NXLOG version: NXLog CE 3.0.2272 OS version: Windows 2019 server Issue: file_name() returns "unknown" in im_file module Config: <Input in_AppABC> Module im_file <Exec> log_info('Filename is' + file_name()); </Exec> File "C:\logs\AppABC.log" </Input>

I am using NxLog to read and output logs from various source files (im_file module). I configured NxLog with "ReadFromLast" hint so it is capturing new logs since last "SavePos". Now I want to change this little bit, I want to read just the newest entry in my log files since "SavePos". How can I achieve this? Is there a hint / filter that can help?

I have a im_file to om_tcp route on the community edition. My applications starts generating logs at 5am and runs every 15 minutes. I have observed that it essentially skips the first X lines and syncs things only after the x lines starting 5:15 and works fine throughout the day. There is nothing in logs at 5am. I have tried routing it to another om_file on the same machine, it works ok. Can you please help me fix it? Here is the config: ######################################## # Global directives # ######################################## User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO ######################################## # Modules # ######################################## <Extension _syslog> Module xm_syslog </Extension> <Extension _fileop> Module xm_fileop </Extension> ######################################## # Input # ######################################## <Input in-my-important-app> Module im_file File "/var/log/tomcat/my-important-app-*.log" ReadFromLast True SavePos True Exec $Filename = "myApp/" +file_basename(file_name()); Exec $Hostname = hostname_fqdn(); </Input> ######################################## # Output # ######################################## # Output to destination <Output out-destination> Module om_tcp Host [destination host] Port [destination port] OutputType Binary </Output> ######################################## # Routes # ######################################## <Route to_destination> Path in-my-important-app => out-destination </Route>

Hello - new to nxlog. Trying to end nxlog process when EOF reached on input file. Any help appreciated. Thanks, Andrew

Hello I'm using "NXLog CE" for send a file by syslog. So far I got this: &lt;Input filezilla&gt; Module im_file File &quot;C:\\Program Files (x86)\\FileZilla Server\\Logs\\fzs-*.log&quot; SavePos TRUE Exec $Message = '%FileZilla: ' + $raw_event; &lt;/Input&gt; &lt;Output outfiles&gt; Module om_tcp Host 10.226.6.210 Port 514 Exec to_syslog_bsd(); &lt;/Output&gt; The file has lines like "(125419) 13/03/2018 12:32:59 - prtg (10.4.171.245)> QUIT" I want to get (on my syslog sever) "%FileZilla: (125419) 13/03/2018 12:32:59 - prtg (10.4.171.245)> QUIT" Instead, I got: "Mar 13 12:33:00 DSCRESJ %FileZilla: (125419) 13/03/2018 12:32:59 - prtg (10.4.171.245)> QUIT" I think the "Mar 13 12:33:00 DSCRESJ" part is the header from to_syslog_bsd(). Anyway, I wonder If there a way to remove that header. Regards.

Hi, It seems that nxlog does not send to the output all lines of a file which is monitored. Here is an example of what I want to send to my syslog server : 30,01/16/18,09:24:23,Requête de mise à jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,, 10,01/16/18,09:24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,, 32,01/16/18,09:24:23,Mise à jour DNS réussie,192.168.31.66,volant2.enterprise.local,,,0,6,,, 30,01/16/18,09:25:55,Requête de mise à jour DNS,192.168.31.68,volant3.enterprise.local,,,0,6,,, 10,01/16/18,09:25:55,Assigner,192.168.31.68,volant3.enterprise.local,5C514FDCA690,,2181532597,0,,, 32,01/16/18,09:25:55,Mise à jour DNS réussie,192.168.31.68,volant3.enterprise.local,,,0,6,,, And here is what I have received : 2018-01-16T09:24:23+01:00 DC 30,01/16/18,09: 24:23,Requ▒te de mise ▒ jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,, 2018-01-16T09:24:23+01:00 DC 10,01/16/18,09: 24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,, 2018-01-16T09:24:23+01:00 DC 32,01/16/18,09: 24:23,Mise ▒ jour DNS r▒ussie,192.168.31.66,volant2.enterprise.local,,,0,6,,, 2018-01-16T09:25:55+01:00 DC 32,01/16/18,09: 25:55,Mise ▒ jour DNS r▒ussie,192.168.31.68,volant3.enterprise.local,,,0,6,,, Here is my whole nxlog configuration define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog> Module xm_syslog </Extension> <Input in> Module im_msvistalog # For windows 2003 and earlier use the following: # Module im_mseventlog </Input> define DHCPDIR C:\Windows\Sysnative\dhcp <Input inDhcp> Module im_file File '%DHCPDIR%\DhcpSrvLog-*.log' SavePos TRUE ReadFromLast TRUE PollInterval 1 Exec $Message = $raw_event; $SyslogFacilityValue = 17; </Input> <Output outSyslogSrv> Module om_udp Host 192.168.2.12 Port 514 Exec to_syslog_bsd(); </Output> <Route 1> Path inDhcp => outSyslogSrv </Route> Did I miss something ? Thanks

I have a very basic setup. I was easily able to get the general syslog functionality working. I have been unable to get the file transport working. I've spent several days trying alternative configurations and Googling for help; all to no avail. I also tested with om_file - trying to just grab the file and output it locally - the outcome was just a blank file. Any help will be greatly appreciated. Here is my config: define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log LogLevel INFO <Extension gelf>     Module  xm_gelf </Extension> <Extension _syslog> module xm_syslog </extension> <Input 1>     Module    im_file     file    "C:\\MSSQL\\ERRORLOG" </Input> <Output 2>     Module om_tcp     Host 192.168.1.50     Port 5550     OutputType  GELF_TCP </Output> <Route 3>   Path 1 => 2 </Route>    

We are pushing logs from file with the im_file module to logstash and then to elasticsearch. However, some of these logs only have second accuracy, and therefore not returned in order by elasticsearch when sorted by just the time. To get around this problem, we would like to add the position of the log event to a field that we store (for example beginning line number or byte offset within the source file). Is there a way I can add a separate field for this in the events pushed by nxlog, either in the input or output configuration?

Scenario: I have NXLog EE installed on a host in Windows domain. I need to read DHCP logs from the DC(s), UNC path: \\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log Since it is not possible to specify alternate credentials for accessing remote files (as it is for eventlog, i.e. im_msvistalog module), nxlog has to be started using an account with special privileges on the DC's file system - 4 options:  1. for nxlog service, use domain admin account (local admin role does not exist on DC)      - nxlog.conf - use UNC path: `\\<server name>\C$\Windows\System32\dhcp\DhcpSrvLog-*.log`  2. for nxlog service, use local admin account on the agent's host + share C:\Windows\System32\dhcp\ on the DC, enabling read only permissions for nxlog account only      - nxlog.conf - use share name: `\\<server name>\dhcp\DhcpSrvLog-*.log`  3. install nxlog agent on the DC, run nxlog as a service, use local admin account  4. smaller footprint ? -> install http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#nxlog_processor on the DC None of these options are win-wins for customer production environment, as they require opening the restricted environment of the DC. My question is: are there any nxlog configuration options, which would enable me to fetch the file remotely, similar to these for DC's Security event log?: <Input dc1> Module im_msvistalog RemoteServer <ip> Remoteuser <user> RemotePassword <pwn> RemoteDomain <domain> Query <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList> </Input>

Hello nxlog world, Shamed to say, I've spent entire yesterday trying to figure out how to read Windows DHCP log files and ship the events to ElasticSearch. Problem was with using direct path for folder C:\Windows\System32\dhcp\. Managed to get nxlog to read by sharing the folders (read-only permissions) to the user account used for nxlog service account logon. As the events were not showing in ES, I'm stuck with trying to write the events into another file, in order to confirm that the source files are being read correctly.   OS: Win Srv 2008 R2 Ent nxlog: v 2.9.1347 Here is the nxlog.conf: define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log # debugging only: LogLevel DEBUG NoCache TRUE <Input msdhcp> Module im_file File '\\DC5\dhcp\DhcpSrvLog-*.log' SavePos TRUE InputType LineBased Exec if $raw_event =~ /^#/ drop(); Exec $message = $raw_event; </Input> <Input dns> Module im_file File '\\DC5\dns\dns.log' SavePos TRUE InputType LineBased Exec if $raw_event =~ /^#/ drop(); Exec $message = $raw_event; </Input> <Output file_test> Module om_file File 'C:\Program Files (x86)\nxlog\data\test_file_output.txt' # Sync TRUE OutputType LineBased </Output> <Route test> Path msdhcp,dns => file_test </Route> As a result, only DNS events are written in the output file: 21.1.2016. 11:34:00 A6A8 PACKET 0000000003B27E90 UDP Snd 192.168.105.12 3f0d R Q [8085 A DR NOERROR] A (8)PLANKING(3)lab(5)rador(0) 21.1.2016. 11:34:00 A6A8 PACKET 0000000003EDA2C0 UDP Rcv 192.168.105.12 3c32 Q [0001 D NOERROR] A (8)PLANKING(3)lab(5)rador(0) 21.1.2016. 11:34:00 A6A8 PACKET 0000000003EDA2C0 UDP Snd 192.168.105.12 3c32 R Q [8085 A DR NOERROR] A (8)PLANKING(3)lab(5)rador(0) ..but only the new ones, i.e. as the source DNS log file is being appended. I have tried modifying the SavePos parameter to FALSE of both input modules, but to no avail - same result.   Questions: 1. What would be the correct configuration of global NoCache and module specific SavePos parameters, in order to read and output the complete source file, regardless of prior attempts? 2. What is the reason DHCP logs (using wildcard) are not being read (or at least written in the output), as opposed to the same configuration for DNS logs?     I will provide nxlog debug level log if needed. No visible errors there.   Any help greatly appreciated!

I'm using NXLog to read log files and send to to Logstash. Normally this works fine, but I'm now trying to send logs from a file, where the new events gets added at the top of the file, not the bottom. Now it's not sending anything. This is from my NXLog config. <Input file> Module im_file File "C:\\TEMP\\export.txt" InputType LineBased Exec $Message = $raw_event; SavePos TRUE ReadFromLast TRUE Exec if $raw_event =~ /^#/ drop(); Is it possible to read from bottom to top?

I am using the following im_file configuration to try to collect Windows DHCP Server logs: ## Input module for Microsoft DHCP server audit logs <Input dhcp>     Module im_file     File "C:\\Windows\\System32\\Dhcp\\DhcpSrvLog-*.log"     SavePos TRUE     PollInterval 180     Exec to_syslog_bsd(); </Input> I also tried this without escaping the backslashes and even with "/" characters instead. I also tried using a specific filename but nothing seems to work, since I get the "input file does not exist" error. When I try the same config but with the location being at C:\Dhcp\DhcpSrvLog-*.log, everything works. nxlog service is being run as LocalSystem. Any hints on what I would need to do next to get the logs working from their native location?