Recent threads

"module file not found" when using file->file_size() or other file functions in Exec

I am trying to use the example in https://docs.nxlog.co/ce/current/index.html#om_file for file rotation on Windows (nxlog-ce-3.1.2319).

I receive the following error

ERROR Couldn't parse Exec block at xxx.conf:104; couldn't parse statement at line 107, character 29 in xxx.conf; module file not found
ERROR module 'testfile' has configuration errors

using this configuration. The output works fine if I don't use the functions, so I assume om_file must be loading (by default?).

<Output testfile>
    Module  om_file
    File    "E:/nxlog_output/active/nxlog-out.txt"
    <Exec>
        # Format output
        to_json();

        # Rotate file based on size, move to staging folder
        if (file->file_size() > 10M)
        {
            $stagingFolder = 'E:/nxlog_output/staged/';
            $newfile = $stagingFolder + 'data_' + strftime(now(), '%Y%m%d%H%M%S') + '.log';
            file->rotate_to($newfile);
        }
    </Exec>
</Output>

hukel
Community forum
Replies: 6
gahorvath
How to collect RADIUS Accounting messages over UDP?
Is there a combination of inputs and extensions that can be used to collect RADIUS accounting messages via UDP listener?

We use Microsoft NPS today, but could benefit from the forking and advanced parsing of NXLog. We send RADIUS accounting messages from multiple network devices and the differences in data layout are a bit too much for NPS.

hukel
Community forum
Replies: 5
gahorvath
Help using this forum - searching and following Google results

Apologies if I'm being dense, but I need some help with navigation of this site.

hukel
Community forum
Replies: 1
gahorvath
file_name doesn't work. nxlog-ce-3.1.2319.msi

Hi,

I have installed nxlog service (nxlog-ce-3.1.2319.msi) on windows core 2019 machine. I have a config:

define EVENT_REGEX /^.*(<EventData>.+<\/EventData>)$/

<Extension xml>
    Module  xm_xml
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input k8s_containers>
    Module  im_file
    File    "c:\var\log\containers\*.log"
    <Exec>
        if $raw_event =~ %EVENT_REGEX%
        {
            parse_xml($1);
        }
        else
        {
            drop();
        }

        $log_type = "k8s_container";
        $hostname = hostname();
        $host_ip  = host_ip();
        $log_file = file_name();

        if $log_file =~ /(.+)_(.+)_(.+)-(.+).log$/
        {
            $k8s_pod = $1;
            $k8s_namespace = $2;
            $k8s_container = $3;
            $k8s_container_id = $4;
        }

        to_json();

    </Exec>
</Input>

<Output file>
    Module  om_file
    File    "c:\\k\\nxlog.log"
</Output>

<Route containerlog>
    Path k8s_containers => file
</Route>

Everything works fine, but the log line has "log_file": "unknown". And because of that I didn't get the $k8s_* fields.

How should I debug/resolve this issue?

ARTEM A
Community forum
Replies: 5
laszlofoldesi
NX LOG Newbie Question

Good Afternoon.

I currently run an NX log solution that was set up by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server and that server uploads the logs to the IDS. That being said, I have set up a gray log server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should one of them become compromised (via malware, ransomware, etc.). I realize that there is already a config file for nx log that sends the event viewer logs, so I am assuming that I would have to use that same file to have nx send dns logs to a different location (if that is even possible). So my questions are: Is it possible to do that? If so, is it the collection service that has to be stopped in order to edit the config file?

I would send these logs to the same online IDS service, but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting.

Any input will be greatly appreciated.

jrpayne
Community forum
Replies: 1
jeffron
NXLog-CE Question

Hello,

This is not an installation question.

Using wget, as I have done for the past 6 years, I would grab an NXLog-CE installation and install it on my Linux core servers. Yesterday, 11/22/2022, I was unable to do this. I also noticed the web site has changed for downloading community versions and now I need to make an account. I'm assuming at this point the steps needed to install NXLog on any core servers are: make an account on the NXLog site, download the package needed, transfer the NXLog package to a closed environment that we have, upload the NXLog package to an internal repo and distribute it as needed?

I'm also assuming this is a security procedure taken by NXLog? If anyone could enlighten me on the new changes, that would be great.

Thanks

-Greg

greg.smith
Community forum
Replies: 0
greg.smith