Hi team, i use the FIM module to monitor a test file and output it to 2 destination: local file and remote logstash with tcp. Now I could see the log in local file, but remote logstash fails to parse the log with json. After checking the log, i figure out that the log received by logstash is different: Local: {"EventTime":"2022-02-13T16:11:50.094508+08:00","EventType":"CHANGE","Object":"FILE","PrevFileName":"c:\users\test\desktop\test20220211.txt","PrevModificationTime":"2022-02-11T19:18:59.925713+08:00","FileName":"c:\users\test\desktop\test20220211.txt","ModificationTime":"2022-02-13T16:10:53.402144+08:00","PrevFileSize":6,"FileSize":10,"DigestName":"SHA1","Digest":"31ca8d2ae67b53db43d3581974d12a48c648eca5","PrevDigest":"1b1e2aa8fb50e43dd20429afdbbec1b81b153853","Severity":"WARNING","SeverityValue":3,"EventReceivedTime":"2022-02-13T16:11:50.094508+08:00","SourceModuleName":"fim","SourceModuleType":"im_fim"} Logstash: [2022-02-13T08:11:49,919][ERROR][logstash.codecs.json ][main][2869f035623bc8e694e78ee6b779cd6214f6eba705fdae0bea0b55fadc035072] JSON parse error, original data now in message field {:message=>"Unexpected character ('-' (code 45)): Expected space separating root-level values\n at [Source: (String)"2022-02-13 16:11:50 HKLAP0240 WARNING EventType="CHANGE" Object="FILE" PrevFileName="c:\\users\\test\\desktop\\test20220211.txt" PrevModificationTime="2022-02-11 19:18:59" FileName="c:\\users\\test\\desktop\\test20220211.txt" ModificationTime="2022-02-13 16:10:53" PrevFileSize="6" FileSize="10" DigestName="SHA1" Digest="31ca8d2ae67b53db43d3581974d12a48c648eca5" PrevDigest="1b1e2aa8fb50e43dd20429afdbbec1b81b153853" SeverityValue="3""; line: 1, column: 6]", :exception=>LogStash::Json::ParserError, :data=>"2022-02-13 16:11:50 HKLAP0240 WARNING EventType="CHANGE" Object="FILE" PrevFileName="c:\\users\\test\\desktop\\test20220211.txt" PrevModificationTime="2022-02-11 19:18:59" FileName="c:\\users\\test\\desktop\\test20220211.txt" ModificationTime="2022-02-13 16:10:53" PrevFileSize="6" FileSize="10" DigestName="SHA1" Digest="31ca8d2ae67b53db43d3581974d12a48c648eca5" PrevDigest="1b1e2aa8fb50e43dd20429afdbbec1b81b153853" SeverityValue="3""} { "tags" => [ [0] "jsonparsefailure" ], "message" => "2022-02-13 16:11:50 HKLAP0240 WARNING EventType="CHANGE" Object="FILE" PrevFileName="c:\\users\\test\\desktop\\test20220211.txt" PrevModificationTime="2022-02-11 19:18:59" FileName="c:\\users\\test\\desktop\\test20220211.txt" ModificationTime="2022-02-13 16:10:53" PrevFileSize="6" FileSize="10" DigestName="SHA1" Digest="31ca8d2ae67b53db43d3581974d12a48c648eca5" PrevDigest="1b1e2aa8fb50e43dd20429afdbbec1b81b153853" SeverityValue="3"", "@version" => "1", "host" => "53959da2d559", "@timestamp" => 2022-02-13T08:11:49.924Z, "path" => "/opt/nxlog/var/log/nxlog/logmessage.log", "type" => "json" } It seems the "2022-02-13 16:11:50 HKLAP0240 WARNING " is added only in the tcp stream and could not be identified as Json format by logstash. Is it normal to see the scenario and is there any workaround? Thank you.

Hi guys! I'm wondering where to download nxlog community edition version 2.11. The link I have doesn't work anymore — https://nxlog.co/system/files/products/files/348/nxlog-ce-2.11.2190.tar.gz I'm not sure whether it's ok or not for project I'm currently working on to switch to version 3 of nxlog. Could it be possible to keep old source code archives on nxlog's website? (I've also looked through gitlab, but unfortunately there is no version tags too...)

Hello All, I have an issue with sysmon logs. When they contain characters "è" like on word "système" nxlog convert it to "Syst�me". Could you please tell me how I can resolve this issue ? I've already tested the instructions bellow, but I always have an issue <Extension charconv> Module xm_charconv AutodetectCharsets iso8859-1, utf-8, utf-16, utf-32 </Extension> <Input input> Exec convert_fields("auto", "utf-8"); </Input> Best regards,

Converting events to Snare format and sending them out over TCP syslog <Output out> Module om_tcp Host 192.168.1.1 Port 514 Exec to_syslog_snare(); Can someone please tell me what's the purpose of the HOST IP, by default it's set to 192.168.1.1. What exactly should it be? Thanks

Hi All, I want to write windows events to a new file every 1 min. As of now, I have the following Output block in my conf which works. It is given below, <Output file> Module om_file File "C:\\Program Files (x86)\\nxlog\\data\\nxlog-output.json" <Schedule> Every 1 min Exec rotate_to(file_name() + strftime(now(), '_%Y-%m-%d_%H-%M-%S')); </Schedule> </Output> But in this case, I always write to the same file i.e "C:\Program Files (x86)\nxlog\data\nxlog-output.json" and after 1 min, the data is saved in other file with naming convention mentioned above. I want to create a new file every 1 min with above naming convention and then write to that file instead of writing to the same file. **How can I do this? Admins please guide. **

2022-02-08 04:16:56 INFO [CORE|main] nxlog-5.4.7313-trial started on Windows 2022-02-08 04:16:56 INFO [im_odbc|reading_integer_id] im_odbc successfully connected to the database 2022-02-08 04:16:56 ERROR [im_odbc|reading_integer_id] SQLBindParameter failed, HY104:2:0:[Microsoft][ODBC SQL Server Driver]Invalid precision value (odbc error code: -1) <Input reading_integer_id> Module im_odbc SavePos True idType integer ConnectionString Driver={SQL Server}; Server=xxxxxxxx;Database=SCSPDB; UID=xxxxt;PWD=xxxxxx; SQL SELECT Event_ID AS id, * FROM dbo.CSPEVENT_VW WHERE Event_ID > ? Exec delete($id); </Input> Used CAST but still the same error

Hello, I have this problem on the servers of one of my clients: nxlog receives a termination signal many times a day, and it closes. Then it restarts, sometimes instantly, other times after a random amount of time. I can't identify the source of the signal, but this happens only on the servers of one of my clients. On the Windows eventviewer only show that nxlog service has stopped and then restarted. I tried updating from 2.9.1716 to 3.0.2272, but this behaviour didn't change. This is what I see in the nxlog.log everyday: 2022-02-07 00:25:12 WARNING stopping nxlog service 2022-02-07 00:25:12 WARNING nxlog-ce received a termination request signal, exiting... 2022-02-07 00:26:12 INFO nxlog-ce-3.0.2272 started 2022-02-07 01:59:14 WARNING stopping nxlog service 2022-02-07 01:59:14 WARNING nxlog-ce received a termination request signal, exiting... 2022-02-07 02:00:14 INFO nxlog-ce-3.0.2272 started 2022-02-07 03:49:15 WARNING stopping nxlog service 2022-02-07 03:49:15 WARNING nxlog-ce received a termination request signal, exiting... 2022-02-07 03:50:16 INFO nxlog-ce-3.0.2272 started 2022-02-07 05:42:17 WARNING stopping nxlog service 2022-02-07 05:42:17 WARNING nxlog-ce received a termination request signal, exiting... 2022-02-07 05:43:17 INFO nxlog-ce-3.0.2272 started 2022-02-07 07:34:18 WARNING stopping nxlog service 2022-02-07 07:34:18 WARNING nxlog-ce received a termination request signal, exiting... 2022-02-07 09:24:20 INFO nxlog-ce-3.0.2272 started The last time it stopped this morning, it stayed off around 2 hours. I think it's the Windows service control that restarts it, but sometimes it fails or get delayed somehow, but I can't prove it: there's nothing on the windows logs apart from the service start/stop notice. I searched the forums and see others have this problem, but cannot find a real solution or hint on where to search.

Hi, I’m looking for the steps to configure HTTPS for NxLog Manager using a CA signed cert. The doc provided is very limited. Please kindly advise. Thanks !

I need some help. I need the events received in the graylog, to be in the local date/time here in Sao Paulo_Brazil. In the moment, is showed of the Africa timezone...

Dear All, Has anyone else found issues with the latest Nxlog V3.0.22 in terms of memory. I upgraded a test system on a client and it was usng spiking up to 40% of CPU whereease 2.10 did not do this. Also, is it possible to download 2.11.90 as the download link appears to have been removed. I even found this issue on Gitlab https://gitlab.com/nxlog-public/nxlog-ce/-/issues/17, however the link does not work. Does anyone know if there is a repository of releases? Cheers Cyberkryption

Given: <Exec> if ($EventID == 5156) OR ($EventID == 5158) drop(); else if ($Channel == 'Security') and ($EventID == 4624) $Message =~ s/\s*This event is generated when a logon session is created.*$//s; else if ($Channel == 'Security') and ($EventID == 4634) $Message =~ s/\s*This event is generated when a logon session is destroyed.*$//s; # Update the $raw_event field $raw_event = $EventTime + ' ' + $Message; </Exec>; If I understand this correctly when an eventID of 4624 or 4634 is received a substitution is performed on the message field and the orginal contents are replaced with nothing(null). Am I correct or at least close? If so, what is does 's' before the ';' mean?

Hi, thanks for the post, it helped me a lot. I did according to the video, but when I started the nxlog service, an error appeared: "Windows could not start the nxlog service on local computer "Error: 1053 The service did not respond to the start or control request in timely fashion" I will be grateful if you can answer ! Tks.

Following the documentation to receive the logs from docker, the module configuration for a Linux configuration is the following : <Input in> Module im_file File '/var/lib/docker/containers/*/*-json.log' <Exec> parse_json(); $HostID = file_basename(file_name()); $HostID =~ s/-json.log//; </Exec> </Input> However, in Windows, docker is running inside a WSL2 instance. this is why I replace the path with the docker for desktop equivalent : \\\\wsl$\docker-desktop-data\version-pack-data\community\docker\containers\\*-json.log Now, this works only if we launch nxlog from a cmd terminal, with the -f option to run in foreground. When it is running as a Windows service, it throws an error, unable to access the files. It seems it can't resolve the \\wsl$ in the path How to access Docker WSL2 logs from Windows ?

Hi I have a windows server core 2016 and need help uninstalling nxlog. Not sure who installed it. I don't have the installer or know exactly what version I have. c:\Program Files (x86)\nxlog\nxlog.exe" -c "c:\Program Files (x86)\nxlog\conf\nxlog.conf" I don't think this below helps since I don't know the version. I think is a 32bit. > msiexec /x nxlog-5.4.7313_windows_x64.msi /qb

I am use nxlog ce edition for a few log file handling and parsing on windows. This files needs a little parsing and rewriting, what i tryed like this: <Input from_HS_info> Module im_file ReadFromLast true SavePos true RenameCheck true InputType ml_main File "L:\HS[A-Z]*.log" &lt;Exec&gt; $ReadFilename = file_name(); if ( $ReadFilename =~ /^([A-Za-z]+)_[A-Za-z_0-9]*RNTOFSZ_(OFSZIMHTR\d+).*\.log$/ ) { $AccountName = $1; $Hostname = $2; } # Remove extra spaces $raw_event = replace($raw_event,'\s\s+1',' '); $Channel = 'Software'; $AcountType = 'Porcess'; $Severity = 'INFO'; $Message = $raw_event $Tags = '[&quot;' + $AccountName + '&quot;, &quot;prod&quot;, &quot;Instant Money&quot; ]'; $raw_event = 'InstantMoney ' + $raw_event; &lt;/Exec&gt; This snippet starts on line 72 and ends on line 98. When I try to start it sneds an error message to the log file (nxlog.log): 2022-01-24 16:31:54 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:80; couldn't parse statement at line 92, character 13 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected TOKEN_FIELDNAME, expecting ; Can anyone help me to correct this?

Hiya, Just wondering when the packages for Bullseye are going to be released for the Community Edition? I can see there's one already for Enterprise Edition. I have also just checked that it builds OK on Bullseye and I can't see any problems, so it looks like it should be an easy one? Thanks, Rob

Hi, I'm receiving the follow errors in nxlog.log: 2022-01-20 10:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-0939.log 2022-01-20 10:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1009.log 2022-01-20 11:11:17 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1039.log 2022-01-20 11:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1109.log 2022-01-20 12:11:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1139.log 2022-01-20 12:41:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1209.log 2022-01-20 13:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1239.log 2022-01-20 13:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1309.log 2022-01-20 14:11:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1339.log 2022-01-20 14:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1409.log 2022-01-20 15:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1439.log 2022-01-20 15:41:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1509.log 2022-01-20 16:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1539.log Version: nxlog-ce-2.11.2190.msi Contents of nxlog.conf: # # Configuration for converting and sending Windows logs # to AlienVault USM Anywhere. # # Version: 0.2.20 # Last modification: 2021-10-15 # define ROOT C:\Program Files (x86)\nxlog define OUTPUT_DESTINATION_ADDRESS SYSLOG IP define OUTPUT_DESTINATION_PORT 514 Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input internal> Module im_internal </Input> ####################################################################### #### SHAREPOINT-NXLOG ##### #### Uncomment the following lines for SharePoint-NXLOG ##### #### log forwarding ##### ####################################################################### <Extension transform_alienvault_csv_sharepoint> Module xm_csv Fields $Timestamp, $Process, $TID, $Area, $Category, $EventID, $Level, $Message, $Correlation FieldTypes string, string, string, string, string, string, string, string, string Delimiter \t </Extension> <Input SHAREPOINT_IN> Module im_file File "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS*-????????-????.log" <Exec> # Drop header lines and empty lines if $raw_event =~ /^(\xEF\xBB\xBF|Timestamp)/ drop(); else { $raw_event =~ s/ +(?=\t)//g; transform_alienvault_csv_sharepoint->parse_csv(); $EventTime = strptime($Timestamp, "%m/%d/%Y %H:%M:%S"); $Hostname = hostname_fqdn(); $SourceName = "SHAREPOINT-NXLOG"; } </Exec> </Input> <Output SHAREPOINT_OUT> Module om_udp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S'); Exec $Message = to_json(); to_syslog_bsd(); </Output> <Route SP_Route> Path SHAREPOINT_IN => SHAREPOINT_OUT </Route> ####################################################################### #### SHAREPOINT-NXLOG ##### ####################################################################### The files are no longer available due to the log retention policy. How do I prevent this error? I'm relatively sure that I'm missing something in the config file. Any help is appreciated.

Hi I'm new to nxlog. Just wanted to test it and created config that reads from a file and writes to a file. The input file contains the string This is a test My config is: User nxlog Group nxlog <Input in> Module im_file File "/opt/nxlog/bin/testlog" <Exec> if $raw_event =~ /(\w{4})(\s)(\w{2})(\s)(\w{1})(\s)(\w{4})/ { $f1 = $1; $f2 = $2; $f3 = $3; $f4 = $4; $f5 = $5; $f6 = $6; $f7 = $7; } </Exec> </Input> <Output out> Module om_file File "/opt/nxlog/bin/outest" </Output> <Route r> Path in => out </Route> I start nxlog with command nxlog -c myconf and it does not write to the file. What Am I missing?

Please help me with the character string transfer format. I need to pass a character string to an external program. I do it like this: <Extension exec> Module xm_exec </Extension> <Output to_db_repldata_access_log> Module om_null EXEC exec('c:\Windows\System32\cmd.exe','/U','/C','C:\Tools\NXLog\log_access_insert.bat', $Access_Resource); </Output> When the $Access_Resource field contains a character string without spaces, such as 'qwerty', then the string is passed without quotes, just qwerty When the $Access_Resource field contains a character string with spaces, such as 'qwer ty', then the string is passed in double quotes - "qwerty" Questions: How to unify the way the string is passed, either always in double quotes or always without quotes? Is it possible to configure the transmission of the string always in single quotes?

Have you noticed performance issues with the Windows Event log service when a log file size is set to a few GBs? I'm not sure if NXLog is a factor, but perhaps it may sometimes struggle with large event logs? We have our security event log set to 4 GB size on all servers. I've noticed that there are high CPU and RAM utilization on 5 or 20 minute cycles. The process using the CPU is svchost EventLog. Derived from using Resource Monitor and running: tasklist /svc /fi "imagename eq svchost.exe" I used Sysinternals RanMap to see that the security log file was using 4 GB of RAM stored in the Mapped File listing. We're not seeing this issue on all of our servers. But it was strange when a production and staging server with very similar loads experienced drastically utilizations. The utilization didn't match until the affected server had its security log cleared. There are not a lot of events being generated. 4 GBs of events goes back to over 30 days. The 4 GB setting is a recommended server configuration when using NetWrix Auditor. The biggest difference is the amount of standby vs active memory allocated to the security log. On affected servers, the active memory will be 4 GB. On unaffected servers, the standby memory will be 4 GB. Thank you in advance for any pointers.