NXLOG - Integer line throws an error
define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_security_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast True SavePos True </Input> <Output out_chronicle_windevents> Module om_tcp Host 172.16.94.69 Port 41001 Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_security_eventlog => out_chronicle_windevents </Route>
2023-10-05 10:53:15 INFO nxlog-ce-3.2.2329 started 2023-10-05 10:53:15 INFO connecting to 172.16.94.69:41001 2023-10-05 10:53:15 ERROR assignment failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; binary operation failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; function 'integer' failed at line 30, character 48 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'integer' type argument is invalid
I suspect that it's one of two possibilities:
1) a kind of race condition during nxlog startup, when the event has already arrived, but time field is not filled yet.
2) some Windows Log system specifics, when first event comes empty.
You can easily distinct them by using log_info() function before time division.