Recent threads
Fields in curly braces not working
jmorrison
I used a configuration right out of the documentation. This error is logged at startup. I have to remove all fields referenced in curly braces ${}.

```
2023-03-31 13:45:13 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:60; couldn't parse statement at line 62, character 13 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '$' (0x24)
```

Config:

```
# Convert integer type fields
if (${Framed-MTU}) ${Framed-MTU} = integer(${Framed-MTU});
```
jmorrison
Output udpfile rotate_to wrong filename
hate
Hi,

I am using NXLog with Example 108, "File Rotation Based on Size", from the NXLog Community Edition Reference Manual. In rare cases I have the problem that rotate_to uses the wrong filename and overwrites some other logfile. In the example below "logid.log" to "Mod-002". See nxlog.log.

Version: nxlog-ce-3.1.2319

nxlog.log, line 3644025:

```
2023-03-14 10:28:02 INFO om_file successfully rotated file 'C:\Program Files\nxlog\data\10.87.243.24\logid.log' to 'C:\Program Files\nxlog\data\10.87.243.24\Mod-002.20230314102802.log'
```

nxlog.conf:

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR  %ROOT%\data

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension exec>
    Module  xm_exec
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension fileop>
    Module  xm_fileop
</Extension>

<Input udp>
    Module  im_udp
    Host    10.87.243.20
    Port    514
    Exec    parse_syslog();
    Exec    dir_make('%LOGDIR%\' + $Hostname);
</Input>

<Output udpfile>
    Module      om_file
    CreateDir   TRUE
    File        '%LOGDIR%\' + $Hostname + '\' + $SourceName + '.log'
    Exec        if udpfile->file_size() > 5M \
                { \
                    $newfile = '%LOGDIR%\' + $Hostname + '\' + $SourceName + '.' + strftime(now(), "%Y%m%d%H%M%S") + '.log'; \
                    udpfile->rotate_to($newfile); \
                    exec_async('%CONFDIR%\bzip2.exe', $newfile); \
                }
</Output>

<Route udp>
    Path    udp => udpfile
</Route>
```

Any ideas what's going wrong here?

Thanks
hate
NXLog -> GrayLog for Windows
alarosa
Hello,

I am trying to send my custom application Windows logs to GrayLog. I am using GELF TCP. Our event text is getting cut off. It looks like our custom events write all of the data to the section GrayLog calls "short message". I did see the article that said there is a 64 character limit and we did change that with `Exec $short_message = $raw_message;` in the output section. This did increase the number of characters shown but there are still plenty more characters getting cut off. We have NXLog writing to a local file right now so were able to verify that it is NXLog that is cutting off the data. Is there a way to fix this?

Here is my conf file:

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _gelf>
    Module  xm_gelf
    ShortMessageLength 1024
    UseNullDelimiter false
</Extension>

<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input in>
    Module  im_msvistalog
</Input>

<Output file>
    Module  om_file
    File    'c:/temp/nxlog.txt'
</Output>

<Output out>
    Module      om_tcp
    Host        xxxxxxxxxxxxxxxxx
    Port        5555
    OutputType  GELF_TCP
    Exec        $short_message = $raw_message;
</Output>

<Route 1>
    Path    in => file
</Route>
```

This is what the event data shows:

```
[The description for EventID 0 from source xxxxxxx cannot be found: The parameter is incorrect, ]
```

There are several more lines after this that are just not coming over. I am very inexperienced with this software. Thank you for your help.
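In the configuration above, `Route 1` sends `in` only to `file`; the `out` output is not referenced by any route, so this config as posted never sends anything to Graylog. The fragment below is an added example, not the poster's config, showing one route that feeds both outputs so the local file and the GELF stream carry the same events and can be compared; the Graylog host is a placeholder as in the post, and the delimiter comment assumes the Graylog side is a GELF TCP input with its default null frame delimiter.

```nxlog
# Added example: feed the same events to the local file and to Graylog.
<Extension _gelf>
    Module              xm_gelf
    ShortMessageLength  1024
    # Graylog's GELF TCP input expects NUL-delimited frames by default;
    # keep this in sync with the "Null frame delimiter" setting of that input.
    UseNullDelimiter    TRUE
</Extension>

<Output file>
    Module      om_file
    File        'c:/temp/nxlog.txt'
</Output>

<Output out>
    Module      om_tcp
    Host        xxxxxxxxxxxxxxxxx   # Graylog host, placeholder
    Port        5555
    OutputType  GELF_TCP
</Output>

<Route 1>
    # One route, two destinations: both outputs receive every event from "in".
    Path    in => file, out
</Route>
```

Comparing a given event in `c:/temp/nxlog.txt` with the frame received by the Graylog input shows whether any truncation happens before or after NXLog.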
alarosa
Multiple Outputs
gavin.lacey@telegraph.co.uk
I have the following config forwarding all events to SIEM:

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT    10518
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module  xm_json
</Extension>

<Input windows_security_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast False
    SavePos      False
</Input>

<Output out_siem_windevents>
    Module  om_udp
    Host    %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port    %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec    $EventTime = integer($EventTime) / 1000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec    to_json();
</Output>

<Route r2>
    Path    windows_security_eventlog => out_siem_windevents
</Route>
```

I need to push sysmon events to a separate feed within SIEM; would the below be an acceptable config to use? Not sure if the route statements need route r3 or if they can all exist within route r2.

```
define ROOT     C:\Program Files\nxlog
define WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT    10518
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
define WINDNS_OUTPUT_DESTINATION_ADDRESS2 1.1.1.5
define WINDNS_OUTPUT_DESTINATION_PORT2    10519
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module  xm_json
</Extension>

<Input windows_security_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast False
    SavePos      False
</Input>

<Output out_siem_windevents>
    Module  om_udp
    Host    %WINDNS_OUTPUT_DESTINATION_ADDRESS%
    Port    %WINDNS_OUTPUT_DESTINATION_PORT%
    Exec    $EventTime = integer($EventTime) / 1000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec    to_json();
</Output>

<Output out_siem_windevents2>
    Module  om_udp
    Host    %WINDNS_OUTPUT_DESTINATION_ADDRESS2%
    Port    %WINDNS_OUTPUT_DESTINATION_PORT2%
    Exec    $EventTime = integer($EventTime) / 1000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec    to_json();
</Output>

<Route r2>
    Path    windows_security_eventlog => out_siem_windevents
    Path    windows_security_eventlog => out_siem_windevents2
</Route>
```
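In the second config above, both outputs are fed by the same `windows_security_eventlog` input, whose query selects the Application, System, Security and ForwardedEvents channels only, so the second feed would be a duplicate of the first rather than a Sysmon feed. The fragment below is an added example, not the poster's config: a dedicated input reading the Sysmon operational channel, with one Path per Route so each feed has its own route. The input name `sysmon_eventlog` and route name `r3` are assumptions; the output blocks are the ones already defined in the post.

```nxlog
# Added example: separate Sysmon input and a route per SIEM feed.
<Input sysmon_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <!-- Sysmon writes to its own channel; it is not part of
                     Application/System/Security/ForwardedEvents. -->
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast False
    SavePos      False
</Input>

# Feed 1: standard Windows event channels, unchanged from the post.
<Route r2>
    Path    windows_security_eventlog => out_siem_windevents
</Route>

# Feed 2: Sysmon only, to the second UDP destination (port 10519).
<Route r3>
    Path    sysmon_eventlog => out_siem_windevents2
</Route>
```

Since both feeds go to the same address over om_udp, the SIEM side distinguishes them only by destination port, so the two listeners must stay on different ports.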
gavin.lacey@telegraph.co.uk
WARNING not starting unused module dbi
yang server
nxlog-ce-3.1.2319. Add custom conf to `/etc/nxlog/nxlog.d`; `systemctl restart nxlog; systemctl status nxlog`; got message. How to enable the im_dbi module? The config looks like this.

Config file `/etc/nxlog/nxlog.d/icslog.conf`:

```
<Input dbi>
    Module  im_dbi
    Driver  mysql
    Option  host 127.0.0.1
    Option  username root
    Option  password pp
    Option  dbname logs
    SQL     SELECT * FROM ics_alarm_log
</Input>

<Output file>
    Module  om_file
    File    '/tmp/ics_alarm_log.csv'
</Output>
```
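NXLog logs "not starting unused module" for any module that no Route references, and the file above defines the `dbi` input and the `file` output without a Route connecting them. The block below is an added example, not the poster's config, showing the Route that makes both modules active; the route name `dbi_to_file` is an assumption.

```nxlog
# Added example: without a Route, both "dbi" and "file" are unused and
# NXLog reports "not starting unused module dbi" at startup.
<Route dbi_to_file>
    Path    dbi => file
</Route>
```

Place it in the same `nxlog.d` file as the Input and Output it references, then restart and check `systemctl status nxlog` again for the warning.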
yang server