Looking for a Windows version 2.8.1248 of NXLog. I am stuck trying to remove this application from a Windows machine but a system cleanup was performed so the cache of the installer is missing. Add remove programs is requesting my .msi file to continue removing. I tried going to the downloads page and altering the URL for the latest version to include an old version but it has been removed from the website.

I am setting up NXLog Community Edition in an environment with multiple devices I want to monitor. I have already set up multiple routes of single inputs and outputs that does the job adequately, but I have a feeling I can get more complex and have less Routes to perform the same action. I have looked around the documentation and played with some prototypes but cannot find anything that works. So are any of the following ideas viable or does the Language prohibit them?

1. Input Branching. Is it possible to route specific incoming logs to specific outputs or routes based in properties (For me it is $MessageSourceAddress)? Either by tagging the data, manipulating route data, etc.

2. Processor Branching. Similar to #1, Is it possible to route or send logs to specific outputs based on properties (I am not sure if $MessageSourceAddress is usable in the processor or output modules). For example:

3. Output Filtering. Is it possible to choose output destination (for me it will be a file) based on log parameters (again $MessageSourceAddress)? I think is my best option. For example: <Output Output_file> Module om_file

   <Exec> If $MessageSourceAddress = X.X.X.X { File '\TestLogs\Test\ test.log' … }

   else If $MessageSourceAddress = Y.Y.Y.Y { File '\TestLogs\Test2\ test2.log' … }

   else If $MessageSourceAddress = Z.Z.Z.Z { File '\TestLogs\Test3\ test3.log' … } </Exec>

</Output>

Thanks in advance!

I am using nx log IETF ( i.e. to_syslog_ietf() ) format to write logs. But in Wireshark (Packet Detail Window)the message is shown as following .

Message [truncated]: 1 2022-08-11T10:45:38.152473+05:30 LINL190403680 NCM 0 - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Applicati Syslog version: 1 Syslog timestamp: Aug 11, 2022 10:45:38.000000000 UTC Syslog hostname: LINL190403680 Syslog app name: NCM Syslog process id: 0 Syslog message id [truncated]: - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-

whereas using BSD format not causing this issue. Required format is shown below Priority (enclosed in < >) representing both facility and severity <30> Syslog Version: 1 Syslog timestamp: 2022-08-11T10:45:38.152473+05:30 Syslog hostname: LINL190403680 Syslog app name: NCM Syslog Process id: 0 Message identifier:
Optional message specific properties (structured data) (enclosed in [ ]) : [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-11 10:45:38" SourceModuleName="ExtendedWindowsToCollect" SourceModuleType="im_msvistalog"] a human readable message (encoded in UTF-8 and starting with BOM, or ASCII 7 only bytes) : [CB-002] Application is stopped sucessfully.

There's a remote web-based app that can send syslog to an Ip/port. I've installed nxlog on my system and my current nxlog/conf/nxlog.conf file contains these lines

<Input in> Module im_tcp Host 0.0.0.0 Port 1514 Exec parse_syslog(); </Input>

I assume 0.0.0.0 here would mean localhost? However, the web-based app is failing to send the logs. I've pointed a sub-domain to my local machine where nxlog is installed and the web-based app is using the sub-domain to send logs to nxlogs. I'm not sure what goes in the 'host' filed in above lines? Any idea how I should go about debugging this?

Hi everybody,

I upgraded my whole domain to Graylog 3.0.2284 yesterday, and decided to reboot my Graylog Server to clear all the RAM etc on it.

When I restarted the Graylog Server, all the updated host got their NXLog service to "terminate unexpectedly" (info from EventID 7034, Windows Event Log).

No information in the nxlog log file, and I needed to start all my services manually.

What's wrong...?

Thanks!

Hello,

We are deploying NXLog Enterprise on a fleet of macOS devices with the goals to collect endpoint events even remotely. Which mean Graylog GELF exposed over Internet, with TLS encryption and certificate authentication requirements.

I see that om_ssl can do the job of TLS communication and even client authentication, but the settings I see are using file path for the Private Key.

Is there a way to have NXLog with om_ssl on macOS using a certificate from the System Keychain ?

Thanks

Has anyone used JAMF to distribute this to Macs?

We are rolling out NXLog to our Macs. I have the installer working, but don't have any security info to configure things like PPPC or System Extensions. I was able to manually tick the box for Full Disk Access, but I am still getting an error message saying that im_maces|in NXLog requires Transparency, Consent, and Control (TCC) approval to connect to Endpoint Security.

If I can find the Bundle ID and Identifier, I should be able to roll that info a PPPC configuration profile which will flip the switch to turn on the Full Disk Access during install, so I don't have to manually do that.

Then to clear the error message I am getting above, I likely need a Team Identifier and/or System Extension type for the System Extensions portion of the Configuration Profile in JAMF?

But I have checked this website and don't seem to find anything here in the documentation or message boards about any identifier. Is there a way to find this info out by looking on a system that has the software installed?

Hi,

We have one Oracle DB server and DBA needs to send all *.aud files from /u01/app/admin/admin/STG19/adump to remote syslog server. How do we configure nxlog file for the same

Tejas Pandhare

Hello -

Just checking - in a scenario where there are several hosts across multiple timezones is there a configuration method available for the 3.x version of Nxlog CE to always send logs in UTC similar to the DateFormat option in EE?

I've seen options such as doing math on the timezones via the nxlog.conf but I'm hoping to create a template that can be used on multiple hosts without having to modify each host's nxlog.conf to take account of local timezone on each host.

Thank you!

Hello everyone, I find myself configuring NXLog EE 5 with the batchcompress modules, but it does not connect the client with the server.

My client configuration is:

define ROOT C:\Program Files\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

#Lectura de los registros de auditoria <Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'></Select> <Select Path='Security'>[System/Level&lt;4]</Select> <Select Path='System'>*</Select> </Query> </QueryList> </QueryXML> </Input>

<Output out_batch> Module om_batchcompress Host 192.168.1.11 Port 2514 </Output>

#Envio de los datos de la entrada a la salida <Route route_Pattern> Path eventlog => out_batch </Route>

And the following error is: "couldn't connect to 10.0.200.11:2514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

My server configuration is:

define ROOT C:\Program Files\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

#Extensiones de los logs <Extension json> Module xm_json </Extension>

#Lectura de los registros de cliente <Input in_batch> Module im_batchcompress ListenAddr 0.0.0.0:2514 </Input>

#Salida de las lecturas realizadas mediante UDP y en formato JSON <Output udp> Module om_udp Host 192.168.2.6:514 Exec to_json(); </Output>

#Envio de los datos de la entrada a la salida <Route route_Pattern> Path in_batch => udp </Route>

And if I get the message of listening on port 2514

Can you help me to determine what I am missing in my configuration, I appreciate your help.

Hi All,

I am using NXlog to forward DHCP events from Windows DHCP Servers. This is working as intended, however I have the following issue:

At midnight DHCP rotates the log file used for the next day and archives off the old one. When this occurs I get the following Events logged by DHCP to the Windows Event Log:

"The DHCP service failed to initialize the audit log. The following error occurred: Access is denied."

This is event id 1028 logged by the DHCP service. At the same time NXLog also logs an error about the file:

2022-07-26 00:00:26 ERROR apr_stat() failed on file C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log; Access is denied.
2022-07-26 00:00:28 WARNING input file was deleted: C:\Windows\system32\dhcp\DhcpSrvLog-Tue.log

Both DHCP and NXLog are able to read the new files after this, as it is the log archiving operation from DHCP and NXLog's lock on the file that I suspect causes these to be logged. Our issue is that our Monitoring systems are picking on on the DHCP errors and causing alerts.

I do not want to turn of monitoring for these events for obvious reasons. Is there something I can configure / do to prevent this issue from occurring?

I have also included my .conf file snippets for the DHCP options below:

<Input MSDHCPLOGIN> Module im_file File 'C:\Windows\system32\dhcp\DhcpSrvLog-*.log' SavePos TRUE InputType LineBased Exec if $raw_event == '' drop(); Exec $Hostname = hostname_fqdn();$SourceName = "DHCPLog";$Message = $raw_event; </Input>

<Output MSDHCPLOGOUT1> Module om_udp Host %XDR1% Port %PORT% Exec $SyslogFacilityValue = 21;$Severity = 'INFO';to_syslog_bsd(); </Output>

Thanks in Advance.

I'm trying to create a stat which gives a **RATE** for the last 5 minutes whenever you run `get_stat`. * The code example below runs within a `im_msvistalog` module * Each of the stats are updates using `add_stat('NAME', 1, $EventReceivedTime)` in the main Exec block. * The first schedule (re)creates the stats each hour - see below * The second schedule outputs the stats each minute - see below ``` Every 1 hour create_stat('ep1m', 'RATE', 60, now(), 3600); # Change of count of events in the last 1 MINUTE create_stat('ep5m', 'RATE', 300, now(), 3600); # Change of count (i.e. rate) of events in the last 5 MINUTES Every 1 min log_info(get_stat('ep1m') + ' events collected from Windows Security Event Log in the last 1 minutes'); log_info(get_stat('ep5m') + ' events collected from Windows Security Event Log in the last 5 minutes'); ``` * The stat that gives me a rate per minute is working fine. * The stat that gives me a rate per 5 minutes is not working as expected. ``` create_stat('ep5m', 'RATE', 300, now(), 3600); ``` My expectation was that each minute, when I write the log, it would give me the RATE (i.e. change in count) **for the last 300 seconds**. I expected this value to go up and down each minute when I write the log info output. Instead it seems to be grouping the statistics into fixed 5 minute windows from the creation of the counter. That is, a RATE for the first 0-5 mins, then a new RATE for the next 5-10 mins, etc. Is there a way to ensure that when I query the statistics for the last 5 minutes it always gives me the interval between `now()` and 300 seconds ago?

Hello, The question is whether there is encryption of the logs in community edition? And can I deploy nxlog community edition with custom config via group policy? Thanks in advance!

Im looking for ways to reload nxlog config globally using the <schedule> option without having to restart the service or use the 'Update and Reload' button in nxlog manager.

Is there a certain paramerter that can be used in the conf file that will do this on a specific cadence?

Hi, we use ODBC (im_odbc) to read some data from Oracle database and write them on a file. The polling interval is 15 mins. We noticed that when database service restarts, ODBC (im_odbc) do not restart automatically the connections. The only way I found to solve this problem is to stop and start nxlog service. Is there any parameter that force the nxlog to reconnect when existing connection is lost? Thanks

Hi, I'd like to log my Microsoft Defender Events (EventID:1116) so when a malware is detected, I get it on my Graylog server.

Problem is that with Server 2016/Windows 10, the logs are too many for a simple input (with the 256 limit).

So I decided to filter some, and to only get some of them :

<Input in> Module im_msvistalog Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Security"></Select>
<Select Path="Windows PowerShell"></Select>
<Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
</Query>
</QueryList>

I receive my App, Sys, Security, and Powershell in Graylog but not my Windows Defender events. I tried to generate logs multiple times, with some EICAR files, the logs appear in the Event Viewer, but nothing appears in my Graylog Server.

Any help please ? :) thanks

Hi. I am relatively new to nxlog and I hope the community can help me with my question. I have on a Windows Server an Windows Firewall Log File and following nxlog configuration:

<Input in> Module im_file File "C:\Windows\system32\LogFiles\Firewall\pfirewall.log" SavePos TRUE ReadFromLast TRUE parse_syslog_ietf(); </Input>

<Output out> Module om_tcp Host 3.125.146.97:514 #Exec to_syslog_ietf(); </Output>

<Route 1> Path in => out </Route>

So far so good. The logs I receive are now as following:

<13>1 2022-07-08T13:44:08+00:00 ec2-3-66-101-32 1 - - - 2022-07-08T15:44:17.208477+02:00 WINFS02 - - - [NXLOG@14506 EventReceivedTime="2022-07-08 15:44:17" SourceModuleName="in" SourceModuleType="im_file"] 2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE

Can I shorten the message, that I receive just the end of the message?

2022-07-08 15:44:18 ALLOW TCP X.X.X.X Y.Y.Y.Y 43031 Z 0 - 0 0 0 - - - RECEIVE

My question here is:

If I want to scan an asset to verify that event logs are getting forwarded via NXLog configuration, where will I find the evidence on the device that is sending the logs to the NXLog collector? Will this be somewhere in the registry, or should I look somewhere else?

We currently have 1 Nagios Log server to record logs and 1 windows server with NXlog installed, which has 2 types of logs, TLIB and SIP, from one folder. There are 16 TLIB logs and only 1 SIP log with around 25 increments of each. Both generate a 51,201kb file with 429780 lines and have a total of 483 files in the log folder.

When less logs are produced, the 483 logs are overwritten less often and are recorded to Nagios Log successfully. Both log types are recorded to Nagios Log within 1 second of the time stamp of the log entry.

When more logs are produced, the 483 logs are overwritten every few minutes. TLIB logs are recorded to Nagios Log successfully within 1 second of the time stamp of the log entry. However the SIP logs starts to fall behind. Entries recorded to Nagios Log can be upto 2 hours different from the time stamp of the log entry.

Does anyone know why one log location would fall behind when the other remains unaffected? Is there anyway to improve the reliability of the SIP logs that fall behind?

nxlog.conf

See the nxlog reference manual at

http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

Please set the ROOT to the folder your nxlog was installed into,

otherwise it will not start.

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog define CERT %ROOT%\cert

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension json> Module xm_json </Extension>

<Extension syslog> Module xm_syslog </Extension>

<Output out1> Module om_tcp Host xx.xx.xx.xx Port 3515

Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec  $raw_event = to_json();
            
            # Uncomment for debug output
            # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

</Output>

<Output out2> Module om_tcp Host xx.xx.xx.xx Port 3515

Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec  $raw_event = to_json();
            
            # Uncomment for debug output
            # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

</Output>

<Route 1> Path SIP => out1 </Route>

<Route 2> Path TLIB => out2 </Route>

<Extension multiline_SIPTLIB> Module xm_multiline HeaderLine /^@?\d\d:\d\d:\d\d./ </Extension>

<Input TLIB> Module im_file InputType multiline_SIPTLIB File 'E:\GenesysLogs\H_SIPS_01_SIP001\H_SIPS_01_SIP001_TLIB-0*' SavePos TRUE Exec $Message = $raw_event; </Input>

<Input SIP> Module im_file InputType multiline_SIPTLIB File 'E:\GenesysLogs\H_SIPS_01_SIP001\H_SIPS_01_SIP001.*' SavePos TRUE Exec $Message = $raw_event; </Input>

I'm receiving this error when sending Palo Alto logs to my NXLog v5 environment. On Palo Alto side, I have selected CEF format, and the Delimiter field is set to Space:" " (that's my only option)

2022-07-01 18:18:48 ERROR [im_ssl|ssl] binary header not found at position 0 in data received from logforwarding.us.cdl.paloaltonetworks.com (34.67.106.77), is input really binary?

Any idea's??

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files\nxlog define CERTDIR C:\Program Files\nxlog\cert

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension cef> Module xm_cef </Extension>

<Extension syslog> Module xm_syslog </Extension>

<Input ssl> Module im_ssl ListenAddr 0.0.0.0:16514 CAFile %CERTDIR%/datalake.cert CertFile %CERTDIR%/plzwork.crt CertKeyFile %CERTDIR%/plzwork.key

KeyPass secret

InputType Binary </Input>

<Input udp_input> Module im_udp ListenAddr 0.0.0.0:16514 Exec parse_syslog(); parse_cef($Message); </Input>

<Output udp_output> Module om_udp Host 127.0.0.1 Port 16515 Exec $Message = to_cef(); to_syslog_bsd(); </Output>

<Route 1> Path ssl => udp_input => udp_output </Route>

Thank you!!