Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

How to forward PowerShell_transcript files to SIEM as syslog?

Hello there,

We are currently receiving PowerShell transcript logs on one of our Windows WEF collectors. Each log is generated as a .txt file with the naming convention PowerShell_transcript.$deviceName.$RandomNumber.txt.

For example, this is how the folder looks:

G:/PowerShell_logs/
    PowerShell_transcript.device1.qww.txt
    PowerShell_transcript.device2.fgd.txt
    PowerShell_transcript.device3.hjj.txt

The issue I am having is that the content of each .txt file arrives at the SIEM one line at a time instead of all the lines arriving in the same event. This is the content of one of the PowerShell transcript files:

Windows PowerShell transcript start
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\temp\reset-password_1.2.ps1'
Process ID: 19236
PSVersion: 5.1.18362.1714
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.18362.1714
BuildVersion: 10.0.18362.1714
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3

Windows PowerShell transcript end
End time: 20210920120413

This is the "nxlog.conf" I am using:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    File    "G:\PowerShell_logs\PowerShell_transcript*.txt"
</Input>

<Output out1>
    Module  om_tcp
    Host    SIEM-FDQN-domain.com
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route 1>
    Path    in => out1
</Route>

#------------------------------- END nxlog.conf -------------------------------

The question is: how do I configure nxlog.conf so that the entire content of each PowerShell_transcript.device1.qww.txt is sent to the SIEM as one event and not as multiple ones?


Antonio.Gonzalez2021 created
Replies: 2
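One way to collect each transcript as a single event, as an added example that is not part of the original post and not an NXLog-supplied recipe: xm_multiline joins the lines between a header pattern and an end pattern into one record, and the line breaks are then flattened in the output, because a BSD-syslog message over TCP is itself newline-delimited and a multi-line $Message would simply be split again on the receiving side. The header and end regexes assume the stock transcript layout (a "Windows PowerShell transcript start" line, an "End time:" line with a 14-digit timestamp, and the rows of asterisks that real transcripts put around each block, which the post's paste omits); the SIEM hostname is the poster's placeholder.

```nxlog
<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension transcript>
    Module      xm_multiline
    # A record starts at the transcript header...
    HeaderLine  /^Windows PowerShell transcript start/
    # ...and is complete (flushed) only when the "End time:" line is read,
    # so a transcript of a still-running session is not forwarded half-written.
    EndLine     /^End time: \d{14}/
</Extension>

<Input in>
    Module          im_file
    File            'G:\PowerShell_logs\PowerShell_transcript*.txt'
    # Use the multiline reader defined above instead of the default line reader.
    InputType       transcript
    # Transcripts are appended to while the session runs; release finished
    # files so they can be archived or deleted without an open handle.
    CloseWhenIdle   TRUE
    # The separator rows ("**********************") that sit between blocks
    # become records of their own; drop anything that is only asterisks/space.
    Exec            if $raw_event =~ /^[\*\s]*$/ drop();
</Input>

<Output out1>
    Module  om_tcp
    Host    SIEM-FDQN-domain.com
    Port    514
    <Exec>
        # One syslog record per transcript. Replace CR/LF so the receiver's
        # line-based syslog parser sees exactly one line per transcript.
        $Message = replace($raw_event, "\r\n", " | ");
        $Message = replace($Message, "\n", " | ");
        to_syslog_bsd();
    </Exec>
</Output>

<Route transcripts>
    Path    in => out1
</Route>
```

Two things to check after switching: a transcript whose session never ends stays buffered until its "End time:" line arrives, which is the intended behaviour but looks like a missing event in the meantime; and a long session produces one very large syslog message, so confirm the SIEM's maximum message size (the classic BSD limit is 1024 bytes, most modern receivers accept far more) before relying on this for forensics.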
Google Chronicle (om_chronicle) with amazon Linux2

I have installed the Amazon Linux 2 agent on an EC2 instance. After that we realized that om_chronicle is not available in the /opt/nxlog/modules/output/ directory. We copied om_chronicle from the Red Hat package and placed it into that directory. When restarting the service, it gives the error below.

Error [Core|main] Failed to load module from /opt/nxlog/modules/output/om_chronicle.so, libssl.so.1.1: cannot open shared object file. No such file or directory; DSO load/failed


billychua created
Replies: 1
find file and execute gzip command

Hi,

I am using the CE edition and am looking for a setup that will find certain files and zip them using gzip. The command below runs successfully on the CLI:

find /home/syslog_admin/*.log -daystart -mtime +0 -print -exec gzip -f {} \;

How do I execute the above using nxlog.conf?

I tried

exec_async("/usr/bin/gzip", "/home/syslog_admin/*.log" -daystart -mtime +0 -print -exec "/usr/bin/gzip -f {} \;

but it is not working.

I also tried the below, but no luck:

exec_async("/usr/bin/find", "/home/syslog_admin/*.log", "-daystart", "-mtime", "+0", "-print", "-exec", "/usr/bin/gzip", "-f", "{}", "\;");

Sajeshvv23 created
Replies: 0
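An added example, not the poster's configuration and not from the NXLog manual, of running that find/gzip job from a schedule inside nxlog.conf. Two things differ from the shell version: exec_async() starts the program directly with no shell in between, so nothing expands `*.log` and the glob has to become a `-name` pattern that find matches itself, and the `\;` the shell needs to protect the terminator is passed to find as a plain `;`. The directory is the poster's; the daily 01:00 run time is an assumption.

```nxlog
<Extension _exec>
    Module  xm_exec

    # Compress completed log files once a day at 01:00.
    # Every argument is its own string: no shell, so no globbing, no quoting
    # and no "\;" escaping. -maxdepth 1 stays in that directory, -type f
    # skips symlinks, and -daystart -mtime +0 selects files last modified
    # before today's midnight.
    <Schedule>
        When    0 1 * * *
        Exec    exec_async("/usr/bin/find", "/home/syslog_admin", \
                           "-maxdepth", "1", \
                           "-type", "f", \
                           "-name", "*.log", \
                           "-daystart", "-mtime", "+0", \
                           "-exec", "/usr/bin/gzip", "-f", "{}", ";");
    </Schedule>
</Extension>
```

If nxlog itself writes those files with om_file, rotate them first (rotate_to(), or file_cycle() from xm_fileop) and only compress the rotated copies: gzip -f on a file the agent still has open replaces it underneath the running writer. To check what the job will touch before scheduling it, run the same find from a shell with the `-exec ... ;` part replaced by `-print`.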
Regression with symlinks in Linux

I originally asked about symlinks in a thread https://nxlog.co/community-forum/t/1518-wildcard-paths-not-working-with-symlinks, but was told that symlinks just didn't work. Pity. But I had a working config which worked around the issue. I'll reproduce the file structure here:

/opt/tomcat-onesite/bin
  |                /logs
  |                /etc....
  |-/tomcat-anothersite/bin
  |                    /logs
  |                    /etc....
  |-/tomcat-somewhereelse/bin
  |                      /logs
  |                      /etc....
  |-/tomcat-etc...
  |-/tomcat-logs/onesite -> /opt/tomcat-onesite/logs
                /anothersite -> /opt/tomcat-anothersite/logs
                /somewhereelse -> /opt/tomcat-somewhereelse/logs
                /etc ....

Now, with nxlog-ce-2.9.x or 2.10.x, I could define a path of /opt/tomcat-logs/* and nxlog would start. It wouldn't read any symlinks under it, but it would start. With any of the 3.x series, nxlog won't even start if there is a symlink directly in /opt/tomcat-logs. I can sort of get by with /opt/tomcat-logs/*/* in that particular case, but it doesn't help with another part of the setup where there are valid files in the equivalent of /opt/tomcat-logs at the same time. How or where can I report bugs or regressions?


Deleted user created
Replies: 2
When collecting windows exchange tracking log, I encountered a strange problem

Hi, I have a very strange question to ask. When collecting the Windows Exchange tracking log, I encountered a strange problem. If you delete files older than 7 days in the tracking log folder, nxlog generates an error, and at the same time the Exchange system is also affected and cannot operate.

======================================================================

error log

2023-02-15 10:39:04 INFO nxlog-ce-3.1.2319 started
2023-02-15 10:44:31 ERROR apr_stat() failed on file E:\Log\IIS\W3SVC2\u_ex230207.log; Access is denied.
2023-02-15 10:44:31 WARNING input file was deleted: E:\Log\IIS\W3SVC1\u_ex230207.log
2023-02-15 10:44:33 WARNING input file was deleted: E:\Log\IIS\W3SVC2\u_ex230207.log
2023-02-15 11:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-4.LOG; Access is denied.
2023-02-15 11:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-4.LOG
2023-02-15 11:32:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-5.LOG; Access is denied.
2023-02-15 11:32:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-5.LOG
2023-02-15 12:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-6.LOG; Access is denied.
2023-02-15 12:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-6.LOG
2023-02-15 13:43:11 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-7.LOG; Access is denied.
2023-02-15 13:43:13 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-7.LOG
2023-02-15 14:00:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-8.LOG; Access is denied.
2023-02-15 14:00:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-8.LOG
2023-02-15 14:32:56 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-9.LOG; Access is denied.
2023-02-15 14:32:58 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-9.LOG
2023-02-15 15:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-10.LOG
2023-02-15 15:31:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-11.LOG
2023-02-15 16:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-12.LOG
2023-02-15 16:33:08 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-1.LOG
2023-02-15 17:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-2.LOG
2023-02-15 17:12:10 WARNING stopping nxlog service
2023-02-15 17:12:10 WARNING nxlog-ce received a termination request signal, exiting...

============================================================================

nxlog config

## Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start.
define NCloud   172.21.30.1
define MailLog  E:\Log\MessageTracking
define IISLog   E:\Log\IIS
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

## Load the modules needed by the outputs
<Extension syslog>
    Module  xm_syslog
</Extension>

## For Exchange Message Tracking log file use the following:
<Input in_maillog>
    Module        im_file
    File          '%MailLog%\MSGTRK*.LOG'
    ReadFromLast  TRUE
    SavePos       TRUE
</Input>

<Output out_maillog>
    Module  om_udp
    Host    %NCloud%
    Port    514
    Exec    $SyslogFacilityValue = 2;
    Exec    $SourceName = 'Exchange';
    Exec    to_syslog_bsd();
</Output>

<Route maillog>
    Path    in_maillog => out_maillog
</Route>

## For Windows Event log use the following:
<Input in_eventlog>
    Module        im_msvistalog
    ReadFromLast  TRUE
    SavePos       TRUE
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4626 or EventID=4627 or EventID=4634 or EventID=4646 or EventID=4647 or EventID=4648 or EventID=4649 or EventID=4672 or EventID=4675)]]</Select> \
                    <Select Path="Security">*[System[(EventID=4778 or EventID=4779 or EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=4964 or EventID=4976 or EventID=5378 or EventID=5632 or EventID=5633)]]</Select> \
                    <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770 or EventID=4771 or EventID=4772 or EventID=4773 or EventID=4774 or EventID=4775 or EventID=4776 or EventID=4777 or EventID=4820)]]</Select> \
                    <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4727 or EventID=4731 or EventID=4732 or EventID=4733 or EventID=4734)]]</Select> \
                    <Select Path="Security">*[System[(EventID=4735 or EventID=4738 or EventID=4739 or EventID=4740 or EventID=4749 or EventID=4750 or EventID=4751 or EventID=4752 or EventID=4753 or EventID=4764 or EventID=4765)]]</Select> \
                    <Select Path="Security">*[System[(EventID=4766 or EventID=4767 or EventID=4780 or EventID=4781 or EventID=4782 or EventID=4793 or EventID=4794 or EventID=4797 or EventID=4798 or EventID=4799 or EventID=5376 or EventID=5377)]]</Select> \
                    <Select Path="Security">*[System[(EventID=4608 or EventID=4610 or EventID=4611 or EventID=4612 or EventID=4614 or EventID=4615 or EventID=4616 or EventID=4618 or EventID=4621 or EventID=4622 or EventID=4697)]]</Select> \
                    <Select Path="Security">*[System[(EventID=5024 or EventID=5025 or EventID=5027 or EventID=5028 or EventID=5029 or EventID=5030 or EventID=5032 or EventID=5033 or EventID=5034 or EventID=5035 or EventID=5037)]]</Select> \
                    <Select Path="Security">*[System[(EventID=5038 or EventID=5056 or EventID=5058 or EventID=5059 or EventID=5061 or EventID=5890 or EventID=6281 or EventID=6400 or EventID=6401 or EventID=6402 or EventID=6403)]]</Select> \
                    <Select Path="Security">*[System[(EventID=6404 or EventID=6405 or EventID=6406 or EventID=6407 or EventID=6408 or EventID=6409 or EventID=6410)]]</Select> \
                </Query> \
            </QueryList>
</Input>

<Output out_eventlog>
    Module  om_udp
    Host    %NCloud%
    Port    514
    Exec    $SyslogFacilityValue = 17;
    Exec    $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message;
    Exec    if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
            else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
            else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
    Exec    to_syslog_bsd();
</Output>

<Route eventlog>
    Path    in_eventlog => out_eventlog
</Route>

## For Microsoft IIS (Internet Information Server) log file use the following:
<Input in_iislog>
    Module        im_file
    File          '%IISLog%\u_ex*.log'
    ReadFromLast  TRUE
    Recursive     TRUE
    SavePos       TRUE
</Input>

<Output out_iislog>
    Module  om_udp
    Host    %NCloud%
    Port    514
    Exec    $SyslogFacilityValue = 22;
    Exec    $raw_event = "IIS [info]: " + $raw_event;
    Exec    to_syslog_bsd();
</Output>

<Route iislog>
    Path    in_iislog => out_iislog
</Route>

======================================================================

How can I deal with this problem?


Chung Wang created
Replies: 1
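An added example, not the poster's configuration and not an NXLog-provided fix. It assumes the "Access is denied" from apr_stat() is Windows' delete-pending state: a file that something deletes while another process (here the agent, reading it with im_file) still holds a handle stays on disk and answers every stat with access denied until that handle is closed, which is what a 7-day cleanup of the folder trips over. CloseWhenIdle makes im_file release a file as soon as it has read to the end of it, so files Exchange has already rotated away from are not held open for hours. The paths and the NCloud define are the poster's; the poll interval is an assumption.

```nxlog
## Exchange message tracking: release the file handle as soon as a file has
## been read to its end, so retention jobs can delete old files cleanly.
<Input in_maillog>
    Module          im_file
    File            '%MailLog%\MSGTRK*.LOG'
    ReadFromLast    TRUE
    SavePos         TRUE
    # Close each file when no more data is available; it is reopened at the
    # saved position if it grows again. Only the file currently being written
    # to by Exchange is then held open, and only while it has unread data.
    CloseWhenIdle   TRUE
    # Look for new data and new files every 5 seconds (assumed value).
    PollInterval    5
</Input>

## Same treatment for the IIS logs, which are rotated the same way.
<Input in_iislog>
    Module          im_file
    File            '%IISLog%\u_ex*.log'
    ReadFromLast    TRUE
    Recursive       TRUE
    SavePos         TRUE
    CloseWhenIdle   TRUE
    PollInterval    5
</Input>
```

To confirm the diagnosis before changing anything, list the handles held by the nxlog process (Sysinternals handle.exe, or Resource Monitor's CPU tab, Associated Handles) while the cleanup is running; an old MSGTRK file still listed there is the one the delete is failing on. The "input file was deleted" warnings that remain after the change are informational: they are the agent noticing that a file it knew about is gone.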
NXLOG for Parrot OS

Hi. Will there be an NXLog EE for Parrot OS? If so, is there an expected date?

Regards

Roland


Roland9494 (deactivated, Nxlog ✓) created
Replies: 1
forwarding IIS logs

Hi all, I'm using the CE edition and sending logs to Taegis XDR. I've followed the instructions on this page: Microsoft IIS (secureworks.com)

Configured IIS per these instructions: https://docs.ctpx.secureworks.com/integration/connectEndpoint/microsoft_iis_connect/#configuring-microsoft-iis-logging 

Configured nxlog.conf per these instructions:  https://docs.ctpx.secureworks.com/integration/connectEndpoint/microsoft_iis_connect/#configuring-nxlog 

Logs are still not showing up, and I think I have this section of the nxlog.conf IIS config misconfigured with the IP of my Taegis XDR collector. I've got the IP of my host entered on the Host line and the port entered on the Port line. Am I supposed to comment out any of the 'Module' lines? Do I have it misconfigured below? Any help is appreciated; thank you in advance.

<Output W3SVCOUT>
    Module          om_udp
    Module          om_tcp
    ### Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
    Module          om_ssl
    Host            x.x.x.x
    Port            601
    CAFile          %CERTDIR%\CA.cer
    CertFile        %CERTDIR%\winhost.cer
    CertKeyFile     %CERTDIR%\winhost.key
    AllowUntrusted  FALSE
</Output>


bthx1138 created
Replies: 5
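An added example, not the poster's file and not the Secureworks template: an Output block takes exactly one Module directive, so the three Module lines above have to be reduced to the transport the collector actually listens on. The block below keeps om_ssl (TLS on port 601, as in the poster's block) and shows the plain-TCP form as a commented alternative for a first connectivity test. x.x.x.x and the certificate file names are the poster's placeholders.

```nxlog
## Exactly one Module per block. Pick the transport the collector expects;
## the alternatives stay commented out rather than sitting as extra Module lines.
<Output W3SVCOUT>
    Module          om_ssl
    Host            x.x.x.x
    Port            601
    # CA that signed the collector's server certificate, plus this host's
    # own certificate and key if the collector requires client certificates.
    CAFile          %CERTDIR%\CA.cer
    CertFile        %CERTDIR%\winhost.cer
    CertKeyFile     %CERTDIR%\winhost.key
    # Keep certificate verification on. Setting this to TRUE only hides a
    # trust problem; use it, briefly, to tell a TLS failure from a network one.
    AllowUntrusted  FALSE
</Output>

## Plain-TCP variant for a first connectivity test (no certificates involved).
## Swap the two blocks, do not enable both under the same name.
# <Output W3SVCOUT>
#     Module  om_tcp
#     Host    x.x.x.x
#     Port    601
# </Output>
```

After restarting the service, read %LOGDIR%\nxlog.log first: a configuration error there means nothing is being sent at all, whatever the Host and Port say, and a connection or certificate error names which of the two (reachability or TLS trust) to chase next.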
How to forward the raw XML for Windows logs
Hello there! I was wondering how one can forward the raw XML events (open Event Viewer, double-click an event, click Details, then XML View) from the Windows Event Log to a SIEM/log file using NXLog EE. Currently, if I don't specify any options, it ends up in a log format that isn't XML, and if I use

Exec $Message = to_xml(); to_syslog_bsd();

then I get XML that isn't formatted the same way as the Windows Event XML, which confuses the SIEM. Thank you!

As an aside, this is what I want [only the element values survived the page's extraction; the XML tags were stripped]:

7036 0 4 0 0 0x8080000000000000 718 System Lab-NXServer Client License Service (ClipSVC) running 43006C00690070005300560043002F0034000000

ryanswj created
Replies: 3
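An added example, not from the post; it uses only documented im_msvistalog and xm_syslog directives but is not an NXLog-published recipe. CaptureEventXML keeps the event's own XML document, the same one Event Viewer shows in XML View, in the $EventXML field; to_xml() instead serialises NXLog's parsed fields, which is the different layout the SIEM was rejecting. The line breaks inside the XML are removed because BSD syslog over TCP is newline-delimited. The SIEM host and port are assumptions.

```nxlog
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module              im_msvistalog
    # Keep the original <Event xmlns="..."> document for every record in $EventXML.
    CaptureEventXML     TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Forward the untouched Windows XML, not NXLog's field dump, as the
        # syslog MSG part. Collapse CR/LF so the receiver gets one record per line.
        $Message = replace($EventXML, "\r\n", "");
        $Message = replace($Message, "\n", "");
        to_syslog_bsd();
    </Exec>
</Input>

<Output siem>
    Module  om_tcp
    Host    siem.example.com
    Port    514
</Output>

<Route raw_xml>
    Path    eventlog => siem
</Route>
```

Point the route at an om_file output first and open the file: each line should begin with `<Event xmlns=` and carry the same EventID, EventRecordID and Computer values as Event Viewer's XML View for that record. Keep in mind that the XML is considerably larger than the parsed fields, so watch the receiver's per-message size limit for chatty channels such as Security.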
Multiple include.conf files cause a Warning in logs in version 5

Hi,

We recently upgraded our NXLog agents to version 5.x and have noticed the following warnings in the logs on some servers:

2023-05-16 08:03:32 WARNING [CORE|main] not starting unused module logfile_IMAP4
2023-05-16 08:03:32 WARNING [CORE|main] not starting unused module logfile_POP3
…

We figured out that this happens when we have more than one _include.conf file on top of the main nxlog.conf file. It seems that it reads one of them and then spews out this warning for all the modules/inputs in the other include.conf files. This is new behavior. We use the following syntax at the bottom of the main nxlog.conf file:

include  C:\\Program Files\\nxlog\\conf\\*_include.conf

It used to work until the upgrade to version 5. Does anyone else have this issue?


sinisa created
Replies: 4
NXLog Reading mssql errorlog lines, are send incomplete.

Good Day, 

I installed nxlog to read my MSSQL ERRORLOG file and send it to a Graylog server, but for some reason the message does not arrive complete.

Here is my conf.

I omitted the rest because it is just the default configuration file.

<Extension charconv> 
   Module      xm_charconv
   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32,UCS-2LE
</Extension> 

<Extension gelf>
   Module xm_gelf
</Extension>

<Input mssql_errorlog>
   Module      im_file
   File        "D:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG"
</Input>

<Output graylog_udp>
   Module om_udp
   Host 10.0.1.208
   Port 12202
   OutputType    GELF_UDP
</Output>

<Route graylog_route_mssql_errorlog>
   Path mssql_errorlog => graylog_udp
</Route> 

This is the line in my ERRORLOG:

2023-05-26 10:00:13.50 Logon       Login failed for user 'localnet\sqljobs'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>]

And this is the message I get in Graylog:

{
 "gl2_accounted_message_size": 242,
 "SourceModuleType": "im_file",
 "level": 6,
 "gl2_remote_ip": "10.0.1.239",
 "gl2_remote_port": 60459,
 "streams": [
   "000000000000000000000001"
 ],
 "gl2_message_id": "01H1C5R90HW9F49TPRA9XXQ93E",
 "source": "sql-dev",
 "message": "2\u00000\u00002\u00003\u0000-\u00000\u00005\u0000-\u00002\u00006\u0000 \u00001\u00000\u0000:\u00000\u00000\u0000:\u00001\u00003\u0000.\u00005\u00000\u0000 \u0000L\u0000o\u0000g\u0000o\u0000n",
 "gl2_source_input": "646f94d504777573d7d0c945",
 "EventReceivedTime": "2023-05-26 10:00:13",
 "SourceModuleName": "mssql_errorlog",
 "gl2_source_node": "332a47fa-bf25-4d8f-8e25-ce6dedb6a67a",
 "_id": "a2c1f101-fbcd-11ed-87a7-00505687667c",
 "timestamp": "2023-05-26T14:00:13.000Z"
}

And this is the result parsed by Graylog:

message : 2023-05-26 10:00:13.50 Logon

Does anyone have any idea what could be wrong?


Felix Roberto Read Rivero created
Replies: 6
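An added example, not the poster's config and not NXLog's published SQL Server guide. The `\u0000` after every character in the GELF message is the signature of a UTF-16LE file (SQL Server writes ERRORLOG in that encoding) being forwarded byte for byte: each ASCII character is followed by a NUL byte, and the receiver's text handling stops at the first NUL it cannot represent, which is why the message is cut off. xm_charconv's convert() turns the line into UTF-8 before it is serialised. The path, charset list and GELF output are the poster's; the NUL check is an added sanity test.

```nxlog
<Extension charconv>
    Module              xm_charconv
    AutodetectCharsets  iso8859-2, utf-8, utf-16, utf-32, UCS-2LE
</Extension>

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input mssql_errorlog>
    Module      im_file
    File        'D:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG'
    <Exec>
        # ERRORLOG is UTF-16LE. Convert the raw line to UTF-8 before anything
        # parses or serialises it; otherwise every second byte is a NUL.
        $raw_event = convert($raw_event, "UCS-2LE", "UTF-8");

        # Sanity check: if NUL bytes survive, the line was split on the wrong
        # byte boundary. Flag it as a field instead of letting the receiver
        # silently truncate the message.
        if $raw_event =~ /\x00/ $EncodingWarning = "NUL bytes remain after UTF-16 conversion";

        # GELF short_message is taken from $Message.
        $Message = $raw_event;
    </Exec>
</Input>

<Output graylog_udp>
    Module      om_udp
    Host        10.0.1.208
    Port        12202
    OutputType  GELF_UDP
</Output>

<Route graylog_route_mssql_errorlog>
    Path    mssql_errorlog => graylog_udp
</Route>
```

A correct result in Graylog is the full `Login failed for user 'localnet\sqljobs' ...` line with no `\u0000` anywhere. If the first line of the file comes through clean but later lines arrive as garbage, the default line reader split the file on the bare 0x0A byte and left a stray NUL at the start of each following line, so the decoding has to happen before line splitting; check whether the xm_charconv shipped with your release offers an encoding-aware InputType for im_file rather than relying on a per-line convert().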
Trouble with Nxlog sending the same windows logs again after a server restart, duplicate log messages

We're using nxlog-ce-3.1.2319 and have configuration files in the nxlog.d folder. The Windows event log configuration looks like the below.

# Configuration for converting and sending Windows logs
# directly to Devo
#
# Compatible with NXLog 3.x
#
# Place in C:\Program Files\nxlog\conf\nxlog.d\
#
# Last modification: 2023-2-15
#

# Output destination. Valid options are: ssl_devo local_devo
define DEVO_OUTPUT ssl_devo

# Vars for local Devo relay communication
#define OUTPUT_DEVO_RELAY_IP {REPLACE_WITH_RELAY_IP}
define OUTPUT_DEVO_RELAY_PORT 13000

# Vars for direct Devo communication
define OUTPUT_DESTINATION_ADDRESS redacted.logtrust.net
define OUTPUT_DESTINATION_PORT 443
define CHAIN %CERTDIR%\chain.crt
define CERT %CERTDIR%\domain.crt
define KEY %CERTDIR%\domain.key
define KEYPASS *******
define IIS_TAG web.iis.access-w3c.env.app.clon

<Extension json>
    Module              xm_json
    DateFormat          YYYY-MM-DD hh:mm:ss.sUTC
    GenerateDateInUTC   TRUE
</Extension>

######## Send to Devo Start ########
<Output ssl_devo>
    Module          om_ssl
    Host            %OUTPUT_DESTINATION_ADDRESS%
    Port            %OUTPUT_DESTINATION_PORT%
    CAFile          %CHAIN%
    CertFile        %CERT%
    CertKeyFile     %KEY%
    KeyPass         %KEYPASS%
    AllowUntrusted  TRUE
</Output>

# <Output local_devo>
#    Module  om_tcp
#    Host    %OUTPUT_DEVO_RELAY_IP%
#    Port    %OUTPUT_DEVO_RELAY_PORT%
# </Output>

######## Send to Devo End ########

######## Windows Events Start ########
<Input win_event_in>
    Module      im_msvistalog

    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        $Message = to_json();
        $SourceName = "box.win_nxlog." + lc($Channel);
        delete($ProcessID);
        to_syslog_bsd();
    </Exec>
</Input>

<Route eventlog>
    Path    win_event_in => %DEVO_OUTPUT%
</Route>

Do you have any ideas on how to prevent it from resending the same logs again?

Thanks


Gary.Blackwell created
Replies: 14
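An added example, not the poster's file and not Devo's template. Where im_msvistalog resumes after a restart is decided by the read position (the Event Log bookmark) that NXLog keeps in its cache file, and that file is written out when the service stops cleanly. A reboot that kills the service before that write, or an unclean stop, leaves an older bookmark on disk, and on the next start the input resumes from there and re-sends everything after it. The global directives below flush the cache to disk periodically and force the write (CacheFlushInterval and CacheSync are global directives; check that the installed release accepts them, and the 5-second value is an assumption), and the input states the position directives explicitly instead of relying on defaults. The query and Exec are the poster's.

```nxlog
## Global section of nxlog.conf: persist module positions (Event Log
## bookmarks included) every 5 seconds rather than only at a clean shutdown,
## and sync the write so an abrupt reboot cannot roll it back.
CacheFlushInterval  5
CacheSync           TRUE

<Extension json>
    Module  xm_json
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input win_event_in>
    Module          im_msvistalog
    # Remember the last event read; with no saved position, start at the
    # newest record instead of replaying the whole channel.
    SavePos         TRUE
    ReadFromLast    TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        $Message = to_json();
        $SourceName = "box.win_nxlog." + lc($Channel);
        delete($ProcessID);
        to_syslog_bsd();
    </Exec>
</Input>
```

To verify the flush is happening, watch the modification time of configcache.dat under CacheDir (%ROOT%\data in the stock config) while the service runs: it should advance every few seconds, not only at service stop. If duplicates persist after a clean `net stop nxlog` / reboot cycle, the cause is not the bookmark and the output side (Devo's own retry or a relay replaying its buffer) is the next place to look.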
NXLog 32-bit installation

Hi,

We're trying to deploy NXLog to our Windows 10 and Windows 7 32-bit machines. Installation can't push through and the following error message shows up:

“This installation package is not supported by this processor type. Contact your product vendor.”


Mary Joy Baquilar created
Replies: 4
Failure to Install NXLog Agent as Domain Admin (Not enough permissions)

The installation of nxlog-windows_x64.msi fails on a Windows 2016 server when installing as Domain Administrator, and the error displayed was "Not enough permissions". In the log file, errors occur around line 39, with three consecutive errors:

[27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to install MSI package.
[27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package.
[2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to configure per-machine MSI package

The complete log file is below:

[2294:25C8][2021-09-16T13:48:41]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Windows\Temp\{3D88D7A8-546D-45A9-94E7-3F78B7E791B6}.cr\CyglassADAgent_CyGlassAgent.exe
[2294:25C8][2021-09-16T13:48:41]i009: Command Line: '-burn.clean.room=C:\Users\administrator.STRATEJM\Downloads\CyglassADAgent_CyGlassAgent.exe -burn.filehandle.attached=524 -burn.filehandle.self=520'
[2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\administrator.STRATEJM\Downloads\CyglassADAgent_CyGlassAgent.exe'
[2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\administrator.STRATEJM\Downloads'
[2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841.log'
[2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleName' to value 'Cyglass Log Collection Agent'
[2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleManufacturer' to value 'CyGlass'
[2294:2F8C][2021-09-16T13:48:42]i000: Setting numeric variable 'WixStdBALanguageId' to value 1033
[2294:2F8C][2021-09-16T13:48:42]i000: Setting version variable 'WixBundleFileVersion' to value '2.1.0.0'
[2294:25C8][2021-09-16T13:48:42]i100: Detect begin, 2 packages
[2294:25C8][2021-09-16T13:48:42]i101: Detected package: NXLog, state: Absent, cached: None
[2294:25C8][2021-09-16T13:48:42]i101: Detected package: NXLogconf, state: Absent, cached: Complete
[2294:25C8][2021-09-16T13:48:42]i199: Detect complete, result: 0x0
[2294:2F8C][2021-09-16T13:48:44]i000: Setting numeric variable 'EulaAcceptCheckbox' to value 1
[2294:25C8][2021-09-16T13:48:44]i200: Plan begin, 2 packages, action: Install
[2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleRollbackLog_NXLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_000_NXLog_rollback.log'
[2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleLog_NXLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_000_NXLog.log'
[2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleRollbackLog_NXLogconf' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_001_NXLogconf_rollback.log'
[2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleLog_NXLogconf' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_001_NXLogconf.log'
[2294:25C8][2021-09-16T13:48:44]i201: Planned package: NXLog, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[2294:25C8][2021-09-16T13:48:44]i201: Planned package: NXLogconf, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: No, uncache: No, dependency: Register
[2294:25C8][2021-09-16T13:48:44]i299: Plan complete, result: 0x0
[2294:25C8][2021-09-16T13:48:44]i300: Apply begin
[2294:25C8][2021-09-16T13:48:44]i010: Launching elevated engine process.
[2294:25C8][2021-09-16T13:48:44]i011: Launched elevated engine process.
[2294:25C8][2021-09-16T13:48:44]i012: Connected to elevated engine.
[27F4:2EBC][2021-09-16T13:48:44]i358: Pausing automatic updates.
[27F4:2EBC][2021-09-16T13:48:44]i359: Paused automatic updates.
[27F4:2EBC][2021-09-16T13:48:44]i360: Creating a system restore point.
[27F4:2EBC][2021-09-16T13:48:44]i362: System restore disabled, system restore point not created.
[27F4:2EBC][2021-09-16T13:48:44]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, options: 0x7, disable resume: No
[27F4:2EBC][2021-09-16T13:48:44]i000: Caching bundle from: 'C:\Windows\Temp\{FB49C0F4-C065-4621-9ED3-AE2008A17091}.be\cyglass-agent-x64.exe' to: 'C:\ProgramData\Package Cache\{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}\cyglass-agent-x64.exe'
[27F4:2EBC][2021-09-16T13:48:44]i320: Registering bundle dependency provider: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, version: 2.1.0.0
[27F4:2EBC][2021-09-16T13:48:44]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: Active, restart initiated: No, disable resume: No
[27F4:34E8][2021-09-16T13:48:44]i305: Verified acquired payload: NXLog at path: C:\ProgramData\Package Cache\.unverified\NXLog, moving to: C:\ProgramData\Package Cache\{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735\nxlog-windows_x64.msi.
[27F4:34E8][2021-09-16T13:48:44]i304: Verified existing payload: NXLogconf at path: C:\ProgramData\Package Cache\{3E825850-75A4-4646-902D-9BCCB94CAEED}v1.0.0\nxlog-conf_x64.msi.
[27F4:2EBC][2021-09-16T13:48:44]i323: Registering package dependency provider: {2A263730-5A99-4953-96EE-58D5AD4F9145}, version: 5.3.6735, package: NXLog
[27F4:2EBC][2021-09-16T13:48:44]i301: Applying execute package: NXLog, action: Install, path: C:\ProgramData\Package Cache\{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735\nxlog-windows_x64.msi, arguments: ' ALLUSERS="1" ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7"'
[27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to install MSI package.
[27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package.
[2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[2294:25C8][2021-09-16T13:50:32]i319: Applied execute package: NXLog, result: 0x80070643, restart: None
[2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package.
[27F4:2EBC][2021-09-16T13:50:32]i318: Skipped rollback of package: NXLog, action: Uninstall, already: Absent
[2294:25C8][2021-09-16T13:50:32]i319: Applied rollback package: NXLog, result: 0x0, restart: None
[27F4:2EBC][2021-09-16T13:50:32]i329: Removed package dependency provider: {2A263730-5A99-4953-96EE-58D5AD4F9145}, package: NXLog
[27F4:2EBC][2021-09-16T13:50:32]i351: Removing cached package: NXLog, from path: C:\ProgramData\Package Cache\{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735
[27F4:2EBC][2021-09-16T13:50:32]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: None, restart: None, disable resume: No
[27F4:2EBC][2021-09-16T13:50:32]i330: Removed bundle dependency provider: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}
[27F4:2EBC][2021-09-16T13:50:32]i352: Removing cached bundle: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, from path: C:\ProgramData\Package Cache\{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}
[27F4:2EBC][2021-09-16T13:50:32]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: None, restart initiated: No, disable resume: No
[2294:25C8][2021-09-16T13:50:33]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart: No


kberthia created
Replies: 2
om_tcp not working
I've configured NXLog to forward the Windows security event logs using the om_udp module, and it is working: I can see those logs on the destination AWS EC2 (rsyslog) instance. But when I tweaked the NXLog configuration for TCP forwarding using om_tcp, it throws the error shown below: "ERROR couldn't connect to tcp socket on <REDACTED>; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." Can someone assist with overcoming this error? FYI, both UDP and TCP reception rules are in place.

Ashok Biradhar created
Replies: 1
Output udpfile rotate_to wrong filename

Hi,

I am using NXLog with the Example 108. “File Rotation Based on Size” from the NXLog Community Edition Reference Manual.

In rare cases I have the problem that rotate_to uses the wrong filename and overwrites some other logfile. In the example below, "logid.log" is rotated to "Mod-002". See nxlog.log.

Version:  nxlog-ce-3.1.2319

nxlog.log

Line 3644025: 2023-03-14 10:28:02 INFO om_file successfully rotated file 'C:\Program Files\nxlog\data\10.87.243.24\logid.log' to 'C:\Program Files\nxlog\data\10.87.243.24\Mod-002.20230314102802.log'

nxlog.conf

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension exec>
	Module		xm_exec
</Extension>

<Extension syslog>
	Module		xm_syslog
</Extension>

<Extension fileop>
	Module		xm_fileop
</Extension>

<Input udp>
	Module		im_udp
	Host		10.87.243.20
	Port		514
	Exec		parse_syslog();
	Exec		dir_make('%LOGDIR%\' + $Hostname);
</Input>

<Output udpfile>
	Module		om_file
	CreateDir	TRUE
	File		'%LOGDIR%\' + $Hostname + '\' + $SourceName + '.log'
	Exec		if udpfile->file_size() > 5M { \
					$newfile = '%LOGDIR%\' + $Hostname + '\' + $SourceName + '.' + strftime(now(), "%Y%m%d%H%M%S") + '.log'; \
					udpfile->rotate_to($newfile); \
					exec_async('%CONFDIR%\\bzip2.exe', $newfile); \
				}
</Output>

<Route udp>
	Path		udp => udpfile
</Route>

Any ideas what's going wrong here?

Thanks


hate created
Replies: 9
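An added example, not the poster's config and not the manual's Example 108. With a dynamic File expression, the file om_file currently has open is the one the previous event was written to, because the Exec runs before the current event is written; file_size() and rotate_to() both act on that currently open file, while $newfile above is built from the current event's $Hostname and $SourceName. When two sources interleave, the size check fires for one file and the rotated name is built from the other event's fields, which is exactly the logid.log to Mod-002.20230314102802.log rename in the log. Deriving the new name from file_name(), om_file's function that returns the path of the currently open file, keeps the check and the rename on the same file. Only the Output block changes; the bzip2 path is the poster's.

```nxlog
<Output udpfile>
    Module      om_file
    CreateDir   TRUE
    File        '%LOGDIR%\' + $Hostname + '\' + $SourceName + '.log'
    <Exec>
        # file_size() and rotate_to() act on the file om_file currently has
        # open, which is not necessarily the one this event will be written
        # to. Build the rotated name from that same file, never from the
        # event's fields, so the right file is renamed.
        if udpfile->file_size() > 5M
        {
            $current = udpfile->file_name();
            # Strip the ".log" suffix and insert a timestamp before it.
            if $current =~ /^(.+)\.log$/
            {
                $newfile = $1 + '.' + strftime(now(), "%Y%m%d%H%M%S") + '.log';
                udpfile->rotate_to($newfile);
                exec_async('%CONFDIR%\\bzip2.exe', $newfile);
            }
        }
    </Exec>
</Output>
```

After the change, every "successfully rotated file 'X' to 'Y'" line in nxlog.log should have Y equal to X with only the timestamp inserted; a rename whose source and target differ in the base name would mean the file name and the size check still refer to different files.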
Schedule

Hi

I have noticed that my alerts are about 2 hours behind. My SIEM rule retrohunts every 10 minutes.

What is the default schedule for NXLog Community Edition?

I think I need to add code similar to the below to make my retrohunt rule trigger in a more real-time way:

<Input in>
    Module  im_tcp
    Port    2345

    <Schedule>
        Every   1 sec
        First   2010-12-17 00:19:06
        Exec    log_info("scheduled execution at " + now());
    </Schedule>

    <Schedule>
        When    1 */2 2-4 * *
        Exec    log_info("scheduled execution at " + now());
    </Schedule>
</Input>


gavin.lacey@telegraph.co.uk created
Replies: 1
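An added check, not part of the post: im_tcp has no polling schedule at all (records are forwarded as they arrive, and a <Schedule> block only runs its own Exec on a timer), and the file and Event Log inputs poll every second by default, so a constant lag of about two hours is more typical of a timezone mismatch than of collection delay. to_syslog_bsd() writes a local-time timestamp with no zone, and a receiver that assumes UTC shifts every event by the host's UTC offset. The configuration below emits RFC 5424 with to_syslog_ietf(), whose timestamp carries the offset, and adds the agent's own clock in UTC as a field so the two can be compared side by side in the SIEM. The destination host and port are assumptions.

```nxlog
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_tcp
    Port    2345
    <Exec>
        # Parse the incoming syslog so $EventTime is the sender's timestamp.
        parse_syslog();
        # Record the agent's clock in UTC next to it. A fixed gap between
        # $AgentTimeUTC and the SIEM's ingest time, with no gap between
        # $AgentTimeUTC and the event, pins the lag on timezone handling.
        $AgentTimeUTC = strftime(now(), "YYYY-MM-DDThh:mm:ss.sUTC");
    </Exec>
</Input>

<Output out>
    Module  om_tcp
    Host    siem.example.com
    Port    514
    # RFC 5424: the timestamp carries the UTC offset, and custom fields such
    # as $AgentTimeUTC travel in the structured-data part, so the receiver
    # cannot misread a local time as UTC.
    Exec    to_syslog_ietf();
</Output>

<Route r>
    Path    in => out
</Route>
```

If the SIEM's event time equals $AgentTimeUTC but its ingest time is two hours later, collection is not the bottleneck and the delay sits in the SIEM's pipeline; if the SIEM's event time is itself two hours off $AgentTimeUTC, the receiver is misreading the timestamp's zone.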
im_file Inputs are not forwarded to logging server

Hi everyone, I have the following problem.

1 The problem:

I trace the performance counters of several Windows clients. For that, CSV files are created and their contents are then forwarded to our logging system. Each counter type (RAM, CPU, storage, etc.) has its own CSV and therefore its own input in NXLog. While it works without any problems on nearly all clients, there is one workstation where the im_file inputs are not forwarded. Besides the im_file module we use the im_msvistalog module for Windows Event entries as well, and the workstation does forward these events without any problems. It just has problems with the im_file inputs. The log file does not indicate any error and, as I said, this configuration (with minor differences) already works flawlessly on the other systems.

2 The configuration:

2 The configuration:

define ROOT     C:\Program Files\nxlog
define CERTDIR	C:\Program Files\nxlog\keys
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>


define MonitoredEventIDsSecurity		4624, 4634, 4672

# Collecting event log
<Input in>
    Module          im_msvistalog
    SavePos         TRUE
    ReadFromLast    TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%MonitoredEventIDsSecurity%) drop();
    </Exec>
</Input>
 
<Input trace_cpu>
    Module	im_file
	File	'C:\tracing\trace_cpu.csv'
	SavePos	TRUE
	ReadFromLast	TRUE
	Exec	$Message = $raw_event;
</Input>

<Input trace_ram>
    Module	im_file
	File	'C:\tracing\trace_ram.csv'
	SavePos	TRUE
	ReadFromLast	TRUE
	Exec	$Message = $raw_event;
</Input>

<Input trace_networkmain>
    Module	im_file
	File	'C:\tracing\trace_networkmain.csv'
	SavePos	TRUE
	ReadFromLast	TRUE
	Exec	$Message = $raw_event;
</Input>

<Input trace_diskc>
    Module	im_file
	File	'C:\tracing\trace_diskc.csv'
	SavePos	TRUE
	ReadFromLast	TRUE
	Exec	$Message = $raw_event;
</Input>

<Input trace_diskd>
    Module	im_file
	File	'C:\tracing\trace_diskd.csv'
	SavePos	TRUE
	ReadFromLast	TRUE
	Exec	$Message = $raw_event;
</Input>
 
<Input trace_diske>
    Module	im_file
	File	'C:\tracing\trace_diske.csv'
	SavePos	TRUE
	ReadFromLast	TRUE
	Exec	$Message = $raw_event;
</Input>

<Output x>
    Module      om_ssl
    Host        %IP_Address%
    Port        %Port%
    OutputType  GELF_TCP
    CAFile      %CERTDIR%\cafile.pem
    CertFile    %CERTDIR%\certfile.pem
    CertKeyFile %CERTDIR%\certkeyfile.pem
    KeyPass     %password%
    Exec        to_syslog_snare();
</Output>
 
#Connect input 'in' to output 'out'
<Route 1>
     Path        in, trace_cpu, trace_ram, trace_networkmain, trace_diskc, trace_diskd, trace_diske => x
</Route>

 

3 The NXLog log:

I think it's irrelevant because it only shows these entries:

2023-05-09 09:13:13 WARNING stopping nxlog service
2023-05-09 09:13:13 WARNING nxlog-ce received a termination request signal, exiting...
2023-05-09 09:13:16 INFO connecting to %IP_Address%:%Port%
2023-05-09 09:13:16 INFO nxlog-ce-3.1.2319 started
2023-05-09 09:13:16 INFO successfully connected to %IP_Address%:%Port%

 

4 Environment info:

The mentioned client runs Windows 10 Pro 22H2, currently installed NXLog Version is ce-3.1.2319 (but also tested it with ce-3.2.2329)

5 Relevant details: 

  • Config works on other clients without problems
  • Only im_file module not working, im_msvistalog entries are being forwarded
  • Until two weeks ago I used one central CSV file for all performance counters and this was forwarded correctly until the separation into individual inputs
  • When deleting the “Exec $Message = $raw_event;” directive from an input, the respective messages get forwarded to logging system but are in a cryptic format and not useable

That would be it for now. Please feel free to ask if you need further information :)

Thanks in advance!


bero.0815 created
Replies: 1
function 'create_var()' does not exist or takes different arguments

I'm trying to save syslog and saving logs with a specific hostname based on the IP address. I'm using an if statement and a variable to define the file path I want to use. Unfortunately I'm getting the following error message: nxlog.conf:32; couldn't parse statement at line 36, character 9 in C:\Program Files\nxlog\conf\nxlog.conf; function 'create_var()' does not exist or takes different arguments.

My conf file is below. Any hint? 

 

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir C:\syslog
Pidfile C:\syslog\nxlog.pid
SpoolDir C:\syslog
LogFile C:\syslog\nxlog.log

<Extension exec>
    Module xm_exec
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input syslog514udp>
    Module       im_udp
    Port         514
    Host         0.0.0.0
</Input>

<Input syslog514tcp>
    Module       im_tcp
    Port         514
    Host         0.0.0.0
</Input>

<Output consolefile>
    Module      om_file

    # Defining log path based on hostname
    <Exec>
        if $MessageSourceAddress == "10.1.62.61"
        {
            create_var('logPath', 'MySBC/Syslog-'+ strftime(now(), '%Y-%m-%d-%H') + '.log')
        }
        else
        {
            create_var('logPath', $MessageSourceAddress+'/Syslog-'+ strftime(now(), '%Y-%m-%d-%H') + '.log')
        }
    </Exec>

    File      get_var('logPath')

    # Prepend the timestamp to the event
    Exec        $raw_event = now() + " " + $raw_event;
    <Exec>
        if consolefile->file_size() >= 100M
        {
            $newfile = $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H-%M") + ".log";
            consolefile->rotate_to($newfile);
        }
    </Exec>
    CreateDir   TRUE
</Output>

<Output cdrlogger>
    Module      om_udp
    Host        127.0.0.1
    Port        1514
</Output>

<Route udp>
    Priority	1
    Path        syslog514udp => consolefile, cdrlogger
</Route>

<Route tcp>
    Priority	2
    Path        syslog514tcp => consolefile, cdrlogger
</Route>

Joao Alhinho created
Replies: 1
windows event log formatting issues

Hi, I have a bit of an unconventional setup where I collect windows logs on one server, I then send these logs to another nxlog server via om_tcp. With the outputType GELF_TCP. From this second nxlog server, I then forward the logs to a graylog server using om_udp and outputType GELF_UDP. But the problem is that graylog seems to receive one message for each row in the windows log full message. If I instead forward directly from nxlog to graylog without the second nxlog-server inbetween, they arrive in the correct format. But I really need the other setup to work. Is there something I need to consider when it comes to formatting when first forwarding the logs to a second nxlog-server and then to the graylog server from there? 


Greenwich Mean Time (Daniel) created
Replies: 1
Wildcard paths not working with symlinks?

We have a folder structure like:

/opt/tomcat-onesite/bin
  |                /logs
  |                /etc....
  |-/tomcat-anothersite/bin
  |                    /logs
  |                    /etc....
  |-/tomcat-somewhereelse/bin
  |                      /logs
  |                      /etc....
  |-/tomcat-etc...
  |-/tomcat-logs/onesite -> /opt/tomcat-onesite/logs
                /anothersite -> /opt/tomcat-anothersite/logs
                /somewhereelse -> /opt/tomcat-somewhereelse/logs
                /etc ....

All folders directly under /opt/tomcat-logs are symlinks to the corresponding logs folder under each tomcat instance. We wanted to define a File of /opt/tomcat-logs/*.log with Recursive TRUE but nxlog-ce doesn't pick up anything. We also tried /opt/tomcat-logs/*/*.log but it seems like nxlog-ce is unable to follow a * symlink or recurse through a symlink. I have no problems with /opt/tomcat-logs/onesite/*.log which works OK. Is this a bug? Is there a reason it does not follow implicit symlinks but does follow them if named?

Note with further testing I have /opt/tomcat-*/logs/*.log working and this will do for now but I feel sure this is an error.


Deleted user created
Replies: 3