
Errors when obtaining logs from Office365.
Hello team.

We have followed the steps from this link: https://docs.nxlog.co/refman/v5.10/im/ms365.html#config-certkeyfile to obtain the logs from Office365.

The following permissions have been applied:

However, I am encountering the following errors when trying to extract the information:

    2024-05-01 18:59:31 WARNING [im_ms365|microsoft_365] Retrying request Audit.Exchange, attempt 33 failed, error: {"error":{"code":"AF20055","message":"Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. StartTime:2024-05-01T22:48:58Z, EndTime:2024-05-01T21:21:47Z"}}. (Retrying in 200 seconds).
    2024-05-01 18:59:34 WARNING [im_ms365|microsoft_365] Retrying request HealthOverviewsWithServiceHealthIssues, attempt 33 failed, error: {"error":{"code":"UnknownError","message":"","innerError":{"date":"2024-05-01T22:59:34","request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847","client-request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847"}}}. (Retrying in 200 seconds).
    2024-05-01 18:59:36 WARNING [im_ms365|microsoft_365] Retrying request AuditEvents, attempt 33 failed, error: {"error":{"code":"Forbidden","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: e188947b-1412-4a09-9b64-548de1c1f6a6 - Url: https://fef.amsua0602.manage.microsoft.com/StatelessAuditingFEService/deviceManagement/auditEvents?api-version=5022-08-30&$filter=activityDateTime+ge+2024-04-01T21%3a21%3a47Z+and+activityDateTime+lt+2024-05-01T21%3a21%3a47Z&$top=50\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2024-05-01T22:59:36","request-id":"e188947b-1412-4a09-9b64-548de1c1f6a6","client-request-id":"e188947b-1412-4a09-9b64-548de1c1f6a
    2024-05-01 18:59:44 WARNING [im_ms365|microsoft_365] Retrying request SignIns, attempt 33 failed, error: {"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license","innerError":{"date":"2024-05-01T22:59:44","request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb","client-request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb"}}}. (Retrying in 200 seconds).
    2024-05-01 19:00:05 WARNING [im_ms365|microsoft_365] Retrying request ReportingWebService/MessageTrace, attempt 33 failed, error: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">; <html xmlns="http://www.w3.org/1999/xhtml">; <head>; <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>; <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>; <style type="text/css">; <!--; body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}; fieldset{padding:0 15px 10px 15px;} ; h1{font-size:2.4em;margin:0;color:#FFF;}; h2{font-size:1.7em;margin:0;color:#CC0000;} ; h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ; #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;; background-color:#555555;}; #content{margin:0 0 0 2%;position:relative;}; .content-container{background:#FFF;width:96%;margin-top:8px;padding:1

Could you help me understand these errors?

oscar.cerna@threatshieldsecurity.com created
Replies: 0
nxlog could not be stopped - error during installation
I uninstalled the community version and am trying to install the enterprise version, but I am getting this error: "Service nxlog could not be stopped, verify that you have sufficient privileges to stop system services." I am a global admin. Please help.

sa250367 created
Replies: 0
The MSI file seems to not be installing
Whenever I try to run the .msi to install the NXLog CE I get this error message. Am I doing something incorrectly, or is the downloaded file broken?

CyberIke created
Replies: 1
Possible to have 2 different <Output Out> outbound configurations for 2 different log collectors?
Hello all. I wanted to know if anyone has had any luck, or if it is possible, to add a second <Output Out> configuration to the current nxlog.conf? Currently I want to test a new log collector (Taegis) alongside our current collector (Masergy) so we have logs streaming concurrently to each collector. E.g.:

    <Output out1>
        Module om_tcp
        Host 192.168.1.100
        Port 514
    </Output>

    # Define the output to send logs to the second destination IP
    <Output out2>
        Module om_tcp
        Host 192.168.1.101
        Port 514
    </Output>

Thank you.

smohammed@frgi.com created
Replies: 0
Are there any sample log files for NXLog Manager available to test?
Looking to test some ingest into a data lake to test searches and dashboards.

JW created
Replies: 0
DROP messages, if contains STRING SOMEWHERE
Hi,

I try to DROP all messages if they contain "/connection_status" or "/status" somewhere, but whatever I try, the filter won't match in NXLog, while it works in RegexTester.

Example log:

    Apr 25 11:15:11 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"status\".","context":{"route":"status","route_parameters":{"_route":"status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatus"},"request_uri":"https://hpp.example.com/status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:10.999734+00:00","extra":{}},"EventTime":"2024-04-25T11:15:11.000000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:11.001689+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}

or

    Apr 25 11:15:09 nomad-cde cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd: {"Hostname":"nomad-cde","ShortMessage":"172.16.0.40 - - [25/Apr/2024:09:15:09 +0000] \"GET /status HTTP/1.0\" 200 2 \"-\" \"-\" \"172.16.1.40\"","EventTime":"2024-04-25T11:15:09.479000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"c8b7c9357b1bc195f6d88d09e4c329627bfe165debc09cfe4bbfd556fdab966c","container_name":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","image_id":"sha256:be421273041ffa5d7b8be4963f91c0376d9829ba942b86341413c59105ae671c","image_name":"harbor.example.com/testing/iframes/test:3cb57629","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.524068+02:00","SourceModuleName":"container","SourceName":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","SyslogFacility":6}

or

    Apr 25 11:15:09 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"connection_status\".","context":{"route":"connection_status","route_parameters":{"_route":"connection_status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatusDB"},"request_uri":"https://web:4433/connection_status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:09.603963+00:00","extra":{}},"EventTime":"2024-04-25T11:15:09.605000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.634920+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}

In the end I tried the simplest one:

    if $raw_event =~ /.*status.*/ drop();

but it does not match.

The config looks like this:

    <Output syslog-container-server>
        Module om_udp
        Host ${user.logserver}
        Port 514
        <Exec>
            if $raw_event =~ /.*status.*/ drop();
            $Hostname = "nomad-cde";
            $message =~ s/-p[^\s]+/-pXXX/;
            delete($SourceModuleType);
            delete($MessageSourceAddress);
            delete($version);
            delete($created);
            $SourceName = $container_name;
            $SyslogFacility = $SeverityValue;
            to_json();
            to_syslog_bsd();
        </Exec>
    </Output>

Can someone give me a hint where I have to look?

denny.fuchs@inatec.com created
Replies: 0
Upgrade to NXLOG Enterprise Edition 6.0
Good Morning All,

We would need to take advantage of the new features within NXLOG 6.0 EE. Are there any instructions on how to perform the upgrade from 5.0 to 6.0? Or is this a revamp of the whole environment and re-deployment of the agents? I currently have 900 agents deployed and it would not make sense to re-deploy.

emerson.arcella@pediatrix.com created
Replies: 0
High time differences between event time and event received time
I'm currently using nxlog to collect the Windows event log and notice in the local log file that there are time differences between event time and event received time. Event received time was about half an hour behind event time; any idea what would cause this to happen?

mig020 created
Replies: 0
Any best ways to filter out the heartbeat logs from Azure
I noticed that many Azure heartbeat logs are being sent to the SIEM. If I want to configure the nxlog output file, how do I filter them out so that these logs are not sent to the SIEM? Thanks.

lauzeroo created
Replies: 2
nxlog-ce-3.2.2329.msi installer hashes/checksums
Hi,

I understand that the Community Edition .msi installer is not digitally signed and that there are previous discussions on this. I hope that I can get some answers on where I can get the hashes for nxlog-ce-3.2.2329.msi to verify the downloaded file.

The following are the hash values I got for my downloaded file:

    MD5: 31862b5f58bbd07c82fc5b3b507a3fd1
    SHA1: 3b9ef0f6886d57601b9a072554cd78d7870f1866

Thank you very much.

techsupport created
Replies: 0
*SOLVED*: Input Gelf -> Output Syslog -> extract container_name from JSON and set $SourceName
Hello,

we are using Nomad, which sends logs in GELF format. We need to forward them to Rsyslog and also to Graylog. For Syslog I want to set $SourceName, which needs to be extracted from the JSON / GELF.

The config looks like this:

    ...
    <Input container>
        Module im_tcp
        ListenAddr 127.0.0.1:12202
        InputType GELF_TCP
    </Input>
    ...
    <Output syslog-container-server>
        Module om_udp
        Host ${user.logserver}
        Port 514
        Exec to_json();
        Exec $message =~ s/-p[^\s]+/-pXXX/;
        Exec to_syslog_bsd();
    </Output>
    ...
    <Route container-to-syslog>
        Path container => syslog-container-buffer => syslog-container-server
    </Route>

And the log on the rsyslog:

    Apr 15 15:24:26 qh-a07-nomad-agent-03 {"version": "1.1","Hostname":"qh-a07-nomad-agent-03","ShortMessage":"[2024-04-15 13:24:26] app.DEBUG: Connected to redis...PONG [] []","EventTime":"2024-04-15T15:24:26.376000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"f1...","container_name":"iframes-c77e666c-fd39-f6f6-4d57-b416a4a7e28a","created":"2024-04-12T08:58:36.870730597Z","image_id":"sha256:2a26fed9c075899cfe86d74f8f44c2729be0f392a96d10c938795fe84036506d","image_name":"repos/production/iframes/production:68c00192","tag":"production","MessageSourceAddress":"127.0.0.1","EventReceivedTime":"2024-04-15T15:24:26.376703+02:00","SourceModuleName":"container","SourceModuleType":"im_tcp"}

How can I extract container_name and use it in $SourceName = 'my_application'; so that "my_application" is replaced with the content of "container_name"?

cu denny

denny.fuchs@inatec.com created
Replies: 1
Combine syslog and json
This might seem like an odd thing, but I have a need where I want to combine syslog as well as JSON in the same message. Syslog should be combined (without the message field) with the complete $raw_event as JSON. I've successfully converted the entire thing to JSON with $json_message = to_json(); However, when I attempt the same thing with to_syslog_ietf(); an error is thrown. How would I achieve this behaviour with CE?

    Couldn't parse Exec block at C:\Path\nxlog.conf:58; couldn't parse statement at line 72, character 42 in C:\Path\nxlog.conf; function 'to_syslog_ietf()' does not exist or take different arguments.

kristoffer created
Replies: 0
Issue with nxlog agent sending logs containing IP instead of hostname
Hello,

My current architecture is a Windows nxlog agent sending logs to a remote syslog server. The agent is translating Windows event logs to JSON-encapsulated syslog before sending them.

I've encountered an inconsistency with the hostname field of the sent logs: most of the sent logs contain the hostname as expected, but some only contain the IP address, which creates a mess in the sorting I set up on the remote syslog server.

I haven't tried anything yet as I don't really know where to look. My take is that it is a Windows event log issue that can't be fixed, but I'd like your opinions.

Thank you for your help.

LM_19 created
Replies: 6
jQuery vulnerability in nxlog-manager-5.5.5398
Greetings! I have a vulnerability in jQuery to be addressed in NXLog Manager v5 (5.5.5398). This is related to XSS vulnerabilities from the version of jQuery installed (1.8.3, 1.9.2 ui). Will upgrading Manager to 5.6.5633 resolve the issue and update jQuery to 3.5.0+? If not, could you please provide steps to update jQuery manually? Thanks! Shyam (on behalf of Shashidhar Ghiliyal)

sgiliyal created
Replies: 2
ERROR failed to subscribe to msvistalog events,access denied [error code : 5]; Access is denied
The error message still remains: ERROR failed to subscribe to msvistalog events,access denied [error code : 5]; Access is denied

- Changed the logon account to administrator to start the service
- Reinstalled nxlog on the server
- Added the local admin account in the "Manage auditing and security log" properties

marco.tan created
Replies: 0
AllowIP Directive Not working in EE 6.2
Hi,

I am getting the following error when using the AllowIP directive in Enterprise Edition 6.2:

    2024-04-02 15:17:42 ERROR [im_udp|SynologySyslog] invalid keyword: AllowIP at C:\Program Files\nxlog\conf\nxlog.conf:45

The config snippet containing this is:

    <Input SynologySyslog>
        module im_udp
        ListenAddr 0.0.0.0:514
        AllowIP 10.0.0.106
        <Exec>
            parse_syslog_ietf();
        </Exec>
    </Input>

Any help would be greatly appreciated!!

PHILLIPS, DALE (ext) (SMO UKI RC-GB RI PE MT 1 6 1) created
Replies: 0
CE edition not installing correctly on Linux, I think
I spun up a brand-new Linux instance in AWS. I downloaded the RHEL9 CE package and got it onto that instance. I installed it as:

    yum -y localinstall nxlog-ce-3.2.2329_rhel9.x86_64.rpm

The problems:

- Nothing gets installed to /opt/nxlog; NXLog gets installed instead to /etc/nxlog
- There aren't any modules downloaded/installed

What am I missing?

cschelin created
Replies: 0
NXLog 32-Bit Installation
Hello, does anyone know how to install nxlog on a Windows 32-bit system (Windows Server 2003)?

tputman created
Replies: 0
module csv_parser not found
Hi:

I am new to nxlog, but I do have Windows events being sent into Graylog via nxlog, so I know some basics. I am now trying to parse CSV Exchange logs. I am running the community version. I realize I have no output or routing statements yet. The log does not complain about the module xm_csv not being found, but does complain about module csv_parser not being found. I used this as a starting point: https://docs.nxlog.co/integrate/exchange.html using the community section for reference. If someone could offer any hints I would be most grateful.

--mikej

Version: nxlog-ce-3.2.2329

LOGFILE:

    C:\Program Files\nxlog\data>type nxlog.log
    2024-03-25 15:15:51 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf:21; couldn't parse statement at line 25, character 27 in C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf; module csv_parser not found
    2024-03-25 15:15:51 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf:34; couldn't parse statement at line 38, character 26 in C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf; module csv_parser not found
    2024-03-25 15:15:51 WARNING not starting unused module smtp_receive
    2024-03-25 15:15:51 WARNING not starting unused module smtp_send
    2024-03-25 15:15:51 INFO nxlog-ce-3.2.2329 started

CONFIG FILE: protocol.conf - in nxlog.d

    define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15

    #Software: Microsoft Exchange Server
    #Version: 15.0.0.0
    #Log-type: SMTP Receive Protocol Log
    #Date: 2024-03-25T19:00:26.686Z
    #Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
    ## MJ number of fields matches count

    <Extension csv>
        Module    xm_csv
        Fields    date-time, connector-id, session-id, sequence-number, \
                  local-endpoint, remote-endpoint, event, data, context
    </Extension>

    <Input smtp_receive>
        Module    im_file
        File      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV*.LOG'
        <Exec>
            if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
            else
            {
                csv_parser->parse_csv();
                $EventTime = parsedate(${date-time});
            }
        </Exec>
    </Input>

    <Input smtp_send>
        Module    im_file
        File      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\SEND*.LOG'
        <Exec>
            if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();
            else
            {
                csv_parser->parse_csv();
                $EventTime = parsedate(${date-time});
            }
        </Exec>
    </Input>

mike.jung@gopai.com created
Replies: 0