Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Add additional Windows Event Log Sources
markdavidboyd created
Hi everyone
I'm very new to this and have searched around but couldn't find anything obvious.
I have a few Pc's with NXLog Community Edition sending data to a Loggly instance, event log data
They are picking up Security and System and Application ogs out of the box it seems, but i'm wondering if i need to do anything to add other event log sources to have them sent to Loggly?
Is it a matter of adding something to the Conf file?
For example, I have Kaspersky AV on an endpoint and i want to pick up the specific Event Log where Kaspersky sits.
Am i explaining it right? I basically want to add other event Log types into the process of log sending
Mark
markdavidboyd created
NXLOG Community Edition - SSL Certificate Usage requirements
istoikov created
Hello,
I am in the process of setting up NXLOG to capture syslog messages via TLS, but I have issues with the TLS connection, specifically:
ERROR SSL certificate verification failed: unsupported certificate purpose (err: 26)
Certificate for NXLOG was issued with the following:
OID=1.3.6.1.5.5.7.3.2; Client authentication
OID=1.3.6.1.5.5.7.3.1; Server authentication
Is there any documentation on how to request certificates for NXLOG? I do not have NXLOG manager.
Cheers
istoikov created
Configuring om_ssl - CertThumbprint on a large number of devices
atisu created
Hello,
I am evaluating the om_ssl (GELF) module of nxlog EE agent for a large number of devices with TLS authentication of the devices enabled at Graylog. We already have the certificates in the Windows certificate manager on the devices which we would use for the nxlog agent as well. The certificates are rotated frequently, and thus nxlog.conf needs to be kept up to date (with the thumbprints) and due to the large number of devices we cannot create and update the configuration files by hand.
What is the best practice to populate nxlog.conf with the required certificate thumbprints from the certificate store on each device and keep the configuration up to date?
Thank you!
atisu created
Multiple hostnames for single IP address
soc.techdlabs created
I have installed NX Log agent on a windows machine, but NX Log Manager is showing multiple hostnames for a single IP address, and because of this there are multiple Agents showing now, and none of them is working.
soc.techdlabs created
Two agents on a single windows machine.
JBS created
Hi,
Is it possible to install two Nxlog agents on a single machine and governed by two respective NxLog managers?
Regards.
JBS created
Usage of TLS protocol in CE
LaniMils created
NXLOG version: NXLog CE 3.0.2272
OS version: Windows 2019 server \ Windows 10 for client
Issue: I inspect the communication between NXLog client and server via Wireshark. Client output module is om_ssl and server input module is im_ssl.
I've been expecting to see the usage of TLS protocol, but all I see is TCP and RSH protocols, which are non secure protocols. How can this be explained?
Client config:
<Output out_ssl>
Module om_ssl
Host <host_ip>
Port 514
OutputType Binary
AllowUntrusted TRUE
</Output>
Server config:
<Input in_ssl>
Module im_ssl
Host 0.0.0.0
Port 514
InputType Binary
CAFile <CA path>
CertFile <Certificate path>
CertKeyFile <private key path>
KeyPass <key password>
AllowUntrusted TRUE
RequireCert FALSE
</Input>
Wireshark is tracking 514 port on the server.
Thanks!
LaniMils created
Restrict sending Windows logs to Graylog
romuloforato created
Dear Friends
How can I restrict sending records from windows? For example:
From Eventviewer, I want to select only id "5145" regarding deleting files and folders...
For I am receiving a very large amount of messages that I do not need.
I ask for your help.
Thank you.
romuloforato created
MS SQL SavePos is not used
Robert000 created
Hello, I send data from MS SQL to SysLog, i use im_dbi+freetds and even if i have set SavePos it always starts from the beginning at startup.
After starting the service
2022-02-15 11:19:32 DEBUG im_dbi sql: SELECT * FROM *** WHERE id > -1
When it is already running, the id is used.
2022-02-15 11:19:35 DEBUG im_dbi sql: SELECT * FROM *** WHERE id > 116407
-rw-r--r-- 1 nxlog nxlog 64 Feb 15 11:20 configcache.dat
OS: Ubuntu 20.04, last NXLog CE 3.0.2272
<Input sql_send>
Module im_dbi
SavePos TRUE
PollInterval 10
Driver freetds
Option host ***
Option username ***
Option password ***
Option dbname ***
SQL SELECT * FROM ***
</Input>
Robert000 created
file_name() returns unknown in im_file in Windows
mitchfloresswi created
NXLOG version: NXLog CE 3.0.2272
OS version: Windows 2019 server
Issue: file_name() returns "unknown" in im_file module
Config:
<Input in_AppABC>
Module im_file
<Exec>
log_info('Filename is' + file_name());
</Exec>
File "C:\logs\AppABC.log"
</Input>
mitchfloresswi created
NXlog-CE-3.0.2272 and Microsoft-Windows-PrintService
vm_grrl created
I've configured NXlog to send printing events from our Windows 2012R2 print server to our Nagios LS instance. **Except **for the following issue, it works well.
The issue is - when a filename contains a "%" sign, I receive a _grokparsefailure in Nagios. That led me to NXLog-CE and how it (and its modules) read/parsed the data from the Microsoft Windows PrintService Event Log. I enabled troubleshooting by means of debug AND outputting the $raw_event to a text file.
Is there a way I can get this document name from the Windows Event Viewer into Nagios via NXlog-CE? This issue looks similar to this thread, which says the problem is with the provider: https://nxlog.co/question/2362/problem-windows-event
DEBUG OUTPUT:
{"EventTime":"2022-02-11 10:38:48","Hostname":"xxx.yyy.zzz","Keywords":4611686018427390016,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":307,"SourceName":"Microsoft-Windows-PrintService","ProviderGuid":"{xxxxxxx}","Version":0,"Task":26,"OpcodeValue":11,"RecordNumber":2136143,"ProcessID":4764,"ThreadID":6728,"Channel":"Microsoft-Windows-PrintService/Operational","Domain":"XXXX","AccountName":"QQQQ","UserID":"SID-aaa-bbb-ccc","AccountType":"User",**"ERROR_EVT_UNRESOLVED":true**,"Category":"Printing a document","Opcode":"Spooler Operation Succeeded","EventReceivedTime":"2022-02-11 10:38:50","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":null}
$raw_event OUTPUT:
2022-02-11 10:38:48 xxx.yyy.zzz INFO 307 XXXX\QQQQ[The description for EventID 307 from source Microsoft-Windows-PrintService cannot be found: **The substitution string for insert index (%1) could not be found**. ]
CONFIG:
define ROOT C:\Program Files\nxlog
define CERT %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
<Input eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="System">*[System[Provider[@Name='Srv'] and (Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-PrintService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_tcp
Host qqq.yyy.zzz
Port 1234
Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();
</Output>
<Route 1>
Path internal, file1, eventlog => out
</Route>
vm_grrl created
Nxlog CE 3.0.2272 - High CPU Usage
ortega87 created
Hi everyone
After the update of the Nxlog community to the last version(3.0.2272) the consumption of CPU had a huge increase. The configuration basic work over the im_file module.
<Input fake>
Module im_file
File "C:\fakedir\logs\fake_file*"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop();
else
{
w3c->parse_csv();
$EventTime = parsedate($date + " " + $time);
$Message = to_json();
}
</Input>
Is there someone that had the same issue with this version?
ortega87 created
FIM output to logstash has a mismatch Json format
steven.su created
Hi team, i use the FIM module to monitor a test file and output it to 2 destination: local file and remote logstash with tcp.
Now I could see the log in local file, but remote logstash fails to parse the log with json. After checking the log, i figure out that the log received by logstash is different:
Local:
{"EventTime":"2022-02-13T16:11:50.094508+08:00","EventType":"CHANGE","Object":"FILE","PrevFileName":"c:\users\test\desktop\test20220211.txt","PrevModificationTime":"2022-02-11T19:18:59.925713+08:00","FileName":"c:\users\test\desktop\test20220211.txt","ModificationTime":"2022-02-13T16:10:53.402144+08:00","PrevFileSize":6,"FileSize":10,"DigestName":"SHA1","Digest":"31ca8d2ae67b53db43d3581974d12a48c648eca5","PrevDigest":"1b1e2aa8fb50e43dd20429afdbbec1b81b153853","Severity":"WARNING","SeverityValue":3,"EventReceivedTime":"2022-02-13T16:11:50.094508+08:00","SourceModuleName":"fim","SourceModuleType":"im_fim"}
Logstash:
[2022-02-13T08:11:49,919][ERROR][logstash.codecs.json ][main][2869f035623bc8e694e78ee6b779cd6214f6eba705fdae0bea0b55fadc035072] JSON parse error, original data now in message field {:message=>"Unexpected character ('-' (code 45)): Expected space separating root-level values\n at [Source: (String)"2022-02-13 16:11:50 HKLAP0240 WARNING EventType="CHANGE" Object="FILE" PrevFileName="c:\\users\\test\\desktop\\test20220211.txt" PrevModificationTime="2022-02-11 19:18:59" FileName="c:\\users\\test\\desktop\\test20220211.txt" ModificationTime="2022-02-13 16:10:53" PrevFileSize="6" FileSize="10" DigestName="SHA1" Digest="31ca8d2ae67b53db43d3581974d12a48c648eca5" PrevDigest="1b1e2aa8fb50e43dd20429afdbbec1b81b153853" SeverityValue="3""; line: 1, column: 6]", :exception=>LogStash::Json::ParserError, :data=>"2022-02-13 16:11:50 HKLAP0240 WARNING EventType="CHANGE" Object="FILE" PrevFileName="c:\\users\\test\\desktop\\test20220211.txt" PrevModificationTime="2022-02-11 19:18:59" FileName="c:\\users\\test\\desktop\\test20220211.txt" ModificationTime="2022-02-13 16:10:53" PrevFileSize="6" FileSize="10" DigestName="SHA1" Digest="31ca8d2ae67b53db43d3581974d12a48c648eca5" PrevDigest="1b1e2aa8fb50e43dd20429afdbbec1b81b153853" SeverityValue="3""}
{
"tags" => [
[0] "jsonparsefailure"
],
"message" => "2022-02-13 16:11:50 HKLAP0240 WARNING EventType="CHANGE" Object="FILE" PrevFileName="c:\\users\\test\\desktop\\test20220211.txt" PrevModificationTime="2022-02-11 19:18:59" FileName="c:\\users\\test\\desktop\\test20220211.txt" ModificationTime="2022-02-13 16:10:53" PrevFileSize="6" FileSize="10" DigestName="SHA1" Digest="31ca8d2ae67b53db43d3581974d12a48c648eca5" PrevDigest="1b1e2aa8fb50e43dd20429afdbbec1b81b153853" SeverityValue="3"",
"@version" => "1",
"host" => "53959da2d559",
"@timestamp" => 2022-02-13T08:11:49.924Z,
"path" => "/opt/nxlog/var/log/nxlog/logmessage.log",
"type" => "json"
}
It seems the "2022-02-13 16:11:50 HKLAP0240 WARNING " is added only in the tcp stream and could not be identified as Json format by logstash. Is it normal to see the scenario and is there any workaround? Thank you.
steven.su created
Source code — download old version(s)
Ivan_Ivanovich created
Hi guys! I'm wondering where to download nxlog community edition version 2.11. The link I have doesn't work anymore — https://nxlog.co/system/files/products/files/348/nxlog-ce-2.11.2190.tar.gz
I'm not sure whether it's ok or not for project I'm currently working on to switch to version 3 of nxlog.
Could it be possible to keep old source code archives on nxlog's website?
(I've also looked through gitlab, but unfortunately there is no version tags too...)
Ivan_Ivanovich created
Issue with encoding french sysmon events
mldi created
Hello All,
I have an issue with sysmon logs. When they contain characters "è" like on word "système" nxlog convert it to "Syst�me".
Could you please tell me how I can resolve this issue ?
I've already tested the instructions bellow, but I always have an issue
<Extension charconv>
Module xm_charconv
AutodetectCharsets iso8859-1, utf-8, utf-16, utf-32
</Extension>
<Input input>
Exec convert_fields("auto", "utf-8");
</Input>
Best regards,
mldi created
NXLog.conf files issues
Drew.Ferguson created
Converting events to Snare format and sending them out over TCP syslog
<Output out>
Module om_tcp
Host 192.168.1.1
Port 514
Exec to_syslog_snare();
Can someone please tell me what's the purpose of the HOST IP, by default it's set to 192.168.1.1.
What exactly should it be?
Thanks
Drew.Ferguson created
How to write windows events to a new file every 1 min
gtarone created
Hi All,
I want to write windows events to a new file every 1 min.
As of now, I have the following Output block in my conf which works. It is given below,
<Output file>
Module om_file
File "C:\\Program Files (x86)\\nxlog\\data\\nxlog-output.json"
<Schedule>
Every 1 min
Exec rotate_to(file_name() + strftime(now(), '_%Y-%m-%d_%H-%M-%S'));
</Schedule>
</Output>
But in this case, I always write to the same file i.e "C:\Program Files (x86)\nxlog\data\nxlog-output.json" and after 1 min, the data is saved in other file with naming convention mentioned above.
I want to create a new file every 1 min with above naming convention and then write to that file instead of writing to the same file.
**How can I do this? Admins please guide. **
gtarone created
SQLBindPatrameter error
tothr2 created
2022-02-08 04:16:56 INFO [CORE|main] nxlog-5.4.7313-trial started on Windows
2022-02-08 04:16:56 INFO [im_odbc|reading_integer_id] im_odbc successfully connected to the database
2022-02-08 04:16:56 ERROR [im_odbc|reading_integer_id] SQLBindParameter failed, HY104:2:0:[Microsoft][ODBC SQL Server Driver]Invalid precision value (odbc error code: -1)
<Input reading_integer_id>
Module im_odbc
SavePos True
idType integer
ConnectionString Driver={SQL Server}; Server=xxxxxxxx;Database=SCSPDB;
UID=xxxxt;PWD=xxxxxx;
SQL SELECT Event_ID AS id, * FROM dbo.CSPEVENT_VW WHERE Event_ID > ?
Exec delete($id);
</Input>
Used CAST but still the same error
tothr2 created
nxlog receives termination signal on Windows Server
Massimiliano created
Hello,
I have this problem on the servers of one of my clients: nxlog receives a termination signal many times a day, and it closes. Then it restarts, sometimes instantly, other times after a random amount of time.
I can't identify the source of the signal, but this happens only on the servers of one of my clients. On the Windows eventviewer only show that nxlog service has stopped and then restarted.
I tried updating from 2.9.1716 to 3.0.2272, but this behaviour didn't change.
This is what I see in the nxlog.log everyday:
2022-02-07 00:25:12 WARNING stopping nxlog service
2022-02-07 00:25:12 WARNING nxlog-ce received a termination request signal, exiting...
2022-02-07 00:26:12 INFO nxlog-ce-3.0.2272 started
2022-02-07 01:59:14 WARNING stopping nxlog service
2022-02-07 01:59:14 WARNING nxlog-ce received a termination request signal, exiting...
2022-02-07 02:00:14 INFO nxlog-ce-3.0.2272 started
2022-02-07 03:49:15 WARNING stopping nxlog service
2022-02-07 03:49:15 WARNING nxlog-ce received a termination request signal, exiting...
2022-02-07 03:50:16 INFO nxlog-ce-3.0.2272 started
2022-02-07 05:42:17 WARNING stopping nxlog service
2022-02-07 05:42:17 WARNING nxlog-ce received a termination request signal, exiting...
2022-02-07 05:43:17 INFO nxlog-ce-3.0.2272 started
2022-02-07 07:34:18 WARNING stopping nxlog service
2022-02-07 07:34:18 WARNING nxlog-ce received a termination request signal, exiting...
2022-02-07 09:24:20 INFO nxlog-ce-3.0.2272 started
The last time it stopped this morning, it stayed off around 2 hours. I think it's the Windows service control that restarts it, but sometimes it fails or get delayed somehow, but I can't prove it: there's nothing on the windows logs apart from the service start/stop notice.
I searched the forums and see others have this problem, but cannot find a real solution or hint on where to search.
Massimiliano created
Steps to configure HTTPS for NxLog Manager
DSSLIM created
Hi, I’m looking for the steps to configure HTTPS for NxLog Manager using a CA signed cert. The doc provided is very limited.
Please kindly advise. Thanks !
DSSLIM created
Adjust timezone windows events sending Graylog
romuloforato created
I need some help. I need the events received in the graylog, to be in the local date/time here in Sao Paulo_Brazil.
In the moment, is showed of the Africa timezone...
romuloforato created