
Error when using to_syslog_ietf() function in config for Ubuntu 18.04
The following config file works on Ubuntu 14.04, but throws an error when used on an 18.04 server. Am I using the to_syslog_ietf() function incorrectly?

########################################
# Global directives                    #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

##### Logging #####
<Input messages>
    Module im_file
    File "/var/log/syslog"
</Input>

<Input audit>
    Module im_file
    File "/var/log/audit/audit.log"
    # Exec $Message = $Hostname + ' ' + $raw_event;
</Input>

<Input auth>
    Module im_file
    File "/var/log/auth.log"
</Input>

<Input eve>
    Module im_file
    File "/var/log/suricata/eve.json"
</Input>

<Output tcp>
    Module om_tcp
    Host 10.10.10.33
    Port 514
</Output>

<Output tcp_audit>
    Module om_tcp
    Host 10.10.10.33
    Port 514
    Exec to_syslog_ietf();
</Output>

<Output tcp_eve>
    Module om_tcp
    Host 10.10.10.33
    Port 10002
</Output>

<Route messages_to_tcp>
    Path messages, auth => tcp
</Route>

<Route messages_to_tcp_audit>
    Path audit => tcp_audit
</Route>

<Route eve_to_tcp>
    Path eve => tcp_eve
</Route>

abajosh created
Replies: 1
Nxlog - Milliseconds difference in Event Timestamp
Hello Team, We are using the nxlog config below to parse one application log file to Graylog. Nxlog is properly parsing the file line by line to Graylog, but we are observing a mismatch in the timestamp (500 to 900 milliseconds) between the actual event and what is shown in Graylog. Please let us know how to fix this issue.

=====================================================================
<Input itmlog>
    Module im_file
    File "/opt/bin/applogs2*.txt"
    SavePos TRUE
    ReadFromLast FALSE
    InputType multiline
    PollInterval 1
    Exec if $raw_event =~ /^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\d{2}.\d{3})/ $EventTime = parsedate($1 + "Z");
    Exec if $raw_event =~ /^.([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|([^|])|([^|]+)|([\S\s])/ { $UUID = $1; $Plugin = $2; $Severity = $3; $Message = $4; } else if $raw_event =~ /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.\d] ([^|]+)|([^|]+)|([\S\s]*)/ { $Plugin = $1; $Severity = $2; $Message = $3; } else { $Message = $raw_message; }
    Exec $facility = 'APP_UAT';
    #Exec $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ");
    Exec $Hostname = %IP%;
    #Exec $FullMessage = '';
</Input>
=====================================================================

Avin created
Replies: 1
Looking for old install
Looking for Windows version 2.8.1248 of NXLog. I am stuck trying to remove this application from a Windows machine, but a system cleanup was performed so the cached installer is missing. Add/Remove Programs is requesting my .msi file to continue removing. I tried going to the downloads page and altering the URL for the latest version to point at the old version, but it has been removed from the website.

DanielJay created
Replies: 1
Is NXLog able to perform complex branching for Routes?
I am setting up NXLog Community Edition in an environment with multiple devices I want to monitor. I have already set up multiple routes of single inputs and outputs that do the job adequately, but I have a feeling I can get more complex and have fewer Routes perform the same action. I have looked around the documentation and played with some prototypes but cannot find anything that works. So are any of the following ideas viable, or does the language prohibit them?

1. Input Branching. Is it possible to route specific incoming logs to specific outputs or routes based on properties (for me it is $MessageSourceAddress)? Either by tagging the data, manipulating route data, etc.

2. Processor Branching. Similar to #1, is it possible to route or send logs to specific outputs based on properties (I am not sure if $MessageSourceAddress is usable in the processor or output modules)?

3. Output Filtering. Is it possible to choose the output destination (for me it will be a file) based on log parameters (again $MessageSourceAddress)? I think this is my best option. For example:

<Output Output_file>
    Module om_file
    <Exec>
        If $MessageSourceAddress = X.X.X.X { File '\TestLogs\Test\ test.log' … }
        else If $MessageSourceAddress = Y.Y.Y.Y { File '\TestLogs\Test2\ test2.log' … }
        else If $MessageSourceAddress = Z.Z.Z.Z { File '\TestLogs\Test3\ test3.log' … }
    </Exec>
</Output>

Thanks in advance!

OLDive created
Replies: 1
Message is shown as truncated in Wireshark when to_syslog_ietf() is used.
I am using the NXLog IETF format (i.e. to_syslog_ietf()) to write logs. But in Wireshark (Packet Detail Window) the message is shown as follows:

Message [truncated]: 1 2022-08-11T10:45:38.152473+05:30 LINL190403680 NCM 0 - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Applicati
Syslog version: 1
Syslog timestamp: Aug 11, 2022 10:45:38.000000000 UTC
Syslog hostname: LINL190403680
Syslog app name: NCM
Syslog process id: 0
Syslog message id [truncated]: - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-

whereas using the BSD format does not cause this issue. The required format is shown below:

Priority (enclosed in < >) representing both facility and severity: <30>
Syslog Version: 1
Syslog timestamp: 2022-08-11T10:45:38.152473+05:30
Syslog hostname: LINL190403680
Syslog app name: NCM
Syslog Process id: 0
Message identifier:
Optional message specific properties (structured data) (enclosed in [ ]): [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-11 10:45:38" SourceModuleName="ExtendedWindowsToCollect" SourceModuleType="im_msvistalog"]
A human readable message (encoded in UTF-8 and starting with BOM, or ASCII 7-bit only bytes): [CB-002] Application is stopped successfully.

Prakash13011993 created
Replies: 1
Can't receive syslog from remote web-based app
There's a remote web-based app that can send syslog to an IP/port. I've installed nxlog on my system and my current nxlog/conf/nxlog.conf file contains these lines:

<Input in>
    Module im_tcp
    Host 0.0.0.0
    Port 1514
    Exec parse_syslog();
</Input>

I assume 0.0.0.0 here would mean localhost? However, the web-based app is failing to send the logs. I've pointed a sub-domain to my local machine where nxlog is installed, and the web-based app is using the sub-domain to send logs to nxlog. I'm not sure what goes in the 'Host' field in the lines above? Any idea how I should go about debugging this?

fm2022 created
Replies: 1
NXLog CE 3.0.2284 Crashed After Graylog Reboot
Hi everybody, I upgraded my whole domain to Graylog 3.0.2284 yesterday, and decided to reboot my Graylog server to clear all the RAM etc. on it. When I restarted the Graylog server, all the updated hosts got their NXLog service "terminated unexpectedly" (info from EventID 7034, Windows Event Log). No information in the nxlog log file, and I needed to start all my services manually. What's wrong...? Thanks!

hebval created
Replies: 1
Authenticate macOS senders over TLS with certificates in System Keychain?
Hello, We are deploying NXLog Enterprise on a fleet of macOS devices with the goal of collecting endpoint events even remotely. This means Graylog GELF exposed over the Internet, with TLS encryption and certificate authentication requirements. I see that om_ssl can do the job of TLS communication and even client authentication, but the settings I see use a file path for the private key. Is there a way to have NXLog with om_ssl on macOS use a certificate from the System Keychain? Thanks

ygini created
Replies: 1
System or Team Identifiers for MacOS and JAMF?
Has anyone used JAMF to distribute this to Macs? We are rolling out NXLog to our Macs. I have the installer working, but don't have any security info to configure things like PPPC or System Extensions. I was able to manually tick the box for Full Disk Access, but I am still getting an error message saying that im_maces in NXLog requires Transparency, Consent, and Control (TCC) approval to connect to Endpoint Security. If I can find the Bundle ID and Identifier, I should be able to roll that info into a PPPC configuration profile which will flip the switch to turn on Full Disk Access during install, so I don't have to do that manually. Then, to clear the error message I am getting above, I likely need a Team Identifier and/or System Extension type for the System Extensions portion of the Configuration Profile in JAMF? But I have checked this website and don't seem to find anything in the documentation or message boards about any identifier. Is there a way to find this info by looking on a system that has the software installed?

VintageMacGuy created
Replies: 1
How to send multiple log files in a directory to rsyslog server
Hi, We have one Oracle DB server and the DBA needs to send all *.aud files from /u01/app/admin/admin/STG19/adump to a remote syslog server. How do we configure the nxlog file for this?

Tejas Pandhare

tejas.pandhare created
Replies: 1
Does NXlog CE 3.x have something equivalent to the DateFormat option in EE?
Hello - Just checking: in a scenario where there are several hosts across multiple timezones, is there a configuration method available for the 3.x version of NXLog CE to always send logs in UTC, similar to the DateFormat option in EE? I've seen options such as doing math on the timezones via the nxlog.conf, but I'm hoping to create a template that can be used on multiple hosts without having to modify each host's nxlog.conf to take account of the local timezone on each host. Thank you!

crobert created
Configuring om_batchcompress and im_batchcompress
Hello everyone, I find myself configuring NXLog EE 5 with the batchcompress modules, but the client does not connect to the server. My client configuration is:

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Read the audit logs
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'></Select>
                <Select Path='Security'>[System/Level&lt;4]</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out_batch>
    Module om_batchcompress
    Host 192.168.1.11
    Port 2514
</Output>

# Send the input data to the output
<Route route_Pattern>
    Path eventlog => out_batch
</Route>

And the error is the following: "couldn't connect to 10.0.200.11:2514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

My server configuration is:

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Log extensions
<Extension json>
    Module xm_json
</Extension>

# Read the client records
<Input in_batch>
    Module im_batchcompress
    ListenAddr 0.0.0.0:2514
</Input>

# Output of the collected records via UDP in JSON format
<Output udp>
    Module om_udp
    Host 192.168.2.6:514
    Exec to_json();
</Output>

# Send the input data to the output
<Route route_Pattern>
    Path in_batch => udp
</Route>

And I do get the message that it is listening on port 2514. Can you help me determine what I am missing in my configuration? I appreciate your help.

gms_jpacheco created
NXLog and DHCP Log Files issue
Hi All, I am using NXLog to forward DHCP events from Windows DHCP Servers. This is working as intended, however I have the following issue: At midnight DHCP rotates the log file used for the next day and archives off the old one. When this occurs I get the following event logged by DHCP to the Windows Event Log: "The DHCP service failed to initialize the audit log. The following error occurred: Access is denied." This is event id 1028 logged by the DHCP service. At the same time NXLog also logs an error about the file:

2022-07-26 00:00:26 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
2022-07-26 00:00:28 WARNING input file was deleted: C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log

Both DHCP and NXLog are able to read the new files after this; I suspect it is the log archiving operation from DHCP, together with NXLog's lock on the file, that causes these to be logged. Our issue is that our monitoring systems are picking up on the DHCP errors and raising alerts. I do not want to turn off monitoring for these events, for obvious reasons. Is there something I can configure / do to prevent this issue from occurring? I have also included my .conf file snippets for the DHCP options below:

<Input MSDHCPLOGIN>
    Module im_file
    File 'C:\Windows\system32\dhcp\DhcpSrvLog-*.log'
    SavePos TRUE
    InputType LineBased
    Exec if $raw_event == '' drop();
    Exec $Hostname = hostname_fqdn(); $SourceName = "DHCPLog"; $Message = $raw_event;
</Input>

<Output MSDHCPLOGOUT1>
    Module om_udp
    Host %XDR1%
    Port %PORT%
    Exec $SyslogFacilityValue = 21; $Severity = 'INFO'; to_syslog_bsd();
</Output>

Thanks in Advance.

beefy66 created
Need to create statistics with a 5 minute window
I'm trying to create a stat which gives a RATE for the last 5 minutes whenever you run get_stat. The code example below runs within an im_msvistalog module. Each of the stats is updated using add_stat('NAME', 1, $EventReceivedTime) in the main Exec block. The first schedule (re)creates the stats each hour, and the second schedule outputs the stats each minute:

<Schedule>
    Every 1 hour
    <Exec>
        create_stat('ep1m', 'RATE', 60, now(), 3600);  # Change of count of events in the last 1 MINUTE
        create_stat('ep5m', 'RATE', 300, now(), 3600); # Change of count (i.e. rate) of events in the last 5 MINUTES
    </Exec>
</Schedule>

<Schedule>
    Every 1 min
    <Exec>
        log_info(get_stat('ep1m') + ' events collected from Windows Security Event Log in the last 1 minutes');
        log_info(get_stat('ep5m') + ' events collected from Windows Security Event Log in the last 5 minutes');
    </Exec>
</Schedule>

The stat that gives me a rate per minute is working fine. The stat that gives me a rate per 5 minutes is not working as expected:

create_stat('ep5m', 'RATE', 300, now(), 3600);

My expectation was that each minute, when I write the log, it would give me the RATE (i.e. change in count) for the last 300 seconds. I expected this value to go up and down each minute when I write the log info output. Instead it seems to be grouping the statistics into fixed 5 minute windows from the creation of the counter. That is, a RATE for the first 0-5 mins, then a new RATE for the next 5-10 mins, etc. Is there a way to ensure that when I query the statistics for the last 5 minutes it always gives me the interval between now() and 300 seconds ago?

cjj1977 created
Log encryption in Community Edition
Hello, The question is whether there is encryption of the logs in Community Edition? And can I deploy NXLog Community Edition with a custom config via Group Policy? Thanks in advance!

empty123 created
Replies: 1
Is there a way to Reload NXlog Config using <Schedule>?
I'm looking for ways to reload the nxlog config globally using the <Schedule> option without having to restart the service or use the 'Update and Reload' button in NXLog Manager. Is there a certain parameter that can be used in the conf file that will do this on a specific cadence?

Jwaldon-oti created
Replies: 1
ODBC (im_odbc) lost connection after database restart
Hi, we use ODBC (im_odbc) to read some data from an Oracle database and write it to a file. The polling interval is 15 mins. We noticed that when the database service restarts, ODBC (im_odbc) does not automatically restart the connection. The only way I found to solve this problem is to stop and start the nxlog service. Is there any parameter that forces nxlog to reconnect when the existing connection is lost? Thanks

Operation created
Replies: 2
Microsoft Defender Antivirus Events
Hi, I'd like to log my Microsoft Defender events (EventID 1116) so that when malware is detected, I get it on my Graylog server. The problem is that with Server 2016/Windows 10, there are too many logs for a simple input (with the 256 limit). So I decided to filter some, and to only get some of them:

<Input in>
    Module im_msvistalog
    Query <QueryList>
        <Query Id="0">
            <Select Path="Application"></Select>
            <Select Path="System"></Select>
            <Select Path="Security"></Select>
            <Select Path="Windows PowerShell"></Select>
            <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
        </Query>
    </QueryList>

I receive my App, Sys, Security, and PowerShell events in Graylog but not my Windows Defender events. I tried to generate logs multiple times with some EICAR files; the logs appear in the Event Viewer, but nothing appears in my Graylog server. Any help please? :) thanks

hebval created
Replies: 1
NXLog and Windows Firewall Log File
Hi. I am relatively new to nxlog and I hope the community can help me with my question. I have a Windows Firewall log file on a Windows Server and the following nxlog configuration:

<Input in>
    Module im_file
    File "C:\Windows\system32\LogFiles\Firewall\pfirewall.log"
    SavePos TRUE
    ReadFromLast TRUE
    Exec parse_syslog_ietf();
</Input>

<Output out>
    Module om_tcp
    Host 3.125.146.97:514
    #Exec to_syslog_ietf();
</Output>

<Route 1>
    Path in => out
</Route>

So far so good. The logs I receive now look like this:

<13>1 2022-07-08T13:44:08+00:00 ec2-3-66-101-32 1 - - - 2022-07-08T15:44:17.208477+02:00 WINFS02 - - - [NXLOG@14506 EventReceivedTime="2022-07-08 15:44:17" SourceModuleName="in" SourceModuleType="im_file"] 2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE

Can I shorten the message, so that I receive just the end of the message?

2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE

NX_RAF created
Replies: 1
How to verify centralized logging is set up on a Windows server and/or endpoint
My question here is: If I want to scan an asset to verify that event logs are getting forwarded via the NXLog configuration, where will I find the evidence on the device that is sending the logs to the NXLog collector? Will this be somewhere in the registry, or should I look somewhere else?

dhicks created
Replies: 1