Hello,This is not a installation question.Using wget, as I have done for past 6 years was grab a NXLog-CE installation and install on my Linux core servers.   Yesterday 11/22/2022 I was unable to do this. I also noticed the Web Site has changed for downloading community versions and now  I need to make account. I'm assuming at this point,  Steps  needed  are install NXLog on any core servers I need to make account  on NXLog  site, Download the package needed. Transfer the NXLog package to  a closed environment that we have,  Upload NXLog package to a internal repo and distribute it as needed?   I'm also assuming this is a security procedure taken by NXLog?   If anyone could enlighten me on the new changes  that would be great.Thanks-Greg 

I am sending Windows logs to Graylog via nxlog community edition, but certain processes are generating so much logs that I'd rather not send at all, so I'm trying to figure out how to modify nxlog config to exclude logs with specific terms or generated by a specific process using the “ProcessName” field for example. any help would be appreciated.

Hi,I get the above error when I tried to start nxlog server. Below is my config file. Please assists. thank you Panic Softdefine INSTALLDIR C:\Program Files\nxlog#ModuleDir %INSTALLDIR%\modules#CacheDir  %INSTALLDIR%\data#SpoolDir  %INSTALLDIR%\datadefine CERTDIR %INSTALLDIR%\certdefine CONFDIR %INSTALLDIR%\conf\nxlog.d# Note that these two lines define constants only; the log file location# is ultimately set by the `LogFile` directive (see below). The# `MYLOGFILE` define is also used to rotate the log file automatically# (see the `_fileop` block).define LOGDIR c:\datadefine MYLOGFILE %INSTALLDIR%\data\nxlog.log# If you are not using NXLog Manager, disable the `include` line# and enable LogLevel and LogFile.#include %CONFDIR%\*.confLogLevel    INFOLogFile     %MYLOGFILE%<Extension exec>   Module        xm_exec</Extension><Extension _syslog>   Module  xm_syslog</Extension><Extension fileop>   Module      xm_fileop</Extension># This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`# is changed in managed.conf via NXLog Manager, rotation of the new# file should also be configured there.<Extension _fileop>   Module  xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       <Exec>           if ( file_exists('%MYLOGFILE%') and                (file_size('%MYLOGFILE%') >= 5M) )           {                file_cycle('%MYLOGFILE%', 8);           }       </Exec>   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);   </Schedule></Extension><Input tcp>   Module      im_tcp   ListenAddr  0.0.0.0:514</Input>define LOCALFILE  'C:\Users\Administrator\Documents\Data'<Output file>   Module  om_file   File    %LOCALFILE%</Output><Route tcp_to_file>   Path    tcp => file</Route> Error Message:2023-02-06 00:41:43 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows2023-02-06 00:41:43 ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.  2023-02-06 00:41:43 INFO [im_tcp|tcp] listening on 0.0.0.0:514 Regards, Billy

If a customer purchases 100 NXLog Enterprise licenses and needs more six months later, do they place an order for the additional licenses separately or increase the original order? Are they able to deploy and then true-up, or do they need a unique key for each before deploying?

Hi team, i have converted auit messages in multiline to singleline using multiline parser. problem is two spaces are added instead of one space after semicolon. message1;message2; single line: message1;. message2; There is two space first simicolon and message2 instead of one how to remove extra space

I would like to ask, in some circumstances NXLogAgent on Windows, the agent cannot forwarding log to FortiSIEM (sometimes the agent was stopped by itself), I need to manual restart the agent to make the agent running again, in this situation is it abnormal or not?Another question would be about the log format can be parsed by FortiSIEM or I need to custom parser to parse this log format or someone can provide this parser to me?Best Regards, 

Running nxlog-ce-3.1.2319 on Windows.2023-01-19 08:12:46 ERROR Failed to load module from C:\xxxxx\nxlog\modules\extension\xm_python.dll, The specified module could not be found.  ; The specified module could not be found.The NXLog Python DLL is on disk so I am wondering if this is complaining because I don't have the nxlog Python module  (which I don't see in pip).I looked around for some setup instructions but I don't see any extra setup steps required for Python (aside from writing the script).Config:<Extension python>   Module      xm_python   PythonCode  "C:\xxx\NXLogDev\modules\convert_to_splunk_hec.py"</Extension> PythonCodeimport nxlogdef get_splunk_hec_format(event):   nxlog.log_warning('in get_splunk_hec_format()')   for field in event.field_names():       nxlog.log_debug('Received field:' + field) 

Good Afternoon.I currently run a NX log solution that was setup by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server and that server uploads the logs to the IDS. That being said, I have set up a gray log server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should on of them become compromised. (via malware, ransomware, etc) I realize that there is already a config fiile for nx log that sends the event viewer logs so I am assuming that I would have to use that same file to have nx send dns logs to a different location (if that is even possible).   So my questions are, Is it possible to do that? If so, is the collection service that has to be stopped in order to edit the config file?I would send these logs to the same online IDS service but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting. Any input will be greatly appreciated.

Hi Folks,I have a tcp output that has 3 hosts in sequence to send to graylog (failover), but I would like to "randomly" switch the ouputs to better distribute the load on the nodes. In my config example, 'graylog_1' will always receive all events. Is there a bultin solution for processor/output to send randomly to the multiple nodes?Config example:<Output out_graylog>   Module om_tcp     FlowControl False      Host 192.168.0.10:514 # graylog_1      Host 192.168.0.11:514 # graylog_2      Host 192.168.0.12:514 # graylog_3 </Output>A viP/loadbalancer for graylog is not the solution I'm looking for, I want to understand the power of nxlog and its customization.

It would be nice if you eliminate scrolling with wrapping in this forum posts.

Hi the pronblem is that all works but I don´t receive any log.Graylog version 4.3 in debian 11.  Sidecar graylog 1.2 and NXLOG 3.0 if my memory doesn´t fail.What can i do?Thanks and happy new year.

Guys, does anyone know where I can get information on average resource consumption by the Nxlog CE agent?Thanks.James \0/

Hi All,I have requirement to forward the windows logs to QRadar using NX . Below is my config file , I am unable to receive the log in my SIEM platform. I could encounter the error : ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension># Snare compatible example configuration# Collecting event log<Input eventlog>   Module    im_msvistalog   <QueryXML>       <QueryList>           <Query Id='0'>               <Select Path='Application'>*</Select>               <Select Path='Security'>*[System/Level<4]</Select>               <Select Path='System'>*</Select>               <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>               <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>               <Select Path='Windows PowerShell'>*</Select>           </Query>       </QueryList>   </QueryXML>   <Exec>       if $Category == undef $Category = 0;       if $EventType == 'CRITICAL'       {           $EventTypeNum = 1;           $EventTypeStr = "Critical";       }       else if $EventType == 'ERROR'       {           $EventTypeNum = 2;           $EventTypeStr = "Error";       }       else if $EventType == 'INFO'       {           $EventTypeNum = 4;           $EventTypeStr = "Informational";       }       else if $EventType == 'WARNING'       {           $EventTypeNum = 3;           $EventTypeStr = "Warning";       }       else if $EventType == 'VERBOSE'       {           $EventTypeNum = 5;           $EventTypeStr = "Verbose";       }       else       {           $EventTypeNum = 0;           $EventTypeStr = "Audit";       }       if $OpcodeValue == 0 $Opcode = "Info";       if $TaskValue == 0 $TaskValue = "None";       $EpochTime = string(integer($EventTime));       $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;       $EpochTime = $sec;       if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }       else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }       else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }       else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }       else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }       else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }       else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }       else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }       else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }       else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }       else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }       else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }       else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }       else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }       else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }       else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }       else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }       else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }       else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }       else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }       else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }       else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }       else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }       else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }       else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }       else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }       else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }       else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }       else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }       else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }       else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }       else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }       else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }       else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }       else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }       else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }       else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }       else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }       else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }       else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }       else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }       else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }       else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }       else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }       else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }       else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }       else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }       else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }       else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }       else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }       else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }       else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }       else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }       else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }       else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }       else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }       else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }       else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }       else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }       else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }       else { $TaskStr = "Unknown[" + $taskValue + "]"; }   if $KeywordsStr == undef {       if $TaskValue == 0 {           $KeywordsStr = 'None';       } else {           $KeywordsStr = '0';       }   }   if $TaskStr == undef {       $TaskStr = $TaskValue;   }   if $EventType == 'AUDIT_SUCCESS' {       $KeywordsStr = "Audit Success";       $EventTypeNum = 8;   } else {       $KeywordsStr = "Audit Failure";       $EventTypeNum = 16;   }       $Message = "AgentDevice=WindowsLog" +           "\tAgentLogFile=" + $Channel +           "\tSource=" + $SourceName +           "\tComputer=" + hostname_fqdn() +           "\tOriginatingComputer=" + host_ip() +           "\tUser=" + $AccountName +           "\tDomain=" + $Domain +           "\tEventIDCode=" + $EventID +           "\tEventType=" + $EventTypeNum +           "\tEventCategory=" + $TaskValue +           "\tRecordNumber=" + $RecordNumber +           "\tTimeGenerated=" + $EpochTime +           "\tTimeWritten=" + $EpochTime +           "\tLevel=" + $EventTypeStr +           "\tKeywords=" + $KeywordsStr +           "\tTask=" + $TaskStr +           "\tOpcode=" + $Opcode +           "\tMessage=" + $Message;       $Hostname = host_ip();       delete($SourceName);       delete($Severity);       delete($SeverityValue);       to_syslog_bsd();   </Exec></Input># # Converting events to Snare format and sending them out over TCP syslog<Output out>    Module      om_tcp    Host        10.x.x.x    Port        514    Exec        to_syslog_bsd();</Output># # Connect input 'in' to output 'out'<Route 1>    Path        eventlog => out</Route>  

Hello,I'm trying to forward the VPN logs of a Zyxel ATP700 to my SIEM (InsightIDR), the forwarding works fine, but I can't format them as indicated in this documentationhttps://docs.rapid7.com/insightidr/rapid7-universal-vpn/Can someone help me?Thank you

Currently, I have GrayLog running as a docker image on an unraid server. Everything is working well. I also have a MS Windows lab environment that I want to forward logs into Graylog with the help of nxlog. I followed the instructions at: https://docs.nxlog.co/userguide/integrate/graylog.html and I don't have any errors, but I also don't have any data. Any ideas on how I can troubleshoot this to determine where my issue is?

Hello, I´m trying to send logs from my windows server to my SIEM in XML format, but same logs are too long and i see 2 logs instead of just one. <Input windows> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*</Select> <Suppress Path="Security">*[System[(EventID=4663 or EventID=4690 or EventID=4658 or EventID=4656)]]</Suppress> </Query> </QueryList> </QueryXML> </Input> # <Output siem> Module om_tcp Host xxx.xxx.xxx.xxx Port 514 Exec to_xml(); </Output> # # Connect input 'in' to output 'out' <Route 1> Path windows => siem </Route> Can anyone help me?Thanks

Can anyone tell me for certain if this module is only included in the Enterprise version? If so, where does one buy the Enterprise Version and what is it's approximate cost? (USD)

Hello Team,I am new to nxlog and i have a requirement to collect windows logs from 2003 servers and the agent version that i am using is “nxlog-ce-2.11.2190”As per the documnet i have used im_mseventlog module, but still getting error and not able to pull the logs from 2003 servers. If some one please share me the config file for 2003 servers would be a great help below is the error that we are getting when starting the nxlog service.2022-12-21 09:37:50 WARNING nxlog-ce received a termination request signal, exiting...2022-12-21 09:37:51 ERROR invalid keyword: QueryXML at C:\Program Files\nxlog\conf\nxlog.conf:272022-12-21 09:37:51 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:592022-12-21 09:37:51 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:592022-12-21 09:37:51 WARNING no routes defined!2022-12-21 09:37:51 WARNING not starting unused module eventlog2022-12-21 09:37:51 WARNING not starting unused module syslogout2022-12-21 09:37:51 INFO nxlog-ce-2.11.2190 started my config file.#NoFreeOnExit TRUE define ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\confdefine LOGDIR   %ROOT%\datadefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE% Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data <Extension _syslog>    Module      xm_syslog</Extension> ############INPUTS######## <Input eventlog> Module im_mseventlog <QueryXML><QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList></QueryXML></Input> #<Processor eventlog_transformer>#Module pm_transformer#</Processor> #<Processor buffer>#Module pm_buffer#MaxSize 102400#Type disk#</Processor> <Output syslogout>#Module om_udpModule om_tcpHost syslogipPort 514 Exec to_syslog_snare(); </Output> #<Route 1> #Path eventlog => eventlog_transformer => syslogout #</Route> <Route 1> Path eventlog => syslogout </Route>

Hello,My current architecture is a windows nxlog agent sending logs to a remote syslog server. The agent is translating Windows event logs to json encapsulated syslog before sending them.I've encountered an inconsistency with the hostname field of the sent log, most of the sent logs contain the hostname as expected, but some only contains the IP address which creates a mess on the sorting I made on the remote syslog server.I haven't tried anything yet as I don't really know where to look for. My take is that it is a windows event log issue that can't be fixed but i'd like your opinions.Thank you for your help.

I'm sending im_msvistalog messages to splunk via to_json().  I'm ending up with a field AccessList like:AccessList: %%4423which I assume is some kind of mapping of:Access Request Information: Accesses: ReadAttributesfrom the “Message” component.  Is that right?  If so, it's fairly obscure.  Is there some way to preserve “Accesses” as is?  What is “AccessList” trying to tell me?  Is there somewhere I can go to decode it?