Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
README: how to ask questions effectively
gahorvath Nxlog ✓ created
Hi All,please adhere to the guidelines below to get faster responses to your queries.1 State the problem clearly:I am trying to collect logs from a log file using im_file and NXLog reads the whole file after each restart.2 Provide your configurationin a code block:
```
configuration text
```3 provide the contents of nxlog.log in a code block2023-04-12 08:00:27 INFO [CORE|main] configuration OK
2023-04-12 08:00:27 INFO [CORE|main] nxlog-5.7.7898 (68bb24e7e@REL_v5.7) started on Linux
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] connecting to lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] tcp connection established with lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [xm_admin|admin] connecting to lab1.home(192.168.14.52):4041
2023-04-12 08:00:27 INFO [xm_admin|admin] tcp connection established with lab1.home(192.168.14.52):4041
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan started
2023-04-12 08:00:28 ERROR [im_fim|fim] Module 'fim' could not open file '/opt/nxlog/bin/upgrade-nxsec.sh': Permission denied
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan finished in 0.05 seconds. Scanned folders: 15 Scanned files: 102 Read file bytes: 156746314 provide environment descriptionNXLog CE is running on Windows 2022 server Package version is 3.2.23295 provide relevant detailsThis configuration has been working before we updated from version 2.11Now it does not6 if your problem involves parsing data provide samples of your input and expected output as well as what you actually getMy data looks like this:{"message": “message1”, "time": Thu 20 Apr 10:48:43 CEST 2023}I am getting an error:> error message hereI would like to receive the time in UNIX time (seconds since Epoch)Using this format enables us to get started much faster, and perhaps address your issue in the very first response we writeWould that not be great? :) Thanks for your cooperation!Gabor
gahorvath Nxlog ✓ created
Nxlog stops sending data to a route if another route is actively rejecting connections
kond_nxlog created
Nxlog stops sending data to a route if another route is actively rejecting connections.The other output stops sending data after a while (from a few minutes to a day), although TCP-connection is supported.We use 2 routes at the same time with 1 input.There is our nxlog config: “The in1 module is used by both routes. ”Planforms: Windows 2016/2019 and Windows 2022nxlog.conf<Route r1>
Path in => out1
</Route>
<Route r2>
Path in => out2
</Route>Logs:2024-11-21 13:28:53 INFO nxlog-ce-3.2.2329 started
2024-11-21 13:28:53 INFO connecting to Graylogserver:12523
2024-11-21 13:28:53 INFO connecting to Graylogserver:12527
2024-11-21 13:28:54 INFO reconnecting in 1 seconds
2024-11-21 13:28:54 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it.
2024-11-21 13:28:55 INFO connecting to Graylogserver:12523
2024-11-21 13:28:56 INFO reconnecting in 2 seconds
2024-11-21 13:28:56 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it.
2024-11-21 13:28:58 INFO connecting to Graylogserver:12523
kond_nxlog created
No logs are collected from Fortinet units, but tcpdump on NXlog collector shows ingoing traffic coming from them
DS_534595 created
I have a setup using NXlog instances as collectors in a large number of security zones.
<Input in0>
Module im_tcp
Host XXX.XXX.XXX.XXX
</Input>
but for some reason this does not capture logs coming in on port 514 from Fortinet units; all other logs (from Windows and Linux servers) are received and processed just fine.
tcpdump -nvvA host [Fortinet unit IP]
shows log traffic coming in on the NIC from the given IP address.
What am I missing?
DS_534595 created
Sumo Logic Integration
A1 created
Hello!I am working on integrating NXLog with Sumo Logic. I followed the instructions on how to integrate with Sumo Logic in the setup documentation, but the logs are not being forwarded to Sumo Logic correctly, even though I receive the INFO successfully connected message. I believe it may be related to the token. My input is from an SSL connection (which is successfully connecting, I tested by diverting it to a file which I'm currently using as an intermediary until I figure this out). I have tried both options below. Module om_ssl Host syslog.collection.us1.sumologic.com Port 6514 CAFile %CERTDIR%\digicert_ca.crt Exec to_syslog_ietf(); Exec $raw_event =~ s/(\[.*])//g; \ $raw_event = replace($raw_event, \ '{', '[%SUMO_TOKEN%] {', 1); Module om_ssl Host syslog.collection.us1.sumologic.com Port 6514 CAFile %CERTDIR%\digicert_ca.crt Exec to_syslog_ietf(); Exec $raw_event =~ s/(\[NXLOG@14506.*?\])//g; \ $raw_event = replace($raw_event, \ '{', '[%SUMO_TOKEN%] {', 1);
A1 created
Ubuntu 24.04 LTS Support
prot-jsalens created
Good day,I was wondering if the CE will be releasing a version for Ubuntu 24.04 since this is a LTS release.Thanks,Jesse
prot-jsalens created
NXLog and local mail server (postfix) issues
Konstantinos12 created
Hello everyone,New to NXlog, doing the trial now and on setup I have encountered an issue with setting up the mail server and stuck there… It is a ubuntu server (AWS EC2) with postfix installed that relays to google.Postfix works as when trying: echo "This is the body of the email" | mail -s "This is the subject line" user@ourdomain.com -r nxlog@ourdomain.com - I get the email, not an issue.When I go to the mail server config of the web UI I always get “Failed to send email”, also the same when I try to change the email or password. I see nothing in the mail log so it seems it is not even trying to send the email?The settings I try are:Host: 127.0.0.1Port: 25Sender: nxlog@ourdomain.comUsername/Password: (empty) - as we don't auth for the local interface, this is just a local relay Any advice on how to proceed since I'm stuck on this step… :( Thank you!
Konstantinos12 created
pm_null Deprecation Alternative
George1 created
With pm_null being marked for deprecation, does anyone know what the suggested alternative would be for creating modular configurations that use multiple processors?e.ginput => p1 => p2 => outputWhere p1 and p2 are pm_null modules that contain execs to perform some transformation on the event?
George1 created
NXLog Platform API key is invalid
MICHAEL123 created
Hi something wrong with my API key? copy and paste to the config. run the command below and get this error. Please help Thankserror:source ./master.cnf.sh && CALLED_FROM_MAKEFILE=1 ./scripts/00_check_api_key.sh[2024-11-17 17:39:21] [ERROR] Your NXLog Platform API key is invalid: MDE5MzI2MjktZGJmMy03ZmY2LThiZTMtM2Q3MDkxZjBmOTQzOm5ISlJCSVdpR1orR1RnZEUzaHUzenJHUVd2T2xBYlpHQTVGUUhLcVBuQmM9. Please double check your input.[2024-11-17 17:39:21] [ERROR] Status code returned by cloud platform.beta.nxlog.company: 401[2024-11-17 17:39:21] [INFO] You have 2 attempt(s) left to input a valid NXLog PLatform API keyEnter your NXLog PLatform API key: make: *** [Makefile:209: check-api-key] Error 1root@nxlog:/home/ubuntu# sudo nxp_manage.sh wizard
MICHAEL123 created
nxlog inserts #011 and #015 in logs
Engel created
Dear Community,I am using NXlog community edition and am experiencing the problem that using the following configuration, the log sent to rsyslog arrives with the characters #011 as tab and #015 as carriage return: <Extension _syslog> Module xm_syslog</Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension> <Extension _exec> Module xm_exec</Extension> <Extension json> Module xm_json</Extension> <Input internal> Module im_internal</Input> <Input eventlog> Module im_msvistalogQuery <QueryList>\ <Query Id="0">\ <Select Path="Application">*</Select>\ <Select Path="System">*</Select>\ <Select Path="Security">*</Select>\</Query>\</QueryList> Exec if ($EventID == 5156) OR ($EventID == 5158) drop(); Exec $HOSTNAME=hostname(); Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " ");# Exec $Message =~ s/(\t|\R)/ /g;# Exec $Message =~ s/(\t|\R|\011|\015)/ /g;</Input> <Output out> Module om_tcp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " "); Exec to_syslog_snare(); Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " ");</Output> <Route 1> Path eventlog, internal => out</Route> Can you tell me how to solve the problem? It seems not to remove the tab and carriage return characters.Thank you very much.
Engel created
route to local file.
kjloh created
Hi there, I have the following log server setup which recevice log from various servers and route to another server as well as written to a local file.<router>path from_other_servers => output_another_server, local_zip_encrypted_file<\route>it seems for smaller log size, I have to restarts the nxlog before the file can be written locally. (the file is empty when I tried to decrypt and uncompress the file)(1) is it possible to force flush into local file in regular basis?(2) though I don't see the log written to local file, can I check if the log is forwarded to another server in this case?Thanks in advanceBest regards,Loh
kjloh created
Enabling HTTPS for NXLog Manager - using custom certificate
nervevector created
Hello! I’m looking through the steps to “Enabling HTTPS for NXLog Manager” using a CA signed cert. The documentation provided is rather limited (https://docs.nxlog.co/manager/current/installation/https.html)Any additional information you can share would be appreciated.Thanks!
nervevector created
IPv6?
doomfront created
Curious if IPv6 is supported yet? If not, is there an ETA on when it will be supported?
doomfront created
exclude in im_file
HenkPuister created
I'm trying to configure an Exclude in im_file. I want to exclude logs with a date and number at the end of the filename. These files are already processed.Config:<Input PPS> Module im_file InputType multi_PPS File '%LOGDIR%\\*.log' # PPSPortaalManager_24-05-24_2.log Exclude '*_??-??-??_*.log' #. I've tried several notations, eg. double quotes instead of single, escaping the questionmarks. But none of them work. Searching for examples leads to 1 of 2 examples, which are very common examples, and none of them with wildcards.Using nxlog-ce-3.2.2329 .Has anyone a good, and working, example how to user Exclude in im_file?
HenkPuister created
OM_AZURE problem with CA
Brad created
I've been testing sending logs directly to Sentinel and am having a problem with NXLOG not liking the CA. The error is not one I'm finding a lot of online help with.“no certificate or crl found” appears in the the log file, repeatedly.Maybe an issue with the CA I'm pointing to? Is there a specific one for Azure Sentinel that I'm overlooking, and if so, where is that obtained?Thanks in advance.--B
Brad created
apr_sockaddr_info failed
NOurdine created
Hello there i try to forward logs radius to my elastic siem , i got this error when executing nxlog.exe -f :2024-10-07 11:16:37 INFO nxlog-ce-3.2.2329 started2024-10-07 11:16:37 INFO reconnecting in 1 seconds2024-10-07 11:16:37 ERROR apr_sockaddr_info failed for 172.19.14.51 # IP du serveur distant:514; Unknow Host. Here is the config (without ip for privacy) : <Extension _syslog> Module xm_syslog</Extension><Extension xml> Module xm_xml</Extension><Input radius_log> Module im_file File "D:\NPS\NPS Logs\IN2410.log" SavePos TRUE ReadFromLast TRUE PollInterval 1 Exec parse_xml("/Event"); </Input><Output remote_syslog> Module om_udp Host # IP SRV FORWARD Port 514</Output><Route radius_to_remote> Path radius_log => remote_syslog</Route> Is it possible to get everything in the source folder not just one ? Because the name change everymonth , example : october :IN2410.logNovember: IN2411.log December: IN2412.log etc Please Thnaks a lot
NOurdine created
QRadar NXlog windows configuration for forward events coming as host events not from actual system
vk245@outlook.com created
Hello All, In NXlog Qradar windows configuration , we have setup forwarded events as well but the for the forwarded events the source is coming as host instead of client meachine or actual source. I would request your help in fixing this. I am using the below configuration define ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\conf\nxlog.ddefine LOGDIR %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data<Extension _syslog> Module xm_syslog</Extension><Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec> Module xm_exec</Extension><Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') >= 5M)) \ file_cycle('%LOGFILE%', 8); </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); </Schedule></Extension># Snare compatible example configuration# Collecting event log<Input in> Module im_msvistalog<QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'>*</Select> <Select Path='Security'>*[System/Level<4]</Select> <Select Path='System'>*</Select> <Select Path='ForwardedEvents'>*</Select> </Query> </QueryList> </QueryXML> <Exec> if $Category == undef $Category = 0; if $EventType == 'CRITICAL' { $EventTypeNum = 1; $EventTypeStr = "Critical"; } else if $EventType == 'ERROR' { $EventTypeNum = 2; $EventTypeStr = "Error"; } else if $EventType == 'INFO' { $EventTypeNum = 4; $EventTypeStr = "Informational"; } else if $EventType == 'WARNING' { $EventTypeNum = 3; $EventTypeStr = "Warning"; } else if $EventType == 'VERBOSE' { $EventTypeNum = 5; $EventTypeStr = "Verbose"; } else { $EventTypeNum = 0; $EventTypeStr = "Audit"; } if $OpcodeValue == 0 $Opcode = "Info"; if $TaskValue == 0 $TaskValue = "None"; $EpochTime = string(integer($EventTime)); $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/; $EpochTime = $sec; if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; } else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; } else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; } else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; } else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; } else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; } else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; } else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; } else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; } else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; } else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; } else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; } else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; } else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; } else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; } else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; } else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; } else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; } else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; } else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; } else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; } else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; } else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; } else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; } else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; } else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; } else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; } else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; } else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; } else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; } else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; } else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; } else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; } else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; } else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; } else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; } else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; } else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; } else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; } else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; } else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; } else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; } else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; } else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; } else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; } else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; } else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; } else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; } else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; } else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; } else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; } else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; } else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; } else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; } else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; } else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; } else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; } else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; } else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; } else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; } else { $TaskStr = "Unknown[" + $taskValue + "]"; } if $KeywordsStr == undef { if $TaskValue == 0 { $KeywordsStr = 'None'; } else { $KeywordsStr = '0'; } } if $TaskStr == undef { $TaskStr = $TaskValue; } if $EventType == 'AUDIT_SUCCESS' { $KeywordsStr = "Audit Success"; $EventTypeNum = 8; } else { $KeywordsStr = "Audit Failure"; $EventTypeNum = 16; } $Message = "AgentDevice=WindowsLog" + "\tAgentLogFile=" + $Channel + "\tSource=" + $SourceName + "\tComputer=" + hostname_fqdn() + "\tOriginatingComputer=" + host_ip() + "\tUser=" + $AccountName + "\tDomain=" + $Domain + "\tEventIDCode=" + $EventID + "\tEventType=" + $EventTypeNum + "\tEventCategory=" + $TaskValue + "\tRecordNumber=" + $RecordNumber + "\tTimeGenerated=" + $EpochTime + "\tTimeWritten=" + $EpochTime + "\tLevel=" + $EventTypeStr + "\tKeywords=" + $KeywordsStr + "\tTask=" + $TaskStr + "\tOpcode=" + $Opcode + "\tMessage=" + $Message; $Hostname = host_ip(); delete($SourceName); delete($Severity); delete($SeverityValue); to_syslog_bsd(); </Exec></Input>
vk245@outlook.com created
Unable to ingest logs from file having 150MB
krishnap created
Hi Team,Need help!We're unable to ingest the logs from the file ‘output.json,’ which is 150MB in size. But i am able to send the logs from file ‘output.json’ which is 10MB in size to the forwarder.Below is the NXLog Community Edition Config file. Please help me is there anything to modify the Config file.define ROOT C:\Program Files\nxlogdefine ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <Forwarder IP>define ADCONTEXT_OUTPUT_DESTINATION_PORT <Port>Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension json> Module xm_json</Extension><Input in_adcontext> Module im_file File "C:\AD\output.json" DirCheckInterval 3600 PollInterval 3600</Input><Output out_chronicle_adcontext> Module om_tcp Host %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS% Port %ADCONTEXT_OUTPUT_DESTINATION_PORT%</Output><Route ad_context_to_chronicle> Path in_adcontext => out_chronicle_adcontext</Route>
krishnap created
NxLog CE version 2.X statement of Supporting windows server 2022
Ken1 created
Hi,We are using NXLog-CE version 2.10.2150 and we prepare to deploy NX log agent in Windows server 2022.Is Nxlog 2.10.2150 supporting log collection for Windows server 2022?If the version is not supported, what is the minimum NX log agent to support Windows server 2022?Thanks.
Ken1 created
The NXLOG Process 100% CPU Load after Server restart.
Wolfgang E created
Hi NXLOG Community,the NXLOG Process 100% CPU Load after Server restart on Windows Systems.The Problemcause is simple but i dont understand why.A Handfull of Servers whit much logfiles (nxlogconfiguration use Wildcard for logfolder(s)).The Logfiles are written in the Cachefile and looks okay. But it feels like digs through all log files.Small footage of a Configuration:<Input catalina>
Module im_file
File 'C:\Tomcat\logs\\catalina*.log'
Recursive True
PollInterval 30
SavePos True
CloseWhenIdle True
<Exec>
#parse date
if $raw_event =~ /(\d\d\-\S\S\S-\d\d\d\d \d\d:\d\d:\d\d)/ $EventTime = strptime($1, '%d-%b-%Y%t%H:%M:%S');
# Now set the severity to something custom. This defaults to 'INFO' if unset.
if $raw_event =~ /\sSEVERE\s/ $Severity = 'CRITICAL';
else if $raw_event =~ /\sERROR\s/ $Severity = 'ERROR';
else if $raw_event =~ /\sWARN\s/ $Severity = 'WARNING';
else $Severity = 'INFO';
# The facility can be also set, otherwise the default value is 'USER'.
$SyslogFacility = 'AUDIT';
</Exec>
</Input>We use the Last CE Version.: nxlog-ce-3.2.2329Thanks, regards Wolfgang
Wolfgang E created
nxlog platform start up issue
EH_272573 created
Have installed nx onprem on ubuntu 22.04.5 LTS and cant login after the install finishes. Not sure how many pods are suppose to run but I see a postgress and vault 1c9df1fc6f5d nxlogacr.azurecr.io/vault:1.13.3 3 hours ago Up 2 hours ago (healthy) nxlog-1_2_2-vault-1eef5bec91376 nxlogacr.azurecr.io/postgres:16.3-alpine -c config_file=/e... 3 hours ago Up 2 hours ago (healthy) nxlog-1_2_2-postgres-1 Below is what shows listening and I don't see any web services. dp UNCONN 0 0 10.89.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1291,fd=4)) udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=627,fd=13)) udp UNCONN 0 0 [fe80::d433:a2ff:fe02:9e0d]%cni-podman1:53 [::]:* users:(("dnsmasq",pid=1291,fd=10)) tcp LISTEN 0 32 10.89.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1291,fd=5)) tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=627,fd=14)) tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=750,fd=3)) tcp LISTEN 0 32 [fe80::d433:a2ff:fe02:9e0d]%cni-podman1:53 [::]:* users:(("dnsmasq",pid=1291,fd=11)) tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd"I see the following error in nxp.logHA Mode standbyActive Node Address <none>Raft Committed Index 31Raft Applied Index 31Error authenticating: error looking up token: Error making API request.URL: GET http://0.0.0.0:8200/v1/auth/token/lookup-selfCode: 500. Errors:I got the following during the install[2024-09-25 00:28:55] [INFO] Vault container ID: 62f8bd5e1e00[2024-09-25 00:28:55] [INFO] Executing command (/init/bootstrap.sh) in container 62f8bd5e1e00...make: *** [Makefile:231: seed-vault] Error 2
EH_272573 created