Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
NXLog Community edition not performing any output
jhartman created
SO I was in the process of creating a custom parser for NetMotion VPN logs but for some reason, no matter what I specify in the nxlog.conf I have no output.I originally had an older agent so I uninstalled and reinstalled with the latest download. - No changeI originally had an Exec stanza with some regex to capture some groups and assign them to some variables, I removed that whole section and am simply doing "parse_syslog(); - No change This was my original conf filepanic SOFT
define INSTALLDIR C:\Program Files\nxlog
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log
LogLevel DEBUG
LogFile %MYLOGFILE%
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input NetMotion>
Module im_file
File "C:\Testing-logs\NetMotion.txt"
<Exec>
if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
{
if $4 == 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED';
$version = 'v1';
$time = $3;
$account = $1;
$assigned_ip = $6;
$source_ip = $2;
$authentication_result = 'SUCCESS';
$authentication_target = $5;
}
</Exec>
</Input>
<Output local_file>
Module om_file
Exec to_json();
File "C:\Testing-logs\Parsed.txt"
</Output>
<Route NM_to_file>
Path NetMotion => local_file
</Route>After that was not producing anything I decided to rip the whole thing out and simply do a “parse_syslog” like below but still no luck.panic SOFT
define INSTALLDIR C:\Program Files\nxlog
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log
LogLevel DEBUG
LogFile %MYLOGFILE%
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input NetMotion>
Module im_file
File "C:\Testing-logs\NetMotion.txt"
Exec parse_syslog();
</Input>
<Output local_file>
Module om_file
Exec to_json();
File "C:\Testing-logs\Parsed.txt"
</Output>
<Route NM_to_file>
Path NetMotion => local_file
</Route>I've done similar things before and have never really had an issue but this is throwing me for a loop. The nxlog.log shows no errors and actually says that the routes are being processed. Even when I was applying the custom regex it showed the regex being applied and everythign workign but there were still no lines being written to the Parsed.txt file. Can anyone see anythign blatantly obvious that I'm missing that could stop this from working?
jhartman created
permanent download link gone
AutoNick created
Hi folks,how can we download the latest agent version without going true the manual download page.Since the change of your webpage, the previous links do not work anymore.This crucial, to have the latest agents in place.Thank youNick
AutoNick created
Sending TLS Syslog over from Trellix ePO to NXLOG CE
blackwat3rr created
Hello, I'm having trouble forwarding Logs from my ePO instance to nxlog. ePO will say Syslog connection success under test connection, however, nxlog.log will say “Error Module ssl coulden't read the input; invalid header received by Syslog_TLS input reader, input is not RFC 5425 compliant.” It seems like nxlog is having trouble decrypting due to maybe a certificate issue but im not sure. Any help would be greatly appreciated.
blackwat3rr created
Some error about getting data from chrome history log
lida02@megvii.com created
I want collect chrome histroy log, follow the https://docs.nxlog.co/userguide/integrate/browser-history.html#google-chrome-history-location-and-details guide on windows terminal, because the http://www.ch-werner.de/ site is down, so I can't download “SQLite ODBC Driver”,but i found another substitution https://www.devart.com/odbc/sqlite/download.html , I don't know if this driver is not as same as “SQLite ODBC Driver”. But when I run nxlog, I got some error info.2023-02-14 11:23:25 INFO [im_odbc|odbc] im_odbc successfully connected to the database2023-02-14 11:23:25 WARNING [im_odbc|odbc] im_odbc detected a disconnection, attempting to reconnect in 10 seconds2023-02-14 11:23:25 ERROR [im_odbc|odbc] SQLExecute failed, 22001:2:390:[Devart][ODBC]String data, right-truncated (odbc error code: -1) my input conf like below<Input odbc> Module im_odbc PollInterval 1200 ConnectionString DRIVER=Devart ODBC Driver for SQLite; Database=D:\ProgramFiles\logs\History_Chrome;Version=3; SQL Select visits.id AS id,urls.url AS URL,urls.title AS Title FROM visits INNER JOIN urls ON visits.url = urls.id WHERE visits.id > ? Exec $Hostname = hostname(); Exec to_json();</Input>I want to know what's wrong with my config ,or how to fix it.
lida02@megvii.com created
Unable to download CE v3.1.2319 for Windows
Dave Small created
Getting “Ajax request cannot be executed” error when downloading CE-3.1.2319.msi file from nxlog.co.
Dave Small created
NXLog-CE Question
greg.smith created
Hello,This is not a installation question.Using wget, as I have done for past 6 years was grab a NXLog-CE installation and install on my Linux core servers. Yesterday 11/22/2022 I was unable to do this. I also noticed the Web Site has changed for downloading community versions and now I need to make account. I'm assuming at this point, Steps needed are install NXLog on any core servers I need to make account on NXLog site, Download the package needed. Transfer the NXLog package to a closed environment that we have, Upload NXLog package to a internal repo and distribute it as needed? I'm also assuming this is a security procedure taken by NXLog? If anyone could enlighten me on the new changes that would be great.Thanks-Greg
greg.smith created
Exclude Windows logs based on process name
Alper Demir created
I am sending Windows logs to Graylog via nxlog community edition, but certain processes are generating so much logs that I'd rather not send at all, so I'm trying to figure out how to modify nxlog config to exclude logs with specific terms or generated by a specific process using the “ProcessName” field for example. any help would be appreciated.
Alper Demir created
ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.
billychua created
Hi,I get the above error when I tried to start nxlog server. Below is my config file. Please assists. thank you Panic Softdefine INSTALLDIR C:\Program Files\nxlog#ModuleDir %INSTALLDIR%\modules#CacheDir %INSTALLDIR%\data#SpoolDir %INSTALLDIR%\datadefine CERTDIR %INSTALLDIR%\certdefine CONFDIR %INSTALLDIR%\conf\nxlog.d# Note that these two lines define constants only; the log file location# is ultimately set by the `LogFile` directive (see below). The# `MYLOGFILE` define is also used to rotate the log file automatically# (see the `_fileop` block).define LOGDIR c:\datadefine MYLOGFILE %INSTALLDIR%\data\nxlog.log# If you are not using NXLog Manager, disable the `include` line# and enable LogLevel and LogFile.#include %CONFDIR%\*.confLogLevel INFOLogFile %MYLOGFILE%<Extension exec> Module xm_exec</Extension><Extension _syslog> Module xm_syslog</Extension><Extension fileop> Module xm_fileop</Extension># This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`# is changed in managed.conf via NXLog Manager, rotation of the new# file should also be configured there.<Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour <Exec> if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') >= 5M) ) { file_cycle('%MYLOGFILE%', 8); } </Exec> </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8); </Schedule></Extension><Input tcp> Module im_tcp ListenAddr 0.0.0.0:514</Input>define LOCALFILE 'C:\Users\Administrator\Documents\Data'<Output file> Module om_file File %LOCALFILE%</Output><Route tcp_to_file> Path tcp => file</Route> Error Message:2023-02-06 00:41:43 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows2023-02-06 00:41:43 ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied. 2023-02-06 00:41:43 INFO [im_tcp|tcp] listening on 0.0.0.0:514 Regards, Billy
billychua created
License true-up
TS_521115 created
If a customer purchases 100 NXLog Enterprise licenses and needs more six months later, do they place an order for the additional licenses separately or increase the original order? Are they able to deploy and then true-up, or do they need a unique key for each before deploying?
TS_521115 created
extraspaces added after ; converting messages with multiline parser
Dileep Nannapaneni created
Hi team, i have converted auit messages in multiline to singleline using multiline parser. problem is two spaces are added instead of one space after semicolon. message1;message2; single line: message1;. message2; There is two space first simicolon and message2 instead of one how to remove extra space
Dileep Nannapaneni created
NXLogAgent: Sometimes cannot forwarding log to FortiSIEM (Agent stop running)
Sunat Praphanwong created
I would like to ask, in some circumstances NXLogAgent on Windows, the agent cannot forwarding log to FortiSIEM (sometimes the agent was stopped by itself), I need to manual restart the agent to make the agent running again, in this situation is it abnormal or not?Another question would be about the log format can be parsed by FortiSIEM or I need to custom parser to parse this log format or someone can provide this parser to me?Best Regards,
Sunat Praphanwong created
NX LOG Newbie Question
jrpayne created
Good Afternoon.I currently run a NX log solution that was setup by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server and that server uploads the logs to the IDS. That being said, I have set up a gray log server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should on of them become compromised. (via malware, ransomware, etc) I realize that there is already a config fiile for nx log that sends the event viewer logs so I am assuming that I would have to use that same file to have nx send dns logs to a different location (if that is even possible). So my questions are, Is it possible to do that? If so, is the collection service that has to be stopped in order to edit the config file?I would send these logs to the same online IDS service but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting. Any input will be greatly appreciated.
jrpayne created
Randomly TCP Output
Tulio Gomes created
Hi Folks,I have a tcp output that has 3 hosts in sequence to send to graylog (failover), but I would like to "randomly" switch the ouputs to better distribute the load on the nodes. In my config example, 'graylog_1' will always receive all events. Is there a bultin solution for processor/output to send randomly to the multiple nodes?Config example:<Output out_graylog>
Module om_tcp
FlowControl False
Host 192.168.0.10:514 # graylog_1
Host 192.168.0.11:514 # graylog_2
Host 192.168.0.12:514 # graylog_3
</Output>A viP/loadbalancer for graylog is not the solution I'm looking for, I want to understand the power of nxlog and its customization.
Tulio Gomes created
Eliminate scrolling with wrapping
TestNXLogQA_01 created
It would be nice if you eliminate scrolling with wrapping in this forum posts.
TestNXLogQA_01 created
NXLOG configuration to work with GRAYLOG
José Manuel created
Hi the pronblem is that all works but I don´t receive any log.Graylog version 4.3 in debian 11. Sidecar graylog 1.2 and NXLOG 3.0 if my memory doesn´t fail.What can i do?Thanks and happy new year.
José Manuel created
Average resource consumption of the Nxlog agent.
gijosgun created
Guys, does anyone know where I can get information on average resource consumption by the Nxlog CE agent?Thanks.James \0/
gijosgun created
Unable to forward the windows logs to QRadar SIEM
Venky created
Hi All,I have requirement to forward the windows logs to QRadar using NX . Below is my config file , I am unable to receive the log in my SIEM platform. I could encounter the error : ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.Panic Soft#NoFreeOnExit TRUEdefine ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\conf\nxlog.ddefine LOGDIR %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data<Extension _syslog> Module xm_syslog</Extension># Snare compatible example configuration# Collecting event log<Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'>*</Select> <Select Path='Security'>*[System/Level<4]</Select> <Select Path='System'>*</Select> <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select> <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select> <Select Path='Windows PowerShell'>*</Select> </Query> </QueryList> </QueryXML> <Exec> if $Category == undef $Category = 0; if $EventType == 'CRITICAL' { $EventTypeNum = 1; $EventTypeStr = "Critical"; } else if $EventType == 'ERROR' { $EventTypeNum = 2; $EventTypeStr = "Error"; } else if $EventType == 'INFO' { $EventTypeNum = 4; $EventTypeStr = "Informational"; } else if $EventType == 'WARNING' { $EventTypeNum = 3; $EventTypeStr = "Warning"; } else if $EventType == 'VERBOSE' { $EventTypeNum = 5; $EventTypeStr = "Verbose"; } else { $EventTypeNum = 0; $EventTypeStr = "Audit"; } if $OpcodeValue == 0 $Opcode = "Info"; if $TaskValue == 0 $TaskValue = "None"; $EpochTime = string(integer($EventTime)); $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/; $EpochTime = $sec; if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; } else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; } else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; } else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; } else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; } else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; } else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; } else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; } else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; } else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; } else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; } else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; } else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; } else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; } else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; } else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; } else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; } else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; } else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; } else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; } else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; } else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; } else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; } else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; } else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; } else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; } else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; } else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; } else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; } else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; } else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; } else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; } else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; } else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; } else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; } else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; } else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; } else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; } else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; } else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; } else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; } else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; } else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; } else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; } else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; } else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; } else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; } else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; } else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; } else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; } else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; } else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; } else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; } else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; } else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; } else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; } else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; } else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; } else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; } else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; } else { $TaskStr = "Unknown[" + $taskValue + "]"; } if $KeywordsStr == undef { if $TaskValue == 0 { $KeywordsStr = 'None'; } else { $KeywordsStr = '0'; } } if $TaskStr == undef { $TaskStr = $TaskValue; } if $EventType == 'AUDIT_SUCCESS' { $KeywordsStr = "Audit Success"; $EventTypeNum = 8; } else { $KeywordsStr = "Audit Failure"; $EventTypeNum = 16; } $Message = "AgentDevice=WindowsLog" + "\tAgentLogFile=" + $Channel + "\tSource=" + $SourceName + "\tComputer=" + hostname_fqdn() + "\tOriginatingComputer=" + host_ip() + "\tUser=" + $AccountName + "\tDomain=" + $Domain + "\tEventIDCode=" + $EventID + "\tEventType=" + $EventTypeNum + "\tEventCategory=" + $TaskValue + "\tRecordNumber=" + $RecordNumber + "\tTimeGenerated=" + $EpochTime + "\tTimeWritten=" + $EpochTime + "\tLevel=" + $EventTypeStr + "\tKeywords=" + $KeywordsStr + "\tTask=" + $TaskStr + "\tOpcode=" + $Opcode + "\tMessage=" + $Message; $Hostname = host_ip(); delete($SourceName); delete($Severity); delete($SeverityValue); to_syslog_bsd(); </Exec></Input># # Converting events to Snare format and sending them out over TCP syslog<Output out> Module om_tcp Host 10.x.x.x Port 514 Exec to_syslog_bsd();</Output># # Connect input 'in' to output 'out'<Route 1> Path eventlog => out</Route>
Venky created
Zyxel ATP700 to SIEM
domep created
Hello,I'm trying to forward the VPN logs of a Zyxel ATP700 to my SIEM (InsightIDR), the forwarding works fine, but I can't format them as indicated in this documentationhttps://docs.rapid7.com/insightidr/rapid7-universal-vpn/Can someone help me?Thank you
domep created
Graylog Sidecar integration not working on a Windows 11 system
Jon Irish created
Currently, I have GrayLog running as a docker image on an unraid server. Everything is working well. I also have a MS Windows lab environment that I want to forward logs into Graylog with the help of nxlog. I followed the instructions at: https://docs.nxlog.co/userguide/integrate/graylog.html and I don't have any errors, but I also don't have any data. Any ideas on how I can troubleshoot this to determine where my issue is?
Jon Irish created
Windows Event Logs out in XML
Santiago Sarchetti created
Hello, I´m trying to send logs from my windows server to my SIEM in XML format, but same logs are too long and i see 2 logs instead of just one. <Input windows>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[(EventID=4663 or EventID=4690 or EventID=4658 or EventID=4656)]]</Suppress>
</Query>
</QueryList>
</QueryXML>
</Input>
#
<Output siem>
Module om_tcp
Host xxx.xxx.xxx.xxx
Port 514
Exec to_xml();
</Output>
#
# Connect input 'in' to output 'out'
<Route 1>
Path windows => siem
</Route> Can anyone help me?Thanks
Santiago Sarchetti created