Hi team, from the guide below we know that the Nxlog is able to deduplicate the log by some specific fields ("CheckFields"). https://nxlog.co/documentation/nxlog-user-guide/pm_norepeat.html May I know if it is possible to set the interval for it? Let's take below configuration as example. Is it possible to set the interval = 10s, so that the log with the same fields (Hostname, SourceName, Message) will be suppressed for only every 10 seconds. This is doable from Logstash (throttle -> period), but we wanna confirm if it is capable in Nxlog as well. Thank you. <Input uds> Module im_uds UDS /dev/log </Input> <Processor norepeat> Module pm_norepeat CheckFields Hostname, SourceName, Message </Processor> <Output file> Module om_file File "/var/log/messages" </Output> <Route uds_to_file> Path uds => norepeat => file </Route>

Hi all. I'm having some windows server that are subscribed to a nxlog server, who in turn sends the windows logs to a linux/syslog server. The syslog receives all these logs as NOTICE.USER which is not too practical. I would want the nxlog to keep the criticity of the message when forwarding them. I would want nxlog to prefix the logs with the original log sender hostname so that they appear as $PROGRAM in syslog. Also, is there a way to use some criterions to send logs from nxlog to syslog using different facilities (USER, MAIL, LOCALn,...) according to some criterions (real PROGRAM value for instance)

Hello - Currently using this for Event logs: Exec $SyslogFacilityValue = 22;to_syslog_snare(); However the timestamp in the logs is local machine time and it needs to be in UTC. From searching around it looks like this is possible in EE: DateFormat YYYY-MM-DDThh:mm:ss.sUTC However I cannot find that this is feasible for CE. Is there a way with Community Edition to either manually set the timestamp to UTC (without having to know the local machine time) or, worst case scenario, is it possible to forward the log from nxlog without a timestamp at all so the received log will only have a timestamp of ingest time?

Config works without <QueryXML> lines. When i add thoose lines it stops sends any data. I tested with user modification or login fail etc. Thanks for your help <Extension syslog> Module xm_syslog </Extension> <Extension xml> Module xm_xml </Extension> <Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=1102 or EventID=4719 or EventID=4704 or EventID=4717 or EventID=4738 or EventID=4798 or EventID=4705 or EventID=4674 or EventID=4697 or EventID=4648 or EventID=4723 or EventID=4946 or EventID=4950 or EventID=6416 or EventID=6424 or EventID=4732)]]</Select> </Query> </QueryList> </QueryXML> Exec $Message = to_xml(); to_syslog_bsd(); </Input> <Output tcp> Module om_tcp Host 127.0.0.1 Port 514 </Output> <Route eventlog_to_tcp> Path eventlog => tcp </Route>

Hello, I am trying to shorten a part of my raw_field which is way too long : Host_Application="..." to only keep like 50 characters. And I noticed that NXlog is using PCRE syntax for finding a string in a field, but not for the substitution where it uses classic regex. I tried different things: Substitute with a regex the part I want but I can't, since it replaces everything I write in the regex. Find the exact string I want to replace with my PCRE rexgex, and then try to substitute it but I can't use the $1 field as the source string to modify. I would like to know if there is any way of doing what I want. Malauran

Hi, Having this error below ..any ideas how to resolved ? Thanks INFO nxlog-ce-2.11.2190 started ERROR failed to subscribe to msvistalog events using bookmark: Access is denied. ERROR failed to subscribe to msvistalog events,access denied [error code: 5]; Access is denied. WARNING stopping nxlog service WARNING nxlog-ce received a termination request signal, exiting... WARNING not starting unused module dns INFO nxlog-ce-2.11.2190 started ERROR failed to subscribe to msvistalog events using bookmark: Access is denied. ERROR failed to subscribe to msvistalog events,access denied [error code: 5]; Access is denied.

Hi All, We have configured Nxlog to send application logs to RSA Virtual log collector. We are able to send one logfile using the below configurations in nxlog.conf <Input AppLogs> Module im_file File 'C:\Important_Application\Logs\log1.log' SavePos FALSE Recursive TRUE ReadFromLast FALSE Exec $Message = $raw_event; </Input> <Output out2> Module om_tcp Host "0.0.0.0" Port 514 </Output> <Route 2> Path AppLogs => out2 </Route> However, we are unable to send all the log files within the Logs directory. We tried the below methods: <Input AppLogs> Module im_file File 'C:\Important_Application\Logs*.log' or 'C:\Important_Application\Logs*.log' or 'C:\Important_Application\Logs' or 'C:\Important_Application\Logs*' SavePos FALSE Recursive TRUE ReadFromLast FALSE Exec $Message = $raw_event; </Input> But none of the above methods are workings. We need to send all the log files within the "Logs" folder. Please help.

I get an error in this module but the xm_python.dll is available and 35kb ERROR Failed to load module from C:\nxlog\modules\extension\xm_python.dll thanks

Hi, I install NXLog Enterprise Edition v5 trial And try to filter out events before send to SIEM. I can get some events and see SIEM side. But when I create fake event , cannot see all. What I want? I want to forward Windows server APP, SEC ve SYS logs that have only WARNING,ERROR and CRITICAL levels in CEF format Is that config part correct? <Extension _syslog> Module xm_syslog </Extension> <Extension _cef> Module xm_cef </Extension> <Input in_jornal> Module im_msvistalog # For windows 2003 and earlier use the following: # Module im_mseventlog # Channel Security <QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'> *[System/Level&lt;4] </Select> <Select Path='Security'> *[System/Level&lt;4] </Select> <Select Path='System'> *[System/Level&lt;4] </Select> </Query> </QueryList> </QueryXML>

Hello Techies, Can someone please help me below query? How to execute windows MSI installer to silently install nxlog agent(nxlog-ce-3.0.2272.msi) using a PowerShell script. Any code snippet or reference url will be very helpful to refer from. Thanks in advance Anil Kr

I've been trying to figure out the best way to ingest logs from 2 different data streams and have them go to separate log files. Heres the copy of my configuration. For my first input i have a bunch of firewall logs coming in to /syslog/firewalls.log. I now want to ingest syslog data from my isilon to a different log file. It only seems to work if I have host 0.0.0.0 setup. I'm getting the data but everything is being written to firewalls.log and not my isilon.log Any help would be greatly appreciated. <Extension _syslog> Module xm_syslog </Extension> <Extension _json> Module xm_json </Extension> <Input udp1> Module im_udp Host 0.0.0.0 Port 514 Exec parse_syslog(); </Input> <Output fwlog> Module om_file File "/syslog/firewalls.log" Exec to_json(); </Output> <Input udp2> Module im_udp Host 0.0.0.0 Port 514 InputType Syslog_TLS Exec parse_syslog(); </Input> <Output isilog> Module om_file File "/syslog/isilon.log" Exec to_json(); </Output> ######################################## # Routes # ######################################## <Route udp_to_file1> Path udp1 => fwlog </Route> <Route udp_to_file2> Path udp2 => isilog </Route>

https://docs.nxlog.co/ce/current/index.html#om_python The document has usage information. is not it right ? or is it only for linux ? https://gitlab.com/nxlog-public/nxlog-ce/-/blob/master/ChangeLog.txt 2021-12-13 3.0.2272 [2268] added python language integration modules [2639] added Raijin output module - om_raijin Thanks

Have you ever tested om_elasticsearch module with the 8th ElasticSearch version? I have no error log in nxlog.log, but no index or data are available in ES instance. I used the trial version 5.4 with ElasticSearch 8.0.

Hi. Tell me where I can download the 32-bit version of CE for Windows?

Hi Folks, We are from a reputed service based company, We have recently tested NXLog. We are planning to deploy it more than 500 production server. We want to automate deployment process. We have below queries. Is the windows setup (nxlog-ce-3.0.2272.msi) supports silent installation? Can it be installed using a PowerShell script without manual intervention? Note- If NxLog serves our purpose with better performance then we will go for enterprise edition. Thanks Anil

Hi everyone I'm very new to this and have searched around but couldn't find anything obvious. I have a few Pc's with NXLog Community Edition sending data to a Loggly instance, event log data They are picking up Security and System and Application ogs out of the box it seems, but i'm wondering if i need to do anything to add other event log sources to have them sent to Loggly? Is it a matter of adding something to the Conf file? For example, I have Kaspersky AV on an endpoint and i want to pick up the specific Event Log where Kaspersky sits. Am i explaining it right? I basically want to add other event Log types into the process of log sending Mark

Hello, I am in the process of setting up NXLOG to capture syslog messages via TLS, but I have issues with the TLS connection, specifically: ERROR SSL certificate verification failed: unsupported certificate purpose (err: 26) Certificate for NXLOG was issued with the following: OID=1.3.6.1.5.5.7.3.2; Client authentication OID=1.3.6.1.5.5.7.3.1; Server authentication Is there any documentation on how to request certificates for NXLOG? I do not have NXLOG manager. Cheers

Hello, I am evaluating the om_ssl (GELF) module of nxlog EE agent for a large number of devices with TLS authentication of the devices enabled at Graylog. We already have the certificates in the Windows certificate manager on the devices which we would use for the nxlog agent as well. The certificates are rotated frequently, and thus nxlog.conf needs to be kept up to date (with the thumbprints) and due to the large number of devices we cannot create and update the configuration files by hand. What is the best practice to populate nxlog.conf with the required certificate thumbprints from the certificate store on each device and keep the configuration up to date? Thank you!

I have installed NX Log agent on a windows machine, but NX Log Manager is showing multiple hostnames for a single IP address, and because of this there are multiple Agents showing now, and none of them is working.

Hi, Is it possible to install two Nxlog agents on a single machine and governed by two respective NxLog managers? Regards.