missing module


#1 bianmingkai (Last updated )

Hi All, 

I am trying to test and evaluate NXLog for collecting the DNS analytical log (ETL) and forwarding it directly to Splunk. I am currently using the Community Edition of NXLog and get the error below:

 

2024-03-14 10:35:31 ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_etw.dll, The specified module could not be found.  ; The specified module could not be found.
2024-03-14 10:35:31 ERROR invalid keyword: HTTPHeader at C:\Program Files\nxlog\conf\nxlog.conf:90
2024-03-14 10:35:31 ERROR module 'out_to_splunk' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:94
2024-03-14 10:35:31 ERROR route 1 is not functional without output modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:94
2024-03-14 10:35:31 WARNING no routes defined!

Could someone please help point out the error/misconfiguration in the nxlog.conf below? Thanks.

 

 

nxlog.conf

# Global directives as shipped by the Windows installer: %ROOT% is the install
# directory and all runtime data (log, cache, pid, spool) lives under %ROOT%\data.
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

# Drop-in fragments from conf\nxlog.d are pulled in before the agent log file is defined.
include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

# Modules are loaded from %ROOT%\modules (see the im_etw.dll load error in the startup log above).
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

# Syslog parsing/formatting functions; not used by the route defined in this file.
<Extension _syslog>
   Module      xm_syslog
</Extension>

# Character-set conversion, auto-detecting among the listed encodings; not used by the route below.
<Extension _charconv>
   Module      xm_charconv
   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# External command execution from Exec blocks; nothing in this file calls it.
<Extension _exec>
   Module      xm_exec
</Extension>

# File operations, used here only to rotate NXLog's own log file (%LOGFILE%).
<Extension _fileop>
   Module      xm_fileop

   # Check the size of our log file hourly, rotate if larger than 5MB
   # (file_cycle keeps 8 rotated copies).
   <Schedule>
       Every   1 hour
       Exec    if (file_exists('%LOGFILE%') and \
                  (file_size('%LOGFILE%') >= 5M)) \
                   file_cycle('%LOGFILE%', 8);
   </Schedule>

   # Rotate our log file every week on Sunday at midnight
   <Schedule>
       When    @weekly
       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
   </Schedule>
</Extension>

# Snare compatible example configuration
# Collecting event log
# <Input in>
#     Module      im_msvistalog
# </Input>

# Converting events to Snare format and sending them out over TCP syslog
# <Output out>
#     Module      om_tcp
#     Host        192.168.1.1
#     Port        514
#     Exec        to_syslog_snare();
# </Output>

# Connect input 'in' to output 'out'
# <Route 1>
#     Path        in => out
# </Route>

# ETW input subscribed to the DNS Server provider.
# NOTE(review): the startup log on this page reports im_etw.dll missing from
# %ROOT%\modules\input. As far as I know im_etw ships with the Enterprise Edition
# and not with the Community Edition in use here — confirm against the installed
# module list before relying on it.
# This input is also not referenced by any <Route>, so nothing consumes it.
<Input in_dns>
   Module      im_etw
   Provider    Microsoft-Windows-DNSServer
</Input>


# Windows Event Log input selecting every event from the DNS Server Analytical channel.
# NOTE(review): Analytical channels are off by default and must be enabled in Event
# Viewer before any event is written; whether im_msvistalog can subscribe to an
# Analytical channel at all should be confirmed in the im_msvistalog reference for
# the installed version.
<Input dns_analytical_log>
   Module      im_msvistalog
   Query       <QueryList>\
                   <Query Id="0">\
                       <Select Path="Microsoft-Windows-DNS-Server/Analytical">*</Select>\
                   </Query>\
               </QueryList>
</Input>

 

# Posts each event as JSON to the Splunk HTTP Event Collector (HEC).
# NOTE(review): the startup log on this page rejects `HTTPHeader` as an invalid
# keyword; that is why this module gets "configuration errors", is dropped, and
# route 1 is left with no output. Check the om_http reference for the installed
# version for the supported way to add a request header, or whether custom headers
# are available in this edition at all.
# NOTE(review): Splunk HEC expects the header value in the form "Splunk <token>",
# not the bare token as written below.
# NOTE(review): the URL is plain http://, so the HEC token crosses the network in
# clear text. Prefer https:// with certificate verification, keep this file readable
# only by the service account, and treat the token as a credential — it has been
# shared in this post, so it should be rotated.
<Output out_to_splunk>
   Module      om_http
   URL         http://192.168.1.85:8088/services/collector
   ContentType application/json
   Exec        to_json();
   HTTPHeader  Authorization: 6aad1862-c232-4613-a248-bc58f0885ea8
</Output>

# Only dns_analytical_log feeds out_to_splunk; in_dns is defined above but not routed.
# NOTE(review): while out_to_splunk fails to load, this route has no output module and
# is ignored ("route 1 is not functional without output modules" in the log above).
<Route 1>
   Path        dns_analytical_log => out_to_splunk
</Route>