
Using NXlog to send application logs from multiple files within a folder to RSA
Hi All,

We have configured NXLog to send application logs to the RSA Virtual Log Collector. We are able to send one log file using the configuration below in nxlog.conf:

<Input AppLogs>
    Module        im_file
    File          'C:\Important_Application\Logs\log1.log'
    SavePos       FALSE
    Recursive     TRUE
    ReadFromLast  FALSE
    Exec          $Message = $raw_event;
</Input>

<Output out2>
    Module  om_tcp
    Host    "0.0.0.0"
    Port    514
</Output>

<Route 2>
    Path    AppLogs => out2
</Route>

However, we are unable to send all the log files within the Logs directory. We tried the following File directives:

<Input AppLogs>
    Module        im_file
    File          'C:\Important_Application\Logs*.log'
    # also tried: 'C:\Important_Application\Logs*.log', 'C:\Important_Application\Logs' and 'C:\Important_Application\Logs*'
    SavePos       FALSE
    Recursive     TRUE
    ReadFromLast  FALSE
    Exec          $Message = $raw_event;
</Input>

But none of the above methods is working. We need to send all the log files within the "Logs" folder. Please help.

anusha_rampure created
Replies: 1
Error xm_python nxlog ce 302272
I get an error loading this module, but xm_python.dll is available and is 35 KB:

ERROR Failed to load module from C:\nxlog\modules\extension\xm_python.dll

Thanks

rizakara created
Replies: 1
How to filter Windows Server event by level
Hi,

I installed the NXLog Enterprise Edition v5 trial and am trying to filter out events before sending them to the SIEM. I can get some events and see them on the SIEM side, but when I create fake events I cannot see all of them. What I want: I want to forward Windows server APP, SEC and SYS logs that have only WARNING, ERROR and CRITICAL levels, in CEF format. Is this config part correct?

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _cef>
    Module xm_cef
</Extension>

<Input in_jornal>
    Module im_msvistalog
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    # Channel Security
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*[System/Level&lt;4]</Select>
                <Select Path='Security'>*[System/Level&lt;4]</Select>
                <Select Path='System'>*[System/Level&lt;4]</Select>
            </Query>
        </QueryList>
    </QueryXML>

tevfikceydeliler created
Replies: 2
Need code snippet or reference url to silently install nxlog agent
Hello Techies,

Can someone please help me with the query below? How do I execute the Windows MSI installer to silently install the NXLog agent (nxlog-ce-3.0.2272.msi) using a PowerShell script? Any code snippet or reference URL would be very helpful.

Thanks in advance,
Anil Kr

anilbqkumar created
Replies: 1
Need help ingesting logs from two different sources
I've been trying to figure out the best way to ingest logs from two different data streams and have them go to separate log files. Here's a copy of my configuration. For my first input I have a bunch of firewall logs coming in to /syslog/firewalls.log. I now want to ingest syslog data from my Isilon to a different log file. It only seems to work if I have Host 0.0.0.0 set up. I'm getting the data, but everything is being written to firewalls.log and not to my isilon.log. Any help would be greatly appreciated.

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input udp1>
    Module im_udp
    Host 0.0.0.0
    Port 514
    Exec parse_syslog();
</Input>

<Output fwlog>
    Module om_file
    File "/syslog/firewalls.log"
    Exec to_json();
</Output>

<Input udp2>
    Module im_udp
    Host 0.0.0.0
    Port 514
    InputType Syslog_TLS
    Exec parse_syslog();
</Input>

<Output isilog>
    Module om_file
    File "/syslog/isilon.log"
    Exec to_json();
</Output>

########################################
# Routes                               #
########################################

<Route udp_to_file1>
    Path udp1 => fwlog
</Route>

<Route udp_to_file2>
    Path udp2 => isilog
</Route>

aleblanc75 created
Replies: 1
Does NXLog CE 3.0.2272 support Python? om_python, im_python, om_python
https://docs.nxlog.co/ce/current/index.html#om_python

The document has usage information. Isn't that right? Or is it only for Linux?

https://gitlab.com/nxlog-public/nxlog-ce/-/blob/master/ChangeLog.txt

2021-12-13 3.0.2272
[2268] added python language integration modules
[2639] added Raijin output module - om_raijin

Thanks

rizakara created
ElasticSearch 8.0
Have you ever tested the om_elasticsearch module with Elasticsearch version 8? I have no error log in nxlog.log, but no index or data is available in the ES instance. I used the trial version 5.4 with Elasticsearch 8.0.

cm created
32bit/x86 NXLog-CE for Windows
Hi. Could you tell me where I can download the 32-bit version of NXLog CE for Windows?

travsontor created
NxLog silent installation
Hi Folks,

We are from a reputed service-based company, and we have recently tested NXLog. We are planning to deploy it on more than 500 production servers and want to automate the deployment process. We have the following queries:

Does the Windows setup (nxlog-ce-3.0.2272.msi) support silent installation?
Can it be installed using a PowerShell script without manual intervention?

Note: if NXLog serves our purpose with good performance, we will go for the Enterprise Edition.

Thanks,
Anil

anilbqkumar created
Replies: 1
Add additional Windows Event Log Sources
Hi everyone,

I'm very new to this and have searched around but couldn't find anything obvious. I have a few PCs with NXLog Community Edition sending event log data to a Loggly instance. They are picking up the Security, System and Application logs out of the box, it seems, but I'm wondering if I need to do anything to add other event log sources to have them sent to Loggly. Is it a matter of adding something to the conf file? For example, I have Kaspersky AV on an endpoint and I want to pick up the specific event log where Kaspersky sits. Am I explaining it right? I basically want to add other event log types into the log sending process.

Mark

markdavidboyd created
Replies: 1
NXLOG Community Edition - SSL Certificate Usage requirements
Hello,

I am in the process of setting up NXLog to capture syslog messages via TLS, but I have issues with the TLS connection, specifically:

ERROR SSL certificate verification failed: unsupported certificate purpose (err: 26)

The certificate for NXLog was issued with the following:

OID=1.3.6.1.5.5.7.3.2; Client authentication
OID=1.3.6.1.5.5.7.3.1; Server authentication

Is there any documentation on how to request certificates for NXLog? I do not have NXLog Manager.

Cheers

istoikov created
Configuring om_ssl - CertThumbprint on a large number of devices
Hello, I am evaluating the om_ssl (GELF) module of nxlog EE agent for a large number of devices with TLS authentication of the devices enabled at Graylog. We already have the certificates in the Windows certificate manager on the devices which we would use for the nxlog agent as well. The certificates are rotated frequently, and thus nxlog.conf needs to be kept up to date (with the thumbprints) and due to the large number of devices we cannot create and update the configuration files by hand. What is the best practice to populate nxlog.conf with the required certificate thumbprints from the certificate store on each device and keep the configuration up to date? Thank you!

atisu created
Multiple hostnames for single IP address
I have installed NX Log agent on a windows machine, but NX Log Manager is showing multiple hostnames for a single IP address, and because of this there are multiple Agents showing now, and none of them is working.

soc.techdlabs created
Two agents on a single windows machine.
Hi,

Is it possible to install two NXLog agents on a single machine, governed by two respective NXLog Managers?

Regards.

JBS created
Replies: 1
Usage of TLS protocol in CE
NXLog version: NXLog CE 3.0.2272
OS version: Windows Server 2019 \ Windows 10 for the client

Issue: I inspect the communication between the NXLog client and server via Wireshark. The client output module is om_ssl and the server input module is im_ssl. I've been expecting to see the usage of the TLS protocol, but all I see is TCP and RSH protocols, which are non-secure protocols. How can this be explained?

Client config:

<Output out_ssl>
    Module om_ssl
    Host <host_ip>
    Port 514
    OutputType Binary
    AllowUntrusted TRUE
</Output>

Server config:

<Input in_ssl>
    Module im_ssl
    Host 0.0.0.0
    Port 514
    InputType Binary
    CAFile <CA path>
    CertFile <Certificate path>
    CertKeyFile <private key path>
    KeyPass <key password>
    AllowUntrusted TRUE
    RequireCert FALSE
</Input>

Wireshark is tracking port 514 on the server.

Thanks!

LaniMils created
Restrict sending Windows logs to Graylog
Dear Friends,

How can I restrict sending records from Windows? For example, from Event Viewer I want to select only ID 5145, regarding deleting files and folders, because I am receiving a very large amount of messages that I do not need. I ask for your help. Thank you.

romuloforato created
Replies: 1
MS SQL SavePos is not used
Hello,

I send data from MS SQL to syslog using im_dbi + FreeTDS, and even though I have set SavePos, it always starts from the beginning at startup. After starting the service:

2022-02-15 11:19:32 DEBUG im_dbi sql: SELECT * FROM *** WHERE id > -1

When it is already running, the id is used:

2022-02-15 11:19:35 DEBUG im_dbi sql: SELECT * FROM *** WHERE id > 116407

-rw-r--r-- 1 nxlog nxlog 64 Feb 15 11:20 configcache.dat

OS: Ubuntu 20.04, latest NXLog CE 3.0.2272

<Input sql_send>
    Module im_dbi
    SavePos TRUE
    PollInterval 10
    Driver freetds
    Option host ***
    Option username ***
    Option password ***
    Option dbname ***
    SQL SELECT * FROM ***
</Input>

Robert000 created
file_name() returns unknown in im_file in Windows
NXLog version: NXLog CE 3.0.2272
OS version: Windows Server 2019

Issue: file_name() returns "unknown" in the im_file module.

Config:

<Input in_AppABC>
    Module im_file
    <Exec>
        log_info('Filename is ' + file_name());
    </Exec>
    File "C:\logs\AppABC.log"
</Input>

mitchfloresswi created
Replies: 3
NXlog-CE-3.0.2272 and Microsoft-Windows-PrintService
I've configured NXLog to send printing events from our Windows 2012 R2 print server to our Nagios LS instance. Except for the following issue, it works well. The issue is that when a filename contains a "%" sign, I receive a _grokparsefailure in Nagios. That led me to NXLog CE and how it (and its modules) read and parse the data from the Microsoft Windows PrintService event log. I enabled troubleshooting by means of debug AND outputting the $raw_event to a text file. Is there a way I can get this document name from the Windows Event Viewer into Nagios via NXLog CE? This issue looks similar to this thread, which says the problem is with the provider: https://nxlog.co/question/2362/problem-windows-event

DEBUG OUTPUT:

{"EventTime":"2022-02-11 10:38:48","Hostname":"xxx.yyy.zzz","Keywords":4611686018427390016,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":307,"SourceName":"Microsoft-Windows-PrintService","ProviderGuid":"{xxxxxxx}","Version":0,"Task":26,"OpcodeValue":11,"RecordNumber":2136143,"ProcessID":4764,"ThreadID":6728,"Channel":"Microsoft-Windows-PrintService/Operational","Domain":"XXXX","AccountName":"QQQQ","UserID":"SID-aaa-bbb-ccc","AccountType":"User","ERROR_EVT_UNRESOLVED":true,"Category":"Printing a document","Opcode":"Spooler Operation Succeeded","EventReceivedTime":"2022-02-11 10:38:50","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":null}

$raw_event OUTPUT:

2022-02-11 10:38:48 xxx.yyy.zzz INFO 307 XXXX\QQQQ[The description for EventID 307 from source Microsoft-Windows-PrintService cannot be found: The substitution string for insert index (%1) could not be found.
]

CONFIG:

define ROOT C:\Program Files\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="System">*[System[Provider[@Name='Srv'] and (Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Microsoft-Windows-PrintService/Admin">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_tcp
    Host qqq.yyy.zzz
    Port 1234
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();
</Output>

<Route 1>
    Path internal, file1, eventlog => out
</Route>

vm_grrl created
Nxlog CE 3.0.2272 - High CPU Usage
Hi everyone,

After updating NXLog Community Edition to the latest version (3.0.2272), CPU consumption increased hugely. The configuration is basic and works over the im_file module:

<Input fake>
    Module im_file
    File "C:\fakedir\logs\fake_file*"
    SavePos TRUE
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c->parse_csv();
            $EventTime = parsedate($date + " " + $time);
            $Message = to_json();
        }
    </Exec>
</Input>

Has anyone else had the same issue with this version?

ortega87 created
Replies: 5