TEST

Is there a combination of inputs and extensions that can be used to collect RADIUS accounting messages via UDP listener?

We use Microsoft NPS today, but could benefit from the forking and advanced parsing of NXLog.   We send RADIUS accounting messages from multiple network devices and the differences in data layout are bit too much for NPS.

Hi, 

Doing my first steps with NXlog.

I have managed to collect all “Security” windows event log and also managed to update the “Version” parameter to my own parameter - Just for a test purposes 

Now I need to perform 3 tasks 

1. Collect all “Security” windows event log - Done
2. Update the “Version” parameter from int to string - Done 
3. Update the “Hostname” parameter of specific event ID (for example EventID":4656) to “test”  - Please advice 

Thank you 

<Input eventlog>   Module  im_msvistalog   <QueryXML>       <QueryList>           <Query Id='0'>    <Select Path='Security'>*</Select>           </Query>       </QueryList>   </QueryXML><Exec>       $Hostname = "test" ;      # This task should be only for eventID 4656       $Version = string($Version);       to_json();   </Exec></Input>

Good Afternoon.

I currently run a NX log solution that was setup by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server and that server uploads the logs to the IDS. That being said, I have set up a gray log server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should on of them become compromised. (via malware, ransomware, etc) I realize that there is already a config fiile for nx log that sends the event viewer logs so I am assuming that I would have to use that same file to have nx send dns logs to a different location (if that is even possible).   So my questions are, Is it possible to do that? If so, is the collection service that has to be stopped in order to edit the config file?

I would send these logs to the same online IDS service but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting. 

Any input will be greatly appreciated.

Hi folks,

how can we download the latest agent version without going true the manual download page.

Since the change of your webpage, the previous links do not work anymore.

This crucial, to have the latest agents in place.

Thank you

Nick

Hello all,

I have an application that sends log files to a directory formatted at YYYY-MM-DD.log (year, month, day). I'm watching the directory with the following stanza in the configuration file, but it does not recognize when the date changes and a new file is created. A service restart gets it reading the new file. 

The configuration is as follows:
<Input cvdupdate>
    Module  im_file
    File    "/var/log/cvdupdate/*.log"
</Input>

I'm running NXLog on a Ubuntu 18.04 system. The version is 3.0.2272. 

Hello,

This is not a installation question.

Using wget, as I have done for past 6 years was grab a NXLog-CE installation and install on my Linux core servers.   Yesterday 11/22/2022 I was unable to do this. I also noticed the Web Site has changed for downloading community versions and now  I need to make account. I'm assuming at this point,  Steps  needed  are install NXLog on any core servers I need to make account  on NXLog  site, Download the package needed. Transfer the NXLog package to  a closed environment that we have,  Upload NXLog package to a internal repo and distribute it as needed?  

 I'm also assuming this is a security procedure taken by NXLog?   If anyone could enlighten me on the new changes  that would be great.

Thanks

-Greg

I am trying to use the example in https://docs.nxlog.co/ce/current/index.html#om_file for file rotation on Windows (nxlog-ce-3.1.2319).

I receive the following error

ERROR Couldn't parse Exec block at xxx.conf:104; couldn't parse statement at line 107, character 29 in xxx.conf; module file not found
ERROR module 'testfile' has configuration errors

using this configuration.   The output works fine if I don't use the functions,  so I assume om_file must be loading (by default?).

<Output testfile>
    Module  om_file
    File    "E:/nxlog_output/active/nxlog-out.txt"
    <Exec>
        # Format output
        to_json();

        # Rotate file based on size, move to staging folder
        if (file->file_size() > 10M)
        {
            $stagingFolder = 'E:/nxlog_output/staged/';
            $newfile = $stagingFolder + 'data_' + strftime(now(), '%Y%m%d%H%M%S') + '.log';
            file->rotate_to($newfile);
        }
    </Exec>
</Output>

Apologies if I'm being dense, but I need some help with navigation of this site.

• The upper-right search box on this page, (https://nxlog.co/community-forum/) never submits.   Is there another search function I can use?
• Google search results all point to URLs like https://nxlog.co/question/4970/iis-logs-containing-quotes-are-not-processing,  which return a 404 when I click through.

Hi,

I have installed nxlog service (nxlog-ce-3.1.2319.msi) on windows core 2019 machine. I have a config:

define EVENT_REGEX /^.*(<EventData>.+<\/EventData>)$/

<Extension xml>
    Module  xm_xml
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input k8s_containers>
    Module  im_file
    File    "c:\var\log\containers\*.log"
    <Exec>
        if $raw_event =~ %EVENT_REGEX%
        {
             parse_xml($1);
        }
        else
        {
            drop();
        }

        $log_type = "k8s_container";
        $hostname = hostname();
        $host_ip  = host_ip();
        $log_file = file_name();

        if $log_file =~ /(.+)_(.+)_(.+)-(.+).log$/
        {
            $k8s_pod = $1;
            $k8s_namespace = $2;
            $k8s_container = $3;
            $k8s_container_id = $4;
        }

        to_json();

    </Exec>
</Input>

<Output file>
    Module  om_file
    File    "c:\\k\\nxlog.log"
</Output>

<Route containerlog>
    Path k8s_containers => file
</Route>

Everythings work fine, but log line has “log_file”: “unknown”. And because of that I didn't get $k8s_* fields.

How should I debug/resolv this issue?

Does nxlog community edition support IBM AIX & SUN Solaris?

Forgive my ignorance but I'm looking to use NX Log to capture all windows events under System, Application and Security whether they be Audit, Info, error or critical. Am I correct in my assumption that with no filter's it should collect everything?
    <Select Path='Application'>*</Select>
        <Select Path='Security'>*</Select>
        <Select Path='System'>*</Select>
or do I need to specify on single lines each severity level? for example:
    <Select Path='Application'>*[System/Level=4]</Select>
    <Select Path='Application'>*[System/Level=3]</Select>
    <Select Path='Application'>*[System/Level=2]</Select>

and so on?

Hi guys, 

We have NXLog CE 3.0.2272 installed on a server which was originally installed by another user manually. We have tried uninstalling it via the uninstall string MsiExec.exe /X {xxxxx} via ConnectWise which appeared to have uninstalled ok. Since then, we have installed a newer CE version 3.1.2319 however after installation the nxlog service is non-existent. We suspect the uninstallation via string may have broken this. Several attempts using the original installer to repair or uninstall/reboots does not fix this. 

Is there a way we can start fresh to remove NXLog completely then install? Any help would be appreciated :)

TIA
Jordan

Hellow everyone!

I have a scenario that uses Citrix MCS where I installed the agent on the master image that provides clone images that should go with the nxlog agent installed and running. But the agent goes up with some errors as below:

2022-09-23 13:51:38 ERROR couldn't connect to udp socket on <IP:XYZ:514>; The socket operation was attempted to an unreachable network.
2022-09-23 13:51:46 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-09-23 13:51:46 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Setup WitnessClientAdmin
2022-09-23 13:52:14 WARNING received a system shutdown request
2022-09-23 13:52:14 WARNING stopping nxlog service
2022-09-23 13:52:14 WARNING nxlog-ce received a termination request signal, exiting...
2022-11-02 23:16:38 INFO nxlog-ce-2.11.2190 started
2022-11-02 23:16:44 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-11-02 23:16:44 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Setup WitnessClientAdmin
2022-11-02 23:27:15 ERROR EvtNext failed with error 15007: The specified channel could not be found. Check channel configuration.
2022-11-02 23:27:16 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-11-02 23:27:16 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: WitnessClientAdmin
2022-11-02 23:27:16 ERROR Failed to retrieve eventlog fields; The handle is invalid.

Has anyone had a problem like this using Citrix MCS?

Thanks
James \0/

Hello!
We have permanent memory leaks on Windows Event Collect server with any 5 version NXLog. If we install any 4 version - it work without memory leak, but very slowly - it's accumulating queue on single filter for windows events. How we can help to fix it in next release?

Hi,

I use NXLog to send log of an Oracle Database to Graylog.

When i send the log to a INPUT in Graylog, the logs in Graylog are not in the same order as the source logfile.

I have configured an output to send event in an other logfile and in the new log the event are ine the same order as the source logfile.


Configuration to the UDP Output Graylog where the event are not in the same order as the source logfile.

    <Extension gelf>
        Module        xm_gelf
        ShortMessageLength 200
    </Extension>

    <Input ora-database-rman>
        Module          im_file
        File            "/oracle/rman/logs/DATABASE_*.log"
    </Input>

    <Output ext-graylog>
            Module om_udp
            Host XX.XX.XX.XX
            Port XXXXX
        OutputType    GELF_UDP
    </Output>

    <Route database-rman
        Path            ora-database-rman => ext-graylog
    </Route>



Configuration to the om_file module loca where the event are in the same order as the source logfile.

    <Input ora-database-rman>
        Module          im_file
        File            "/oracle/rman/logs/DATABASE_*.log"
            Exec sleep(100);
    </Input>

    <Output fileout>
        File            'tmp/output'
        Module          om_file
    </Output>

    <Route database-rman
        Path            ora-database-rman => fileout
    </Route>


Do you have an idea how to get the event in the order to the OUTPUT TCP ?

Thanks for your help,

Matt

Hi, I'm using NXLOG Community to transfer logs in and out, from Windows clients to a Linux server with an NXLOG agent for log collection. 
The logs arrive correctly, the only thing is that for the event viewer (example) 4624, I see logs with the same time, even in milliseconds, but the message varies only for a few lines of the "message" field. 
I wanted to avoid using the repeat module because I would create the same a log recording increasing the database.

This is client configuration file :

define ROOT C:\\Program Files\\nxlog
define ROOT_STRING C:\\Program Files\\nxlog
define CERTDIR %ROOT%\\cert

Moduledir %ROOT%\\modules
CacheDir %ROOT%\\data
Pidfile %ROOT%\\data\\nxlog.pid
SpoolDir %ROOT%\\data
LogFile %ROOT%\\data\\nxlog.log

define MonitoredEventIds 4624, 4647

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
Module  im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
Exec if $TargetUserName == "SYSTEM" drop();
Exec if $TargetUserName =~ /\$/ drop(); 
Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $LogonType == "5" drop();
</Input>

<Output out>
Module om_tcp
Host (10.*****)
Port 1514
Exec    to_json();
</Output>

<Route eventlog_to_out>

this is server nxlog.conf

User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input in1>
    Module      im_tcp
    Host         0.0.0.0
    Port         1514
<Exec>
        parse_json();
    </Exec>
</Input>

<Output dbi>
    Module      om_dbi
    SQL         INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, EventID, EventUser, EventSource, EventLogType, FromHost, NTSeverity, Priority, Message) \
                VALUES (NOW(), NOW(),  $EventID, $TargetUserName, $SourceName, $EventType, $Hostname, $Severity, $SeverityValue, $Message )
    Driver      mysql
    Option      host 127.0.0.1
    Option      username ****
    Option      password *******
    Option      dbname Syslog
</Output>

########################################
# Routes                               #
########################################
<Route 1>
    Path        in1 => dbi
</Route>

it's possible to not register duplicates at the origin?
it's possible to delete duplicates also in mysql database?

thanks you

#Hello, tanks in advance .
#I am sending multiple logs from windows server to a linux collector
#I have no issues with windows system logs , 
#Seems i can not send via snare windows system logs, and test plain text logs.
#Is there any way to do that?




But when i switch to snare i can see no description about the warning
2022-10-21T09:21:21+00:00 Winserver MSWinEventLog#0111#011N/A#0111#011Fri Oct 21 09:21:21 2022#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A#011N/A#011#011N/A#011N/A#015

The same line with snare commented:
2022-10-21T09:18:23.208210+00:00 Winserver WARNING: Can't open file \\?\C:\...\UPPS\UPPS.BIN: Permission denied#015



#My config:


Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\App\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Input internal>
    Module  im_internal
    Exec $Hostname = hostname_fqdn();
</Input>

<Input vistalog>
    Module  im_msvistalog
</Input>

<Input eventlog>
    Module  im_mseventlog
</Input>

<Input testFile>
  Module im_file
  SavePos True
  RenameCheck True
  Recursive True
  PollInterval 0.5 #near real time
  File "C:\\test\\myfile.txt"
  ReadFromLast True
</Input>

<Output out>
    Module  om_tcp
    Host    linux
    Port    514
    #Exec    to_syslog_snare();
</Output>

<Route r>
   # Path    internal, eventlog, vistalog, testFile => out
   Path testFile => out
</Route>

Hi,

 i have below replace function for replacing "|0" to "Zero".

Exec $Message = replace($Message, "|0 ", "Zero");

now, i want to replace "|0" to "|15" with Zero.

do i need to add 15 more Exec replace function, or is there is any way to replace using single exec using regex? 

Greetings!

I have a vulnerability in jQuery to be addressed in the nxlog manager v5 (5.5.5398).

This is related to XSS vulnerabilities from the version of jQuery installed (1.8.3, 1.9.2 ui) .

Will upgrading Manager to 5.6.5633 resolve the issue and update jQuery to 3.5.0+ ?

If not, please can you provide steps to update jQuery manually?

Thanks!
Shyam (on behalf of Shashidhar Ghiliyal)