Hi, Have just installed NXLog Enterprise Trial - however I cannot start the service - getting error message : nxlog[1711122]: 2022-01-20 09:19:34 ERROR [CORE|main] This NXLog version has expired. Any idea how the trial license is applied? Any assistance would be greatly appreciated. Kind regards, Liam

I'm using NX log enterprise to collect Sysmon logs.I have a problem with EventID 12 , In the original (Windows view ) the event type is set to EventType: CreateKeyAs part of the NXlog output, in the Metadata the Event type is set to INFO and only in the msg field i can see the EventType: CreateKey  Please advice 

Good Afternoon Team.I have a nxlog service running on a windows server. It has input rule to collect syslog from several devices like this: <Input syslog514udp>Module im_udpPort 514Host 0.0.0.0<Exec> $raw_event =~ s/\r?\n/#012/g; parse_syslog_bsd();</Exec> </Input>  I am trying to forward the syslog of one specific device (10.10.10.10) to a public IP 190.20.30.40, but the filter is not working since nxlog is forwarding everything, configuration bellow: <Output OutNetomi>Exec if ($MessageSourceAddress == ‘10.10.10.10’) drop();Module  om_udpHost    190.20.30.40Port    514</Output> Do you know where the error is? Thank you.Diego.

When I start NXlog CE, I get a socket error when tryin gto connect to  the remote Graylog servernxlog.conf...######################################### Global directives                    #########################################User nxlogGroup nxloginclude /etc/nxlog/nxlog.d/*.confLogFile /var/log/nxlog/nxlog.logLogLevel INFO######################################### Modules                              ##########################################<Extension _syslog>#    Module      xm_syslog#</Extension><Extension json>   Module         xm_json</Extension><Extension syslog>   Module         xm_syslog</Extension><Input in1>   Module      im_udp    Port        1514   Exec        parse_syslog_bsd();</Input><Input in2>   Module      im_tcp   Port        1514</Input><Input kernel>   Module         im_kernel   Exec           parse_syslog_bsd();</Input><Input systemd>   Module         im_systemd</Input><Input devlog>   Module         im_uds   UDS            /dev/log   FlowControl    FALSE   Exec           $raw_event =~ s/\s+$//;   Exec           parse_syslog_bsd();</Input><Output fileout1>   Module      om_file   File        "/var/log/nxlog/logmsg.txt"   Exec        if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");   Exec        to_syslog_bsd();</Output><Output fileout2>   Module      om_file   File        "/var/log/nxlog/logmsg2.txt"</Output><Output out>   Module         om_tcp   Host           192.79.220.162:1514   Exec           $Message = to_json(); to_syslog_bsd();</Output>######################################### Routes                               #########################################<Route 1>   Path        in1 => fileout1</Route><Route tcproute>   Path        in2 => fileout2</Route><Route r>    Path           kernel, systemd, devlog => out</Route>...nxlog.log...2023-10-27 09:56:23 WARNING nxlog-ce received a termination request signal, exiting...2023-10-27 09:56:24 ERROR Couldn't get systemd cursor;Cannot assign requested address2023-10-27 09:56:24 ERROR Couldn't remove pidfile /run/nxlog/nxlog.pid: Permission denied2023-10-27 09:56:25 INFO configuration OK2023-10-27 09:56:25 INFO nxlog-ce-3.2.2329 started2023-10-27 09:56:25 ERROR couldn't bind socket /dev/log;Address already in use2023-10-27 09:56:25 INFO reconnecting in 1 seconds2023-10-27 09:56:25 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known2023-10-27 09:56:26 INFO reconnecting in 2 seconds2023-10-27 09:56:26 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known2023-10-27 09:56:28 INFO reconnecting in 4 seconds2023-10-27 09:56:28 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known2023-10-27 09:56:32 INFO reconnecting in 8 seconds2023-10-27 09:56:32 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known2023-10-27 09:56:40 INFO reconnecting in 16 seconds2023-10-27 09:56:40 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known2023-10-27 09:56:56 INFO reconnecting in 32 seconds2023-10-27 09:56:56 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known2023-10-27 09:57:28 INFO reconnecting in 64 seconds2023-10-27 09:57:28 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known...    environment description...nxlog-ce is running on Oracle Linux Server version 8.8Package version is -3.2.2329-1.x86_64 ...relevant details...This is a new installation. The Graylog server is not receiving any logs from this machineThis problem does not involve parsing data.The problems is that the port I identified in the nxlog.conf file "1514" is being appended by "514" so the socket connection fails to the remote server. If I remove 1514 from the nxlog.conf file, the system still tries to connect at port 514 and gets denied errors since Graylog is seutp to listen on 1514...

I installed nxlog with the config below, but the logs I receive with my SysLogServer are not in UTF8 ?The Windowssystem is a german Windows 11, on this machine nxlog ist installed and running. Here is a sample output on the syslog server ( KiwiSyslog ) :10-31-2023 15:37:05 User.Info 192.168.75.20 Oct 31 15:37:04 PC-01 MSWinEventLog   1   Microsoft-Windows-PushNotification-Platform/Operational   1469   Tue Oct 31 15:37:04 2023   1025   Microsoft-Windows-PushNotifications-Platform   SYSTEM   User   Information   PC-01   N/A      Ein Stromversorgungsereignis wurde ausgel”st: MonitorSettingChange [PowerEventType] true [Enabled]   1846You can see that there are the german Umlaut are not displayed, ‘ausgel”st:’ have to diplay as 'ausgelöst:' Hope someone can help me.here is the nxlog.log:Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension><Extension _charconv>   Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec>   Module      xm_exec</Extension><Extension _fileop>   Module      xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       Exec    if (file_exists('%LOGFILE%') and \                  (file_size('%LOGFILE%') >= 5M)) \                   file_cycle('%LOGFILE%', 8);   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);   </Schedule></Extension># Snare compatible example configuration# Collecting event log<Input in>   Module      im_msvistalog</Input># # Converting events to Snare format and sending them out over TCP syslog<Output out>   Module      om_tcp   Host        192.168.75.20   Port        514   Exec        to_syslog_snare();</Output># # Connect input 'in' to output 'out'<Route 1>   Path        in => out</Route> 

Hi all, I tried to download the installer Windows, Ubuntu or all, but no download is able.internal Server Error !I need the Windows installer, could someone provide it here ?

Hi all,I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.For this configuration, i use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); command to send them to the rsyslog server.<Input Source_Eventlogs> Module im_msvistalog </Input> <Output Dest_LogServer> Module om_tcp Host 192.168.1.1 Port 514 Exec to_syslog_ietf(); </Output> <Route send> Path Source_Eventlogs => Dest_LogServer </Route>In the rsyslog server i receipt logs using a template who send logs to the right folder and then the right file log$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log" *.info -?DynamicFileI met a first issue with security logs who where sent to a folder using the IP address. I assumed the issue was due to a failed resolving name and after adding the Nxlog client name to the /etc/hosts file and it solved the first issue.I met a second issue with Eventlogs who create many folder in the rsyslog folder because the logs are sent without hostname.For example i receive logs in a folder name VMICTimeProvider and when i look to the notice.log file i can see that there is no hostnamecat VMICTimeProvider/notice.log 2023-07-22T09:18:39.022270+00:00. VMICTimeProvider (Local) 2023-07-23T09:40:51.040169+00:00. VMICTimeProvider (Local) 2023-07-24T08:03:51.264202+00:00. VMICTimeProvider (Local) i tried to correct the receipt in the rsyslog side with receipt conditions like if $fromhost-ip=='1.2.3.4' then { actions } . -?WindowsLogs $template WindowsLogs,"/var/log/rsyslog/Windows/Windows/log" But I have to do a line for any Windows collection in the file, and i think if i want to transfert the logs to another file server i will have the logs lines with missing hostname and i will met the same problem. Thank you for your help. Kind regards. Adrien

Hello, I am using nxlog-ce 3.2.2329 on a Windows 10 system to forward logs to a syslog-ng server over TCP using the to_syslog_ietf() procedure. This is working well for most logs, but I am occasionally seeing logs being generated with carriage returns and newlines in the syslog structured data element. Here is an example captured from tcpdump. Note that this is just the beginning of the message, enough to show you where the cr lf's are in the PrivilegeList element:<14>1 2023-10-18T16:23:21.669254-04:00 SteveAcer Microsoft-Windows-Security-Auditing 952 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4672" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="12548" OpcodeValue="0" RecordNumber="2053808" ActivityID="{FE9334EF-0152-0002-AD35-93FE5201DA01}" ThreadID="30200" Channel="Security" Category="Special Logon" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="SYSTEM" SubjectDomainName="NT AUTHORITY" SubjectLogonId="0x3e7" PrivilegeList="SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeDelegateSessionUserImpersonatePrivilege" EventReceivedTime="2023-10-18 16:23:23"The body of the message has cr lf's converted to spaces. In the documentation, I see reference to a ReplaceLineBreaks directive that defaults to converting the cr lfs to spaces, but that doesn't appear to apply to the syslog structured data. Is there a way I can remove these cr lfs from the PrivilegeList, or any element? My nxlog.conf is below:<Input eventlog> Module im_msvistalog </Input> <Output tcp> Module om_tcp Host 172.16.200.1 Exec to_syslog_ietf(); Port 514 </Output> <Route 1> Path eventlog => tcp </Route>Thanks,Steve 

Hi All,I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, it shows an error related to the integer function. The agent appears to continue working normally, and the error does not appear again (unless I restart the service). What could be the reason for this error?Configurationdefine ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_security_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast True SavePos True </Input> <Output out_chronicle_windevents> Module om_tcp Host 172.16.94.69 Port 41001 Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_security_eventlog => out_chronicle_windevents </Route> 2023-10-05 10:53:15 INFO nxlog-ce-3.2.2329 started 2023-10-05 10:53:15 INFO connecting to 172.16.94.69:41001 2023-10-05 10:53:15 ERROR assignment failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; binary operation failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; function 'integer' failed at line 30, character 48 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'integer' type argument is invalid Environment descriptionNXLog CE is running on Windows 2022 server Package version is 3.2.2329

Hi All,I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, the logs are send in “real time”. However, Over time, a delay is generated, causing the accumulated delay to be hours after one day. What could happen to explain this behavior?Configurationdefine ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_security_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast True SavePos True </Input> <Output out_chronicle_windevents> Module om_tcp Host 172.16.94.69 Port 41001 Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_security_eventlog => out_chronicle_windevents </Route> Environment descriptionNXLog CE is running on Windows 2022 server Package version is 3.2.2329   

Hello, I need to add extra field to send External/gateway IP address to Graylog. Using output UDP: <Output out> Module om_udp Host *** Port 4514 OutputType GELF Exec $hostname = 'test_SRV'; </Output> Its even posible?

Hi we wanted to send logs coming from SentinelOne to Google Chronicle using SSL/TLS NXlog. We are just using the Community Edition and based on the documentation SSL/TLS is supported for CE. But we are not sure if this is going to work or how to configure the “CAFile", “CertFile”, “CertKeyFile” thing for this to work or how do we install it? Is it free or paid? Please check the configuration we wanted to implement below. <Input ssl> Module im_ssl Host localhost Port 6514 CAFile %CERTDIR%/ca.pem CertFile %CERTDIR%/client-cert.pem CertKeyFile %CERTDIR%/client-key.pem KeyPass secret InputType Syslog_TLS Exec parse_syslog_ietf(); </Input>

Hello,i have the problem, that i need to save eventlogs from 32Bit Windows 10 machine to a central logging solution (Graylog 5.1). This works great with x64 Windows 10 systems, but i don‘t find a solution with nxlog and 32Bit systems. Are there any previous versions available with x86 support or do i need to look for an other product? Thanks in advance!

Hi all,I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.For this configuration, i use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); command to send them to the rsyslog server.<Input Source_Eventlogs> Module im_msvistalog </Input> <Output Dest_LogServer> Module om_tcp Host 192.168.1.1 Port 514 Exec to_syslog_ietf(); </Output> <Route send> Path Source_Eventlogs => Dest_LogServer </Route>In the rsyslog server i receipt logs using a template who send logs to the right folder and then the right file log$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log" *.info -?DynamicFileWhen i receive the logs, they have some replacement caracters like #015 or #011.I tried to do the setup with this exec command at the input and at the output and it doesn't convert the logsExec $raw_event = replace($raw_event, "\t", " ");Kind regardsAdrien

We have the issue Nxlog Error 1067: the process terminated unexpectedly.Is there a way to fix this without reinstalling?Does re-installation require a reboot?  

Hi, can you help with the problem of nxlog not sending loose txt files to graylog?My nxlog.conf snippet about sending loose txt files<Input zpliku>Module im_fileFile "D:\file.log"</Input><Route messages_to_udp>Path zpliku => out</Route I have output defined for Graylog as GELF and the other section sending eventlog works correctly. Only sending loose files doesn't work here

I need help to integrate my Windows Server with Nxlog Agent installed to forward events/logs to Google Chronicle. I read the documentation of NxLog of this integrations, but the topic that explains how to use nxlog to direct structure logs to chronicle, he talk to edit a XML file, but i dont know what file I need to edit.  

Hello,im currently try to send logs from our Exchange Server to a log Collector.Sadly when i check the NXlogs i see the error not enough fields in CSV Input. Dose anyone know what do in this case? ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input Configuration Code:<Extension MessageTrackingLog>   Module      xm_csvFields   $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version    Delimiter   QuoteMethod None Thanks a lot :)

Hello,im currently try to send logs from our Exchange Server to a log Collector.Sadly when i check the NXlogs i see the error not enough fields in CSV Input. Dose anyone know what do in this case? ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input Configuration Code:<Extension MessageTrackingLog>   Module      xm_csvFields   $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version    Delimiter   QuoteMethod None#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to Cybereason XDRf. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log define CertDir C:\Program Files (x86)\nxlog\cert #Define the modules that will be used by nxlog. <Extension json> Module xm_json </Extension> <Extension _syslog> Module xm_syslog </Extension> <Extension MessageTrackingLog> Module xm_csv Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version Delimiter QuoteMethod None </Extension> <Input in_MessageTrackingLog> Module im_file File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG' InputType LineBased SavePos TRUE PollInterval 1 <Exec> if $raw_event =~ /^#/ drop(); else { MessageTrackingLog->parse_csv(); $EventTime = parsedate($date + " " + $time); $SourceName = "MessageTrackingLog"; $raw_event = to_json(); } </Exec> </Input> <Output out_MesssageTrackingLog> Module om_udp #This is the IP address of the Cybereason XDR Collector Host X.X.X.X #This is the port configured on the Universal Event Source Port XXXX </Output> <Route 1> Path in_MessageTrackingLog=>out_MesssageTrackingLog </Route>Thanks a lot :)