
ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.

Hi,

I get the above error when I try to start the nxlog server. Below is my config file. Please assist. Thank you.


Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir  %INSTALLDIR%\data
#SpoolDir  %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR c:\data
define MYLOGFILE %INSTALLDIR%\data\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%\*.conf

LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension exec>
   Module        xm_exec
</Extension>

<Extension _syslog>
   Module  xm_syslog
</Extension>

<Extension fileop>
   Module      xm_fileop
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
   Module  xm_fileop

   # Check the size of our log file hourly, rotate if larger than 5MB
   <Schedule>
       Every   1 hour
       <Exec>
           if ( file_exists('%MYLOGFILE%') and
                (file_size('%MYLOGFILE%') >= 5M) )
           {
                file_cycle('%MYLOGFILE%', 8);
           }
       </Exec>
   </Schedule>

   # Rotate our log file every week on Sunday at midnight
   <Schedule>
       When    @weekly
       Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
   </Schedule>
</Extension>

<Input tcp>
   Module      im_tcp
   ListenAddr  0.0.0.0:514
</Input>

define LOCALFILE  'C:\Users\Administrator\Documents\Data'
<Output file>
   Module  om_file
   File    %LOCALFILE%
</Output>

<Route tcp_to_file>
   Path    tcp => file
</Route>


Error Message:

2023-02-06 00:41:43 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows
2023-02-06 00:41:43 ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.  
2023-02-06 00:41:43 INFO [im_tcp|tcp] listening on 0.0.0.0:514


Regards, Billy


billychua created
Replies: 1
License true-up

If a customer purchases 100 NXLog Enterprise licenses and needs more six months later, do they place an order for the additional licenses separately or increase the original order? Are they able to deploy and then true-up, or do they need a unique key for each before deploying?


TS_521115 created
Replies: 2
Extra spaces added after ; when converting messages with multiline parser

Hi team, 

I have converted audit messages from multiline to single line using the multiline parser. The problem is that two spaces are added instead of one space after the semicolon.


message1;

message2;


single line: message1;. message2;


There are two spaces between the first semicolon and message2 instead of one. How do I remove the extra space?


Dileep Nannapaneni created
Replies: 6
NXLogAgent: Sometimes cannot forward logs to FortiSIEM (agent stops running)

I would like to ask: in some circumstances, NXLogAgent on Windows cannot forward logs to FortiSIEM (sometimes the agent stops by itself), and I need to manually restart the agent to make it run again. Is this situation abnormal or not?

Another question is about the log format: can it be parsed by FortiSIEM, or do I need a custom parser to parse this log format, or can someone provide this parser to me?

Best Regards, 


Sunat Praphanwong created
Replies: 8
NX LOG Newbie Question

Good Afternoon.

I currently run an NX log solution that was set up by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server, and that server uploads the logs to the IDS. That being said, I have set up a Graylog server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should one of them become compromised (via malware, ransomware, etc.). I realize that there is already a config file for nx log that sends the event viewer logs, so I am assuming that I would have to use that same file to have nx send DNS logs to a different location (if that is even possible). So my questions are: Is it possible to do that? If so, is it the collection service that has to be stopped in order to edit the config file?

I would send these logs to the same online IDS service but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting. 

Any input will be greatly appreciated.


jrpayne created
Randomly TCP Output

Hi Folks,

I have a tcp output that has 3 hosts in sequence to send to graylog (failover), but I would like to "randomly" switch the outputs to better distribute the load on the nodes. In my config example, 'graylog_1' will always receive all events. Is there a builtin solution for a processor/output to send randomly to the multiple nodes?

Config example:

<Output out_graylog>
        Module om_tcp
        FlowControl False    
        Host 192.168.0.10:514 # graylog_1    
        Host 192.168.0.11:514 # graylog_2    
        Host 192.168.0.12:514 # graylog_3
</Output>

A VIP/loadbalancer for graylog is not the solution I'm looking for; I want to understand the power of nxlog and its customization.


Tulio Gomes created
Replies: 3
Eliminate scrolling with wrapping

It would be nice if you eliminated scrolling with wrapping in this forum's posts.


TestNXLogQA_01 created
Replies: 0
NXLOG configuration to work with GRAYLOG

Hi, the problem is that all works but I don't receive any log.

Graylog version 4.3 in Debian 11. Sidecar graylog 1.2 and NXLOG 3.0, if my memory doesn't fail.

What can i do?

Thanks and happy new year.


José Manuel created
Replies: 4
Average resource consumption of the Nxlog agent.

Guys, does anyone know where I can get information on average resource consumption by the Nxlog CE agent?

Thanks.

James \0/


gijosgun created
Replies: 1
Unable to forward the windows logs to QRadar SIEM

Hi All,

I have a requirement to forward the Windows logs to QRadar using NX. Below is my config file; I am unable to receive the logs in my SIEM platform. I encounter the error: ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
   Module      xm_syslog
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input eventlog>
   Module    im_msvistalog

   <QueryXML>
       <QueryList>
           <Query Id='0'>
               <Select Path='Application'>*</Select>
               <Select Path='Security'>*[System/Level<4]</Select>
               <Select Path='System'>*</Select>
               <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
               <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
               <Select Path='Windows PowerShell'>*</Select>
           </Query>
       </QueryList>
   </QueryXML>
   <Exec>
       if $Category == undef $Category = 0;
       if $EventType == 'CRITICAL'
       {
           $EventTypeNum = 1;
           $EventTypeStr = "Critical";
       }
       else if $EventType == 'ERROR'
       {
           $EventTypeNum = 2;
           $EventTypeStr = "Error";
       }
       else if $EventType == 'INFO'
       {
           $EventTypeNum = 4;
           $EventTypeStr = "Informational";
       }
       else if $EventType == 'WARNING'
       {
           $EventTypeNum = 3;
           $EventTypeStr = "Warning";
       }
       else if $EventType == 'VERBOSE'
       {
           $EventTypeNum = 5;
           $EventTypeStr = "Verbose";
       }
       else
       {
           $EventTypeNum = 0;
           $EventTypeStr = "Audit";
       }
       if $OpcodeValue == 0 $Opcode = "Info";
       if $TaskValue == 0 $TaskValue = "None";

       $EpochTime = string(integer($EventTime));
       $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;
       $EpochTime = $sec;

       if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }
       else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }
       else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }
       else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }
       else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }
       else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }
       else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }
       else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }
       else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }
       else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }
       else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }
       else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }
       else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }
       else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }
       else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }
       else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }
       else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }
       else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }
       else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }
       else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }
       else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }
       else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }
       else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }
       else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }
       else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }
       else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }
       else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }
       else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }
       else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }
       else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }
       else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }
       else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }
       else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }
       else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }
       else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }
       else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }
       else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }
       else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }
       else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }
       else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }
       else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }
       else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }
       else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }
       else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }
       else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }
       else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }
       else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }
       else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }
       else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }
       else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }
       else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }
       else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }
       else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }
       else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }
       else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }
       else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }
       else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }
       else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }
       else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }
       else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }
       else { $TaskStr = "Unknown[" + $taskValue + "]"; }

   if $KeywordsStr == undef {
       if $TaskValue == 0 {
           $KeywordsStr = 'None';
       } else {
           $KeywordsStr = '0';
       }
   }

   if $TaskStr == undef {
       $TaskStr = $TaskValue;
   }

   if $EventType == 'AUDIT_SUCCESS' {
       $KeywordsStr = "Audit Success";
       $EventTypeNum = 8;
   } else {
       $KeywordsStr = "Audit Failure";
       $EventTypeNum = 16;
   }

       $Message = "AgentDevice=WindowsLog" +
           "\tAgentLogFile=" + $Channel +
           "\tSource=" + $SourceName +
           "\tComputer=" + hostname_fqdn() +
           "\tOriginatingComputer=" + host_ip() +
           "\tUser=" + $AccountName +
           "\tDomain=" + $Domain +
           "\tEventIDCode=" + $EventID +
           "\tEventType=" + $EventTypeNum +
           "\tEventCategory=" + $TaskValue +
           "\tRecordNumber=" + $RecordNumber +
           "\tTimeGenerated=" + $EpochTime +
           "\tTimeWritten=" + $EpochTime +
           "\tLevel=" + $EventTypeStr +
           "\tKeywords=" + $KeywordsStr +
           "\tTask=" + $TaskStr +
           "\tOpcode=" + $Opcode +
           "\tMessage=" + $Message;
       $Hostname = host_ip();
       delete($SourceName);
       delete($Severity);
       delete($SeverityValue);
       to_syslog_bsd();
   </Exec>
</Input>
#
# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module      om_tcp
    Host        10.x.x.x
    Port        514
    Exec        to_syslog_bsd();
</Output>
#
# Connect input 'in' to output 'out'
<Route 1>
    Path        eventlog => out
</Route>



Venky created
Replies: 1
Zyxel ATP700 to SIEM

Hello,

I'm trying to forward the VPN logs of a Zyxel ATP700 to my SIEM (InsightIDR). The forwarding works fine, but I can't format them as indicated in this documentation:

https://docs.rapid7.com/insightidr/rapid7-universal-vpn/

Can someone help me?

Thank you


domep created
Replies: 5
Graylog Sidecar integration not working on a Windows 11 system

Currently, I have GrayLog running as a docker image on an unraid server. Everything is working well. I also have a MS Windows lab environment that I want to forward logs into Graylog with the help of nxlog. I followed the instructions at: https://docs.nxlog.co/userguide/integrate/graylog.html and I don't have any errors, but I also don't have any data. Any ideas on how I can troubleshoot this to determine where my issue is?


Jon Irish created
Replies: 9
Windows Event Logs out in XML

Hello, I'm trying to send logs from my Windows server to my SIEM in XML format, but some logs are too long and I see 2 logs instead of just one.

<Input windows>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
          <Query Id="0" Path="Security">
           <Select Path="Security">*</Select>
           <Suppress Path="Security">*[System[(EventID=4663 or EventID=4690 or EventID=4658 or EventID=4656)]]</Suppress>
          </Query>
        </QueryList>
    </QueryXML>
</Input>
#    
<Output siem>
    Module      om_tcp
    Host        xxx.xxx.xxx.xxx
    Port        514
    Exec        to_xml();
</Output>
# 
# Connect input 'in' to output 'out'
<Route 1>
    Path        windows => siem
</Route>


Can anyone help me?

Thanks


Santiago Sarchetti created
Replies: 3
IM_ETW Module

Can anyone tell me for certain if this module is only included in the Enterprise version? If so, where does one buy the Enterprise version and what is its approximate cost (USD)?


jrpayne created
Replies: 2
nxlog config file for 2003 servers

Hello Team,

I am new to nxlog and I have a requirement to collect Windows logs from 2003 servers; the agent version that I am using is "nxlog-ce-2.11.2190".

As per the document I have used the im_mseventlog module, but I am still getting an error and not able to pull the logs from the 2003 servers. If someone could please share the config file for 2003 servers with me, it would be a great help.

Below is the error that we are getting when starting the nxlog service.

2022-12-21 09:37:50 WARNING nxlog-ce received a termination request signal, exiting...
2022-12-21 09:37:51 ERROR invalid keyword: QueryXML at C:\Program Files\nxlog\conf\nxlog.conf:27
2022-12-21 09:37:51 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:59
2022-12-21 09:37:51 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:59
2022-12-21 09:37:51 WARNING no routes defined!
2022-12-21 09:37:51 WARNING not starting unused module eventlog
2022-12-21 09:37:51 WARNING not starting unused module syslogout
2022-12-21 09:37:51 INFO nxlog-ce-2.11.2190 started


My config file:

#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

############INPUTS########

<Input eventlog>
    Module im_mseventlog

    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

#<Processor eventlog_transformer>
#Module pm_transformer
#</Processor>

#<Processor buffer>
#Module pm_buffer
#MaxSize 102400
#Type disk
#</Processor>

<Output syslogout>
    #Module om_udp
    Module om_tcp
    Host syslogip
    Port 514

    Exec to_syslog_snare();
</Output>
#<Route 1>
#Path eventlog => eventlog_transformer => syslogout
#</Route>
<Route 1>
    Path eventlog => syslogout
</Route>

punith created
Replies: 5
Accesses to AccessList mapping

I'm sending im_msvistalog messages to Splunk via to_json(). I'm ending up with a field AccessList like:

AccessList: %%4423

which I assume is some kind of mapping of:

Access Request Information: Accesses: ReadAttributes

from the "Message" component. Is that right? If so, it's fairly obscure. Is there some way to preserve "Accesses" as is? What is "AccessList" trying to tell me? Is there somewhere I can go to decode it?


opoplawski created
Replies: 2
How to get NXLog Manager license

Hello team,

How to get NXLog Manager license?

Thank you, Klevin


klevintest2 created
Replies: 2
nxlog-ce-3.1.2319.msi vs windows 2008 R2

Hi

Is it possible to install nxlog-ce-3.1.2319.msi on Windows 2008 R2?

Regards.


egas84 created
Replies: 1
TEST

TEST


Roland94B created
Replies: 1
Update required of a specific windows EventID

Hi, 

Doing my first steps with NXlog.

I have managed to collect the whole "Security" Windows event log and also managed to update the "Version" parameter to my own parameter, just for test purposes.

Now I need to perform 3 tasks:

  1. Collect the whole "Security" Windows event log - Done
  2. Update the "Version" parameter from int to string - Done
  3. Update the "Hostname" parameter of a specific event ID (for example "EventID":4656) to "test" - Please advise

Thank you 

<Input eventlog>
   Module  im_msvistalog
   <QueryXML>
       <QueryList>
           <Query Id='0'>
               <Select Path='Security'>*</Select>
           </Query>
       </QueryList>
   </QueryXML>
   <Exec>
       $Hostname = "test" ;      # This task should be only for eventID 4656
       $Version = string($Version);
       to_json();
   </Exec>
</Input>


dudu.confirm@gmail.com created
Replies: 1