
Using @startup or @reboot in a schedule

Hello. I am using nxlog community edition 3.2.2329_ubuntu20_amd64.deb on ubuntu 20.04.6. I am trying to rotate and purge logs on a daily basis. This is a dev environment that shuts down from 6pm to 7am daily. I tried using a Schedule block with a directive of When to @startup but that throws an error when starting nxlog. Also tried @reboot and got the same error. 

Here are snippets of the nxlog.conf with @reboot.

```apache
<Output fileout1>
    Module  om_file
    File    "/var/log/nxlog/syslog.txt"
    Exec    if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
    Exec    to_syslog_bsd();
    <Schedule>
        # This can likewise be used for `@weekly` or `@monthly` time periods.
        When    @reboot

        # The following crontab-style is the same as `@daily` above.
        # When  "0 0 * * *"

        # The `Every` directive could also be used in this case.
        #Every  @startup

        Exec    rotate_to(file_name() + strftime(now(), '_%Y-%m-%d'));
    </Schedule>
</Output>
…

<Output fileout2>
    Module  om_file
    File    "/var/log/nxlog/logmsg2.txt"
</Output>

<Extension fileop>
    Module  xm_fileop
    <Schedule>
        When    @reboot
        # Delete logs older than 14 days (14 x 24 x 60 x 60 = 1209600 seconds)
        Exec    file_remove('/var/log/nxlog/*.txt*', now() - 1209600);
    </Schedule>
</Extension>
```

Here is the output from console when I try to start nxlog

```
ubuntu@ip-172-31-17-93:~$ sudo systemctl restart nxlog
Job for nxlog.service failed because the control process exited with error code.
See "systemctl status nxlog.service" and "journalctl -xe" for details.
ubuntu@ip-172-31-17-93:~$ sudo systemctl status nxlog.service
● nxlog.service - NXLog daemon
     Loaded: loaded (/lib/systemd/system/nxlog.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2025-02-28 09:49:47 PST; 29s ago
    Process: 2821 ExecStartPre=/usr/bin/nxlog -v (code=exited, status=1/FAILURE)

Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Starting NXLog daemon...
Feb 28 09:49:47 ip-172-31-17-93 nxlog[2821]: 2025-02-28 09:49:47 ERROR couldn't parse value for directive 'When': @reboot not supported at /etc/nxlog/nxlog.conf:43
Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Control process exited, code=exited, status=1/FAILURE
Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Failed with result 'exit-code'.
Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Failed to start NXLog daemon.
```

Seems like it does not like the When directive, but not sure why since it is in the documentation. nxlog starts fine if I use @daily, but since the system is shut down during the day change, the operations are not performed. 

Thanks!


Tony Curoso created
Replies: 1
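
An added example, not from the post above or from NXLog's documentation: the error already shows that this version rejects `@reboot` for `When`, so instead of tying the work to boot time, schedule it inside the hours the host is known to be up and make it safe to fire more than once. The uptime window (07:00-18:00), the paths and the retention period are assumptions taken from the post; the `file_exists()` guard is what makes a half-hourly schedule rotate only once per calendar day, at the first tick after the machine comes up.

```apache
<Extension fileop>
    Module  xm_fileop
    <Schedule>
        # Purging is idempotent, so run it every hour instead of once at
        # midnight, when this dev host is powered off.
        Every   1 hour
        # Only the date-stamped archives (syslog.txt_YYYY-MM-DD), never the
        # live syslog.txt; 14 days in seconds, as in the original post.
        Exec    file_remove('/var/log/nxlog/*.txt_*', now() - 1209600);
    </Schedule>
</Extension>

<Output fileout1>
    Module  om_file
    File    "/var/log/nxlog/syslog.txt"
    Exec    to_syslog_bsd();
    <Schedule>
        # Crontab-style: minutes 0 and 30 of every hour from 07:00 to 17:59
        # (assumed uptime window). Lists and ranges are plain crontab syntax,
        # so this is accepted where @reboot/@startup are not.
        When    "0,30 7-17 * * *"
        # First tick after boot renames the live file to today's archive;
        # later ticks the same day find the archive present and do nothing.
        Exec    if not file_exists(file_name() + strftime(now(), '_%Y-%m-%d')) \
                    rotate_to(file_name() + strftime(now(), '_%Y-%m-%d'));
    </Schedule>
</Output>
```

The archive written after boot carries today's date but holds the previous day's (and any earlier unrotated) data, exactly as the post's `@daily` version would on a machine that stays up; if that naming matters, use `now() - 86400` in the `strftime()` call instead. `file_exists()` comes from xm_fileop, so that extension has to be loaded for the guard in the om_file schedule to resolve.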
Windows 10 11 Server 2022 nxlog community edition missing events in syslog

Hello

I started central logging with nxlog community edition on Windows.

Most works fine.

Finding a working nxlog.conf for Graylog took a lot of hours,

so I hope to find better help here in the community forum.

But several events are missing in syslog,

for example:

DNS Client Events, Event ID 1014

AppCrash Outlook.exe, Event ID 1001

At the moment I need to send all Windows events to the Graylog syslog server.

Can you give me an example config file for logging all Windows events?

thanks

my config file

++++++++++

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

# define Application Crash Events
define AppCrashes               1000, 1001, 1002

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
   Module      xm_syslog
</Extension>

<Extension _charconv>
   Module      xm_charconv
   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
   Module      xm_exec
</Extension>

<Extension _fileop>
   Module      xm_fileop

   # Check the size of our log file hourly, rotate if larger than 5MB
   <Schedule>
       Every   1 hour
       Exec    if (file_exists('%LOGFILE%') and \
                  (file_size('%LOGFILE%') >= 5M)) \
                   file_cycle('%LOGFILE%', 8);
   </Schedule>

   # Rotate our log file every week on Sunday at midnight
   <Schedule>
       When    @weekly
       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
   </Schedule>
</Extension>

<Extension _gelf>
 Module  xm_gelf
</Extension>

<Input win>
  Module   im_msvistalog

  Query <QueryList>\
   <Query Id="0">\
   <Select Path="Application">*</Select>\
   <Select Path="System">*</Select>\
   <Select Path="Security">*</Select>\
   </Query>\
   </QueryList>

</Input>

<Output  graylog>
  Module om_tcp
  Host  syslog.geodata.local
  Port  3515
  OutputType GELF
</Output>

<Route graylog_route>
Path win => graylog
</Route>


Andreas created
Replies: 1
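
An added check, not part of the post above: before looking at the Graylog side, confirm whether NXLog collects the two events at all. The same `win` input can feed a second output that writes only those event IDs to a local file; the path and block names are assumptions, the event IDs are the ones named in the post, and the `%LOGDIR%` define is the one from the posted config.

```apache
# Second output fed by the same input as the graylog route. Each output in a
# route gets its own copy of the event, so dropping here does not affect
# what the graylog output receives.
<Output verify_file>
    Module  om_file
    File    "%LOGDIR%\verify_events.txt"
    # Keep only the two events we are hunting for in this output
    Exec    if not ($EventID == 1014 or $EventID == 1001) drop();
    # One line per event with the fields that identify where it came from
    Exec    $raw_event = string($EventTime) + " " + $Channel + " " + \
                $SourceName + " " + string($EventID) + " " + $Message;
</Output>

<Route verify_route>
    Path    win => verify_file
</Route>
```

If the file fills up while Graylog shows nothing, the problem is downstream (GELF input, extractors or stream rules); if the file stays empty, the events are not being read from the channels the query selects and the query or the Windows event log settings are where to look. Remove the route again once done, since it doubles the work the agent does.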
WARNING : truncating oversized string (nnnn) to StringLimit (aaaa) in nxlog.log

Hi,

 

I'm seeing a lot of the above messages in my nxlog.log (Linux Enterprise Edition). I have tried to increase the StringLimit, but every time the value of nnnn is higher than aaaa.

May I know if anyone is able to enlighten me on this?

 

Thanks !


DSSLIM created
Replies: 2
Using NXLog to monitor multiple files and send to Graylog
I've been using NXLog to monitor a simple log file from an application and send it to Graylog using GELF. Very simple, very efficient, and it works just like I want it to. Now I want to monitor a 2nd log file from another application and send that to a separate input in Graylog (also using GELF). I thought it would be quick and simple to add the 2nd log file as another om_file input and add a 2nd output to route the log file to. But for some reason, I just can't get the 2nd input/output to work. Here is my nxlog.conf file:

```apache
########################################
User     nxlog
Group    nxlog
LogFile  /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules
########################################
# Block names were lost when the post was rendered; Input and Output names are
# taken from the Path lines below, the extension and route names are not in
# the original post.
<Extension gelf>
    Module  xm_gelf
</Extension>

<Input APP1>
    Module  im_file
    File    "/var/log/logfile1.txt"
</Input>

<Input APP2>
    Module  im_file
    File    "/var/log/logfile2.txt"
</Input>

<Output Graylog1>
    Module      om_udp
    Host        192.168.0.100
    Port        12201
    OutputType  GELF
</Output>

<Output Graylog2>
    Module      om_udp
    Host        192.168.0.100
    Port        12203
    OutputType  GELF
</Output>

########################################
# Routes
########################################
<Route r1>
    Path    APP1 => Graylog1
</Route>

<Route r2>
    Path    APP2 => Graylog2
</Route>
```

What I've found is that if I also route the logfile2.txt to Graylog1, it works just fine. So both log files can be sent to Graylog1. But when I add that 2nd output, Graylog2, and route logfile2.txt to it, I never get any of those messages in Graylog. I know this isn't a Graylog forum, but am I missing something in my nxlog.conf or should I be looking more at the Graylog server?

Knightshift97 created
Replies: 2
Logs sent with a very long delay

Hi

I am pretty new to nxlog, so I lack some knowledge.

We have been using NXLog to send logs using sysmon to our IBM Qradar.

On a few machines, we've seen some logs that arrived today, but are from 1-2 weeks ago.

How exactly does NXLog keep logs that have not been sent? Are there any steps we can use to investigate why these logs were sent with such a long delay?

In most cases it all works without a problem, but on very rare occasions we receive a few really old events.

Thank you


w4rh0und created
Replies: 1
Securonix SIEM ( NXLOG CE) Delay in Ingestion

Hi All,

We are using NXLog CE to forward from Windows servers to the SIEM, but we are facing an issue with delayed ingestion of events.

The error details from the NXLog log file are given. Please assist.


L2.cdc@valuepointsystems.com created
Replies: 0
Is src/utils/csed used?

Is the binary src/utils/csed built or otherwise incorporated into the build?

It doesn't look like it when I built it from source because the binary wasn't built by default, but I wanted to confirm.

There is a buffer overflow in csed.c, and I need to make sure it doesn't find its way into the build.

Thanks.


Raymond1 created
Replies: 0
The NXLOG Process 100% CPU Load after Server restart.

Hi NXLOG Community,

The NXLog process shows 100% CPU load after a server restart on Windows systems.
The problem cause is simple, but I don't understand why.

A handful of servers with many log files (the nxlog configuration uses a wildcard for the log folder(s)).
The log files are written in the cache file and look okay.
But it feels like it digs through all log files.

Small footage of a Configuration:

```apache
<Input catalina>
    Module        im_file
    File          'C:\Tomcat\logs\\catalina*.log'
    Recursive     True
    PollInterval  30
    SavePos       True
    CloseWhenIdle True

    <Exec>
        # parse date
        if $raw_event =~ /(\d\d\-\S\S\S-\d\d\d\d \d\d:\d\d:\d\d)/ $EventTime = strptime($1, '%d-%b-%Y%t%H:%M:%S');
        # Now set the severity to something custom. This defaults to 'INFO' if unset.
        if $raw_event =~ /\sSEVERE\s/ $Severity = 'CRITICAL';
        else if $raw_event =~ /\sERROR\s/ $Severity = 'ERROR';
        else if $raw_event =~ /\sWARN\s/ $Severity = 'WARNING';
        else $Severity = 'INFO';

        # The facility can also be set, otherwise the default value is 'USER'.
        $SyslogFacility = 'AUDIT';
    </Exec>
</Input>
```


We use the latest CE version: nxlog-ce-3.2.2329

Thanks, regards Wolfgang 


Wolfgang E created
Replies: 3
Insert custom text into log (raw event)

Hi,

I am trying to insert a custom, static text into the raw event (so that the output has the custom text + the log). However, it refuses to work. The log output is the same whether I add or remove my Exec $raw_event line.

My config input and output look like this:

```apache
<Input in>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*</Select>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec        $raw_event = "STATIC CONTENT" + $raw_event;
</Input>

<Output out>
    Module      om_udp
    Host        XX.XX.XX.XX
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>
```

Logs:

```
2025-02-12 11:09:20 INFO nxlog-ce-3.2.2329 started
```

MAXIMUSLOLOL created
Replies: 1
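
An added example, not from the post above: `to_syslog_snare()` in the output builds a fresh `$raw_event` from the event's fields, so anything prepended to `$raw_event` in the input is thrown away before the datagram is sent. The field it copies the event text from is `$Message`, so the tag survives when it is put there. The tag text and the destination are the post's; the `defined` guard is added because `$Message` can be absent on some events.

```apache
<Input in>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*</Select>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Tag the field the Snare formatter actually reads. A $raw_event set
    # here would be overwritten by to_syslog_snare() in the output.
    Exec        if defined $Message $Message = "STATIC CONTENT " + $Message;
</Input>

<Output out>
    Module      om_udp
    Host        XX.XX.XX.XX
    Port        514
    Exec        to_syslog_snare();
    # If the tag must precede the syslog header itself, prepend it here,
    # after the formatter has run; receivers that parse the PRI field
    # (<N>) will then no longer see it at the start of the line.
    # Exec      $raw_event = "STATIC CONTENT " + $raw_event;
</Output>

<Route 1>
    Path        in => out
</Route>
```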
status exportation

Hello  community,



 


Deleted user created
Replies: 0
using nxlog regex_replace

Hello,

 

I'm trying to use this function to hide filenames for Windows event 4663 (an attempt was made to access an object):

```apache
<Processor replace_files>
    # A Processor block has to name a module; pm_null passes events through unchanged
    Module  pm_null
    <Exec>
        if $raw_event =~ /Object Name.*\.[a-zA-Z0-9]+$/
        {
            # Replace file name with 'xxxxx' and keep the file extension intact
            $raw_event = regex_replace($raw_event, '(Object Name.*\\)[^\\]+(\.[a-zA-Z0-9]+)', '\1xxxxx\2');
        }
    </Exec>
</Processor>
```

The nxlog logs keep telling me I'm missing a module. Is this function locked to the Enterprise Edition? Is there another way around it?

 

thanks in advance 


Asaf Sobol created
Replies: 2
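
An added example, not from the post above: the same redaction done with the capture groups of `=~` and the core `replace()` function, both of which the community edition provides, instead of `regex_replace()`. It works on `$Message`, where the multi-line 4663 text lives; the `Object Name:` line format, the processor name and the route are assumptions, and if the output sends `$raw_event` untouched rather than re-formatting it with a `to_syslog_*()` call, the same statement has to be applied to `$raw_event` as well.

```apache
<Processor mask_files>
    Module  pm_null
    <Exec>
        # Only 4663 ("An attempt was made to access an object") carries the
        # Object Name line. Without the /m modifier $ means end of string, so a
        # lookahead for the line break is used to stop at the end of that line.
        #   $1 = directory up to and including the last backslash
        #   $2 = base name (no backslash, no line break)
        #   $3 = extension, kept intact
        if $EventID == 4663 and \
           $Message =~ /Object Name:\s+([^\r\n]*\\)([^\\\r\n]+)(\.[A-Za-z0-9]+)(?=\r?\n|$)/
        {
            # Swap the one matched path for its masked form; count 1 so an
            # identical string elsewhere in the message is left alone
            $Message = replace($Message, $1 + $2 + $3, $1 + 'xxxxx' + $3, 1);
        }
    </Exec>
</Processor>

<Route security>
    Path    in => mask_files => out
</Route>
```

For a message line `Object Name:  C:\Users\bob\Documents\secret.docx` this yields `C:\Users\bob\Documents\xxxxx.docx`; a name like `archive.tar.gz` becomes `archive.tar` plus `.gz` masked as `xxxxx.gz`, since the greedy base-name group gives up only the final dot-suffix. Objects without an extension (directories, registry keys) do not match and pass through unchanged, which is what the original pattern did too.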
NxLog CE version 2.X statement of Supporting windows server 2022

Hi,

We are using NXLog-CE version 2.10.2150 and we are preparing to deploy the NXLog agent on Windows Server 2022.

Does NXLog 2.10.2150 support log collection on Windows Server 2022?

If this version is not supported, what is the minimum NXLog agent version that supports Windows Server 2022?

Thanks.


Ken1 created
Replies: 2
QRadar NXlog windows configuration for forward events coming as host events not from actual system

Hello All, 

In the NXLog QRadar Windows configuration, we have set up forwarded events as well, but for the forwarded events the source is coming as the host instead of the client machine or actual source. I would request your help in fixing this. I am using the below configuration:

```apache
define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input in>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level<4]</Select>
                <Select Path='System'>*</Select>
                <Select Path='ForwardedEvents'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $Category == undef $Category = 0;
        if $EventType == 'CRITICAL'
        {
            $EventTypeNum = 1;
            $EventTypeStr = "Critical";
        }
        else if $EventType == 'ERROR'
        {
            $EventTypeNum = 2;
            $EventTypeStr = "Error";
        }
        else if $EventType == 'INFO'
        {
            $EventTypeNum = 4;
            $EventTypeStr = "Informational";
        }
        else if $EventType == 'WARNING'
        {
            $EventTypeNum = 3;
            $EventTypeStr = "Warning";
        }
        else if $EventType == 'VERBOSE'
        {
            $EventTypeNum = 5;
            $EventTypeStr = "Verbose";
        }
        else
        {
            $EventTypeNum = 0;
            $EventTypeStr = "Audit";
        }
        if $OpcodeValue == 0 $Opcode = "Info";
        if $TaskValue == 0 $TaskValue = "None";

        $EpochTime = string(integer($EventTime));
        $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;
        $EpochTime = $sec;

        if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }
        else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }
        else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }
        else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }
        else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }
        else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }
        else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }
        else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }
        else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }
        else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }
        else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }
        else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }
        else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }
        else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }
        else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }
        else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }
        else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }
        else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }
        else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }
        else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }
        else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }
        else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }
        else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }
        else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }
        else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }
        else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }
        else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }
        else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }
        else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }
        else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }
        else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }
        else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }
        else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }
        else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }
        else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }
        else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }
        else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }
        else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }
        else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }
        else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }
        else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }
        else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }
        else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }
        else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }
        else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }
        else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }
        else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }
        else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }
        else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }
        else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }
        else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }
        else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }
        else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }
        else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }
        else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }
        else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }
        else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }
        else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }
        else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }
        else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }
        else { $TaskStr = "Unknown[" + $taskValue + "]"; }

        if $KeywordsStr == undef {
            if $TaskValue == 0 {
                $KeywordsStr = 'None';
            } else {
                $KeywordsStr = '0';
            }
        }

        if $TaskStr == undef {
            $TaskStr = $TaskValue;
        }

        if $EventType == 'AUDIT_SUCCESS' {
            $KeywordsStr = "Audit Success";
            $EventTypeNum = 8;
        } else {
            $KeywordsStr = "Audit Failure";
            $EventTypeNum = 16;
        }

        $Message = "AgentDevice=WindowsLog" +
            "\tAgentLogFile=" + $Channel +
            "\tSource=" + $SourceName +
            "\tComputer=" + hostname_fqdn() +
            "\tOriginatingComputer=" + host_ip() +
            "\tUser=" + $AccountName +
            "\tDomain=" + $Domain +
            "\tEventIDCode=" + $EventID +
            "\tEventType=" + $EventTypeNum +
            "\tEventCategory=" + $TaskValue +
            "\tRecordNumber=" + $RecordNumber +
            "\tTimeGenerated=" + $EpochTime +
            "\tTimeWritten=" + $EpochTime +
            "\tLevel=" + $EventTypeStr +
            "\tKeywords=" + $KeywordsStr +
            "\tTask=" + $TaskStr +
            "\tOpcode=" + $Opcode +
            "\tMessage=" + $Message;
        $Hostname = host_ip();
        delete($SourceName);
        delete($Severity);
        delete($SeverityValue);
        to_syslog_bsd();
    </Exec>
</Input>
```


vk245@outlook.com created
Replies: 1
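
An added example, not from the post above or from the QRadar sample it is based on: in that configuration `Computer=` and `OriginatingComputer=` are built from `hostname_fqdn()` and `host_ip()`, and `$Hostname` is then overwritten with `host_ip()`, so every value that identifies the source describes the collector running NXLog. For events read from the ForwardedEvents channel, im_msvistalog fills `$Hostname` from the event's own Computer element, i.e. the machine that produced the event, and `to_syslog_bsd()` uses `$Hostname` for the syslog header that QRadar takes the log source from. The fragment below is a drop-in replacement for the tail of the `<Exec>` block, from the `$Message = ...` assignment to `to_syslog_bsd();`; the fallback to `hostname_fqdn()` for an event without a Computer element is an assumption.

```apache
        # Assumption: an event that arrives without a Computer element is
        # attributed to the collector rather than left with an empty name
        if not defined $Hostname $Hostname = hostname_fqdn();

        # Computer and OriginatingComputer now carry the event's own source,
        # so a forwarded event is credited to the client, not the collector
        $Message = "AgentDevice=WindowsLog" +
            "\tAgentLogFile=" + $Channel +
            "\tSource=" + $SourceName +
            "\tComputer=" + $Hostname +
            "\tOriginatingComputer=" + $Hostname +
            "\tUser=" + $AccountName +
            "\tDomain=" + $Domain +
            "\tEventIDCode=" + $EventID +
            "\tEventType=" + $EventTypeNum +
            "\tEventCategory=" + $TaskValue +
            "\tRecordNumber=" + $RecordNumber +
            "\tTimeGenerated=" + $EpochTime +
            "\tTimeWritten=" + $EpochTime +
            "\tLevel=" + $EventTypeStr +
            "\tKeywords=" + $KeywordsStr +
            "\tTask=" + $TaskStr +
            "\tOpcode=" + $Opcode +
            "\tMessage=" + $Message;
        # The original "$Hostname = host_ip();" is intentionally gone:
        # to_syslog_bsd() puts $Hostname into the syslog header
        delete($SourceName);
        delete($Severity);
        delete($SeverityValue);
        to_syslog_bsd();
```

If QRadar is configured to auto-discover log sources from the syslog header, each forwarding client will show up as its own source after this change; events collected locally on the collector keep working, because for those `$Hostname` is the collector's own computer name.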
IPv6?

Curious if IPv6 is supported yet? If not, is there an ETA on when it will be supported?


doomfront created
Replies: 4
route to local file.

Hi there, I have the following log server setup, which receives logs from various servers and routes them to another server as well as writing them to a local file.

```apache
<Route r>
    # route name is not in the original post
    Path    from_other_servers => output_another_server, local_zip_encrypted_file
</Route>
```

It seems that for smaller log sizes I have to restart nxlog before the file gets written locally (the file is empty when I try to decrypt and uncompress it).

(1) Is it possible to force a flush into the local file on a regular basis?

(2) Though I don't see the log written to the local file, can I check whether the log is forwarded to the other server in this case?

Thanks in advance

Best regards,

Loh


kjloh created
Replies: 1
nxlog inserts #011 and #015 in logs

Dear Community,

I am using NXLog community edition and am experiencing the problem that, with the following configuration, the log sent to rsyslog arrives with the characters #011 for tab and #015 for carriage return:

```apache
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>

    Exec        if ($EventID == 5156) OR ($EventID == 5158) drop();
    Exec        $HOSTNAME = hostname();
    Exec        $Message = replace($Message, "#011", " ");
    Exec        $raw_event = replace($raw_event, "#011", " ");
#   Exec        $Message =~ s/(\t|\R)/ /g;
#   Exec        $Message =~ s/(\t|\R|\011|\015)/ /g;
</Input>

<Output out>
    Module      om_tcp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $Message = replace($Message, "#011", " ");
    Exec        $raw_event = replace($raw_event, "#011", " ");
    Exec        to_syslog_snare();
    Exec        $Message = replace($Message, "#011", " ");
    Exec        $raw_event = replace($raw_event, "#011", " ");
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>
```

Can you tell me how to solve the problem? It does not seem to remove the tab and carriage return characters.

Thank you very much.


Engel created
Replies: 1
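
An added example, not from the post above. The strings `#011` and `#015` are not in what NXLog sends: they are how rsyslog writes a tab (octal 011) and a carriage return (octal 015) when its control-character escaping on receive is enabled, which it is by default, so `replace($Message, "#011", " ")` on the sending side finds nothing to replace. Either switch that escaping off in rsyslog (`$EscapeControlCharactersOnReceive off` in its legacy syntax) or, as below, collapse the real control characters before the Snare line is built. The substitution is done on `$Message` in the input because `to_syslog_snare()` copies that field into the tab-delimited line it produces; stripping tabs from `$raw_event` after the formatter has run would also remove the tabs that separate the Snare fields. Host and port defines are the post's.

```apache
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>

    <Exec>
        if ($EventID == 5156) or ($EventID == 5158) drop();
        # Collapse runs of real tab, CR and LF characters into one space.
        # Must happen before to_syslog_snare() in the output, whose own
        # field separators are tabs and must survive.
        if defined $Message $Message =~ s/[\t\r\n]+/ /g;
    </Exec>
</Input>

<Output out>
    Module      om_tcp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    # Builds $raw_event from the now single-line $Message and the other fields
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        eventlog => out
</Route>
```

With the escaping left on in rsyslog, the remaining `#011` occurrences after this change are the Snare field separators themselves, which is expected for that format; a receiver that should see them as tabs needs the rsyslog setting changed rather than more substitution on the NXLog side.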
Ubuntu 24.04 LTS Support

Good day,

I was wondering if the CE will be releasing a version for Ubuntu 24.04 since this is a LTS release.

Thanks,

Jesse


prot-jsalens created
Replies: 1
Nxlog stops sending data to a route if another route is actively rejecting connections

NXLog stops sending data to a route if another route is actively rejecting connections.

The other output stops sending data after a while (from a few minutes to a day), although the TCP connection is supported.

We use 2 routes at the same time with 1 input.

Here is our nxlog config: "The in1 module is used by both routes."

Platforms: Windows 2016/2019 and Windows 2022

nxlog.conf

```apache
<Route r1>
    Path    in => out1
</Route>

<Route r2>
    Path    in => out2
</Route>
```

Logs:

```
2024-11-21 13:28:53 INFO nxlog-ce-3.2.2329 started
2024-11-21 13:28:53 INFO connecting to Graylogserver:12523
2024-11-21 13:28:53 INFO connecting to Graylogserver:12527
2024-11-21 13:28:54 INFO reconnecting in 1 seconds
2024-11-21 13:28:54 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it.
2024-11-21 13:28:55 INFO connecting to Graylogserver:12523
2024-11-21 13:28:56 INFO reconnecting in 2 seconds
2024-11-21 13:28:56 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it.
2024-11-21 13:28:58 INFO connecting to Graylogserver:12523
```

kond_nxlog created
Replies: 1
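
An added example, not from the post above: because both routes read from the same input, NXLog's flow control suspends `in` as soon as one output cannot deliver, and the other route is starved along with it. A pm_buffer in each route absorbs the backlog of the refused output while the other keeps flowing. `in`, `out1` and `out2` are the names from the post; the buffer sizes (in KB) are assumptions, and once a buffer is full, flow control applies again, so size it for the outage you expect to ride out.

```apache
# One memory buffer per route. MaxSize and WarnLimit are in kilobytes and are
# assumptions; exceeding WarnLimit writes a warning to nxlog.log, which is
# the early signal that one destination is down.
<Processor buf1>
    Module      pm_buffer
    Type        Mem
    MaxSize     102400
    WarnLimit   51200
</Processor>

<Processor buf2>
    Module      pm_buffer
    Type        Mem
    MaxSize     102400
    WarnLimit   51200
</Processor>

<Route r1>
    Path    in => buf1 => out1
</Route>

<Route r2>
    Path    in => buf2 => out2
</Route>
```

A `Type Disk` buffer (which additionally needs a `Directory`) survives an agent restart at the cost of disk I/O; for Windows event log collection that trade is usually worth it, since a memory buffer's contents are lost when the service stops.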
No logs are collected from Fortinet units, but tcpdump on NXlog collector shows ingoing traffic coming from them
I have a setup using NXlog instances as collectors in a large number of security zones.

```apache
<Input in>
    # block name and Port are not in the original post
    Module  im_tcp
    Host    XXX.XXX.XXX.XXX
</Input>
```

but for some reason this does not capture logs coming in on port 514 from Fortinet units; all other logs (from Windows and Linux servers) are received and processed just fine. `tcpdump -nvvA host [Fortinet unit IP]` shows log traffic coming in on the NIC from the given IP address. What am I missing?

DS_534595 created
Replies: 2
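
An added example, not from the post above. `im_tcp` only accepts TCP connections, while a FortiGate sends syslog over UDP unless its syslog `mode` has been changed, so UDP datagrams to port 514 would be visible in tcpdump and ignored by this listener. The quick check is to filter the capture by transport, `tcpdump -nn 'host <fortinet ip> and udp port 514'` against `... and tcp port 514`, and see which one shows traffic. The configuration below listens on both transports; the listen address is the post's placeholder, the port, output and route names are assumptions, and the assumption that the units were left on UDP is what the second input covers.

```apache
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Existing TCP listener (Host from the post; Port assumed to be 514)
<Input syslog_tcp>
    Module  im_tcp
    Host    XXX.XXX.XXX.XXX
    Port    514
    Exec    parse_syslog();
</Input>

# UDP listener on the same port for devices that send UDP syslog, the
# FortiGate default. Both inputs feed the same parsing and output.
<Input syslog_udp>
    Module  im_udp
    Host    XXX.XXX.XXX.XXX
    Port    514
    Exec    parse_syslog();
</Input>

<Output collected>
    Module  om_file
    File    "/var/log/nxlog/collected.log"
</Output>

<Route syslog_in>
    Path    syslog_tcp, syslog_udp => collected
</Route>
```

Binding to 514 is a privileged-port operation on Linux, so the account NXLog drops to needs the capability to do so or the listeners need a port above 1024; the TCP listener already working suggests that is in place. UDP syslog carries no delivery guarantee and no transport-level authentication, so where the FortiGate supports it, moving the devices to TCP (or to TLS with `im_ssl`) and keeping a single listener is the better long-term fix than accepting both.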
Sumo Logic Integration

Hello!

I am working on integrating NXLog with Sumo Logic. I followed the instructions on how to integrate with Sumo Logic in the setup documentation, but the logs are not being forwarded to Sumo Logic correctly, even though I receive the INFO successfully connected message. I believe it may be related to the token. My input is from an SSL connection (which is successfully connecting; I tested by diverting it to a file, which I'm currently using as an intermediary until I figure this out). I have tried both options below.

```apache
<Output sumologic>
    # block name is not in the original post
    Module      om_ssl
    Host        syslog.collection.us1.sumologic.com
    Port        6514
    CAFile      %CERTDIR%\digicert_ca.crt
    Exec        to_syslog_ietf();
    Exec        $raw_event =~ s/(\[.*])//g; \
                $raw_event = replace($raw_event, \
                '{', '[%SUMO_TOKEN%] {', 1);
</Output>
```

```apache
<Output sumologic>
    # block name is not in the original post
    Module      om_ssl
    Host        syslog.collection.us1.sumologic.com
    Port        6514
    CAFile      %CERTDIR%\digicert_ca.crt
    Exec        to_syslog_ietf();
    Exec        $raw_event =~ s/(\[NXLOG@14506.*?\])//g; \
                $raw_event = replace($raw_event, \
                '{', '[%SUMO_TOKEN%] {', 1);
</Output>
```


A1 created
Replies: 0