly even though the configuration is the same and there is no issue with the network.Does anyone knows what the issue might be?Thank you for your answers.

Hi Experts,I am reaching out to seek assistance with the installation of the NXLog Agent on my AWS EC2 Linux instance. I have encountered some challenges during the installation process and would greatly appreciate your guidance and support.The AWS EC2 instance I am using is running Amazon Linux version 2023. Here are the details of my Linux distribution:- Name: Amazon Linux- Version: 2023- ID: amzn- ID_LIKE: fedora- Version_ID: 2023- PLATFORM_ID: platform:al2023- PRETTY_NAME: Amazon Linux 2023- ANSI_COLOR: 0;33- CPE_NAME: cpe:2.3:o:amazon:amazon_linux:2023- HOME_URL: [https://aws.amazon.com/linux/](https://aws.amazon.com/linux/)- BUG_REPORT_URL: [https://github.com/amazonlinux/amazon-linux-2023](https://github.com/amazonlinux/amazon-linux-2023)- SUPPORT_END: 2028-03-01I kindly request your assistance in determining the correct RPM package I should download for this particular distribution and version of Linux.https://nxlog.co/downloads/nxlog-ce#nxlog-community-editionis there any documentation or resources that I can refer to for guidance on the installation process.Appreciate any help.