
file_name() returns unknown in im_file in Windows

``` NXLog version: NXLog CE 3.0.2272

OS version: Windows Server 2019

Issue: file_name() returns "unknown" in the im_file module

Config:

<Input in_AppABC>
  Module im_file
  <Exec>
    log_info('Filename is ' + file_name());
  </Exec>
  File "C:\logs\AppABC.log"
</Input>

```


mitchfloresswi
Replies: 5
gahorvath
Ability to read / parse newest log record from source log files

``` I am using NxLog to read and output logs from various source files (im_file module). I configured NxLog with the "ReadFromLast" hint so it is capturing new logs since the last "SavePos".

Now I want to change this a little bit: I want to read just the newest entry in my log files since "SavePos". How can I achieve this? Is there a hint / filter that can help? ```


rnandikotkur
Replies: 1
Misaziv
NxLog not even attempting to sync first few lines

``` I have an im_file to om_tcp route on the community edition. My application starts generating logs at 5am and runs every 15 minutes. I have observed that it essentially skips the first X lines and syncs things only after the X lines, starting at 5:15, and works fine throughout the day. There is nothing in the logs at 5am. I have tried routing it to another om_file on the same machine, and it works ok.

Can you please help me fix it?

Here is the config:

########################################
# Global directives
########################################

User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules
########################################

# The extension block names were not preserved on the page; these are the
# stock nxlog.conf names.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _fileop>
    Module xm_fileop
</Extension>

########################################
# Input
########################################

<Input in-my-important-app>
    Module im_file
    File "/var/log/tomcat/my-important-app-*.log"
    ReadFromLast True
    SavePos True
    Exec $Filename = "myApp/" + file_basename(file_name());
    Exec $Hostname = hostname_fqdn();
</Input>

########################################
# Output
########################################

# Output to destination
<Output out-destination>
    Module om_tcp
    Host [destination host]
    Port [destination port]
    OutputType Binary
</Output>

########################################
# Routes
########################################

<Route 1>
    Path in-my-important-app => out-destination
</Route>
```


javid90khan
Replies: 1
javid90khan
End process when EOF Reached

``` Hello - new to nxlog. Trying to end nxlog process when EOF reached on input file. Any help appreciated.

Thanks, Andrew ```


adurance
Replies: 1
manuel.munoz
Send File by Syslog w/o header

``` Hello

I'm using "NXLog CE" to send a file by syslog. So far I have this:

<Input filezilla>
    Module      im_file
    File        "C:\\Program Files (x86)\\FileZilla Server\\Logs\\fzs-*.log"
    SavePos     TRUE
    Exec        $Message = '%FileZilla: ' + $raw_event;
</Input>
<Output outfiles>
    Module      om_tcp
    Host        10.226.6.210
    Port        514
    Exec        to_syslog_bsd();
</Output>

The file has lines like "(125419) 13/03/2018 12:32:59 - prtg (10.4.171.245)> QUIT" I want to get (on my syslog sever) "%FileZilla: (125419) 13/03/2018 12:32:59 - prtg (10.4.171.245)> QUIT" Instead, I got: "Mar 13 12:33:00 DSCRESJ %FileZilla: (125419) 13/03/2018 12:32:59 - prtg (10.4.171.245)> QUIT"

I think the "Mar 13 12:33:00 DSCRESJ" part is the header from to_syslog_bsd(). Anyway, I wonder if there is a way to remove that header.

Regards. ```


_omar_
Replies: 1
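A configuration that delivers the line in the form the post asks for, added here as an example by the editor; it is not from the post, from any reply, or from NXLog's own documentation. It keeps the post's file path and collector address (10.226.6.210:514); the block names are assumed.

```apacheconf
# Added example; file path and collector are the post's, block names are
# assumed.

<Input filezilla>
    Module      im_file
    File        "C:\\Program Files (x86)\\FileZilla Server\\Logs\\fzs-*.log"
    SavePos     TRUE
    # Put the prefix into $raw_event itself. With the default LineBased
    # output type, om_tcp writes $raw_event followed by a newline and
    # nothing else.
    Exec        $raw_event = '%FileZilla: ' + $raw_event;
</Input>

<Output outfiles>
    Module      om_tcp
    Host        10.226.6.210
    Port        514
    # No to_syslog_bsd() here. That procedure is what builds the
    # "<PRI>Mar 13 12:33:00 DSCRESJ " envelope (priority, timestamp,
    # $Hostname) in front of $Message; it has no option to omit it, so the
    # only way to send a header-less line is to not call it.
</Output>

<Route filezilla_raw>
    Path        filezilla => outfiles
</Route>
```

What arrives on the collector is the bare line, "%FileZilla: (125419) 13/03/2018 12:32:59 - prtg (10.4.171.245)> QUIT". The trade-off is worth checking before using this for audit data: a syslog server that expects RFC 3164 input will stamp such a line with its own receive time and attribute it to the TCP peer address only, because the sending host's name, facility and severity are no longer in the message.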
_omar_
Seems that nxlog does not read all the line of my log file

``` Hi,

It seems that nxlog does not send to the output all lines of a file which is monitored. Here is an example of what I want to send to my syslog server:

30,01/16/18,09:24:23,Requête de mise à jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
10,01/16/18,09:24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
32,01/16/18,09:24:23,Mise à jour DNS réussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
30,01/16/18,09:25:55,Requête de mise à jour DNS,192.168.31.68,volant3.enterprise.local,,,0,6,,,
10,01/16/18,09:25:55,Assigner,192.168.31.68,volant3.enterprise.local,5C514FDCA690,,2181532597,0,,,
32,01/16/18,09:25:55,Mise à jour DNS réussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,

And here is what I have received:

2018-01-16T09:24:23+01:00 DC 30,01/16/18,09: 24:23,Requ▒te de mise ▒ jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:24:23+01:00 DC 10,01/16/18,09: 24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
2018-01-16T09:24:23+01:00 DC 32,01/16/18,09: 24:23,Mise ▒ jour DNS r▒ussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:25:55+01:00 DC 32,01/16/18,09: 25:55,Mise ▒ jour DNS r▒ussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,

Here is my whole nxlog configuration:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# The names of the next two blocks were not preserved on the page; these
# are the stock nxlog.conf names.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
# For windows 2003 and earlier use the following:
#   Module im_mseventlog
</Input>

define DHCPDIR C:\Windows\Sysnative\dhcp

<Input inDhcp>
    Module im_file
    File '%DHCPDIR%\DhcpSrvLog-*.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Exec $Message = $raw_event; $SyslogFacilityValue = 17;
</Input>

<Output outSyslogSrv>
    Module om_udp
    Host 192.168.2.12
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path inDhcp => outSyslogSrv
</Route>

Did I miss something?

Thanks ```


sv
Replies: 1
sv
Send file to Graylog im_file not working.

```

I have a very basic setup. I was easily able to get the general syslog functionality working.

I have been unable to get the file transport working. I've spent several days trying alternative configurations and Googling for help; all to no avail.

I also tested with om_file - trying to just grab the file and output it locally - the outcome was just a blank file.

Any help will be greatly appreciated.

Here is my config:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension gelf>
    Module      xm_gelf
</Extension>

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input 1>
    Module      im_file
    File        "C:\\MSSQL\\ERRORLOG"
</Input>

<Output 2>
    Module      om_tcp
    Host        192.168.1.50
    Port        5550
    OutputType  GELF_TCP
</Output>

<Route 3>
    Path        1 => 2
</Route>

```


jcottone
Replies: 1
jcottone
How to add a field for the file offset?

```

We are pushing logs from file with the im_file module to logstash and then to elasticsearch. However, some of these logs only have second accuracy, and are therefore not returned in order by elasticsearch when sorted by just the time. To get around this problem, we would like to add the position of the log event to a field that we store (for example the beginning line number or byte offset within the source file). Is there a way I can add a separate field for this in the events pushed by nxlog, either in the input or output configuration?

```


scalesleaf
Replies: 1
scalesleaf
Remote collection of (restricted) file

```

Scenario:

I have NXLog EE installed on a host in Windows domain.

I need to read DHCP logs from the DC(s), UNC path: \\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log

Since it is not possible to specify alternate credentials for accessing remote files (as it is for eventlog, i.e. im_msvistalog module), nxlog has to be started using an account with special privileges on the DC's file system - 4 options:
 1. for nxlog service, use domain admin account (local admin role does not exist on DC)
     - nxlog.conf - use UNC path: `\\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log`
 2. for nxlog service, use local admin account on the agent's host + share C:\Windows\System32\dhcp\ on the DC, enabling read only permissions for nxlog account only
     - nxlog.conf - use share name: `\\<server name>\dhcp\DhcpSrvLog-*.log`
 3. install nxlog agent on the DC, run nxlog as a service, use local admin account
 4. smaller footprint ? -> install http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#nxlog_processor on the DC

None of these options are win-wins for customer production environment, as they require opening the restricted environment of the DC.

My question is: are there any nxlog configuration options, which would enable me to fetch the file remotely, similar to these for DC's Security event log?:

<Input dc1>
    Module      im_msvistalog
    RemoteServer  <ip>
    Remoteuser <user>
    RemotePassword <pwd>
    RemoteDomain  <domain>
    Query        <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
</Input>

```


djontra
KISS: beginner's problems with im_file and om_file

```

Hello nxlog world,

Shamed to say, I've spent entire yesterday trying to figure out how to read Windows DHCP log files and ship the events to ElasticSearch.

The problem was with using the direct path for the folder C:\Windows\System32\dhcp\. I managed to get nxlog to read by sharing the folders (read-only permissions) to the user account used for the nxlog service account logon.

As the events were not showing in ES, I'm stuck with trying to write the events into another file, in order to confirm that the source files are being read correctly.


OS: Win Srv 2008 R2 Ent

nxlog: v 2.9.1347

Here is the nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# debugging only:
LogLevel DEBUG
NoCache TRUE

  <Input msdhcp>
      Module      im_file
      File        '\\DC5\dhcp\DhcpSrvLog-*.log'
      SavePos     TRUE
      InputType   LineBased
      Exec if $raw_event =~ /^#/ drop();
      Exec $message = $raw_event;
  </Input>

  <Input dns>
      Module      im_file
      File        '\\DC5\dns\dns.log'
      SavePos     TRUE
      InputType   LineBased
      Exec if $raw_event =~ /^#/ drop();
      Exec $message = $raw_event;
  </Input>

  <Output file_test>
      Module      om_file
      File        'C:\Program Files (x86)\nxlog\data\test_file_output.txt'
#      Sync    TRUE
      OutputType   LineBased
  </Output>

<Route test>
     Path  msdhcp,dns => file_test
</Route>


As a result, only DNS events are written in the output file:

21.1.2016. 11:34:00 A6A8 PACKET  0000000003B27E90 UDP Snd 192.168.105.12  3f0d R Q [8085 A DR  NOERROR] A      (8)PLANKING(3)lab(5)rador(0)
21.1.2016. 11:34:00 A6A8 PACKET  0000000003EDA2C0 UDP Rcv 192.168.105.12  3c32   Q [0001   D   NOERROR] A      (8)PLANKING(3)lab(5)rador(0)
21.1.2016. 11:34:00 A6A8 PACKET  0000000003EDA2C0 UDP Snd 192.168.105.12  3c32 R Q [8085 A DR  NOERROR] A      (8)PLANKING(3)lab(5)rador(0)


..but only the new ones, i.e. as the source DNS log file is being appended.

I have tried modifying the SavePos parameter to FALSE on both input modules, but to no avail - same result.

Questions:

1. What would be the correct configuration of global NoCache and module specific SavePos parameters, in order to read and output the complete source file, regardless of prior attempts?

2. What is the reason DHCP logs (using wildcard) are not being read (or at least written in the output), as opposed to the same configuration for DNS logs?

I will provide the nxlog debug level log if needed. No visible errors there.

Any help greatly appreciated!

```


djontra
Replies: 1
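An added example, written by the editor and not taken from either post or from NXLog, for question 1 above and for the blank om_file output in the earlier "Send file to Graylog" post. Both configs leave im_file's ReadFromLast at its default, which is TRUE: a file with no saved position is read only from its current end, so existing content is never emitted and a file that is not being appended to yields nothing. The paths below are the djontra post's; the block names are assumed.

```apacheconf
# Added example; paths are from the post, block names are assumed.

<Input msdhcp>
    Module      im_file
    File        '\\DC5\dhcp\DhcpSrvLog-*.log'
    InputType   LineBased
    # im_file defaults ReadFromLast to TRUE, which starts at the end of any
    # file that has no saved position. FALSE reads the existing content.
    ReadFromLast FALSE
    # SavePos FALSE: no read offset is stored or restored, so every start
    # of nxlog re-reads the whole file. Use this only for the "is the file
    # being read at all?" test; in production set SavePos TRUE (the
    # default), otherwise each restart re-sends the entire file.
    SavePos     FALSE
    Exec        if $raw_event =~ /^#/ drop();
</Input>

<Output file_test>
    Module      om_file
    File        'C:\Program Files (x86)\nxlog\data\test_file_output.txt'
    OutputType  LineBased
</Output>

<Route test>
    Path        msdhcp => file_test
</Route>
```

The global NoCache TRUE in the post only keeps the position cache out of the data directory; it does not change where a first read begins, so on its own it does not make the complete file appear in the output. Once the read-back test passes, switch SavePos back to TRUE (and ReadFromLast to the value you want for the first start) so that the saved offset, not a re-read, decides what is forwarded after a restart.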
adm
Possible to read log file with new logs added to top of file?

```

I'm using NXLog to read log files and send them to Logstash. Normally this works fine, but I'm now trying to send logs from a file where the new events get added at the top of the file, not the bottom. Now it's not sending anything.

This is from my NXLog config.

<Input file>
    Module      im_file
    File        "C:\\TEMP\\export.txt"
    InputType   LineBased
    Exec        $Message = $raw_event;
    SavePos     TRUE
    ReadFromLast TRUE
    Exec        if $raw_event =~ /^#/ drop();
</Input>

Is it possible to read from bottom to top?

```


RVZ
Replies: 1
adm
"Input file does not exist"

```

I am using the following im_file configuration to try to collect Windows DHCP Server logs:

## Input module for Microsoft DHCP server audit logs
<Input dhcp>
    Module im_file
    File "C:\\Windows\\System32\\Dhcp\\DhcpSrvLog-*.log"
    SavePos TRUE
    PollInterval 180
    Exec to_syslog_bsd();
</Input>

I also tried this without escaping the backslashes and even with "/" characters instead. I also tried using a specific filename but nothing seems to work, since I get the "input file does not exist" error.

When I try the same config but with the location being at C:\Dhcp\DhcpSrvLog-*.log, everything works. nxlog service is being run as LocalSystem. Any hints on what I would need to do next to get the logs working from their native location?

```


tsigidibam
Replies: 2
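An added example from the editor, not from the post or from NXLog, that assumes the agent is a 32-bit NXLog build on 64-bit Windows. For a 32-bit process Windows transparently redirects C:\Windows\System32 to C:\Windows\SysWOW64 (WOW64 file system redirection), and SysWOW64 has no dhcp\ folder, which is why the same config works from C:\Dhcp but reports "input file does not exist" from the native location. The Sysnative alias, visible only to 32-bit processes, points at the real System32 and bypasses the redirection; the DhcpSrvLog config earlier on this page uses the same alias. The post's file name, SavePos and PollInterval are kept; the block names are assumed.

```apacheconf
# Added example; assumes a 32-bit nxlog.exe on 64-bit Windows. Block names
# are assumed, the rest follows the post.
define DHCPDIR C:\Windows\Sysnative\dhcp

<Extension _syslog>
    Module      xm_syslog
</Extension>

## Input module for Microsoft DHCP server audit logs
<Input dhcp>
    Module      im_file
    # Sysnative resolves to the real System32 for a 32-bit process, so the
    # dhcp\ folder is found. Single quotes keep the backslashes literal.
    File        '%DHCPDIR%\DhcpSrvLog-*.log'
    SavePos     TRUE
    PollInterval 180
    Exec        $Message = $raw_event; to_syslog_bsd();
</Input>
```

Check the build before changing the path: on a 64-bit NXLog build the Sysnative alias does not exist and the plain C:\Windows\System32\Dhcp path is the right one. Running as LocalSystem does not help with this case, because the redirection is applied per process bitness, not per account.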
b0ti