Unable to forward the windows logs to QRadar SIEM
Venky created
Hi All, I have a requirement to forward the Windows logs to QRadar using NXLog. Below is my config file; I am unable to receive the logs in my SIEM platform. I encounter the error:

ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level&lt;4]</Select>
                <Select Path='System'>*</Select>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
                <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
                <Select Path='Windows PowerShell'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $Category == undef $Category = 0;

        # Map the Windows level to the Snare EventType number and label
        if $EventType == 'CRITICAL'
        {
            $EventTypeNum = 1;
            $EventTypeStr = "Critical";
        }
        else if $EventType == 'ERROR'
        {
            $EventTypeNum = 2;
            $EventTypeStr = "Error";
        }
        else if $EventType == 'INFO'
        {
            $EventTypeNum = 4;
            $EventTypeStr = "Informational";
        }
        else if $EventType == 'WARNING'
        {
            $EventTypeNum = 3;
            $EventTypeStr = "Warning";
        }
        else if $EventType == 'VERBOSE'
        {
            $EventTypeNum = 5;
            $EventTypeStr = "Verbose";
        }
        else
        {
            $EventTypeNum = 0;
            $EventTypeStr = "Audit";
        }

        if $OpcodeValue == 0 $Opcode = "Info";
        if $TaskValue == 0 $TaskValue = "None";

        # $EventTime is microseconds since the epoch; keep only the seconds part
        $EpochTime = string(integer($EventTime));
        $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;
        $EpochTime = $sec;

        # Security audit subcategory (Task) to symbolic name
        if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }
        else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }
        else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }
        else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }
        else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }
        else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }
        else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }
        else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }
        else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }
        else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }
        else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }
        else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }
        else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }
        else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }
        else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }
        else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }
        else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }
        else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }
        else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }
        else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }
        else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }
        else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }
        else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }
        else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }
        else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }
        else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }
        else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }
        else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }
        else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }
        else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }
        else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }
        else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }
        else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }
        else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }
        else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }
        else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }
        else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }
        else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }
        else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }
        else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }
        else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }
        else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }
        else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }
        else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }
        else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }
        else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }
        else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }
        else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }
        else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }
        else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }
        else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }
        else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }
        else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }
        else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }
        else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }
        else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }
        else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }
        else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }
        else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }
        else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }
        else { $TaskStr = "Unknown[" + $TaskValue + "]"; }

        if $KeywordsStr == undef
        {
            if $TaskValue == 0 { $KeywordsStr = 'None'; }
            else { $KeywordsStr = '0'; }
        }
        if $TaskStr == undef { $TaskStr = $TaskValue; }

        # Audit outcome overrides the level-based type for Security events only;
        # non-audit events keep the EventTypeNum/KeywordsStr set above
        if $EventType == 'AUDIT_SUCCESS'
        {
            $KeywordsStr = "Audit Success";
            $EventTypeNum = 8;
        }
        else if $EventType == 'AUDIT_FAILURE'
        {
            $KeywordsStr = "Audit Failure";
            $EventTypeNum = 16;
        }

        # Tab-delimited Snare/QRadar Windows event format
        $Message = "AgentDevice=WindowsLog" +
                   "\tAgentLogFile=" + $Channel +
                   "\tSource=" + $SourceName +
                   "\tComputer=" + hostname_fqdn() +
                   "\tOriginatingComputer=" + host_ip() +
                   "\tUser=" + $AccountName +
                   "\tDomain=" + $Domain +
                   "\tEventIDCode=" + $EventID +
                   "\tEventType=" + $EventTypeNum +
                   "\tEventCategory=" + $TaskValue +
                   "\tRecordNumber=" + $RecordNumber +
                   "\tTimeGenerated=" + $EpochTime +
                   "\tTimeWritten=" + $EpochTime +
                   "\tLevel=" + $EventTypeStr +
                   "\tKeywords=" + $KeywordsStr +
                   "\tTask=" + $TaskStr +
                   "\tOpcode=" + $Opcode +
                   "\tMessage=" + $Message;
        $Hostname = host_ip();
        delete($SourceName);
        delete($Severity);
        delete($SeverityValue);
        to_syslog_bsd();
    </Exec>
</Input>

# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module om_tcp
    Host 10.x.x.x
    Port 514
    Exec to_syslog_bsd();
</Output>

# Connect input 'eventlog' to output 'out'
<Route 1>
    Path eventlog => out
</Route>
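A check for the 15007 error above, added here as an example; it is not part of Venky's post and not NXLog's own tooling. It pulls the <QueryXML> block out of nxlog.conf, verifies it is well-formed XML, asks the event log service whether each channel named in a Select or Suppress exists and is enabled, and then dry-runs the same query through Get-WinEvent, which goes through the same Windows event log API that im_msvistalog subscribes with. The config path is an assumption (the CE default); run it elevated on the host that logs the error.

```powershell
# Added example, not from the original post or from NXLog: find which channels
# referenced by an im_msvistalog <QueryXML> block are missing on this host.
# Assumption: the CE default config path; override with -ConfPath.
param([string]$ConfPath = 'C:\Program Files\nxlog\conf\nxlog.conf')

$conf = Get-Content -Path $ConfPath -Raw
$m = [regex]::Match($conf, '(?s)<QueryXML>\s*(.*?)\s*</QueryXML>')
if (-not $m.Success) { throw "No <QueryXML> block found in $ConfPath" }

# The block must be well-formed XML. A bare '<' in an XPath (e.g. Level<4) has
# to be written as &lt;, otherwise the query is rejected before any channel is opened.
try   { $query = [xml]$m.Groups[1].Value }
catch { throw "QueryXML is not well-formed XML: $($_.Exception.Message)" }

# Every channel the query touches, from both <Select> and <Suppress> elements.
$channels = $query.SelectNodes('//Select/@Path | //Suppress/@Path') |
            ForEach-Object { $_.Value } | Sort-Object -Unique

$missing = @()
foreach ($ch in $channels) {
    $log = Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue
    if ($null -eq $log) {
        # This is what error 15007 ("The specified channel could not be found") means:
        # the channel is not registered, typically because its provider (Sysmon,
        # PowerShell, a server role) is not installed on this host.
        Write-Warning "MISSING  $ch"
        $missing += $ch
    } elseif (-not $log.IsEnabled) {
        Write-Warning "DISABLED $ch  (enable with: wevtutil sl `"$ch`" /e:true)"
    } else {
        Write-Output ("OK       {0}  ({1} records)" -f $ch, $log.RecordCount)
    }
}

# Dry-run the exact query through the event log service. The same XPath and
# channel set nxlog subscribes to must succeed here before nxlog can.
try {
    Get-WinEvent -FilterXml $query -MaxEvents 3 -ErrorAction Stop |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName | Format-Table -AutoSize
} catch {
    Write-Warning "Query rejected by the event log service: $($_.Exception.Message)"
}

if ($missing) {
    Write-Warning ("Remove these <Select> lines (or install their providers) on this host: " + ($missing -join ', '))
}
```

A channel that exists on the machine where the config was written (Sysmon or the PowerShell operational log, for instance) can still be absent on the target, and im_msvistalog refuses the whole subscription rather than skipping the one channel, so every host the config is deployed to needs this check.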
Zyxel ATP700 to SIEM
domep created
Hello, I'm trying to forward the VPN logs of a Zyxel ATP700 to my SIEM (InsightIDR). The forwarding works fine, but I can't format them as indicated in this documentation: https://docs.rapid7.com/insightidr/rapid7-universal-vpn/ Can someone help me? Thank you
Graylog Sidecar integration not working on a Windows 11 system
Jon Irish created
Currently, I have Graylog running as a Docker image on an Unraid server. Everything is working well. I also have an MS Windows lab environment from which I want to forward logs into Graylog with the help of nxlog. I followed the instructions at https://docs.nxlog.co/userguide/integrate/graylog.html and I don't have any errors, but I also don't have any data. Any ideas on how I can troubleshoot this to determine where my issue is?
Windows Event Logs out in XML
Santiago Sarchetti created
Hello, I'm trying to send logs from my Windows server to my SIEM in XML format, but some logs are too long and I see 2 logs instead of just one.
<Input windows>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[(EventID=4663 or EventID=4690 or EventID=4658 or EventID=4656)]]</Suppress>
</Query>
</QueryList>
</QueryXML>
</Input>
#
<Output siem>
Module om_tcp
Host xxx.xxx.xxx.xxx
Port 514
Exec to_xml();
</Output>
#
# Connect input 'in' to output 'out'
<Route 1>
Path windows => siem
</Route>
Can anyone help me? Thanks
IM_ETW Module
jrpayne created
Can anyone tell me for certain if this module is only included in the Enterprise version? If so, where does one buy the Enterprise version and what is its approximate cost (USD)?
nxlog config file for 2003 servers
punith created
Hello Team, I am new to nxlog and I have a requirement to collect Windows logs from 2003 servers; the agent version that I am using is "nxlog-ce-2.11.2190". As per the document I have used the im_mseventlog module, but I am still getting an error and am not able to pull the logs from the 2003 servers. If someone could please share a config file for 2003 servers it would be a great help. Below is the error that we are getting when starting the nxlog service.

2022-12-21 09:37:50 WARNING nxlog-ce received a termination request signal, exiting...
2022-12-21 09:37:51 ERROR invalid keyword: QueryXML at C:\Program Files\nxlog\conf\nxlog.conf:27
2022-12-21 09:37:51 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:59
2022-12-21 09:37:51 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:59
2022-12-21 09:37:51 WARNING no routes defined!
2022-12-21 09:37:51 WARNING not starting unused module eventlog
2022-12-21 09:37:51 WARNING not starting unused module syslogout
2022-12-21 09:37:51 INFO nxlog-ce-2.11.2190 started

My config file:

#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

############INPUTS########
<Input eventlog>
Module im_mseventlog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>

#<Processor eventlog_transformer>
#Module pm_transformer
#</Processor>

#<Processor buffer>
#Module pm_buffer
#MaxSize 102400
#Type disk
#</Processor>

<Output syslogout>
#Module om_udp
Module om_tcp
Host syslogip
Port 514
Exec to_syslog_snare();
</Output>
#<Route 1>
#Path eventlog => eventlog_transformer => syslogout
#</Route>
<Route 1>
Path eventlog => syslogout
</Route>
Accesses to AccessList mapping
opoplawski created
I'm sending im_msvistalog messages to Splunk via to_json(). I'm ending up with a field AccessList like:
AccessList: %%4423
which I assume is some kind of mapping of:
Access Request Information: Accesses: ReadAttributes
from the "Message" component. Is that right? If so, it's fairly obscure. Is there some way to preserve "Accesses" as is? What is "AccessList" trying to tell me? Is there somewhere I can go to decode it?
How to get NXLog Manager license
klevintest2 created
Hello team, how do I get an NXLog Manager license? Thank you, Klevin
nxlog-ce-3.1.2319.msi vs windows 2008 R2
egas84 created
Hi, is it possible to install nxlog-ce-3.1.2319.msi on Windows 2008 R2? Regards.
Update required of a specific windows EventID
dudu.confirm@gmail.com created
Hi, I am doing my first steps with NXLog. I have managed to collect the whole "Security" Windows event log and also managed to update the "Version" parameter to my own parameter, just for test purposes. Now I need to perform 3 tasks:
1. Collect the whole "Security" Windows event log - Done
2. Update the "Version" parameter from int to string - Done
3. Update the "Hostname" parameter of a specific event ID (for example EventID 4656) to "test" - Please advise
Thank you

<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='Security'>*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
$Hostname = "test"; # This task should be only for eventID 4656
$Version = string($Version);
to_json();
</Exec>
</Input>
"module file not found" when using file->file_size() or other file functions in Exec
hukel created
I am trying to use the example in https://docs.nxlog.co/ce/current/index.html#om_file for file rotation on Windows (nxlog-ce-3.1.2319). I receive the following error:
ERROR Couldn't parse Exec block at xxx.conf:104; couldn't parse statement at line 107, character 29 in xxx.conf; module file not found
ERROR module 'testfile' has configuration errors
using this configuration. The output works fine if I don't use the functions, so I assume om_file must be loading (by default?).
<Output testfile>
Module om_file
File "E:/nxlog_output/active/nxlog-out.txt"
<Exec>
# Format output
to_json();
# Rotate file based on size, move to staging folder
if (file->file_size() > 10M)
{
$stagingFolder = 'E:/nxlog_output/staged/';
$newfile = $stagingFolder + 'data_' + strftime(now(), '%Y%m%d%H%M%S') + '.log';
file->rotate_to($newfile);
}
</Exec>
</Output>
Help using this forum - searching and following Google results
hukel created
Apologies if I'm being dense, but I need some help with navigation of this site. The upper-right search box on this page (https://nxlog.co/community-forum/) never submits. Is there another search function I can use? Google search results all point to URLs like https://nxlog.co/question/4970/iis-logs-containing-quotes-are-not-processing, which return a 404 when I click through.
file_name() doesn't work. nxlog-ce-3.1.2319.msi
ARTEM A created
Hi, I have installed the nxlog service (nxlog-ce-3.1.2319.msi) on a Windows Server 2019 Core machine. I have this config:
define EVENT_REGEX /^.*(<EventData>.+<\/EventData>)$/
<Extension xml>
Module xm_xml
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input k8s_containers>
Module im_file
File "c:\var\log\containers*.log"
<Exec>
if $raw_event =~ %EVENT_REGEX%
{
parse_xml($1);
}
else
{
drop();
}
$log_type = "k8s_container";
$hostname = hostname();
$host_ip = host_ip();
$log_file = file_name();
if $log_file =~ /(.+)_(.+)_(.+)-(.+).log$/
{
$k8s_pod = $1;
$k8s_namespace = $2;
$k8s_container = $3;
$k8s_container_id = $4;
}
to_json();
</Exec>
</Input>
<Output file>
Module om_file
File "c:\k\nxlog.log"
</Output>
<Route containerlog>
Path k8s_containers => file
</Route>
Everything works fine, but the log line has "log_file": "unknown", and because of that I don't get the $k8s_* fields. How should I debug/resolve this issue?
IBM AIX & SUN Solaris
9538789648 created
Does the nxlog community edition support IBM AIX & Sun Solaris?
How to collect RADIUS Accounting messages over UDP?
hukel created
Is there a combination of inputs and extensions that can be used to collect RADIUS accounting messages via UDP listener?
We use Microsoft NPS today, but could benefit from the forking and advanced parsing of NXLog. We send RADIUS accounting messages from multiple network devices and the differences in data layout are a bit too much for NPS.
Windows event logging
scotty created
Forgive my ignorance, but I'm looking to use NXLog to capture all Windows events under System, Application and Security, whether they be Audit, Info, Error or Critical. Am I correct in my assumption that with no filters it should collect everything?
<Select Path='Application'></Select>
<Select Path='Security'></Select>
<Select Path='System'></Select>
or do I need to specify on single lines each severity level? for example:
<Select Path='Application'>[System/Level=4]</Select>
<Select Path='Application'>[System/Level=3]</Select>
<Select Path='Application'>[System/Level=2]</Select>
and so on?
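The quickest way to see what a given <Select> expression returns is to run it through Get-WinEvent, which evaluates the same QueryList XML the event log service evaluates for im_msvistalog. The function below is an added example, not part of scotty's post or of NXLog: it wraps a Select expression in a one-channel QueryList and counts the matching records by Level. The channel and the sample size are assumptions.

```powershell
# Added example, not from the original post: run a QueryList Select expression
# directly against the local event log and count what it matches by Level.
function Get-EventCountByLevel {
    param(
        [Parameter(Mandatory)][string]$SelectXPath,   # the text between <Select> and </Select>
        [string]$Channel = 'Application',             # assumption; any registered channel works
        [int]$Max = 1000                              # assumption; sample size for the count
    )
    # Build the same structure nxlog puts inside <QueryXML>. Comparison operators
    # in $SelectXPath must already be XML-escaped (Level&lt;=3, not Level<=3).
    $xml = [xml]@"
<QueryList>
  <Query Id="0" Path="$Channel">
    <Select Path="$Channel">$SelectXPath</Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $xml -MaxEvents $Max -ErrorAction SilentlyContinue |
        Group-Object -Property Level |
        Select-Object @{ n = 'Level'; e = { [int]$_.Name } }, Count |
        Sort-Object Level
}

# '*' matches every record regardless of Level (1=Critical 2=Error 3=Warning
# 4=Information 5=Verbose), so one Select per channel already collects everything;
# separate Level=4 / Level=3 / Level=2 lines can only narrow it.
Get-EventCountByLevel -SelectXPath '*'
Get-EventCountByLevel -SelectXPath '*[System[Level=2]]'

# Security audit records all carry Level 0; success/failure is encoded in Keywords,
# not Level: Audit Failure = 0x10000000000000 (4503599627370496),
# Audit Success = 0x20000000000000 (9007199254740992).
Get-EventCountByLevel -Channel 'Security' -SelectXPath '*[System[band(Keywords,4503599627370496)]]'
```

An empty <Select></Select> is not the same as '*': the element's text is the XPath, so leave the asterisk in. Reading the Security channel needs an elevated session.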
NXLog Uninstallation Issues via string
j_shek created
Hi guys,
We have NXLog CE 3.0.2272 installed on a server which was originally installed by another user manually. We have tried uninstalling it via the uninstall string MsiExec.exe /X {xxxxx} via ConnectWise which appeared to have uninstalled ok. Since then, we have installed a newer CE version 3.1.2319 however after installation the nxlog service is non-existent. We suspect the uninstallation via string may have broken this. Several attempts using the original installer to repair or uninstall/reboots does not fix this.
Is there a way we can start fresh to remove NXLog completely then install? Any help would be appreciated :)
TIA
Jordan
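A way to inventory and clear out an earlier NXLog CE install before running a new installer, added here as an example; it is not from the post above and not NXLog's own procedure. It records the MSI product codes, the service, the service registry key and the install directory, backs up conf\ and cert\, uninstalls every registered product code with a verbose log, removes an orphaned service registration and leftover files, and then re-runs the inventory so the result can be compared. The service name 'nxlog' and the default install directory are assumptions; the removal steps are destructive and need an elevated session.

```powershell
# Added example, not from the original post: inventory what an earlier NXLog CE
# install left behind, then remove it completely before reinstalling.
# Assumptions: service name 'nxlog' and the default install directory.
$InstallDir  = 'C:\Program Files\nxlog'
$ServiceName = 'nxlog'

function Get-NxlogInstallState {
    # MSI registers its product code under one of these keys; PSChildName is the {GUID}.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $msi = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'NXLog*' } |
           Select-Object DisplayName, DisplayVersion, PSChildName, UninstallString
    [pscustomobject]@{
        MsiEntries = @($msi)
        Service    = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        ServiceKey = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
        InstallDir = Test-Path $InstallDir
        Process    = Get-Process -Name $ServiceName -ErrorAction SilentlyContinue
    }
}

$before = Get-NxlogInstallState
$before | Format-List

# Keep the config and certificates: a fresh install does not recreate them.
$backup = Join-Path $env:TEMP 'nxlog-backup'
New-Item -ItemType Directory -Force -Path $backup | Out-Null
foreach ($d in 'conf', 'cert') {
    Copy-Item (Join-Path $InstallDir $d) -Destination $backup -Recurse -Force -ErrorAction SilentlyContinue
}

# Uninstall each registered product code with a verbose log to read if it fails,
# then drop an orphaned service registration and leftover files.
foreach ($e in $before.MsiEntries) {
    Start-Process msiexec.exe -Wait -ArgumentList "/x $($e.PSChildName) /qn /l*v `"$env:TEMP\nxlog-uninstall.log`""
}
if ($before.Service) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    sc.exe delete $ServiceName | Out-Null    # sc.exe, not the PowerShell alias 'sc'
}
Remove-Item -Path $InstallDir -Recurse -Force -ErrorAction SilentlyContinue

# Expect: no MSI entries, no service, no service key, no directory, no process.
Get-NxlogInstallState | Format-List
```

If the second inventory still shows the service, the service was marked for deletion and a reboot is needed before the installer can register it again; after installing, copy conf\ and cert\ back from the backup directory.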
Issues with the nxlog agent when installed on Citrix MCS VDI machines.
gijosgun created
Hello everyone!
I have a scenario that uses Citrix MCS where I installed the agent on the master image that provides clone images that should go with the nxlog agent installed and running. But the agent goes up with some errors as below:
2022-09-23 13:51:38 ERROR couldn't connect to udp socket on <IP:XYZ:514>; The socket operation was attempted to an unreachable network.
2022-09-23 13:51:46 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-09-23 13:51:46 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Setup WitnessClientAdmin
2022-09-23 13:52:14 WARNING received a system shutdown request
2022-09-23 13:52:14 WARNING stopping nxlog service
2022-09-23 13:52:14 WARNING nxlog-ce received a termination request signal, exiting...
2022-11-02 23:16:38 INFO nxlog-ce-2.11.2190 started
2022-11-02 23:16:44 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-11-02 23:16:44 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Setup WitnessClientAdmin
2022-11-02 23:27:15 ERROR EvtNext failed with error 15007: The specified channel could not be found. Check channel configuration.
2022-11-02 23:27:16 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-11-02 23:27:16 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: WitnessClientAdmin
2022-11-02 23:27:16 ERROR Failed to retrieve eventlog fields; The handle is invalid.
Has anyone had a problem like this using Citrix MCS?
Thanks
James \0/
Memory leak in NXLog 5 (including latest v5.6.7727)
Roman_Andreev created
Hello!
We have permanent memory leaks on a Windows Event Collector server with any NXLog 5 version. If we install any version 4, it works without a memory leak, but very slowly; it accumulates a queue on a single filter for Windows events. How can we help to fix it in the next release?