2
responses

im_msvistalog EventData Fields are overwritten

Hello!

It appears that any nested data - e.g. from EventData - will be overwritten if the field exists on the event itself.

For example, please see your documentation on sysmon.  Notice that ProcessID is a field on the event, and is also a field under EventData, albeit with different data.

AskedJanuary 12, 2017 - 4:04pm
4
responses

im_msvistalog EventTime being sent as String to ElasticSearch

I'm attempting to demo xnlog and running into a problem where the Windows Server 2016 event logs are being sent to AWS ElasticSearch Service with the EventTime being a string. This basically renders it impossible to index the logs, as the Kibana board requires a time-field name and is not recongizing the string as a datetime.  Any suggestions on this, or is this a potential bug with Server 2016?

AskedJanuary 6, 2017 - 7:08pm
10
responses

NXlog Exec $Hostname = hostname_fqdn(); not working

Hi everybody,

stumbled over a problem that sometimes I get hostnames from nxlog other times it's fqdns. Happens only with internal nxlog messages.I tired to fix this by using the Exec $Hostname = hostname_fqdn(); statement.

# Nxlog internal logs
<Input internal>
   Module im_internal
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
   Exec $Hostname = hostname_fqdn(); 
</Input>

AskedJanuary 6, 2017 - 5:36pm
1
response

NXLog behavior when one route/output fails

I have a NXLog service running in Windows Server shipping event logs. It has 2 destinations, 1 is TCP sending logs to syslog_ng and another is GLEF UDP.

When my syslog_ng server goes offline, the logs I'm receiving at the GLEF UDP output also stops. Is there any way to make NXlog send the logs to the other output/route even if one output/route fails?

Config:

AskedJanuary 6, 2017 - 1:35pm

Pages