Hi, I'm new to NXLog. Still learning how to deploy NXLog Manager and the agents. I'll like to know where can I download sample Verbatim templates for different environments like Linux, Windows Server, Windows 10 and so on. And also the configuration template to SIEM like LogRhythm and Splunk. TIA !

Hi, We are using nxlog ce-2.11.2190.msi to forward windows server event logs to our SIEM. And now we are seeing an issue that the $message of events with ID 4624/4625/4xxx are missing, while those of event with ID 7xxx are shown completely. This issue will be temporarily fixed if we restarted the nxlog service, but the same problem comes back after nxlog service running for a while. This is what we see on SIEM. And the complete events should be like: [Our server’s system language is Traditional Chinese, so the $message is displayed as bytes] Apr 12 18:19:36 win2k12.ahsuhome.local Microsoft-Windows-Security-Auditing[500]: Microsoft-Windows-Security-Auditing: 4634: \0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe5\0xb7\0xb2\0xe7\0x99\0xbb\0xe5\0x87\0xba\0xe3\0x80\0x82 \0xe4\0xb8\0xbb\0xe6\0x97\0xa8: \0x09\0xe5\0xae\0x89\0xe5\0x85\0xa8\0xe6\0x80\0xa7\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc:\0x09\0x09S-1-5-18 \0x09\0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe5\0x90\0x8d\0xe7\0xa8\0xb1:\0x09\0x09WIN2K12$ \0x09\0xe5\0xb8\0xb3\0xe6\0x88\0xb6\0xe7\0xb6\0xb2\0xe5\0x9f\0x9f:\0x09\0x09AHSUHOME \0x09\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc:\0x09\0x090x367342 \0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe9\0xa1\0x9e\0xe5\0x9e\0x8b:\0x09\0x09\0x093 \0xe7\0x95\0xb6\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe5\0xb7\0xa5\0xe4\0xbd\0x9c\0xe9\0x9a\0x8e\0xe6\0xae\0xb5\0xe6\0x90\0x8d\0xe6\0xaf\0x80\0xe6\0x99\0x82\0xef\0xbc\0x8c\0xe5\0xb0\0xb1\0xe6\0x9c\0x83\0xe7\0x94\0xa2\0xe7\0x94\0x9f\0xe9\0x80\0x99\0xe5\0x80\0x8b\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe3\0x80\0x82\0xe9\0x80\0x99\0xe5\0x80\0x8b\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe5\0x8f\0xaf\0xe8\0x83\0xbd\0xe8\0x88\0x87\0xe4\0xbd\0xbf\0xe7\0x94\0xa8\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc\0xe6\0x95\0xb8\0xe5\0x80\0xbc\0xe7\0x9a\0x84\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe4\0xba\0x8b\0xe4\0xbb\0xb6\0xe6\0xad\0xa3\0xe9\0x9d\0xa2\0xe7\0x9b\0xb8\0xe9\0x97\0x9c\0xe3\0x80\0x82\0xe7\0x99\0xbb\0xe5\0x85\0xa5\0xe8\0xad\0x98\0xe5\0x88\0xa5\0xe7\0xa2\0xbc\0xe5\0x83\0x85\0xe6\0x9c\0x89\0xe5\0x9c\0xa8\0xe9\0x87\0x8d\0xe6\0x96\0xb0\0xe5\0x95\0x9f\0xe5\0x8b\0x95\0xe7\0x9b\0xb8\0xe5\0x90\0x8c\0xe9\0x9b\0xbb\0xe8\0x85\0xa6\0xe4\0xb9\0x8b\0xe9\0x96\0x93\0xe6\0x89\0x8d\0xe6\0x9c\0x83\0xe6\0x98\0xaf\0xe5\0x94\0xaf\0xe4\0xb8\0x80\0xe7\0x9a\0x84\0xe3\0x80\0x82 Our config is as below: define SIEM_IP 10.0.0.253 define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension syslog> Module xm_syslog </Extension> <Input in_eventlog> Module im_msvistalog ReadFromLast TRUE SavePos TRUE Query <QueryList> \ <Query Id="0"> \ <Select Path="Security">*[System[(EventID=1100 or EventID=1102)]]</Select> \ <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4771)]]</Select> \ <Select Path="Security">*[System[(EventID=4616 or EventID=4657)]]</Select> \ <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647 or EventID=4648)]]</Select> \ <Select Path="Security">*[System[(EventID=5140 or EventID=5142 or EventID=5143 or EventID=5144 or EventID=5145 or EventID=5168)]]</Select> \ <Select Path="Security">*[System[(EventID=4656 or EventID=4658 or EventID=4660 or EventID=4663 or EventID=4664 or EventID=4985 or EventID=5051 or EventID=4670)]]</Select> \ <Select Path="Security">*[System[(EventID=4719 or EventID=4739)]]</Select> \ <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4738 or EventID=4740 or EventID=4767)]]</Select> \ <Select Path="Security">*[System[(EventID=4727 or EventID=4728 or EventID=4729 or EventID=4730 or EventID=4731 or EventID=4732 or EventID=4733 or EventID=4734 or EventID=4735 or EventID=4737 or EventID=4764)]]</Select> \ <Select Path="Security">*[System[(EventID=4741 or EventID=4742 or EventID=4743)]]</Select> \ <Select Path="Security">*[System[(EventID=4744 or EventID=4745 or EventID=4748)]]</Select> \ <Select Path="Security">*[System[(EventID=4749 or EventID=4750 or EventID=4753)]]</Select> \ <Select Path="Security">*[System[(EventID=4754 or EventID=4755 or EventID=4756 or EventID=4758 or EventID=4759 or EventID=4760 or EventID=4763)]]</Select> \ <Select Path="Security">*[System[(EventID=4778)]]</Select> \ <Select Path="Security">*[System[(EventID=4783)]]</Select> \ <Select Path="Security">*[System[(EventID=4800 or EventID=4801)]]</Select> \ <Select Path="System">*[System[(EventID=7036)]]</Select> \ </Query> \ </QueryList> </Input> <Output out_eventlog> Module om_udp Host %SIEM_IP% Port 514 Exec $SyslogFacilityValue = 17; Exec $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message; Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \ else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \ else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; } Exec to_syslog_bsd(); </Output> <Route eventlog> Path in_eventlog => out_eventlog </Route> Any ideas about how can this happen will be appreciated.

Is there a way to control the serialisation nxlog does on the logs sent to kafka via om_kafka? Firstly i do not know how they serialise the messages sent to kafka as a result when I read these messages from kafka, i end up facing de-serialisation errors.

Hello, i havent found any official statement about supporting windows server 2022 by nxlog. Our customer is asking us about that. Is nxlog 5.0 supporting log collection for Windows server 2022?

Hey Guys, we are trying to send out our Windows DHCP logs which requires us to massage the log before we can send it out to the remote server. Afraid I am not able to get the CSV Parser running, so far only the drop logic works, the intended output $Message does not come up in our output ` Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32, UCS-2LE </Extension> <Extension dhcp_csv_parser> Module xm_csv Fields ID, Date, Time, Description, IPAddress, Hostname, MACAddress, \ UserName, TransactionID, QResult, ProbationTime, CorrelationID, \ DHCID, VendorClassHex, VendorClassASCII, UserClassHex, \ UserClassASCII, RelayAgentInformation, DnsRegError </Extension> <Extension _exec> Module xm_exec </Extension> <Input ironnet_DHCPlogs> Module im_file File "C:\Windows\System32\dhcp\DhcpSrvLog-*.log" ReadFromLast TRUE SavePos TRUE <Exec> # Only process lines that begin with an event ID if $raw_event =~ /^\d+,/ { dhcp_csv_parser->parse_csv(); $QResult = integer($QResult); if $QResult == 0 $QMessage = "NoQuarantine"; else if $QResult == 1 $QMessage = "Quarantine"; else if $QResult == 2 $QMessage = "Drop Packet"; else if $QResult == 3 $QMessage = "Probation"; else if $QResult == 6 $QMessage = "No Quarantine Information"; $EventTime = strptime($Date + ' ' + $Time, '%m/%d/%y %H:%M:%S'); $ID = integer($ID); $ColonMAC = $MACAddress; if $ColonMAC =~ /^([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})([0-9a-fA-F]{2})$/ { $ColonMAC = $1 + ":" + $2 + ":" + $3 + ":" + $4 + ":" + $5 + ":" + $6; } # DHCP Event IDs if $ID == 0 $Message = "The log was started."; else if $ID == 1 $Message = "The log was stopped."; else if $ID == 2 $Message = "The log was temporarily paused due to low disk space."; else if ($ID >= 10 and $ID <= 16) $Message = $Description + " |" + $IPAddress + " |" + $ClientHostname + " |" + $MACAddress + " |" + $UserName + " |" + $ColonMac; else if $ID == 17 drop(); else if $ID == 18 drop(); else if ($ID >= 20 and $ID <= 23) $Message = $Description + " |" + $IPAddress + " |" + $ClientHostname + " |" + $MACAddress + " |" + $UserName; else if $ID == 24 $Message = "IP address cleanup operation has began."; else if $ID == 25 $Message = "IP address cleanup statistics."; else if $ID == 30 drop(); else if $ID == 31 drop(); else if $ID == 32 drop(); else if $ID == 33 $Message = $Description + " |" + $IPAddress + " |" + $ClientHostname + " |" + $MACAddress + " |" + $UserName; else if $ID == 34 drop(); else if $ID == 35 drop(); else if $ID == 36 drop(); else if ($ID >= 50 and $ID < 1000) $Message = "Codes above 50 are used for Rogue Server Detection " + "information."; else drop(); } </Exec> </Input> <Output out_ionnet_datacollector2> Module om_udp Host 172.16.10.42 Port 514 OutputType LineBased </Output> <Route ionnet_DHCPlogs> Path ionnet_DHCPlogs => out_ionnet_datacollector2 </Route> ` Input 30,04/05/22,16:04:58,DNS Update Request,10.41.22.51,P21023LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0 11,04/05/22,16:04:58,Renew,10.41.22.51,P2103LAB.HEALTH.LOCAL,98EECBDE1CDE,,179078305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0 32,04/05/22,16:04:58,DNS Update Successful,10.41.22.51,P2103LAB.HEALTH.LOCAL,,,0,6,,,,,,,,,0 Output 11,04/05/22,16:04:58,Renew,10.41.22.51,P2103LAB.HEALTH.LOCAL,98EECBDE1CDE,,179078305,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

Hi I have been trying to get this to work for 2 days but its not happening! i have a log that sometimes has java call stack errors (multiline) i ship these to graylog using nxlog. As you have guesed i have one log per line. So serched and found the xm_multiline module . Great but i cant get it to work as expected. I have tried many variations of regex but the output i get is not good . To test Im using txt files in and out.. From time to time I point to graylog but its never correct. Sample data:(stack shortened so not to fill up this forum message) 09:56:29.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 09:56:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 11:49:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error java.lang.NullPointerException: null at org.apache.xmlbeans.impl.store.Cur.listRemove(Cur.java:2788) at org.apache.xmlbeans.impl.store.Locale.embedCurs(Locale.java:2796) at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1953) at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1846) at org.apache.xmlbeans.impl.store.Cur.createHelper(Cur.java:287) at org.apache.xmlbeans.impl.store.Cur.createAttr(Cur.java:211) at org.apache.xmlbeans.impl.store.Xobj.setAttr(Xobj.java:559) at org.apache.xmlbeans.impl.store.Xobj.add_attribute_user(Xobj.java:2272) at org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTCellImpl.setR(Unknown Source) at org.apache.poi.xssf.usermodel.XSSFCell.setCellNum(XSSFCell.java:911) at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:226) at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:200) at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:73) at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:60) at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticleData(ExcelService.java:441) at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:402) at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:372) at com.lexisnexis.bis.act.export.service.ExcelService.generateSheetArticles(ExcelService.java:242) at com.lexisnexis.bis.act.export.service.ExcelService.generateExport(ExcelService.java:212) 11:42:30.278 [TEST test2] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 11:42:30.278 [TEST test2] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error NXLOG Config Panic Soft NoCache TRUE #Loglevel ERROR Loglevel INFO define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _gelf> Module xm_gelf #Avoid truncation of the short_message field to 64 characters. ShortMessageLength 65536 </Extension> <Extension multi> Module xm_multiline HeaderLine /^\d\d:\d\d:\d\d/ </Extension> #ACT <Input in> Module im_file FILE "C:\test.log" InputType multi ReadFromLast False SavePos False </Input> <Output gelf> Module om_tcp Host 192.168.xx Port 12222 OutputType GELF_TCP <Exec> # These fields are needed for Graylog $gl2_source_collector = '72f7289a-7cf5-4ae5-af7f-0428371459f4'; $collector_node_id = hostname(); </Exec> </Output> <Output out> Module om_file File "C:\test_out.txt" </Output> <Route 3> Path in => out </Route> OUTPUT: 09:56:29.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error഍ ਍　㤀㨀㔀㘀㨀㌀　⸀㈀㜀㠀 嬀吀䔀匀吀 吀䔀匀吀崀 䔀刀刀伀刀 漀⸀稀⸀瀀⸀猀瀀爀椀渀最⸀挀漀洀洀漀渀⸀䄀搀瘀椀挀攀吀爀愀椀琀猀 ⴀ 䤀渀琀攀爀渀愀氀 匀攀爀瘀攀爀 䔀爀爀漀爀ഀ਍ഀ 11:49:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error഍ ਍樀愀瘀愀⸀氀愀渀最⸀一甀氀氀倀漀椀渀琀攀爀䔀砀挀攀瀀琀椀漀渀㨀 渀甀氀氀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Cur.listRemove(Cur.java:2788)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䰀漀挀愀氀攀⸀攀洀戀攀搀䌀甀爀猀⠀䰀漀挀愀氀攀⸀樀愀瘀愀㨀㈀㜀㤀㘀⤀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1953)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䌀甀爀⸀洀漀瘀攀一漀搀攀⠀䌀甀爀⸀樀愀瘀愀㨀㄀㠀㐀㘀⤀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Cur.createHelper(Cur.java:287)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䌀甀爀⸀挀爀攀愀琀攀䄀琀琀爀⠀䌀甀爀⸀樀愀瘀愀㨀㈀㄀㄀⤀ഀ਍ഀ at org.apache.xmlbeans.impl.store.Xobj.setAttr(Xobj.java:559)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀堀漀戀樀⸀愀搀搀开愀琀琀爀椀戀甀琀攀开甀猀攀爀⠀堀漀戀樀⸀樀愀瘀愀㨀㈀㈀㜀㈀⤀ഀ਍ഀ at org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTCellImpl.setR(Unknown Source)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀瀀漀椀⸀砀猀猀昀⸀甀猀攀爀洀漀搀攀氀⸀堀匀匀䘀䌀攀氀氀⸀猀攀琀䌀攀氀氀一甀洀⠀堀匀匀䘀䌀攀氀氀⸀樀愀瘀愀㨀㤀㄀㄀⤀ഀ਍ഀ at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:226)഍ ਍ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀瀀漀椀⸀砀猀猀昀⸀甀猀攀爀洀漀搀攀氀⸀堀匀匀䘀刀漀眀⸀挀爀攀愀琀攀䌀攀氀氀⠀堀匀匀䘀刀漀眀⸀樀愀瘀愀㨀㈀　　⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:73)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀甀琀椀氀⸀䔀砀挀攀氀唀琀椀氀⸀最攀渀攀爀愀琀攀刀漀眀䌀攀氀氀⠀䔀砀挀攀氀唀琀椀氀⸀樀愀瘀愀㨀㘀　⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticleData(ExcelService.java:441)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀最攀渀攀爀愀琀攀刀漀眀䄀爀琀椀挀氀攀⠀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀樀愀瘀愀㨀㐀　㈀⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:372)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀最攀渀攀爀愀琀攀匀栀攀攀琀䄀爀琀椀挀氀攀猀⠀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀樀愀瘀愀㨀㈀㐀㈀⤀ഀ਍ഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateExport(ExcelService.java:212)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀␀␀䘀愀猀琀䌀氀愀猀猀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀戀㔀㌀㤀戀㄀㌀㐀⸀椀渀瘀漀欀攀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀ਍ഀ at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀椀渀瘀漀欀攀䨀漀椀渀瀀漀椀渀琀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㜀㄀⤀ഀ਍ഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀ਍ഀ at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:366)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀琀爀愀渀猀愀挀琀椀漀渀⸀椀渀琀攀爀挀攀瀀琀漀爀⸀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀椀渀瘀漀欀攀⠀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀樀愀瘀愀㨀㄀㄀㠀⤀ഀ਍ഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀ਍ഀ at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀␀␀䔀渀栀愀渀挀攀爀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀㈀㄀㌀攀㈀㤀㘀㤀⸀最攀渀攀爀愀琀攀䔀砀瀀漀爀琀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀ਍ഀ at com.lexisnexis.bis.act.service.ArticleService.getExcelExport(ArticleService.java:2200)഍ ਍ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀猀攀爀瘀椀挀攀⸀䄀爀琀椀挀氀攀匀攀爀瘀椀挀攀␀␀䘀愀猀琀䌀氀愀猀猀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀昀㌀㜀㈀㌀攀昀㔀⸀椀渀瘀漀欀攀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀ਍ഀ at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀椀渀瘀漀欀攀䨀漀椀渀瀀漀椀渀琀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㜀㄀⤀ഀ਍ഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀ਍ഀ at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:366)഍ ਍ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀琀爀愀渀猀愀挀琀椀漀渀⸀椀渀琀攀爀挀攀瀀琀漀爀⸀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀椀渀瘀漀欀攀⠀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀樀愀瘀愀㨀㄀㄀㠀⤀ഀ਍ഀ at org.springframework.aop.framework.R

This works but I'm trying to filter out a service account username that is for cron tasks and is making the logs super noisy on my syslog server: Collecting event log <Input in> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security"></Select> <Select Path="SentinelOne/Operational"></Select> <Select Path="Application">*</Select> </Query> </QueryList> </QueryXML> Exec $Message =~ s/(\t|\R)/ /g; to_syslog_bsd(); </Input> I tried Exec block filtering but any attempt to add xml code that filtered on the "Exec" line made all logs stop coming in. What would be the correct syntax for suppressing a username that's dedicated to cron tasks and is making the logs super noisy? Thanks all in advance. CB

Hi I downloaded and install nxlog-ce-3.0.2272_rhel8.x86_64.rpm on Centos 8 server I it is my first installation on centos 8. I used before only Centos 7 with nxlog. I copied input configuration from other server . and sending data to graylog But field FileName now unknown instead name of file . Rest of fields work excellent <Input log> Module im_file File &quot;/var/log/*&quot; SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; Exec $FileName = file_name(); </Input>

Hello, I would like to modify the IIS logs for further transfer to the destination. Now I am parsing the IIS log with the xm_csv module, as in the template. UndefValue is disabled to not get empty. How can I interact with parsed data from w3c_parser? For example, I want to combine into a variable $request = '"' + $cs-method + ' ' + $cs-uri-stem + ' ' + $cs-version + '"'; such a value, but I get an error. When I try to write a field from w3c_parser to $raw_event, I also get an error. Any other data is added without error. For example $raw_event = $c-ip error $raw_event = $EventTime + ' ' + $http_host no error Thank you in advance! Example error, logs and config file below 2022-03-23 16:49:45 WARNING stopping nxlog service 2022-03-23 16:49:45 WARNING nxlog-ce received a termination request signal, exiting... 2022-03-23 16:49:56 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:59; couldn't parse statement at line 71, character 32 in C:\Program Files\nxlog\conf\nxlog.conf; syntax error, unexpected +, expecting ( 2022-03-23 16:49:56 ERROR module 'iis_w3c' has configuration errors, not adding to route 'uds_to_file' at C:\Program Files\nxlog\conf\nxlog.conf:84 2022-03-23 16:49:56 ERROR route uds_to_file is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:84 2022-03-23 16:49:56 WARNING no routes defined! 2022-03-23 16:49:56 WARNING not starting unused module iis_w3c 2022-03-23 16:49:56 WARNING not starting unused module file 2022-03-23 16:49:56 INFO nxlog-ce-3.0.2272 started Current log format date time s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-bytes cs-bytes time-taken 2022-03-23 08:00:01 HOST.DOMAIN 99.XX.XX.4 GET /AnalyticsService - 443 - XX.XX.XX.XXX HTTP/1.1 Zabbix - - site.host.domain 200 3918 144 4 Required log format $http_host $remote_addr $remote_user [$time_local] UNIX-TIME-$msec "$request" $status "$sent_http_content_type" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_cookie" $request_time "$upstream_addr" NGINX-CACHE-$upstream_cache_status "$request_id" "$request_body" host.domain 99.99.99.249 - [11/Mar/2022:20:09:56+0300] UNIX-TIME-1647018596.031 "GET /api/company.php?id=853747 HTTP/1.1" 200 "text/xml; charset=UTF-8" 1455 "-" "-" "20b6b325ea192383cb1244412247c5ea=3002538ef353c9daab4f742176a840; etpsid=f488b343a23d1a4a2332e089a0" 0.059 0.059 "10.10.10.111:80" NGINX-CACHE-- "d0b5ac12cf82671067aa5e6c5c" "-" Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension fileop> Module xm_fileop </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> #Create the parse rule for IIS logs. You can copy these from the header of the IIS log file. <Extension w3c_parser> Module xm_csv Fields $date, $time, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs(User-Agent), $cs(Cookie), $cs(Referer), $cs-host, $sc-status, $sc-bytes, $cs-bytes, $time-taken FieldTypes string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, integer, integer, integer Delimiter ' ' EscapeChar '"' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Extension w3c_out> Module xm_csv Fields $http_host, $c-ip, $cs-username, $EventTime1, $sc-status, $Unix FieldTypes string, string, string, string, string, string Delimiter ' ' UndefValue - QuoteMethod None </Extension> <Input iis_w3c> Module im_file File 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log' SavePos TRUE <Exec> if $raw_event =~ /^#/ drop(); else { w3c_parser->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = $EventTime + (3 * 3600); $EventTime1 = strftime($EventTime, '[%d/%b/%Y:%H:%M:%S]'); $EventTime1 = '$EventTime1' + ' +0003]'; $Unix = integer($EventTime); $Unix = 'UNIX-TIME-' + $Unix; $http_host = &quot;site.host.domain&quot;; $request = '"' + $cs-method + ' ' + $cs-uri-stem + ' ' + $cs-version + '"'; $request = $cs-method; w3c_out-&gt;to_csv(); } &lt;/Exec&gt; </Input> <Output file> Module om_file File 'C:\inetpub\logs\LogFiles\Parser\w3c.txt' </Output> <Route uds_to_file> Path iis_w3c => file </Route>

NXLog Community edition not finding modules Hello, I am getting an error loading modules with a trivial configuration. The nxlog.conf configuration file: # ############ BEGIN nxlog.conf Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog #define CERTDIR %ROOT%\cert #define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% <Input in> Module im_null # Module im_file </Input> <Output out> #  Module om_tcp #  Module om_file   Module om_null </Output> # Connect input 'in' to output 'out' <Route DefaultRoute> Path in => out </Route> # ############ END nxlog.conf The error: 2022-03-22 15:05:24 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:21 2022-03-22 15:05:24 ERROR module 'out' is not declared at c:\Program Files\nxlog\conf\nxlog.conf:27 2022-03-22 15:05:24 ERROR route DefaultRoute is not functional without output modules, ignored at c:\Program Files\nxlog\conf\nxlog.conf:27 2022-03-22 15:05:24 WARNING no routes defined! 2022-03-22 15:05:24 WARNING not starting unused module in If I try to load more modules with following configuration, things gets more worse: # ############ BEGIN nxlog.conf Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog #define CERTDIR %ROOT%\cert #define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% #Moduledir %ROOT%\modules #CacheDir %ROOT%\data #Pidfile %ROOT%\data\nxlog.pid #SpoolDir %ROOT%\data # Following processors give error "...ERROR Module missing at ..." <Processor _proc_buffer>   Module pm_buffer </Processor> <Processor _proc_evcorr>   Module pm_evcorr </Processor> <Processor _proc_norepeat>   Module pm_norepeat </Processor> <Processor _proc_null>   Module pm_null </Processor> <Processor _proc_pattern>   Module pm_pattern> </Processor> <Processor _proc_transformer>   Module pm_transformer> </Processor> # Following inputs give error "...ERROR Module missing at ..." <Input _im_exec>   exec im_exec </Input> <Input _im_module>   Module im_module </Input> <Input _im_file>   file im_file </Input> <Input _im_internal>   internal im_internal </Input> <Input _im_kernel>   kernel im_kernel </Input> # Following outputs give error "...ERROR Module missing at ..." <Output _om_exec>   Module om_exec </Output> <Output _om_file>   Module om_file </Output> <Output _om_http>   Module om_http </Output> <Output _om_null>   Module om_null </Output> <Output _om_ssl>   Module om_ssl </Output> <Output _om_tcp>   Module om_tcp </Output> <Output _om_udp>   Module om_udp </Output> <Input in> Module im_null # Module im_file </Input> <Output out> #  Module om_tcp #  Module om_file   Module om_null </Output> # Connect input 'in' to output 'out' <Route DefaultRoute> Path in => out </Route> # ############ END nxlog.conf The errors: 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:21 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:24 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:27 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:30 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:33 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:36 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:42 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:45 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:48 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:51 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:54 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:59 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:62 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:65 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:68 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:71 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:74 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:77 2022-03-22 15:07:55 ERROR Module missing at c:\Program Files\nxlog\conf\nxlog.conf:87 2022-03-22 15:07:55 ERROR module 'out' is not declared at c:\Program Files\nxlog\conf\nxlog.conf:93 2022-03-22 15:07:55 ERROR route DefaultRoute is not functional without output modules, ignored at c:\Program Files\nxlog\conf\nxlog.conf:93 2022-03-22 15:07:55 WARNING no routes defined! 2022-03-22 15:07:55 WARNING not starting unused module in I get same errors on two 64 bit machines (Windows 10 and Windows Server 2012R2) Tried with processmonitor.exe to see if nxlog-processor.exe fail to load the dll module but I do not see any load attempt. I suspect that I must missing a macroscopic thing but am unable to spot it. Using nxlog-ce-3.0.2272.msi Community Edition for Windows 64 bit. Any hint will be appreciated. Regards. Carlo

I'm not sure it's causing a problem, but consistently nxlog will crash on Windows when making a call to stop the nxlog service with error "System Error 109 has occurred. The pipe has ended." I'd like to fix this if anyone knows of a way.

We are using NXLog CE's im_msvistalog module to forward Windows Event Logs from the Security log, with some filtering, to an external syslog server. Functionally this works well and does exactly what we need it to. The problem we are having is that nxlog.exe process often consumes rather high percentages of a workstation's CPU in bursts. Between 25 and 35 percent every few minutes, for around a minute at a time. This is generally too much of a performance hit and I need to find some way to resolve it. I have already mitigated the size of the event log file that nxlog.exe is querying from by clearing the Security log entirely, so this is happening even on a system with not more than a few dozen log entries to read from. The query itself is fairly simple, it loads all Event ID 4625 entries from the Security log (these are logon failures). It then has a single command to drop any logon failures that were initiated for a computer account instead of a user account (this is done by reading the target account trying to logon, string parsing the account username to see if the final character is a "$", which denotes a computer account, and dropping the log if the "$" is found). What can I do to mitigate the excessive CPU usage? What I have tried so far: clearing the Windows event log that nxlog is reading from to reduce the size of the data it needs to read from disk, using UDP syslog forwarding instead of TCP, removed the parsing that dropped Event Log ID 4625 entries where the target account being logged in was a computer account instead of a user account. None of this has helped. Edit to add: I did try writing out text logging instead of syslog forwarding. This worked but I am still experiencing the periodic excessive CPU consumption. The problem is likely in the im_msvistalog input module, I would assume.

Hi everyone! Has anyone ever installed or have some tips regarding a community edition package compatible with Oracle Linux 6? We've tried to use the package for REHL/CENTOS 6, installing all the dependencies, but no log is generated and sent to the syslog server. Thanks!

Trying to get this to work on a Windows 2019 Server that's a clean build with nothing on it and has all current Windows updates applied Is it an issue with Windows 2019 Server or an issue with the XM_SYSLOG module? ######### WORKING - Copies event log data to C:\Program Files\nxlog\data\nxlog-output.log ######## define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> # Monitor Windows event logs <Input eventlog> Module im_msvistalog </Input> <Output file> Module om_file File 'C:\Program Files\nxlog\data\nxlog-output.log' Exec to_syslog_snare(); </Output> <Output syslogout> Module om_ssl Host logsx.papertrailapp.com Port 12345 Exec $Hostname = hostname(); to_syslog_ietf(); OutputType Syslog_TLS CAFile %CERTDIR%/papertrail-bundle.pem AllowUntrusted FALSE </Output> <Route out> Path eventlog => file </Route> ######### NOT WORKING - NXLOG Service will start for a moment and then stop immediately ########### <Route out> Path eventlog => syslogout </Route> nxlog.log 2022-03-16 18:10:47 WARNING not starting unused module file 2022-03-16 18:10:47 INFO nxlog-ce-3.0.2272 started 2022-03-16 18:10:47 INFO connecting to logs3.papertrailapp.com:49305 2022-03-16 18:10:47 INFO successfully connected to logx.papertrailapp.com:12345 Windows Logs, Application Events: Source: Application Error Event ID: 1000 Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x00000000 Faulting module name: ntdll.dll, version: 10.0.17763.2628, time stamp: 0x91ea188a Exception code: 0xc0000374 Fault offset: 0x00000000000faad9 Faulting process id: 0xa7c Faulting application start time: 0x01d8399bfa79f8d0 Faulting application path: C:\Program Files\nxlog\nxlog.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 7870365a-2a26-49dd-9670-7c8d889f9dda Faulting package full name: Faulting package-relative application ID: Windows Logs, Application Events: Source: Windows Error Reporting Event ID: 1001 Fault bucket 1367701673690831831, type 4 Event Name: APPCRASH Response: Not available Cab Id: 0 Problem signature: P1: nxlog.exe P2: 0.0.0.0 P3: 00000000 P4: StackHash_2e07 P5: 10.0.17763.2628 P6: 91ea188a P7: c0000374 P8: PCH_43_FROM_ntdll+0x00000000000A0544 P9: P10: Attached files: \?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER86A8.tmp.dmp \?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER87D2.tmp.WERInternalMetadata.xml \?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8802.tmp.xml \?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8804.tmp.csv \?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8843.tmp.txt These files may be available here: \?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_nxlog.exe_7198d2d4b17dc7d6aaa419f8df82eecf4ad86a_e5992931_12418b0d Analysis symbol: Rechecking for solution: 0 Report Id: 7870365a-2a26-49dd-9670-7c8d889f9dda Report Status: 268435456 Hashed bucket: 8cc762824f1e456172fb0d6d030c9bd7 Cab Guid: 0

Hi team, from the guide below we know that the Nxlog is able to deduplicate the log by some specific fields ("CheckFields"). https://nxlog.co/documentation/nxlog-user-guide/pm_norepeat.html May I know if it is possible to set the interval for it? Let's take below configuration as example. Is it possible to set the interval = 10s, so that the log with the same fields (Hostname, SourceName, Message) will be suppressed for only every 10 seconds. This is doable from Logstash (throttle -> period), but we wanna confirm if it is capable in Nxlog as well. Thank you. <Input uds> Module im_uds UDS /dev/log </Input> <Processor norepeat> Module pm_norepeat CheckFields Hostname, SourceName, Message </Processor> <Output file> Module om_file File "/var/log/messages" </Output> <Route uds_to_file> Path uds => norepeat => file </Route>

Hi all. I'm having some windows server that are subscribed to a nxlog server, who in turn sends the windows logs to a linux/syslog server. The syslog receives all these logs as NOTICE.USER which is not too practical. I would want the nxlog to keep the criticity of the message when forwarding them. I would want nxlog to prefix the logs with the original log sender hostname so that they appear as $PROGRAM in syslog. Also, is there a way to use some criterions to send logs from nxlog to syslog using different facilities (USER, MAIL, LOCALn,...) according to some criterions (real PROGRAM value for instance)

Hello - Currently using this for Event logs: Exec $SyslogFacilityValue = 22;to_syslog_snare(); However the timestamp in the logs is local machine time and it needs to be in UTC. From searching around it looks like this is possible in EE: DateFormat YYYY-MM-DDThh:mm:ss.sUTC However I cannot find that this is feasible for CE. Is there a way with Community Edition to either manually set the timestamp to UTC (without having to know the local machine time) or, worst case scenario, is it possible to forward the log from nxlog without a timestamp at all so the received log will only have a timestamp of ingest time?

Config works without <QueryXML> lines. When i add thoose lines it stops sends any data. I tested with user modification or login fail etc. Thanks for your help <Extension syslog> Module xm_syslog </Extension> <Extension xml> Module xm_xml </Extension> <Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=1102 or EventID=4719 or EventID=4704 or EventID=4717 or EventID=4738 or EventID=4798 or EventID=4705 or EventID=4674 or EventID=4697 or EventID=4648 or EventID=4723 or EventID=4946 or EventID=4950 or EventID=6416 or EventID=6424 or EventID=4732)]]</Select> </Query> </QueryList> </QueryXML> Exec $Message = to_xml(); to_syslog_bsd(); </Input> <Output tcp> Module om_tcp Host 127.0.0.1 Port 514 </Output> <Route eventlog_to_tcp> Path eventlog => tcp </Route>

Hello, I am trying to shorten a part of my raw_field which is way too long : Host_Application="..." to only keep like 50 characters. And I noticed that NXlog is using PCRE syntax for finding a string in a field, but not for the substitution where it uses classic regex. I tried different things: Substitute with a regex the part I want but I can't, since it replaces everything I write in the regex. Find the exact string I want to replace with my PCRE rexgex, and then try to substitute it but I can't use the $1 field as the source string to modify. I would like to know if there is any way of doing what I want. Malauran

Hi, Having this error below ..any ideas how to resolved ? Thanks INFO nxlog-ce-2.11.2190 started ERROR failed to subscribe to msvistalog events using bookmark: Access is denied. ERROR failed to subscribe to msvistalog events,access denied [error code: 5]; Access is denied. WARNING stopping nxlog service WARNING nxlog-ce received a termination request signal, exiting... WARNING not starting unused module dns INFO nxlog-ce-2.11.2190 started ERROR failed to subscribe to msvistalog events using bookmark: Access is denied. ERROR failed to subscribe to msvistalog events,access denied [error code: 5]; Access is denied.