I am trying to use nxlog to process some historical files and load them into Graylog. It is a nested JSON file and I only need a few fields out of it. I am hoping for some pointers on how to get the following data out of the JSON file and posted into Graylog.
username
rename text to message
rename first title to method
rename title_link to method_link
From the fields section:
Severity: value
Region: value
Rename Last Seen to timestamp: value (I would like Graylog to use this as the timestamp for the data coming in).
Below is my whole nxlog.conf, but the relevant input is the guardduty input.
nxlog.conf:

User nxlog
Group nxlog
Panic Soft

# default values:
define INSTALLDIR /opt/nxlog
PidFile %INSTALLDIR%/var/run/nxlog/nxlog.pid
CacheDir %INSTALLDIR%/var/spool/nxlog
ModuleDir %INSTALLDIR%/lib/nxlog/modules
SpoolDir %INSTALLDIR%/var/spool/nxlog

define CERTDIR %INSTALLDIR%/var/lib/nxlog/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The MYLOGFILE
# define is also used to rotate the log file automatically (see the _fileop
# block).
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# If you are not using NXLog Manager, disable the include line
# and enable LogLevel and LogFile.
#include %CONFDIR%/*.conf
LogLevel DEBUG
LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Extension json_parser>
    Module xm_json
    Flatten True
    PrettyPrint True
</Extension>

<Extension exec>
    Module xm_exec
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension antivirus_csv>
    Module xm_csv
    Fields $Severity,$timestamp,$ip,$endtime,$User,$User Groups,$Device,$Device Group
    Delimiter ,
</Extension>

<Extension xml>
    Module xm_xml
</Extension>

<Input alienvault>
    Module im_file
    File "/var/nxlog/alienvault/*.log"
    SavePos TRUE
    ReadFromLast TRUE
    <Exec>
        parse_xml();
        to_json();
    </Exec>
</Input>

<Input antivirus>
    Module im_file
    File "/var/nxlog/antivirus/*.csv"
    ReadFromLast TRUE
    SavePos True
    <Exec>
        antivirus_csv->parse_csv();
        to_json();
    </Exec>
</Input>

<Input guardduty>
    Module im_file
    File "/var/nxlog/guardduty/*.json"
    SavePos True
    InputType json_parser
    <Exec>
        # Delete some fields that aren't necessary
        delete($type);
        delete($subtype);
        delete($text);
        delete($mrkdwn_in);
        delete($EventReceivedTime);
        # Convert fields back to JSON because of the deletion
        to_json();
    </Exec>
</Input>

<Output udp_12202>
    Module om_udp
    Host graylog.mydomain.com:12202
    OutputType GELF_UDP
</Output>

<Output udp_5515>
    Module om_udp
    Host graylog.mydomain.com:5515
    OutputType GELF_UDP
</Output>

<Route antivirus_to_udp_5515>
    Path antivirus => udp_5515
</Route>

<Route to_udp_12202>
    Path alienvault, guardduty => udp_12202
</Route>
Sample JSON. The files are larger, but I kept the first and last entry.

[
  {
    "type": "message",
    "subtype": "bot_message",
    "text": "",
    "ts": "1614611466.000100",
    "username": "GuardDuty",
    "icons": {
      "image_48": "https://s3-us-east-1.amazonaws.com/slack-files2/bot_icons/2019-07-02/671758367922_48.png"
    },
    "bot_id": "BL5799J6A",
    "attachments": [
      {
        "fallback": "Recon:IAMUser/UserPermissions - <https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz>",
        "text": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal Some-Role under unusual circumstances. Such activity is not typically seen from this principal.",
        "pretext": "Finding in us-east-1 for Acct: 505986456095",
        "title": "Recon:IAMUser/UserPermissions",
        "id": 1,
        "title_link": "https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz",
        "color": "e2d43b",
        "fields": [
          { "title": "Severity", "value": "Medium", "short": true },
          { "title": "Region", "value": "us-east-1", "short": true },
          { "title": "Last Seen", "value": "<!date^1614611294^{date} at {time} | 2021-03-01T15:08:14.526Z>", "short": true }
        ],
        "mrkdwn_in": [ "pretext" ]
      }
    ]
  },
  {
    "type": "message",
    "subtype": "bot_message",
    "text": "",
    "ts": "1614629763.001600",
    "username": "GuardDuty",
    "icons": {
      "image_48": "https://s3-us-east-1.amazonaws.com/slack-files2/bot_icons/2019-07-02/671758367922_48.png"
    },
    "bot_id": "BL5799J6A",
    "attachments": [
      {
        "fallback": "Recon:IAMUser/UserPermissions - <https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz>",
        "text": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal Some-Role under unusual circumstances. Such activity is not typically seen from this principal.",
        "pretext": "Finding in us-east-1 for Acct: 505986456095",
        "title": "Recon:IAMUser/UserPermissions",
        "id": 1,
        "title_link": "https://console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz",
        "color": "e2d43b",
        "fields": [
          { "title": "Severity", "value": "Medium", "short": true },
          { "title": "Region", "value": "us-east-1", "short": true },
          { "title": "Last Seen", "value": "<!date^1614629482^{date} at {time} | 2021-03-01T20:11:22.426Z>", "short": true }
        ],
        "mrkdwn_in": [ "pretext" ]
      }
    ]
  }
]
scallawa created
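The post above asks for a specific field mapping out of a nested Slack export of GuardDuty findings. The following is an added example (not the poster's configuration and not nxlog code) that performs that mapping in Python as a pre-processing step: it reads the export as what it is, a single JSON array rather than one object per line, applies the renames the poster listed (text to message, the attachment title to method, title_link to method_link, Severity and Region from the fields list, Last Seen as the timestamp), and emits one flat GELF 1.1 object per attachment. GELF requires `version`, `host`, `short_message` and `timestamp` (epoch seconds) and prefixes custom fields with an underscore, so the output uses those names. `SAMPLE_EXPORT` is a constructed copy of the first entry from the post; the Slack date token format is taken from that sample.

```python
r"""Flatten GuardDuty findings from a Slack export into GELF-style records.

Added example, not the poster's config or code: the export is a single JSON
array (not one object per line), so this reads the whole array, keeps only the
fields the poster listed, and emits one flat object per attachment, written as
one JSON object per line. SAMPLE_EXPORT is a constructed copy of the first
entry from the post.
"""
import json
import re
from datetime import datetime, timezone
from typing import List

# Slack date token, e.g. <!date^1614611294^{date} at {time} | 2021-03-01T15:08:14.526Z>
SLACK_DATE_RE = re.compile(r"<!date\^(?P<epoch>\d+)\^[^|]*\|\s*(?P<iso>[^>\s]+)\s*>")


def parse_last_seen(value: str) -> float:
    """Return the 'Last Seen' field as epoch seconds (the GELF timestamp format).

    The ISO-8601 fallback carries millisecond precision, so it is preferred; the
    integer epoch inside the token is used if that part is absent or malformed.
    """
    m = SLACK_DATE_RE.search(value)
    if not m:
        raise ValueError(f"unrecognised Last Seen value: {value!r}")
    try:
        dt = datetime.fromisoformat(m.group("iso").replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.timestamp()
    except ValueError:
        return float(m.group("epoch"))


def attachment_to_gelf(message: dict, attachment: dict) -> dict:
    """Map one Slack attachment (one GuardDuty finding) to a GELF 1.1 record.

    Renames follow the post: text -> message (GELF short_message), title ->
    method, title_link -> method_link; Severity and Region come from the
    'fields' list; Last Seen becomes the GELF timestamp. Custom GELF fields
    must start with an underscore.
    """
    fields = {f.get("title"): f.get("value") for f in attachment.get("fields", [])}
    if "Last Seen" not in fields:
        raise ValueError("attachment has no 'Last Seen' field")
    return {
        "version": "1.1",
        "host": message.get("username", "unknown"),
        "short_message": attachment.get("text") or attachment.get("fallback", ""),
        "timestamp": parse_last_seen(fields["Last Seen"]),
        "_method": attachment.get("title"),
        "_method_link": attachment.get("title_link"),
        "_Severity": fields.get("Severity"),
        "_Region": fields.get("Region"),
    }


def flatten_export(text: str) -> List[dict]:
    """Parse a whole export file (a JSON array of messages) into GELF records."""
    records = []
    for message in json.loads(text):
        for attachment in message.get("attachments", []):
            records.append(attachment_to_gelf(message, attachment))
    return records


# Constructed sample: the first entry of the export shown in the post.
SAMPLE_EXPORT = json.dumps([{
    "type": "message", "subtype": "bot_message", "text": "",
    "ts": "1614611466.000100", "username": "GuardDuty", "bot_id": "BL5799J6A",
    "attachments": [{
        "text": "APIs commonly used to discover the users, groups, policies and "
                "permissions in an account, was invoked by IAM principal Some-Role "
                "under unusual circumstances.",
        "pretext": "Finding in us-east-1 for Acct: 505986456095",
        "title": "Recon:IAMUser/UserPermissions",
        "title_link": "https://console.aws.amazon.com/guardduty/home?region=us-east-1"
                      "#/findings?search=id%5t45ffg59a575art6789404dr5oci5a4zz",
        "fields": [
            {"title": "Severity", "value": "Medium", "short": True},
            {"title": "Region", "value": "us-east-1", "short": True},
            {"title": "Last Seen",
             "value": "<!date^1614611294^{date} at {time} | 2021-03-01T15:08:14.526Z>",
             "short": True},
        ],
        "mrkdwn_in": ["pretext"],
    }],
}])


if __name__ == "__main__":
    # One JSON object per line: the form a line-oriented reader can ingest.
    for record in flatten_export(SAMPLE_EXPORT):
        print(json.dumps(record))
```

Run against a real export with `flatten_export(open(path).read())` and write each record as its own line; the resulting file is flat, so no nested-key handling is needed downstream, and the `timestamp` field already carries the finding's Last Seen time rather than the ingestion time.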
Hi,
Reaching out to you because when I try to start NXLog, I get the below message.
Error 1067: the process terminated unexpectedly
srinivaspr20 created
Hello,
We have the need to be able to collect a collection of files that would be our standard template of collection, and to add another template to collect specific files.
The goal is to limit the risk of disruption to other logging on the same system and to be able to modify the standard without any impact on the specific files.
Is this possible, and if so, how can it be done?
Regards Edouard MORAGUES
emoragues created
Hi,
We have this error
ERROR binary header not found at position 0 in data received from xxx.xxx.xxx.xxx is input really binary?
Any hint will be appreciated.
Regards, K
Exa777 created
Has anyone successfully sent logs from NXLog to New Relic? I've tried using om_tcp, om_ssl and om_http to send syslogs to New Relic but I keep running into issues with NXLog.
For example:
ERROR [om_http|out] SSL error, SSL_ERROR_SSL: retval -1, from 162.247.243.181:443, reason: sslv3 alert handshake failure
ERROR [om_http|out] [ssl.c:209/nx_ssl_error()] SSL error, SSL_ERROR_SSL: retval -1, from 162.247.243.181:443, ( reason: unsupported protocol, function: SSL23_GET_SERVER_HELLO, library: SSL routines )
I've tried both the TCP endpoint for syslogs and the headerless API log endpoint, and if I send a curl -X POST with some JSON data to the New Relic log endpoint, it works fine without any issues.
Any ideas?
pnvnd created
Hi,
Is it possible to use NXLog to pull logs from ELK into NXLog Manager?
Thanks
NKH created
Hi, I am configuring the om_ssl module for <Output tcpssl> on CE and am successful in sending logs to Logstash over SSL; however, if I remove CertKeyFile I get the error "ERROR SSL error, SSL_ERROR_SSL: retval 0, sslv3 alert bad certificate". My question is: why is a private key required here? Thanks, Sidd
sidd_jain created
Hello,
When I install nxlog with an Administrator account and then try to uninstall with another account (even with admin privileges) I'm having issues, and I'm not able to do it.
Any idea how to solve this issue?
demoloty created
Hi,
I'm new to NXLog. I'm still learning how to deploy NXLog Manager and the agents. I'd like to know where I can download sample Verbatim templates for different environments like Linux, Windows Server, Windows 10 and so on, and also the configuration templates for SIEMs like LogRhythm and Splunk.
TIA !
DSSLIM created
aorta created
Is there a way to control the serialisation nxlog does on the logs sent to Kafka via om_kafka? Firstly, I do not know how the messages sent to Kafka are serialised; as a result, when I read these messages from Kafka, I end up facing de-serialisation errors.
dsta created
Hello, I haven't found any official statement about nxlog supporting Windows Server 2022. Our customer is asking us about that. Does nxlog 5.0 support log collection for Windows Server 2022?
Pr0n00bxWRx. created
SecuronixS created
Hi, I have been trying to get this to work for 2 days but it's not happening! I have a log that sometimes has Java call stack errors (multiline); I ship these to Graylog using nxlog. As you have guessed, I get one log per line. So I searched and found the xm_multiline module. Great, but I can't get it to work as expected. I have tried many variations of regex but the output I get is not good. To test I'm using txt files in and out. From time to time I point to Graylog but it's never correct.
Sample data (stack shortened so as not to fill up this forum message):

09:56:29.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error
09:56:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error
11:49:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error
java.lang.NullPointerException: null
    at org.apache.xmlbeans.impl.store.Cur.listRemove(Cur.java:2788)
    at org.apache.xmlbeans.impl.store.Locale.embedCurs(Locale.java:2796)
    at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1953)
    at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1846)
    at org.apache.xmlbeans.impl.store.Cur.createHelper(Cur.java:287)
    at org.apache.xmlbeans.impl.store.Cur.createAttr(Cur.java:211)
    at org.apache.xmlbeans.impl.store.Xobj.setAttr(Xobj.java:559)
    at org.apache.xmlbeans.impl.store.Xobj.add_attribute_user(Xobj.java:2272)
    at org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTCellImpl.setR(Unknown Source)
    at org.apache.poi.xssf.usermodel.XSSFCell.setCellNum(XSSFCell.java:911)
    at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:226)
    at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:200)
    at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:73)
    at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:60)
    at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticleData(ExcelService.java:441)
    at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:402)
    at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:372)
    at com.lexisnexis.bis.act.export.service.ExcelService.generateSheetArticles(ExcelService.java:242)
    at com.lexisnexis.bis.act.export.service.ExcelService.generateExport(ExcelService.java:212)
11:42:30.278 [TEST test2] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error
11:42:30.278 [TEST test2] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error
NXLOG Config:

Panic Soft
NoCache TRUE
#Loglevel ERROR
Loglevel INFO

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _gelf>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Extension multi>
    Module xm_multiline
    HeaderLine /^\d\d:\d\d:\d\d/
</Extension>

#ACT
<Input in>
    Module im_file
    FILE "C:\test.log"
    InputType multi
    ReadFromLast False
    SavePos False
</Input>

<Output gelf>
    Module om_tcp
    Host 192.168.xx
    Port 12222
    OutputType GELF_TCP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '72f7289a-7cf5-4ae5-af7f-0428371459f4';
        $collector_node_id = hostname();
    </Exec>
</Output>

<Output out>
    Module om_file
    File "C:\test_out.txt"
</Output>

<Route 3>
    Path in => out
</Route>
OUTPUT: 09:56:29.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 㤀㨀㔀㘀㨀㌀ ⸀㈀㜀㠀 嬀吀䔀匀吀 吀䔀匀吀崀 䔀刀刀伀刀 漀⸀稀⸀瀀⸀猀瀀爀椀渀最⸀挀漀洀洀漀渀⸀䄀搀瘀椀挀攀吀爀愀椀琀猀 ⴀ 䤀渀琀攀爀渀愀氀 匀攀爀瘀攀爀 䔀爀爀漀爀ഀഀ 11:49:30.278 [TEST TEST] ERROR o.z.p.spring.common.AdviceTraits - Internal Server Error 樀愀瘀愀⸀氀愀渀最⸀一甀氀氀倀漀椀渀琀攀爀䔀砀挀攀瀀琀椀漀渀㨀 渀甀氀氀ഀഀ at org.apache.xmlbeans.impl.store.Cur.listRemove(Cur.java:2788) ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䰀漀挀愀氀攀⸀攀洀戀攀搀䌀甀爀猀⠀䰀漀挀愀氀攀⸀樀愀瘀愀㨀㈀㜀㤀㘀⤀ഀഀ at org.apache.xmlbeans.impl.store.Cur.moveNode(Cur.java:1953) ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䌀甀爀⸀洀漀瘀攀一漀搀攀⠀䌀甀爀⸀樀愀瘀愀㨀㠀㐀㘀⤀ഀഀ at org.apache.xmlbeans.impl.store.Cur.createHelper(Cur.java:287) ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀䌀甀爀⸀挀爀攀愀琀攀䄀琀琀爀⠀䌀甀爀⸀樀愀瘀愀㨀㈀⤀ഀഀ at org.apache.xmlbeans.impl.store.Xobj.setAttr(Xobj.java:559) ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀砀洀氀戀攀愀渀猀⸀椀洀瀀氀⸀猀琀漀爀攀⸀堀漀戀樀⸀愀搀搀开愀琀琀爀椀戀甀琀攀开甀猀攀爀⠀堀漀戀樀⸀樀愀瘀愀㨀㈀㈀㜀㈀⤀ഀഀ at org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTCellImpl.setR(Unknown Source) ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀瀀漀椀⸀砀猀猀昀⸀甀猀攀爀洀漀搀攀氀⸀堀匀匀䘀䌀攀氀氀⸀猀攀琀䌀攀氀氀一甀洀⠀堀匀匀䘀䌀攀氀氀⸀樀愀瘀愀㨀㤀⤀ഀഀ at org.apache.poi.xssf.usermodel.XSSFRow.createCell(XSSFRow.java:226) ऀ愀琀 漀爀最⸀愀瀀愀挀栀攀⸀瀀漀椀⸀砀猀猀昀⸀甀猀攀爀洀漀搀攀氀⸀堀匀匀䘀刀漀眀⸀挀爀攀愀琀攀䌀攀氀氀⠀堀匀匀䘀刀漀眀⸀樀愀瘀愀㨀㈀ ⤀ഀഀ at com.lexisnexis.bis.act.export.util.ExcelUtil.generateRowCell(ExcelUtil.java:73) ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀甀琀椀氀⸀䔀砀挀攀氀唀琀椀氀⸀最攀渀攀爀愀琀攀刀漀眀䌀攀氀氀⠀䔀砀挀攀氀唀琀椀氀⸀樀愀瘀愀㨀㘀 ⤀ഀഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticleData(ExcelService.java:441) ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀最攀渀攀爀愀琀攀刀漀眀䄀爀琀椀挀氀攀⠀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀樀愀瘀愀㨀㐀 ㈀⤀ഀഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateRowArticle(ExcelService.java:372) ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀最攀渀攀爀愀琀攀匀栀攀攀琀䄀爀琀椀挀氀攀猀⠀䔀砀挀攀氀匀攀爀瘀椀挀攀⸀樀愀瘀愀㨀㈀㐀㈀⤀ഀഀ at com.lexisnexis.bis.act.export.service.ExcelService.generateExport(ExcelService.java:212) ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀␀␀䘀愀猀琀䌀氀愀猀猀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀戀㔀㌀㤀戀㌀㐀⸀椀渀瘀漀欀攀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀഀ at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ऀ愀琀 
漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀椀渀瘀漀欀攀䨀漀椀渀瀀漀椀渀琀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㜀⤀ഀഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀഀ at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:366) ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀琀爀愀渀猀愀挀琀椀漀渀⸀椀渀琀攀爀挀攀瀀琀漀爀⸀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀椀渀瘀漀欀攀⠀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀樀愀瘀愀㨀㠀⤀ഀഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀഀ at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691) ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀攀砀瀀漀爀琀⸀猀攀爀瘀椀挀攀⸀䔀砀挀攀氀匀攀爀瘀椀挀攀␀␀䔀渀栀愀渀挀攀爀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀㈀㌀攀㈀㤀㘀㤀⸀最攀渀攀爀愀琀攀䔀砀瀀漀爀琀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀഀ at com.lexisnexis.bis.act.service.ArticleService.getExcelExport(ArticleService.java:2200) ऀ愀琀 挀漀洀⸀氀攀砀椀猀渀攀砀椀猀⸀戀椀猀⸀愀挀琀⸀猀攀爀瘀椀挀攀⸀䄀爀琀椀挀氀攀匀攀爀瘀椀挀攀␀␀䘀愀猀琀䌀氀愀猀猀䈀礀匀瀀爀椀渀最䌀䜀䰀䤀䈀␀␀昀㌀㜀㈀㌀攀昀㔀⸀椀渀瘀漀欀攀⠀㰀最攀渀攀爀愀琀攀搀㸀⤀ഀഀ at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀椀渀瘀漀欀攀䨀漀椀渀瀀漀椀渀琀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㜀⤀ഀഀ at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀愀漀瀀⸀昀爀愀洀攀眀漀爀欀⸀䌀最氀椀戀䄀漀瀀倀爀漀砀礀␀䌀最氀椀戀䴀攀琀栀漀搀䤀渀瘀漀挀愀琀椀漀渀⸀瀀爀漀挀攀攀搀⠀䌀最氀椀戀䄀漀瀀倀爀漀砀礀⸀樀愀瘀愀㨀㜀㐀㤀⤀ഀഀ at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:366) ऀ愀琀 漀爀最⸀猀瀀爀椀渀最昀爀愀洀攀眀漀爀欀⸀琀爀愀渀猀愀挀琀椀漀渀⸀椀渀琀攀爀挀攀瀀琀漀爀⸀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀椀渀瘀漀欀攀⠀吀爀愀渀猀愀挀琀椀漀渀䤀渀琀攀爀挀攀瀀琀漀爀⸀樀愀瘀愀㨀㠀⤀ഀഀ at org.springframework.aop.framework.R
Petex created
This works but I'm trying to filter out a service account username that is for cron tasks and is making the logs super noisy on my syslog server:
Collecting event log
<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security"></Select>
                <Select Path="SentinelOne/Operational"></Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $Message =~ s/(\t|\R)/ /g; to_syslog_bsd();
</Input>
I tried Exec block filtering, but any attempt to add XML code that filtered on the "Exec" line made all logs stop coming in. What would be the correct syntax for suppressing a username that's dedicated to cron tasks and is making the logs super noisy? Thanks all in advance. CB
ilgtech created
Hi, I downloaded and installed nxlog-ce-3.0.2272_rhel8.x86_64.rpm on a CentOS 8 server. It is my first installation on CentOS 8; before, I used nxlog only on CentOS 7. I copied the input configuration from another server and am sending data to Graylog, but the FileName field is now "unknown" instead of the name of the file. The rest of the fields work excellently.
<Input log> Module im_file
File "/var/log/*"
SavePos TRUE
ReadFromLast TRUE
Exec $Message = $raw_event;
Exec $FileName = file_name();
</Input>
VadimPol created
Hello,
I would like to modify the IIS logs for further transfer to the destination. Right now I am parsing the IIS log with the xm_csv module, as in the template. UndefValue is set so as not to get empty values. How can I interact with the data parsed by w3c_parser? For example, I want to combine such a value into a variable: $request = '"' + $cs-method + ' ' + $cs-uri-stem + ' ' + $cs-version + '"'; but I get an error. When I try to write a field from w3c_parser to $raw_event, I also get an error. Any other data is added without error. For example:
$raw_event = $c-ip (error)
$raw_event = $EventTime + ' ' + $http_host (no error)
Thank you in advance! Example error, logs and config file below.
2022-03-23 16:49:45 WARNING stopping nxlog service
2022-03-23 16:49:45 WARNING nxlog-ce received a termination request signal, exiting...
2022-03-23 16:49:56 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:59; couldn't parse statement at line 71, character 32 in C:\Program Files\nxlog\conf\nxlog.conf; syntax error, unexpected +, expecting (
2022-03-23 16:49:56 ERROR module 'iis_w3c' has configuration errors, not adding to route 'uds_to_file' at C:\Program Files\nxlog\conf\nxlog.conf:84
2022-03-23 16:49:56 ERROR route uds_to_file is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:84
2022-03-23 16:49:56 WARNING no routes defined!
2022-03-23 16:49:56 WARNING not starting unused module iis_w3c
2022-03-23 16:49:56 WARNING not starting unused module file
2022-03-23 16:49:56 INFO nxlog-ce-3.0.2272 started

Current log format:
date time s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-bytes cs-bytes time-taken
2022-03-23 08:00:01 HOST.DOMAIN 99.XX.XX.4 GET /AnalyticsService - 443 - XX.XX.XX.XXX HTTP/1.1 Zabbix - - site.host.domain 200 3918 144 4

Required log format:
$http_host $remote_addr $remote_user [$time_local] UNIX-TIME-$msec "$request" $status "$sent_http_content_type" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_cookie" $request_time "$upstream_addr" NGINX-CACHE-$upstream_cache_status "$request_id" "$request_body"
host.domain 99.99.99.249 - [11/Mar/2022:20:09:56+0300] UNIX-TIME-1647018596.031 "GET /api/company.php?id=853747 HTTP/1.1" 200 "text/xml; charset=UTF-8" 1455 "-" "-" "20b6b325ea192383cb1244412247c5ea=3002538ef353c9daab4f742176a840; etpsid=f488b343a23d1a4a2332e089a0" 0.059 0.059 "10.10.10.111:80" NGINX-CACHE-- "d0b5ac12cf82671067aa5e6c5c" "-"
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c_parser>
    Module xm_csv
    Fields $date, $time, $s-computername, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $cs-version, $cs(User-Agent), $cs(Cookie), $cs(Referer), $cs-host, $sc-status, $sc-bytes, $cs-bytes, $time-taken
    FieldTypes string, string, string, string, string, string, string, integer, string, string, string, string, string, string, string, integer, integer, integer, integer
    Delimiter ' '
    EscapeChar '"'
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Extension w3c_out>
    Module xm_csv
    Fields $http_host, $c-ip, $cs-username, $EventTime1, $sc-status, $Unix
    FieldTypes string, string, string, string, string, string
    Delimiter ' '
    UndefValue -
    QuoteMethod None
</Extension>

<Input iis_w3c>
    Module im_file
    File 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'
    SavePos TRUE
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c_parser->parse_csv();
            $EventTime = parsedate($date + " " + $time);
            $EventTime = $EventTime + (3 * 3600);
            $EventTime1 = strftime($EventTime, '[%d/%b/%Y:%H:%M:%S]');
            $EventTime1 = '$EventTime1' + ' +0003]';
            $Unix = integer($EventTime);
            $Unix = 'UNIX-TIME-' + $Unix;
            $http_host = "site.host.domain";
            $request = '"' + $cs-method + ' ' + $cs-uri-stem + ' ' + $cs-version + '"';
            $request = $cs-method;
            w3c_out->to_csv();
        }
    </Exec>
</Input>

<Output file>
    Module om_file
    File 'C:\inetpub\logs\LogFiles\Parser\w3c.txt'
</Output>

<Route uds_to_file>
    Path iis_w3c => file
</Route>
a.volkov created
cmarsura created
I'm not sure it's causing a problem, but consistently nxlog will crash on Windows when making a call to stop the nxlog service with error "System Error 109 has occurred. The pipe has ended."
I'd like to fix this if anyone knows of a way.
bp81 created
We are using NXLog CE's im_msvistalog module to forward Windows Event Logs from the Security log, with some filtering, to an external syslog server. Functionally this works well and does exactly what we need it to.
The problem we are having is that nxlog.exe process often consumes rather high percentages of a workstation's CPU in bursts. Between 25 and 35 percent every few minutes, for around a minute at a time. This is generally too much of a performance hit and I need to find some way to resolve it.
I have already mitigated the size of the event log file that nxlog.exe is querying from by clearing the Security log entirely, so this is happening even on a system with not more than a few dozen log entries to read from. The query itself is fairly simple, it loads all Event ID 4625 entries from the Security log (these are logon failures). It then has a single command to drop any logon failures that were initiated for a computer account instead of a user account (this is done by reading the target account trying to logon, string parsing the account username to see if the final character is a "$", which denotes a computer account, and dropping the log if the "$" is found).
What can I do to mitigate the excessive CPU usage?
What I have tried so far: clearing the Windows event log that nxlog is reading from to reduce the size of the data it needs to read from disk, using UDP syslog forwarding instead of TCP, removed the parsing that dropped Event Log ID 4625 entries where the target account being logged in was a computer account instead of a user account. None of this has helped.
Edit to add: I did try writing out text logging instead of syslog forwarding. This worked but I am still experiencing the periodic excessive CPU consumption. The problem is likely in the im_msvistalog input module, I would assume.
bp81 created