Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Sending Syslogs to 2 syslog collectors
Hello, I'm trying to send Windows events to two different syslog servers. I have two output modules and one route. I see syslog packets getting sent to both collectors, but the packets are not coming in the correct format. The configuration looks like:

LogLevel INFO
Logfile %LOGDIR%/nxlog.log

<Extension agent_managment>
    Module          xm_soapadmin
    Connect         10.x.x.n
    Port            4041
    SocketType      SSL
    CAFile          %CERTDIR%/agent-ca.pem
    AllowUntrusted  FALSE
    RequireCert     TRUE
    <ACL conf>
        Directory   %CONFDIR%
        AllowRead   TRUE
        AllowWrite  TRUE
    </ACL>
    <ACL cert>
        Directory   %CERTDIR%
        AllowRead   TRUE
        AllowWrite  TRUE
    </ACL>
</Extension>

<Extension Extension_json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module        im_msvistalog
    SavePos       TRUE
    ReadFromLast  TRUE
    Exec          if ($EventID == 5156) drop();
</Input>

<Input internal_mod>
    Module  im_internal
</Input>

<Output out>
    Module      om_tcp
    Host        10.x.x.a
    Port        514
    OutputType  LineBased
    <Exec>
        $Hostname = string(host_ip());
        to_syslog_ietf();
        parse_syslog();
        $Message = '@cee: ' + to_json();
        to_syslog_bsd();
    </Exec>
</Output>

<Output outlcp>
    Module      om_udp
    Host        10.x.x.b
    Port        514
    OutputType  Dgram
    Exec        $Hostname = string(host_ip());
    Exec        to_syslog_snare();
</Output>

<Route Syslog_lcp>
    Priority  1
    Path      eventlog, internal_mod => outlcp, out
</Route>

mcerone created
Replies: 1
Strip some data from an XML file
I have an XML file that I am trying to strip some data out of so it can be pre-processed by software on another machine. The XML file is being generated on Windows, logging to an XML file. I am a bit at a loss; I have tried too many things to list here. What I am trying to do is remove our domain name and our domain email address before it is sent to the machine to be pre-processed. I only want the username. Any records that have host\domain.com don't need to be sent, and I figured out how to drop that data (number 4). If it helps, I am running nxlog-ce-3.0.2284. Here is an example of an event (I removed a bunch of XML fields for clarity of this post):

1: <Event><Timestamp data_type="4">05/25/2022 12:45:43.806</Timestamp><Userid data_type="1">DOMAIN\username</Userid><IP-Address data_type="3">x.x.x.x</IP-Address><Endtimestamp data_type="5">05/25/2022 12:46:43.806</Endtimestamp>
2: <Event><Timestamp data_type="4">05/25/2022 12:45:43.806</Timestamp><Userid data_type="1">username</Userid><IP-Address data_type="3">x.x.x.x</IP-Address><Endtimestamp data_type="5">05/25/2022 12:46:43.806</Endtimestamp>
3: <Event><Timestamp data_type="4">05/25/2022 12:45:43.806</Timestamp><Userid data_type="1">username@domain.com</Userid><IP-Address data_type="3">x.x.x.x</IP-Address><Endtimestamp data_type="5">05/25/2022 12:46:43.806</Endtimestamp>
4: <Event><Timestamp data_type="4">05/25/2022 12:45:43.806</Timestamp><Userid data_type="1">host\domain.com</Userid><IP-Address data_type="3">x.x.x.x</IP-Address><Endtimestamp data_type="5">05/25/2022 12:46:43.806</Endtimestamp>

Nxlog.conf:

#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension xmlparser>
    Module  xm_xml
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input in>
    Module        im_file
    File          "C:\LogFiles\log*.log"
    InputType     LineBased
    Exec          $Message = $raw_event;
    SavePos       TRUE
    ReadFromLast  TRUE
    <Exec>
        # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<Event>/ drop();
        if $raw_event =~ /^(.+)host(.+)/ drop();
        parse_xml();
        # Convert to JSON
        to_json();
    </Exec>
</Input>

<Output out>
    Module  om_udp
    Host    yy.xx.xx.xx
    Port    514
</Output>

<Route 1>
    Path  in => out
</Route>

colaguy44 created
Replies: 1
Windows logs don't seem to match what NXLog is sending?
Hey All, a bit of a newbie here, trying to get NXLog working with Graylog. It is working and I'm seeing the information. The issue is that the information I'm seeing does not seem to match the PC's event logs. Please see below.

Config File:

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every  1 hour
        Exec   if (file_exists('%LOGFILE%') and \
                  (file_size('%LOGFILE%') >= 5M)) \
                   file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When  @weekly
        Exec  if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension _gelf>
    Module  xm_gelf
</Extension>

<Input win>
    Module  im_msvistalog
</Input>

# Converting events to Snare format and sending them out over TCP syslog
<Output graylog>
    Module      om_udp
    Host        X.X.X.X
    Port        3514
    OutputType  GELF
</Output>

<Route graylog_route>
    Path  win => graylog
</Route>

Any ideas about what I'm doing wrong?

LogicalSolutions created
Replies: 2
Nxlog manager webpage issue
New install. Not sure why this is fighting me :)

HTTP ERROR: 503
Problem accessing /nxlog-manager. Reason: Service Unavailable

Ochimo created
Replies: 1
Problems installing nxlog manager onto Ubuntu
I am betting I am simply missing a step. Anyone able to help?

Unpacking nxlog-manager (5.6.5633) ...
dpkg-deb (subprocess): decompressing archive member: lzma error: compressed data is corrupt
dpkg-deb: error: <decompress> subprocess returned error exit status 2
dpkg: error processing archive nxlog-manager-5.6.5633-jdk1.7.1.deb (--install):
 cannot copy extracted data for './opt/nxlog-manager/webapps/nxlog-manager/WEB-INF/lib/spring-js-resources-2.4.2.RELEASE.jar' to '/opt/nxlog-manager/webapps/nxlog-manager/WEB-INF/lib/spring-js-resources-2.4.2.RELEASE.jar.dpkg-new': unexpected end of file or stream
Processing triggers for systemd (245.4-4ubuntu3.17) ...
Errors were encountered while processing:
 nxlog-manager-5.6.5633-jdk1.7.1.deb

Ochimo created
Replies: 1
Problems with im_msvistalog under Windows Server 2022
Dears, I'm running nxlog-ce 3.0.2272 under Windows Server 2022 to search the Application event log for specific events using a custom query, in order to forward them as GELF messages to some Graylog server. The connection is secured by SSL. With Server 2019, everything runs smoothly, but with Server 2022, nxlog.exe keeps crashing after a few events have been collected and sent to Graylog. The worst part is that events are omitted and not transferred to Graylog. The related event log entries (event id 1000):

Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: ntdll.dll, version: 10.0.20348.681, time stamp: 0x69d3cd31
Exception code: 0xc0000374
Fault offset: 0x0000000000103ad9
Faulting process id: 0x2b1c
Faulting application start time: 0x01d86901d76501a6
Faulting application path: C:\Program Files (x86)\nxlog\nxlog.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 362167c9-9922-4158-8d56-ee4bafd21e67
Faulting package full name:
Faulting package-relative application ID:

Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: RPCRT4.dll, version: 10.0.20348.707, time stamp: 0xd31f9dd8
Exception code: 0xc0000005
Fault offset: 0x00000000000272e3
Faulting process id: 0x1a24
Faulting application start time: 0x01d868da69310cd8
Faulting application path: C:\Program Files (x86)\nxlog\nxlog.exe
Faulting module path: C:\WINDOWS\System32\RPCRT4.dll
Report Id: 96a6d244-74ca-4f6f-8667-8bb5082a452a
Faulting package full name:
Faulting package-relative application ID:

Any idea? Thanks ahead, Elix

Elix created
Replies: 3
NXLog / Hyper-V
Has anyone installed NXLog Enterprise edition on Hyper-V? Any pros/cons if so?

mvary_wc2021 created
Replies: 1
Unable to see nxlog service in services.msc post installation
Team, I need your assistance with the nxlog agent. I have installed the nxlog agent (Community Edition) on a Windows server and I could see that the destination folder had been created under c:/Program files (x86)/nxlog, but when I went to restart the nxlog service, I don't see the nxlog service inside Services (services.msc). Not sure where the problem is and I need your assistance to fix it. Version: nxlog-ce-2.11.2190. Thanks, Vignesh

vigneshmoorthy created
Replies: 1
Processing some historical files and loading them into Graylog
I am trying to use NXLog to process some historical files and load them into Graylog. It is a nested JSON file and I only need a few fields out of it. I am hoping for some pointers on how to get the following data out of the JSON file and posted into Graylog:

    username
    rename text to message
    rename first title to method
    rename title_link to method_link
    From the fields section:
        Severity: value
        Region: value
        Rename Last Seen to timestamp: value (I would like Graylog to use this as the timestamp for the data coming in.)

Below is my whole nxlog.conf, but the relevant input is the guardduty input.

nxlog.conf:

User   nxlog
Group  nxlog

Panic Soft

# default values:
define INSTALLDIR /opt/nxlog
PidFile   %INSTALLDIR%/var/run/nxlog/nxlog.pid
CacheDir  %INSTALLDIR%/var/spool/nxlog
ModuleDir %INSTALLDIR%/lib/nxlog/modules
SpoolDir  %INSTALLDIR%/var/spool/nxlog
define CERTDIR %INSTALLDIR%/var/lib/nxlog/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d

# Note that these two lines define constants only; the log file location is
# ultimately set by the LogFile directive (see below). The MYLOGFILE define
# is also used to rotate the log file automatically (see the _fileop block).
define LOGDIR    %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# If you are not using NXLog Manager, disable the include line and enable
# LogLevel and LogFile.
#include %CONFDIR%/*.conf
LogLevel DEBUG
LogFile  %MYLOGFILE%

<Extension _syslog>
    Module  xm_syslog
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is
# changed in managed.conf via NXLog Manager, rotation of the new file should
# also be configured there.
<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every  1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When  @weekly
        Exec  if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Extension json_parser>
    Module       xm_json
    Flatten      True
    PrettyPrint  True
</Extension>

<Extension exec>
    Module  xm_exec
</Extension>

<Extension gelf>
    Module  xm_gelf
</Extension>

<Extension antivirus_csv>
    Module     xm_csv
    Fields     $Severity,$timestamp,$ip,$endtime,$User,$User Groups,$Device,$Device Group
    Delimiter  ,
</Extension>

<Extension xml>
    Module  xm_xml
</Extension>

<Input alienvault>
    Module        im_file
    File          "/var/nxlog/alienvault/*.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    <Exec>
        parse_xml();
        to_json();
    </Exec>
</Input>

<Input antivirus>
    Module        im_file
    File          "/var/nxlog/antivirus/*.csv"
    ReadFromLast  TRUE
    SavePos       True
    <Exec>
        antivirus_csv->parse_csv();
        to_json();
    </Exec>
</Input>

<Input guardduty>
    Module     im_file
    File       "/var/nxlog/guardduty/*.json"
    SavePos    True
    InputType  json_parser
    <Exec>
        # Delete some fields that aren't necessary
        delete($type);
        delete($subtype);
        delete($text);
        delete($mrkdwn_in);
        delete($EventReceivedTime);
        # Convert fields back to JSON because of the deletion
        to_json();
    </Exec>
</Input>

<Output udp_12202>
    Module      om_udp
    Host        graylog.mydomain.com:12202
    OutputType  GELF_UDP
</Output>

<Output udp_5515>
    Module      om_udp
    Host        graylog.mydomain.com:5515
    OutputType  GELF_UDP
</Output>

<Route antivirus_to_udp_5515>
    Path  antivirus => udp_5515
</Route>

<Route to_udp_12202>
    Path  alienvault, guardduty => udp_12202
</Route>

Sample JSON. The files are larger, but I kept the first and last entry.
[
  {
    "type": "message",
    "subtype": "bot_message",
    "text": "",
    "ts": "1614611466.000100",
    "username": "GuardDuty",
    "icons": {
      "image_48": "https://s3-us-east-1.amazonaws.com/slack-files2/bot_icons/2019-07-02/671758367922_48.png"
    },
    "bot_id": "BL5799J6A",
    "attachments": [
      {
        "fallback": "Recon:IAMUser/UserPermissions - <https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz>",
        "text": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal Some-Role under unusual circumstances. Such activity is not typically seen from this principal.",
        "pretext": "Finding in us-east-1 for Acct: 505986456095",
        "title": "Recon:IAMUser/UserPermissions",
        "id": 1,
        "title_link": "https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz",
        "color": "e2d43b",
        "fields": [
          { "title": "Severity", "value": "Medium", "short": true },
          { "title": "Region", "value": "us-east-1", "short": true },
          { "title": "Last Seen", "value": "<!date^1614611294^{date} at {time} | 2021-03-01T15:08:14.526Z>", "short": true }
        ],
        "mrkdwn_in": [ "pretext" ]
      }
    ]
  },
  {
    "type": "message",
    "subtype": "bot_message",
    "text": "",
    "ts": "1614629763.001600",
    "username": "GuardDuty",
    "icons": {
      "image_48": "https://s3-us-east-1.amazonaws.com/slack-files2/bot_icons/2019-07-02/671758367922_48.png"
    },
    "bot_id": "BL5799J6A",
    "attachments": [
      {
        "fallback": "Recon:IAMUser/UserPermissions - <https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz>",
        "text": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal Some-Role under unusual circumstances. Such activity is not typically seen from this principal.",
        "pretext": "Finding in us-east-1 for Acct: 505986456095",
        "title": "Recon:IAMUser/UserPermissions",
        "id": 1,
        "title_link": "https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz",
        "color": "e2d43b",
        "fields": [
          { "title": "Severity", "value": "Medium", "short": true },
          { "title": "Region", "value": "us-east-1", "short": true },
          { "title": "Last Seen", "value": "<!date^1614629482^{date} at {time} | 2021-03-01T20:11:22.426Z>", "short": true }
        ],
        "mrkdwn_in": [ "pretext" ]
      }
    ]
  }
]

scallawa created
Replies: 1
NXLog fails to start. Throws error when attempting to start
Hi, reaching out to you because when I try to start NXLog, I get the below message.

Error 1067: the process terminated unexpectedly

srinivaspr20 created
Replies: 1
Multiple configuration files: standard + custom
Hello, we need to be able to collect a set of files that would be our standard collection template, and to add another template to collect specific files. The goal is to limit the risk of disruption to other logging on the same system, and to be able to modify the standard template without any impact on the specific files. Is this possible, and if so, how to do it? Regards, Edouard MORAGUES

emoragues created
Replies: 1
nxlog error log file
Hi, we have this error:

ERROR binary header not found at position 0 in data received from xxx.xxx.xxx.xxx is input really binary?

Any hint will be appreciated. Regards, K

Exa777 created
Replies: 2
NXLog with New Relic?
Has anyone successfully sent logs from NXLog to New Relic? I've tried using om_tcp, om_ssl and om_http to send syslogs to New Relic, but I keep running into issues with NXLog. For example:

ERROR [om_http|out] SSL error, SSL_ERROR_SSL: retval -1, from 162.247.243.181:443, reason: sslv3 alert handshake failure
ERROR [om_http|out] [ssl.c:209/nx_ssl_error()] SSL error, SSL_ERROR_SSL: retval -1, from 162.247.243.181:443, ( reason: unsupported protocol, function: SSL23_GET_SERVER_HELLO, library: SSL routines )

I've tried both the TCP endpoint for syslogs and the headerless API log endpoint, and if I send a curl -X POST with some JSON data to the New Relic log endpoint, it works fine without any issues. Any ideas?

pnvnd created
Replies: 2
Nxlog with ELK
Hi, is it possible to use NXLog to pull logs from ELK into the NXLog Manager? Thanks

NKH created
Replies: 1
Configuring om_ssl module for <Output tcpssl> and ERROR SSL error, SSL_ERROR_SSL: retval 0, sslv3 alert bad certificate
Hi, I am configuring the om_ssl module for <Output tcpssl> in CE and am successfully sending logs to Logstash over SSL; however, if I remove CertKeyFile I get the error "ERROR SSL error, SSL_ERROR_SSL: retval 0, sslv3 alert bad certificate". My question is: why is a private key desired here? Thanks, Sidd

sidd_jain created
Replies: 1
Uninstall nxlog
Hello, when I install nxlog with an Administrator account and then try to uninstall it with another account (even one with admin privileges), I have issues and I am not able to do it. Any idea how to solve this issue?

demoloty created
Sample Verbatim Template
Hi, I'm new to NXLog and still learning how to deploy NXLog Manager and the agents. I'd like to know where I can download sample Verbatim templates for different environments like Linux, Windows Server, Windows 10 and so on, and also the configuration templates for SIEMs like LogRhythm and Splunk. TIA!

DSSLIM created
Replies: 1
Windows 46xx event logs do not display event message
Hi, we are using nxlog ce-2.11.2190.msi to forward Windows server event logs to our SIEM. Now we are seeing an issue where the $Message of events with ID 4624/4625/4xxx is missing, while those of events with ID 7xxx are shown completely. This issue is temporarily fixed if we restart the nxlog service, but the same problem comes back after the nxlog service has been running for a while. This is what we see on the SIEM. The complete events should look like this [our server's system language is Traditional Chinese, so the $Message is displayed as bytes]:

Apr 12 18:19:36 win2k12.ahsuhome.local Microsoft-Windows-Security-Auditing[500]: Microsoft-Windows-Security-Auditing: 4634: \0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe5\0xb7\0xb2\0xe7\0x99\0xbb\0xe5\0x87\0xba\0xe3\0x80\0x82 \0xe4\0xb8\0xbb\0xe6\0x97\0xa8: \0x09\0xe5\0xae\0x89\0xe5\0x85\0xa8\0xe6\0x80\0xa7\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc:\0x09\0x09S-1-5-18 \0x09\0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe5\0x90\0x8d\0xe7\0xa8\0xb1:\0x09\0x09WIN2K12$ \0x09\0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe7\0xb6\0xb2\0xe5\0x9f\0x9f:\0x09\0x09AHSUHOME \0x09\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc:\0x09\0x090x367342 \0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe9\0xa1\0x9e\0xe5\0x9e\0x8b:\0x09\0x09\0x093
\0xe7\0x95\0xb6\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe5\0xb7\0xa5\0xe4\0xbd\0x9c\0xe9\0x9a\0x8e\0xe6\0xae\0xb5\0xe6\0x90\0x8d\0xe6\0xaf\0x80\0xe6\0x99\0x82\0xef\0xbc\0x8c\0xe5\0xb0\0xb1\0xe6\0x9c\0x83\0xe7\0x94\0xa2\0xe7\0x94\0x9f\0xe9\0x80\0x99\0xe5\0x80\0x8b\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe3\0x80\0x82\0xe9\0x80\0x99\0xe5\0x80\0x8b\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe5\0x8f\0xaf\0xe8\0x83\0xbd\0xe8\0x88\0x87\0xe4\0xbd\0xbf\0xe7\0x94\0xa8\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc\0xe6\0x95\0xb8\0xe5\0x80\0xbc\0xe7\0x9a\0x84\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe6\0xad\0xa3\0xe9\0x9d\0xa2\0xe7\0x9b\0xb8\0xe9\0x97\0x9c\0xe3\0x80\0x82\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc\0xe5\0x83\0x85\0xe6\0x9c\0x89\0xe5\0x9c\0xa8\0xe9\0x87\0x8d\0xe6\0x96\0xb0\0xe5\0x95\0x9f\0xe5\0x8b\0x95\0xe7\0x9b\0xb8\0xe5\0x90\0x8c\0xe9\0x9b\0xbb\0xe8\0x85\0xa6\0xe4\0xb9\0x8b\0xe9\0x96\0x93\0xe6\0x89\0x8d\0xe6\0x9c\0x83\0xe6\0x98\0xaf\0xe5\0x94\0xaf\0xe4\0xb8\0x80\0xe7\0x9a\0x84\0xe3\0x80\0x82

Our config is as below:

define SIEM_IP  10.0.0.253
define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in_eventlog>
    Module        im_msvistalog
    ReadFromLast  TRUE
    SavePos       TRUE
    Query         <QueryList> \
                    <Query Id="0"> \
                      <Select Path="Security">*[System[(EventID=1100 or EventID=1102)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4771)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4616 or EventID=4657)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647 or EventID=4648)]]</Select> \
                      <Select Path="Security">*[System[(EventID=5140 or EventID=5142 or EventID=5143 or EventID=5144 or EventID=5145 or EventID=5168)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4656 or EventID=4658 or EventID=4660 or EventID=4663 or EventID=4664 or EventID=4985 or EventID=5051 or EventID=4670)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4719 or EventID=4739)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4738 or EventID=4740 or EventID=4767)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4727 or EventID=4728 or EventID=4729 or EventID=4730 or EventID=4731 or EventID=4732 or EventID=4733 or EventID=4734 or EventID=4735 or EventID=4737 or EventID=4764)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4741 or EventID=4742 or EventID=4743)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4744 or EventID=4745 or EventID=4748)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4749 or EventID=4750 or EventID=4753)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4754 or EventID=4755 or EventID=4756 or EventID=4758 or EventID=4759 or EventID=4760 or EventID=4763)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4778)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4783)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4800 or EventID=4801)]]</Select> \
                      <Select Path="System">*[System[(EventID=7036)]]</Select> \
                    </Query> \
                  </QueryList>
</Input>

<Output out_eventlog>
    Module  om_udp
    Host    %SIEM_IP%
    Port    514
    Exec    $SyslogFacilityValue = 17;
    Exec    $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message;
    Exec    if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
            else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
            else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
    Exec    to_syslog_bsd();
</Output>

<Route eventlog>
    Path  in_eventlog => out_eventlog
</Route>

Any ideas about how this can happen will be appreciated.

aorta created
Replies: 1
nxlog to Kafka
Is there a way to control the serialisation nxlog does on the logs sent to Kafka via om_kafka? Firstly, I do not know how they serialise the messages sent to Kafka; as a result, when I read these messages from Kafka, I end up facing de-serialisation errors.

dsta created
Replies: 1
NXLog 5.0 statement of support for Windows Server 2022
Hello, I haven't found any official statement about support for Windows Server 2022 by NXLog. Our customer is asking us about that. Does NXLog 5.0 support log collection for Windows Server 2022?

Pr0n00bxWRx. created
Replies: 1