I originally asked about symlinks in a thread https://nxlog.co/community-forum/t/1518-wildcard-paths-not-working-with-symlinks, but was told that symlinks just didn't work. Pity. But I had a working config which worked around the issue. I'll reproduce the file structure here:/opt/tomcat-onesite/bin | /logs | /etc.... |-/tomcat-anothersite/bin | /logs | /etc.... |-/tomcat-somewhereelse/bin | /logs | /etc.... |-/tomcat-etc... |-/tomcat-logs/onesite -> /opt/tomcat-onesite/logs /anothersite -> /opt/tomcat-anothersite/logs /somewhereelse -> /opt/tomcat-somewhereelse/logs /etc ....Now, with nxlog-ce-2.9.x or 2.10.x, I could define a path of /opt/tomcat-logs/* and nxlog would start. It wouldn't read any symlinks under it but it would start. Now with any of the 3.x series, nxlog won't even start if there is a symlink directly in /opt/tomcat-logs. I can sort of get by with /opt/tomcat-logs/*/* in that particular case but it doesn't help with another part of the set of the setup where there are valid files in the equivalent or /opt/tomcat-logs at the same time. How or where can I report bugs or regressions?

Hi, I have a very strange question to askWhen collecting windows exchange tracking log, I encountered a strange problemIf you delete files older than 7 days in the tracking log folder, nxlog will generate an error, and at the same time the exchange system will also be affected and cannot operate======================================================================error log2023-02-15 10:39:04 INFO nxlog-ce-3.1.2319 started2023-02-15 10:44:31 ERROR apr_stat() failed on file E:\Log\IIS\W3SVC2\u_ex230207.log; 存取被拒。  2023-02-15 10:44:31 WARNING input file was deleted: E:\Log\IIS\W3SVC1\u_ex230207.log2023-02-15 10:44:33 WARNING input file was deleted: E:\Log\IIS\W3SVC2\u_ex230207.log2023-02-15 11:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-4.LOG; 存取被拒。  2023-02-15 11:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-4.LOG2023-02-15 11:32:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-5.LOG; 存取被拒。  2023-02-15 11:32:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-5.LOG2023-02-15 12:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-6.LOG; 存取被拒。  2023-02-15 12:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-6.LOG2023-02-15 13:43:11 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-7.LOG; 存取被拒。  2023-02-15 13:43:13 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-7.LOG2023-02-15 14:00:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-8.LOG; 存取被拒。  2023-02-15 14:00:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-8.LOG2023-02-15 14:32:56 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-9.LOG; 存取被拒。  2023-02-15 14:32:58 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-9.LOG2023-02-15 15:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-10.LOG2023-02-15 15:31:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-11.LOG2023-02-15 16:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-12.LOG2023-02-15 16:33:08 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-1.LOG2023-02-15 17:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-2.LOG2023-02-15 17:12:10 WARNING stopping nxlog service2023-02-15 17:12:10 WARNING nxlog-ce received a termination request signal, exiting...============================================================================nxlog config## Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start.define NCloud  172.21.30.1define MailLog E:\Log\MessageTrackingdefine IISLog  E:\Log\IISdefine ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\confdefine LOGDIR  %ROOT%\datadefine LOGFILE %LOGDIR%\nxlog.logLogFile  %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data## Load the modules needed by the outputs<Extension syslog> Module xm_syslog</Extension>## For Exchange Message Tracking log file use the following:<Input in_maillog> Module im_file File '%MailLog%\MSGTRK*.LOG' ReadFromLast TRUE SavePos TRUE</Input><Output out_maillog> Module om_udp Host %NCloud% Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'Exchange'; Exec to_syslog_bsd();</Output><Route maillog> Path in_maillog => out_maillog</Route>## For Windows Event log use the following:<Input in_eventlog> Module im_msvistalog ReadFromLast TRUE SavePos TRUE Query  <QueryList> \           <Query Id="0"> \               <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4626 or EventID=4627 or EventID=4634 or EventID=4646 or EventID=4647 or EventID=4648 or EventID=4649 or EventID=4672 or EventID=4675)]]</Select> \               <Select Path="Security">*[System[(EventID=4778 or EventID=4779 or EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=4964 or EventID=4976 or EventID=5378 or EventID=5632 or EventID=5633)]]</Select> \               <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770 or EventID=4771 or EventID=4772 or EventID=4773 or EventID=4774 or EventID=4775 or EventID=4776 or EventID=4777 or EventID=4820)]]</Select> \               <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4727 or EventID=4731 or EventID=4732 or EventID=4733 or EventID=4734)]]</Select> \               <Select Path="Security">*[System[(EventID=4735 or EventID=4738 or EventID=4739 or EventID=4740 or EventID=4749 or EventID=4750 or EventID=4751 or EventID=4752 or EventID=4753 or EventID=4764 or EventID=4765)]]</Select> \               <Select Path="Security">*[System[(EventID=4766 or EventID=4767 or EventID=4780 or EventID=4781 or EventID=4782 or EventID=4793 or EventID=4794 or EventID=4797 or EventID=4798 or EventID=4799 or EventID=5376 or EventID=5377)]]</Select> \               <Select Path="Security">*[System[(EventID=4608 or EventID=4610 or EventID=4611 or EventID=4612 or EventID=4614 or EventID=4615 or EventID=4616 or EventID=4618 or EventID=4621 or EventID=4622 or EventID=4697)]]</Select> \               <Select Path="Security">*[System[(EventID=5024 or EventID=5025 or EventID=5027 or EventID=5028 or EventID=5029 or EventID=5030 or EventID=5032 or EventID=5033 or EventID=5034 or EventID=5035 or EventID=5037)]]</Select> \               <Select Path="Security">*[System[(EventID=5038 or EventID=5056 or EventID=5058 or EventID=5059 or EventID=5061 or EventID=5890 or EventID=6281 or EventID=6400 or EventID=6401 or EventID=6402 or EventID=6403)]]</Select> \               <Select Path="Security">*[System[(EventID=6404 or EventID=6405 or EventID=6406 or EventID=6407 or EventID=6408 or EventID=6409 or EventID=6410)]]</Select> \           </Query> \        </QueryList> </Input><Output out_eventlog> Module om_udp Host %NCloud% Port 514 Exec $SyslogFacilityValue = 17; Exec $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message; Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \         else if ($EventType == 'WARNING')  { $SyslogSeverityValue = 4; } \         else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS')  { $SyslogSeverityValue = 5; }  Exec to_syslog_bsd();</Output><Route eventlog> Path in_eventlog => out_eventlog</Route>## For Microsoft IIS(Internet Information Server) log file use the following:<Input in_iislog> Module im_file File '%IISLog%\u_ex*.log' ReadFromLast TRUE Recursive TRUE SavePos TRUE</Input><Output out_iislog> Module om_udp Host %NCloud% Port 514 Exec $SyslogFacilityValue = 22; Exec $raw_event = "IIS [info]: " + $raw_event ; Exec to_syslog_bsd();</Output><Route iislog> Path in_iislog => out_iislog</Route> ======================================================================Please how can I deal with this problem?

Hi. Will there be a Nxlog EE for Parrot OS? If so are there an expected date.RegardsRoland

Hi all, I'm using CE edition and sending logs to Taegis XDR, I've followed the instructions at this page:  Microsoft IIS (secureworks.com)Configured IIS per these instructions: https://docs.ctpx.secureworks.com/integration/connectEndpoint/microsoft_iis_connect/#configuring-microsoft-iis-logging Configured nxlog.conf per these instructions:  https://docs.ctpx.secureworks.com/integration/connectEndpoint/microsoft_iis_connect/#configuring-nxlog Logs are still not showing up, and I think I have this section in the nxlog.conf IIS config misconfigured with the IP of my Taegis CDR collecter. I've got the IP of my host entered into the HOST line, and the port entered into the PORT line. Am I supposed to comment out any of the ‘Module’ lines? Do I have it misconfigured below? Any help is appreciated, thank you in advance. <Output W3SVCOUT>   Module      om_udp   Module      om_tcp### Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html   Module    om_ssl   Host        x.x.x.x   Port        601   CAFile    %CERTDIR%\CA.cer   CertFile    %CERTDIR%\winhost.cer   CertKeyFile    %CERTDIR%\winhost.key   AllowUntrusted    FALSE

Hello there! I was wondering how one can forward the raw XML events (open Event Viewer, double click an event, click Details, then XML View) from the Windows Event Log to a SIEM/log file using nxlog EE. Currently, if I don't specify any options, it ends up in a log format that isn't XML, and if I use Exec $Message = to_xml(); to_syslog_bsd(); then I get an XML that isn't formatted the same way as the Windows Event XML, which confuses the SIEM. Thank you! As an aside, this is what I want: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7036</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2021-06-25T08:54:27.604250100Z" /> <EventRecordID>718</EventRecordID> <Correlation /> <Execution ProcessID="592" ThreadID="3300" /> <Channel>System</Channel> <Computer>Lab-NXServer</Computer> <Security /> </System> <EventData> <Data Name="param1">Client License Service (ClipSVC)</Data> <Data Name="param2">running</Data> <Binary>43006C00690070005300560043002F0034000000</Binary> </EventData> </Event>

Hi,We recently upgraded our NXlog agents to version 5*, and have noticed the following warning in the logs on some servers:2023-05-16 08:03:32 WARNING [CORE|main] not starting unused module logfile_IMAP42023-05-16 08:03:32 WARNING [CORE|main] not starting unused module logfile_POP3…We figured out that this happens when we have more then one _include.conf file on top of the main nxlog.conf file. It seems that it reads one of them, and then spews out this warning for all the modules/inputs in the other include.conf files. This is a new behavior. We use the following syntax at the bottom of the main nxlog.conf file:include  C:\\Program Files\\nxlog\\conf\\*_include.confIt used to work till the upgrade to version 5. Anyone else has this issue? 

Good Day, I installed nxlog to ready to ready my mssql errorlog file, and send it to graylog server, but for some reason the message is not coming complete,here is my confI omitted the rest because it just the default configuration file <Extension charconv>    Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32,UCS-2LE</Extension> <Extension gelf>   Module xm_gelf</Extension><Input mssql_errorlog>   Module      im_file   File        "D:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG"</Input><Output graylog_udp>   Module om_udp   Host 10.0.1.208   Port 12202   OutputType    GELF_UDP</Output><Route graylog_route_mssql_errorlog>   Path mssql_errorlog => graylog_udp_204</Route> This is the line in my ERRORLOG 2023-05-26 10:00:13.50 Logon       Login failed for user 'localnet\sqljobs'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>] And this is the message i get in graylog { "gl2_accounted_message_size": 242, "SourceModuleType": "im_file", "level": 6, "gl2_remote_ip": "10.0.1.239", "gl2_remote_port": 60459, "streams": [   "000000000000000000000001" ], "gl2_message_id": "01H1C5R90HW9F49TPRA9XXQ93E", "source": "sql-dev", "message": "2\u00000\u00002\u00003\u0000-\u00000\u00005\u0000-\u00002\u00006\u0000 \u00001\u00000\u0000:\u00000\u00000\u0000:\u00001\u00003\u0000.\u00005\u00000\u0000 \u0000L\u0000o\u0000g\u0000o\u0000n", "gl2_source_input": "646f94d504777573d7d0c945", "EventReceivedTime": "2023-05-26 10:00:13", "SourceModuleName": "mssql_errorlog", "gl2_source_node": "332a47fa-bf25-4d8f-8e25-ce6dedb6a67a", "_id": "a2c1f101-fbcd-11ed-87a7-00505687667c", "timestamp": "2023-05-26T14:00:13.000Z"}  And this is the result parsed by graylogmessage : 2023-05-26 10:00:13.50 LogonAny one has any idea what could be wrong? 

We're using nxlog-ce-3.1.2319 and have configuration files in the nxlog.d folder.  The windows event logs configuration looks like below.# Configuration for converting and sending Windows logs# directly to Devo## Compatible with NXLog 3.x## Place in C:\Program Files\nxlog\conf\nxlog.d\## Last modification: 2023-2-15## Output destination. Valid options are: ssl_devo local_devodefine DEVO_OUTPUT ssl_devo# Vars for local Devo relay communication#define OUTPUT_DEVO_RELAY_IP {REPLACE_WITH_RELAY_IP}define OUTPUT_DEVO_RELAY_PORT 13000# Vars for direct Devo communicationdefine OUTPUT_DESTINATION_ADDRESS redacted.logtrust.netdefine OUTPUT_DESTINATION_PORT 443define CHAIN %CERTDIR%\chain.crtdefine CERT %CERTDIR%\domain.crtdefine KEY %CERTDIR%\domain.keydefine KEYPASS *******define IIS_TAG web.iis.access-w3c.env.app.clon<Extension json>   Module      xm_json   DateFormat YYYY-MM-DD hh:mm:ss.sUTC   GenerateDateInUTC TRUE</Extension>######## Send to Devo Start ########<Output ssl_devo>   Module          om_ssl   Host            %OUTPUT_DESTINATION_ADDRESS%   Port            %OUTPUT_DESTINATION_PORT%   CAFile          %CHAIN%   CertFile        %CERT%   CertKeyFile     %KEY%   KeyPass         %KEYPASS%   AllowUntrusted  TRUE</Output># <Output local_devo>#    Module  om_tcp#    Host    %OUTPUT_DEVO_RELAY_IP%#    Port    %OUTPUT_DEVO_RELAY_PORT%#</Output>######## Send to Devo End ################ Windows Events Start ########<Input win_event_in>   Module      im_msvistalog <QueryXML>       <QueryList>           <Query Id="0">               <Select Path="Application">*</Select>               <Select Path="System">*</Select>               <Select Path="Security">*</Select>               <Select Path="Windows PowerShell">*</Select>           </Query>       </QueryList>   </QueryXML>   <Exec>       $Message = to_json();       $SourceName="box.win_nxlog."+lc($Channel);       delete($ProcessID);       to_syslog_bsd();   </Exec></Input><Route eventlog>   Path  win_event_in => %DEVO_OUTPUT%</Route>Do you have any ideas on how to prevent it from resending the same logs again?Thanks

Hi,We're trying to deploy NXLog to our Windows 10 and Windows 7 32-bit machines. Installation can't push through and the following error message shows up:“This installation package is not supported by this processor type. Contact your product vendor.”

The installation of the nxlog-windows_x64.msi fails on a Windows 2016 server, installing as Domain Administrator, and the error displayed was "Not enough permissions". In the log file, errors occur around line 39 with three consecutive errors : [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to install MSI package. [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package. [2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to configure per-machine MSI package The complete log file is below: [2294:25C8][2021-09-16T13:48:41]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Windows\Temp{3D88D7A8-546D-45A9-94E7-3F78B7E791B6}.cr\CyglassADAgent_CyGlassAgent.exe [2294:25C8][2021-09-16T13:48:41]i009: Command Line: '-burn.clean.room=C:\Users\administrator.STRATEJM\Downloads\CyglassADAgent_CyGlassAgent.exe -burn.filehandle.attached=524 -burn.filehandle.self=520' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\administrator.STRATEJM\Downloads\CyglassADAgent_CyGlassAgent.exe' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\administrator.STRATEJM\Downloads' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841.log' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleName' to value 'Cyglass Log Collection Agent' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleManufacturer' to value 'CyGlass' [2294:2F8C][2021-09-16T13:48:42]i000: Setting numeric variable 'WixStdBALanguageId' to value 1033 [2294:2F8C][2021-09-16T13:48:42]i000: Setting version variable 'WixBundleFileVersion' to value '2.1.0.0' [2294:25C8][2021-09-16T13:48:42]i100: Detect begin, 2 packages [2294:25C8][2021-09-16T13:48:42]i101: Detected package: NXLog, state: Absent, cached: None [2294:25C8][2021-09-16T13:48:42]i101: Detected package: NXLogconf, state: Absent, cached: Complete [2294:25C8][2021-09-16T13:48:42]i199: Detect complete, result: 0x0 [2294:2F8C][2021-09-16T13:48:44]i000: Setting numeric variable 'EulaAcceptCheckbox' to value 1 [2294:25C8][2021-09-16T13:48:44]i200: Plan begin, 2 packages, action: Install [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleRollbackLog_NXLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_000_NXLog_rollback.log' [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleLog_NXLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_000_NXLog.log' [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleRollbackLog_NXLogconf' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_001_NXLogconf_rollback.log' [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleLog_NXLogconf' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_001_NXLogconf.log' [2294:25C8][2021-09-16T13:48:44]i201: Planned package: NXLog, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register [2294:25C8][2021-09-16T13:48:44]i201: Planned package: NXLogconf, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: No, uncache: No, dependency: Register [2294:25C8][2021-09-16T13:48:44]i299: Plan complete, result: 0x0 [2294:25C8][2021-09-16T13:48:44]i300: Apply begin [2294:25C8][2021-09-16T13:48:44]i010: Launching elevated engine process. [2294:25C8][2021-09-16T13:48:44]i011: Launched elevated engine process. [2294:25C8][2021-09-16T13:48:44]i012: Connected to elevated engine. [27F4:2EBC][2021-09-16T13:48:44]i358: Pausing automatic updates. [27F4:2EBC][2021-09-16T13:48:44]i359: Paused automatic updates. [27F4:2EBC][2021-09-16T13:48:44]i360: Creating a system restore point. [27F4:2EBC][2021-09-16T13:48:44]i362: System restore disabled, system restore point not created. [27F4:2EBC][2021-09-16T13:48:44]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, options: 0x7, disable resume: No [27F4:2EBC][2021-09-16T13:48:44]i000: Caching bundle from: 'C:\Windows\Temp{FB49C0F4-C065-4621-9ED3-AE2008A17091}.be\cyglass-agent-x64.exe' to: 'C:\ProgramData\Package Cache{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}\cyglass-agent-x64.exe' [27F4:2EBC][2021-09-16T13:48:44]i320: Registering bundle dependency provider: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, version: 2.1.0.0 [27F4:2EBC][2021-09-16T13:48:44]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: Active, restart initiated: No, disable resume: No [27F4:34E8][2021-09-16T13:48:44]i305: Verified acquired payload: NXLog at path: C:\ProgramData\Package Cache.unverified\NXLog, moving to: C:\ProgramData\Package Cache{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735\nxlog-windows_x64.msi. [27F4:34E8][2021-09-16T13:48:44]i304: Verified existing payload: NXLogconf at path: C:\ProgramData\Package Cache{3E825850-75A4-4646-902D-9BCCB94CAEED}v1.0.0\nxlog-conf_x64.msi. [27F4:2EBC][2021-09-16T13:48:44]i323: Registering package dependency provider: {2A263730-5A99-4953-96EE-58D5AD4F9145}, version: 5.3.6735, package: NXLog [27F4:2EBC][2021-09-16T13:48:44]i301: Applying execute package: NXLog, action: Install, path: C:\ProgramData\Package Cache{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735\nxlog-windows_x64.msi, arguments: ' ALLUSERS="1" ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7"' [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to install MSI package. [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package. [2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to configure per-machine MSI package. [2294:25C8][2021-09-16T13:50:32]i319: Applied execute package: NXLog, result: 0x80070643, restart: None [2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package. [27F4:2EBC][2021-09-16T13:50:32]i318: Skipped rollback of package: NXLog, action: Uninstall, already: Absent [2294:25C8][2021-09-16T13:50:32]i319: Applied rollback package: NXLog, result: 0x0, restart: None [27F4:2EBC][2021-09-16T13:50:32]i329: Removed package dependency provider: {2A263730-5A99-4953-96EE-58D5AD4F9145}, package: NXLog [27F4:2EBC][2021-09-16T13:50:32]i351: Removing cached package: NXLog, from path: C:\ProgramData\Package Cache{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735 [27F4:2EBC][2021-09-16T13:50:32]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: None, restart: None, disable resume: No [27F4:2EBC][2021-09-16T13:50:32]i330: Removed bundle dependency provider: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77} [27F4:2EBC][2021-09-16T13:50:32]i352: Removing cached bundle: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, from path: C:\ProgramData\Package Cache{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77} [27F4:2EBC][2021-09-16T13:50:32]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: None, restart initiated: No, disable resume: No [2294:25C8][2021-09-16T13:50:33]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart: No

I've configured the NxLog for forwarding the security event logs from windows using the om_udp module and it is working as I can see those logs on the destination AWS EC2(rsyslog) instance. But when I tried to tweak the NxLog configuration for tcp forwarding using the om_tcp, it is throwing an error as shown below: "ERROR couldn't connect to tcp socket on <REDACTED>; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." Can someone assist here to overcome this error. FYI, both UDP and TCP reception rules are in place.

Hi,I am using NXLog with the Example 108. “File Rotation Based on Size” from the NXLog Community Edition Reference Manual.In rare cases i have the problem that rotate_to uses the wrong filename and overwrite some other logfile. In the example below “logid.log” to “Mod-002”.  See nxlog.logVersion:  nxlog-ce-3.1.2319nxlog.logZeile 3644025: 2023-03-14 10:28:02 INFO om_file successfully rotated file 'C:\Program Files\nxlog\data\10.87.243.24\logid.log' to 'C:\Program Files\nxlog\data\10.87.243.24\Mod-002.20230314102802.log'nxlog.conf## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start. define ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension exec> Module xm_exec </Extension> <Extension syslog> Module xm_syslog </Extension> <Extension fileop> Module xm_fileop </Extension> <Input udp> Module im_udp Host 10.87.243.20 Port 514 Exec parse_syslog(); Exec dir_make('%LOGDIR%' + $Hostname); </Input> <Output udpfile> Module om_file CreateDir TRUE File '%LOGDIR%' + $Hostname + '' + $SourceName + '.log' Exec if udpfile->file_size() > 5M { $newfile = '%LOGDIR%' + $Hostname + '' + $SourceName + '.' + strftime(now(), "%Y%m%d%H%M%S") + '.log'; udpfile->rotate_to($newfile); exec_async('%CONFDIR%\bzip2.exe', $newfile); } </Output> <Route udp> Path udp => udpfile </Route>Any ideas what's going wrong here?Thanks

HiI have noticed that my alerts are about 2 hours behind.  My SIEM rule retrohunts every 10 minutes.What is the default schedule for nxlog community edition? I think I need to input code similar to the below to make my rule retrohunts trigger in a more realtime way<Input in>   Module  im_tcp   Port    2345   <Schedule>       Every   1 sec       First   2010-12-17 00:19:06       Exec    log_info("scheduled execution at " + now());   </Schedule>   <Schedule>       When    1 */2 2-4 * *       Exec    log_info("scheduled execution at " + now());   </Schedule></Input>

Hi everyone, I have the following problem. 1 The problem:I trace the performance counters of several Windows clients. For that, CSV files are created and their inputs then are forwarded to our logging system. Each counter type (RAM, CPU, storage, etc) has its own CSV and therefore its own input in NXlog. While it works without any problems on nearly all clients, there is one Workstation where the im_file inputs are not forwardedBesides the im_file module we use the im_msvistalog module for Windows Event entries as well. And the Workstation does forward these events without any problems. It just has problems with the im_file inputs. Log file does not indicate any error and as I said: this configuration (with minor differences) already works flawlessly on the other systems. 2 The configuration:define ROOT C:\Program Files\nxlog define CERTDIR C:\Program Files\nxlog\keys define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _gelf> Module xm_gelf </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') &gt;= 5M)) \ file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; </Extension> define MonitoredEventIDsSecurity 4624, 4634, 4672 Collecting event log <Input in> Module im_msvistalog SavePos TRUE ReadFromLast TRUE <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> <Exec> if $EventID NOT IN (%MonitoredEventIDsSecurity%) drop(); </Exec> </Input> <Input trace_cpu> Module im_file File 'C:\tracing\trace_cpu.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_ram> Module im_file File 'C:\tracing\trace_ram.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_networkmain> Module im_file File 'C:\tracing\trace_networkmain.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_diskc> Module im_file File 'C:\tracing\trace_diskc.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_diskd> Module im_file File 'C:\tracing\trace_diskd.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_diske> Module im_file File 'C:\tracing\trace_diske.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Output x> Module om_ssl Host %IP_Address% Port %Port% OutputType GELF_TCP CAFile %CERTDIR%\cafile.pem CertFile %CERTDIR%\certfile.pem CertKeyFile %CERTDIR%\certkeyfile.pem KeyPass %password% Exec to_syslog_snare(); </Output> #Connect input 'in' to output 'out' <Route 1> Path in, trace_cpu, trace_ram, trace_networkmain, trace_diskc, trace_diskd, trace_diske => x </Route> 3 The NXLog log:I think it's irrelevant because it only shows this entries:2023-05-09 09:13:13 WARNING stopping nxlog service 2023-05-09 09:13:13 WARNING nxlog-ce received a termination request signal, exiting... 2023-05-09 09:13:16 INFO connecting to %IP_Address%:%Port% 2023-05-09 09:13:16 INFO nxlog-ce-3.1.2319 started 2023-05-09 09:13:16 INFO successfully connected to %IP_Address%:%Port% 4 Environment info:The mentioned client runs Windows 10 Pro 22H2, currently installed NXLog Version is ce-3.1.2319 (but also tested it with ce-3.2.2329)5 Relevant details: Config works on other clients without problemsOnly im_file module not working, im_msvistalog entries are being forwardedUntil two weeks ago I used one central CSV file for all performance counters and this was forwarded correctly until the separation into individual inputsWhen deleting the “Exec $Message = $raw_event;” directive from an input, the respective messages get forwarded to logging system but are in a cryptic format and not useableThat would be it for now. Please feel free to ask if you need further information :)Thanks in advance!

I'm trying to to save syslog and saving logs with a specific hostname based on the IP address. I'm using a if statement and a vaiable to define the file path I want to use. unfortunately I'm getting the folloging error message: nxlog.conf:32; couldn't parse statement at line 36, character 9 in C:\Program Files\nxlog\conf\nxlog.conf; function 'create_var()' does not exist or takes different arguments. My conf file is below. Any hint?  define ROOT C:\Program Files\nxlog Moduledir %ROOT%\modules CacheDir C:\syslog Pidfile C:\syslog\nxlog.pid SpoolDir C:\syslog LogFile C:\syslog\nxlog.log <Extension exec> Module xm_exec </Extension> <Extension syslog> Module xm_syslog </Extension> <Input syslog514udp> Module im_udp Port 514 Host 0.0.0.0 </Input> <Input syslog514tcp> Module im_tcp Port 514 Host 0.0.0.0 </Input> <Output consolefile> Module om_file #defining log path based on hostname &lt;Exec&gt; if $MessageSourceAddress == "10.1.62.61" { create_var('logPath', 'MySBC/Syslog-'+ strftime(now(), '%Y-%m-%d-%H') + '.log') } else { create_var('logPath', $MessageSourceAddress+'/Syslog-'+ strftime(now(), '%Y-%m-%d-%H') + '.log') } &lt;/Exec&gt; File get_var('logPath') # Addiere Zeitstempel an den Event Exec $raw_event = now() + " " + $raw_event; &lt;Exec&gt; if consolefile-&gt;file_size() &gt;= 100M { $newfile = $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H-%M") + ".log"; consolefile-&gt;rotate_to($newfile); } &lt;/Exec&gt; CreateDir TRUE </Output> <Output cdrlogger> Module om_udp Host 127.0.0.1 Port 1514 </Output> <Route udp> Priority 1 Path syslog514udp => consolefile, cdrlogger </Route> <Route tcp> Priority 2 Path syslog514tcp => consolefile, cdrlogger </Route>

Hi, I have a bit of an unconventional setup where I collect windows logs on one server, I then send these logs to another nxlog server via om_tcp. With the outputType GELF_TCP. From this second nxlog server, I then forward the logs to a graylog server using om_udp and outputType GELF_UDP. But the problem is that graylog seems to receive one message for each row in the windows log full message. If I instead forward directly from nxlog to graylog without the second nxlog-server inbetween, they arrive in the correct format. But I really need the other setup to work. Is there something I need to consider when it comes to formatting when first forwarding the logs to a second nxlog-server and then to the graylog server from there? 

We have a folder structure like:/opt/tomcat-onesite/bin | /logs | /etc.... |-/tomcat-anothersite/bin | /logs | /etc.... |-/tomcat-somewhereelse/bin | /logs | /etc.... |-/tomcat-etc... |-/tomcat-logs/onesite -> /opt/tomcat-onesite/logs /anothersite -> /opt/tomcat-anothersite/logs /somewhereelse -> /opt/tomcat-somewhereelse/logs /etc ....All folders directly under /opt/tomcat-logs are symlinks to the corresponding logs folder under each tomcat instance. We wanted to define a File of /opt/tomcat-logs/*.logwith Recursive   TRUE but nxlog-ce doesnt pick up anything. We also tried /opt/tomcat-logs/*/*.log but it seems like nxlog-ce is unable to follow a * symlink or recurse through a symlink. I have no problems with /opt/tomcat-logs/onesite/*.log which works OK. Is this a bug? Is there a reason it does not follow implicit symlinks but does follow them if named?Note with further testing I have /opt/tomcat-*/logs/*.log working and this will do for now but I feel sure this is an error.

Hi,we've configured im_maculs and have noticed, that it does not handle expected ULS logs (which are seen with log stream command).We then configured im_exec module, to run log stream and have compared configurations head-to-head, the input with im_exec receives expected logs, while im_maculs does not.Here is configuration:<Input m_uls>Module im_maculs<Exec># Filterif ($subsystem == 'com.apple.launchservices' and $category == 'open'){$Hostname = hostname();} else{drop();}to_json();</Exec></Input> <Input m_logstream>Module im_execCommand /usr/bin/logArg streamArg --style=ndjsonArg --type=log<Exec>if $raw_event =~ /^{/{# Filterif ($subsystem == 'com.apple.launchservices' and $category == 'open'){$Hostname = hostname();} else{drop();}to_json();} else{# Fix ERROR [im_exec|m_logstream] failed to parse json string, lexical error: invalid char in json text.; Filtering the log data using "t; (right here) ------^; [Filtering the log data using "type == 1024"]# Since first log stream output line is not a json log entry, but informational messagedrop();}</Exec></Input>The m_logstream Input produces log message every time a graphical application is openned in macOS, while the m_uls - does not. 

Hello,I'm deploying nxlog-ce docker container in order to collect logs from several servers.My container is running and stores logs in files. I would like store logs in a postgresql database but the om_dbi module is missing in the container.How can I add this module?

Hi folks,Is NXLog CE compatible with Windows Server 2003?  I am getting “The installation is not supported by this processor type” error.  Works fine on other OS's.RegardsBen