Recent threads

Fields in curly braces not working
I used a configuration right out of the documentation. This error is logged at startup. I have to remove all fields referenced in curly braces ${}2023-03-31 13:45:13 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:60; couldn't parse statement at line 62, character 13 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '$' (0x24) Config:      # Convert integer type fields      if (${Framed-MTU})                    ${Framed-MTU} = integer(${Framed-MTU}); 

jmorrison
Replies: 0
View post »
jmorrison
Output udpfile rotate_to wrong filename
Hi,I am using NXLog with the Example 108. “File Rotation Based on Size” from the NXLog Community Edition Reference Manual.In rare cases i have the problem that rotate_to uses the wrong filename and overwrite some other logfile. In the example below “logid.log” to “Mod-002”.  See nxlog.logVersion:  nxlog-ce-3.1.2319nxlog.logZeile 3644025: 2023-03-14 10:28:02 INFO om_file successfully rotated file 'C:\Program Files\nxlog\data\10.87.243.24\logid.log' to 'C:\Program Files\nxlog\data\10.87.243.24\Mod-002.20230314102802.log'nxlog.conf## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start. define ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension exec> Module xm_exec </Extension> <Extension syslog> Module xm_syslog </Extension> <Extension fileop> Module xm_fileop </Extension> <Input udp> Module im_udp Host 10.87.243.20 Port 514 Exec parse_syslog(); Exec dir_make('%LOGDIR%' + $Hostname); </Input> <Output udpfile> Module om_file CreateDir TRUE File '%LOGDIR%' + $Hostname + '' + $SourceName + '.log' Exec if udpfile->file_size() > 5M { $newfile = '%LOGDIR%' + $Hostname + '' + $SourceName + '.' + strftime(now(), "%Y%m%d%H%M%S") + '.log'; udpfile->rotate_to($newfile); exec_async('%CONFDIR%\bzip2.exe', $newfile); } </Output> <Route udp> Path udp => udpfile </Route>Any ideas what's going wrong here?Thanks

hate
Replies: 5
View post »
hate
NXLog -> GrayLog for Windows
Hello,I am trying to send my custom application Windows logs to GrayLog.  I am using GELF TCP.    Our event text is getting cut off.   It looks like our custom events write all of the data to the section GrayLog calls “short message”    I did see the article that said there is a 64 character limit and we did change that with  Exec   $short_message = $raw_message;  in the output section.  This did increase the number of characters shown but there are still plenty more characters getting cut off.  We have NXlog writing to a local file right now so were able to verify that it is NXlog that is cutting off the data.  Is there a way to fix this?   Here is my conf file:Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension><Extension _charconv>   Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec>   Module      xm_exec</Extension><Extension _gelf>   Module      xm_gelf   ShortMessageLength 1024   UseNullDelimiter false</Extension><Extension _fileop>   Module      xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       Exec    if (file_exists('%LOGFILE%') and \                  (file_size('%LOGFILE%') >= 5M)) \                   file_cycle('%LOGFILE%', 8);   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);   </Schedule></Extension><Input in>   Module      im_msvistalog</Input><Output file>      Module om_file      File 'c:/temp/nxlog.txt'</Output><Output out>   Module      om_tcp   Host       xxxxxxxxxxxxxxxxx   Port        5555   OutPutType  GELF_TCP   Exec        $short_message = $raw_message;</Output><Route 1>  Path        in => file</Route>This is what the event data shows:  [The description for EventID 0 from source xxxxxxx cannot be found:  The parameter is incorrect,   ]   There are several more lines after this that are just not coming over.   I am very inexperienced with this software.  Thank you for your help.  

alarosa
Replies: 2
View post »
alarosa
Multiple Outputs
I have the following config forwarding all events to siemPanic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5define WINDNS_OUTPUT_DESTINATION_PORT 10518define CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datadefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _json>     Module      xm_json </Extension> <Input windows_security_eventlog>     Module  im_msvistalog     <QueryXML>         <QueryList>             <Query Id="0">                 <Select Path="Application">*</Select>                 <Select Path="System">*</Select>                 <Select Path="Security">*</Select>   <Select Path="ForwardedEvents">*</Select>             </Query>         </QueryList>     </QueryXML>     ReadFromLast  False     SavePos  False </Input><Output out_siem_windevents>     Module      om_udp     Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%     Port        %WINDNS_OUTPUT_DESTINATION_PORT%     Exec        $EventTime = integer($EventTime) / 1000;     Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;     Exec        to_json(); </Output> <Route r2>     Path    windows_security_eventlog => out_siem_windevents </Route> I need to push sysmon events to a seperate feed within Siem, would the below be an aceptable config to use?  Not sure if the route statements need route r3 or if they can all exist within route r2 define ROOT     C:\Program Files\nxlogdefine WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5define WINDNS_OUTPUT_DESTINATION_PORT 10518define CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datadefine WINDNS_OUTPUT_DESTINATION_ADDRESS2 1.1.1.5define WINDNS_OUTPUT_DESTINATION_PORT2 10519define LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _json>    Module      xm_json</Extension><Input windows_security_eventlog>    Module  im_msvistalog    <QueryXML>        <QueryList>            <Query Id="0">                <Select Path="Application">*</Select>                <Select Path="System">*</Select>                <Select Path="Security">*</Select>  <Select Path="ForwardedEvents">*</Select>            </Query>        </QueryList>    </QueryXML>    ReadFromLast  False    SavePos  False</Input><Output out_siem_windevents>    Module      om_udp    Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%    Port        %WINDNS_OUTPUT_DESTINATION_PORT%    Exec        $EventTime = integer($EventTime) / 1000;    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;    Exec        to_json();</Output><Output out_siem_windevents2>    Module      om_udp    Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS2%    Port        %WINDNS_OUTPUT_DESTINATION_PORT2%    Exec        $EventTime = integer($EventTime) / 1000;    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;    Exec        to_json();</Output><Route r2>    Path    windows_security_eventlog => out_siem_windevents Path    windows_security_eventlog => out_siem_windevents2</Route>

gavin.lacey@telegraph.co.uk
Replies: 2
View post »
gavin.lacey@telegraph.co.uk
WARNING not starting unused module dbi
nxlog-ce-3.1.2319 add custom conf to ` /etc/nxlog/nxlog.d`; systemctl restart nxlog;systemctl status nxlog;got message: how to enable the im_dbi module ?the config looks like:config file: `/etc/nxlog/nxlog.d/icslog.conf`: <Input dbi> Module im_dbi Driver mysql Option host 127.0.0.1 Option username root Option password pp Option dbname logs SQL SELECT * FROM ics_alarm_log </Input> <Output file> Module om_file File '/tmp/ics_alarm_log.csv' </Output>

yang server
Replies: 1
View post »
NenadM