It would be nice if you eliminate scrolling with wrapping in this forum posts.
TestNXLogQA_01 created
Hi the pronblem is that all works but I don´t receive any log.
Graylog version 4.3 in debian 11. Sidecar graylog 1.2 and NXLOG 3.0 if my memory doesn´t fail.
What can i do?
Thanks and happy new year.
José Manuel created
Guys, does anyone know where I can get information on average resource consumption by the Nxlog CE agent?
Thanks.
James \0/
gijosgun created
Hi All,
I have requirement to forward the windows logs to QRadar using NX . Below is my config file , I am unable to receive the log in my SIEM platform. I could encounter the error : ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.
Panic Soft#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\conf\nxlog.ddefine LOGDIR %ROOT%\data
include %CONFDIR%\\*.confdefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%
Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data
<Extension _syslog> Module xm_syslog</Extension>
# Snare compatible example configuration# Collecting event log<Input eventlog> Module im_msvistalog
<QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'>*</Select> <Select Path='Security'>*[System/Level<4]</Select> <Select Path='System'>*</Select> <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select> <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select> <Select Path='Windows PowerShell'>*</Select> </Query> </QueryList> </QueryXML> <Exec> if $Category == undef $Category = 0; if $EventType == 'CRITICAL' { $EventTypeNum = 1; $EventTypeStr = "Critical"; } else if $EventType == 'ERROR' { $EventTypeNum = 2; $EventTypeStr = "Error"; } else if $EventType == 'INFO' { $EventTypeNum = 4; $EventTypeStr = "Informational"; } else if $EventType == 'WARNING' { $EventTypeNum = 3; $EventTypeStr = "Warning"; } else if $EventType == 'VERBOSE' { $EventTypeNum = 5; $EventTypeStr = "Verbose"; } else { $EventTypeNum = 0; $EventTypeStr = "Audit"; } if $OpcodeValue == 0 $Opcode = "Info"; if $TaskValue == 0 $TaskValue = "None";
$EpochTime = string(integer($EventTime)); $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/; $EpochTime = $sec;
if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; } else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; } else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; } else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; } else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; } else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; } else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; } else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; } else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; } else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; } else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; } else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; } else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; } else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; } else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; } else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; } else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; } else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; } else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; } else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; } else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; } else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; } else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; } else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; } else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; } else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; } else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; } else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; } else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; } else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; } else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; } else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; } else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; } else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; } else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; } else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; } else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; } else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; } else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; } else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; } else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; } else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; } else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; } else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; } else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; } else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; } else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; } else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; } else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; } else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; } else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; } else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; } else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; } else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; } else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; } else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; } else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; } else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; } else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; } else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; } else { $TaskStr = "Unknown[" + $taskValue + "]"; }
if $KeywordsStr == undef { if $TaskValue == 0 { $KeywordsStr = 'None'; } else { $KeywordsStr = '0'; } }
if $TaskStr == undef { $TaskStr = $TaskValue; }
if $EventType == 'AUDIT_SUCCESS' { $KeywordsStr = "Audit Success"; $EventTypeNum = 8; } else { $KeywordsStr = "Audit Failure"; $EventTypeNum = 16; }
$Message = "AgentDevice=WindowsLog" + "\tAgentLogFile=" + $Channel + "\tSource=" + $SourceName + "\tComputer=" + hostname_fqdn() + "\tOriginatingComputer=" + host_ip() + "\tUser=" + $AccountName + "\tDomain=" + $Domain + "\tEventIDCode=" + $EventID + "\tEventType=" + $EventTypeNum + "\tEventCategory=" + $TaskValue + "\tRecordNumber=" + $RecordNumber + "\tTimeGenerated=" + $EpochTime + "\tTimeWritten=" + $EpochTime + "\tLevel=" + $EventTypeStr + "\tKeywords=" + $KeywordsStr + "\tTask=" + $TaskStr + "\tOpcode=" + $Opcode + "\tMessage=" + $Message; $Hostname = host_ip(); delete($SourceName); delete($Severity); delete($SeverityValue); to_syslog_bsd(); </Exec></Input># # Converting events to Snare format and sending them out over TCP syslog<Output out> Module om_tcp Host 10.x.x.x Port 514 Exec to_syslog_bsd();</Output># # Connect input 'in' to output 'out'<Route 1> Path eventlog => out</Route>
Venky created
Hello,
I'm trying to forward the VPN logs of a Zyxel ATP700 to my SIEM (InsightIDR), the forwarding works fine, but I can't format them as indicated in this documentation
https://docs.rapid7.com/insightidr/rapid7-universal-vpn/
Can someone help me?
Thank you
domep created
Currently, I have GrayLog running as a docker image on an unraid server. Everything is working well. I also have a MS Windows lab environment that I want to forward logs into Graylog with the help of nxlog. I followed the instructions at: https://docs.nxlog.co/userguide/integrate/graylog.html and I don't have any errors, but I also don't have any data. Any ideas on how I can troubleshoot this to determine where my issue is?
Jon Irish created
Hello, I´m trying to send logs from my windows server to my SIEM in XML format, but same logs are too long and i see 2 logs instead of just one.
<Input windows>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Suppress Path="Security">*[System[(EventID=4663 or EventID=4690 or EventID=4658 or EventID=4656)]]</Suppress>
</Query>
</QueryList>
</QueryXML>
</Input>
#
<Output siem>
Module om_tcp
Host xxx.xxx.xxx.xxx
Port 514
Exec to_xml();
</Output>
#
# Connect input 'in' to output 'out'
<Route 1>
Path windows => siem
</Route>
Can anyone help me?
Thanks
Santiago Sarchetti created
Can anyone tell me for certain if this module is only included in the Enterprise version? If so, where does one buy the Enterprise Version and what is it's approximate cost? (USD)
jrpayne created
Hello Team,
I am new to nxlog and i have a requirement to collect windows logs from 2003 servers and the agent version that i am using is “nxlog-ce-2.11.2190”
As per the documnet i have used im_mseventlog module, but still getting error and not able to pull the logs from 2003 servers. If some one please share me the config file for 2003 servers would be a great help
below is the error that we are getting when starting the nxlog service.
2022-12-21 09:37:50 WARNING nxlog-ce received a termination request signal, exiting...
2022-12-21 09:37:51 ERROR invalid keyword: QueryXML at C:\Program Files\nxlog\conf\nxlog.conf:27
2022-12-21 09:37:51 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:59
2022-12-21 09:37:51 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:59
2022-12-21 09:37:51 WARNING no routes defined!
2022-12-21 09:37:51 WARNING not starting unused module eventlog
2022-12-21 09:37:51 WARNING not starting unused module syslogout
2022-12-21 09:37:51 INFO nxlog-ce-2.11.2190 started
my config file.
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
############INPUTS########
<Input eventlog>
Module im_mseventlog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
#<Processor eventlog_transformer>
#Module pm_transformer
#</Processor>
#<Processor buffer>
#Module pm_buffer
#MaxSize 102400
#Type disk
#</Processor>
<Output syslogout>
#Module om_udp
Module om_tcp
Host syslogip
Port 514
Exec to_syslog_snare();
</Output>
#<Route 1>
#Path eventlog => eventlog_transformer => syslogout
#</Route>
<Route 1>
Path eventlog => syslogout
</Route>punith created
I'm sending im_msvistalog messages to splunk via to_json(). I'm ending up with a field AccessList like:
AccessList: %%4423
which I assume is some kind of mapping of:
Access Request Information: Accesses: ReadAttributes
from the “Message” component. Is that right? If so, it's fairly obscure. Is there some way to preserve “Accesses” as is? What is “AccessList” trying to tell me? Is there somewhere I can go to decode it?
opoplawski created
Hello team,
How to get NXLog Manager license?
Thank you Klevin
klevintest2 created
Hi
Is it possible to install nxlog-ce-3.1.2319.msi on Windows 2008 R2?
Regards.
egas84 created
Hi,
Doing my first steps with NXlog.
I have managed to collect all “Security” windows event log and also managed to update the “Version” parameter to my own parameter - Just for a test purposes
Now I need to perform 3 tasks
- Collect all “Security” windows event log - Done
- Update the “Version” parameter from int to string - Done
- Update the “Hostname” parameter of specific event ID (for example EventID":4656) to “test” - Please advice
Thank you
<Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Security'>*</Select> </Query> </QueryList> </QueryXML><Exec> $Hostname = "test" ; # This task should be only for eventID 4656 $Version = string($Version); to_json(); </Exec></Input>
dudu.confirm@gmail.com created
I am trying to use the example in https://docs.nxlog.co/ce/current/index.html#om_file for file rotation on Windows (nxlog-ce-3.1.2319).
I receive the following error
ERROR Couldn't parse Exec block at xxx.conf:104; couldn't parse statement at line 107, character 29 in xxx.conf; module file not found
ERROR module 'testfile' has configuration errorsusing this configuration. The output works fine if I don't use the functions, so I assume om_file must be loading (by default?).
<Output testfile>
Module om_file
File "E:/nxlog_output/active/nxlog-out.txt"
<Exec>
# Format output
to_json();
# Rotate file based on size, move to staging folder
if (file->file_size() > 10M)
{
$stagingFolder = 'E:/nxlog_output/staged/';
$newfile = $stagingFolder + 'data_' + strftime(now(), '%Y%m%d%H%M%S') + '.log';
file->rotate_to($newfile);
}
</Exec>
</Output>
hukel created
Apologies if I'm being dense, but I need some help with navigation of this site.
- The upper-right search box on this page, (https://nxlog.co/community-forum/) never submits. Is there another search function I can use?
- Google search results all point to URLs like https://nxlog.co/question/4970/iis-logs-containing-quotes-are-not-processing, which return a 404 when I click through.
hukel created
Hi,
I have installed nxlog service (nxlog-ce-3.1.2319.msi) on windows core 2019 machine. I have a config:
define EVENT_REGEX /^.*(<EventData>.+<\/EventData>)$/
<Extension xml>
Module xm_xml
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input k8s_containers>
Module im_file
File "c:\var\log\containers\*.log"
<Exec>
if $raw_event =~ %EVENT_REGEX%
{
parse_xml($1);
}
else
{
drop();
}
$log_type = "k8s_container";
$hostname = hostname();
$host_ip = host_ip();
$log_file = file_name();
if $log_file =~ /(.+)_(.+)_(.+)-(.+).log$/
{
$k8s_pod = $1;
$k8s_namespace = $2;
$k8s_container = $3;
$k8s_container_id = $4;
}
to_json();
</Exec>
</Input>
<Output file>
Module om_file
File "c:\\k\\nxlog.log"
</Output>
<Route containerlog>
Path k8s_containers => file
</Route>Everythings work fine, but log line has “log_file”: “unknown”. And because of that I didn't get $k8s_* fields.
How should I debug/resolv this issue?
ARTEM A created
Does nxlog community edition support IBM AIX & SUN Solaris?
9538789648 created
Is there a combination of inputs and extensions that can be used to collect RADIUS accounting messages via UDP listener?
We use Microsoft NPS today, but could benefit from the forking and advanced parsing of NXLog. We send RADIUS accounting messages from multiple network devices and the differences in data layout are bit too much for NPS.
hukel created
Forgive my ignorance but I'm looking to use NX Log to capture all windows events under System, Application and Security whether they be Audit, Info, error or critical. Am I correct in my assumption that with no filter's it should collect everything? <Select Path='Application'></Select> <Select Path='Security'></Select> <Select Path='System'></Select> or do I need to specify on single lines each severity level? for example: <Select Path='Application'>[System/Level=4]</Select> <Select Path='Application'>[System/Level=3]</Select> <Select Path='Application'>[System/Level=2]</Select>
and so on?
scotty created
