Hello, I am using NXLog EE with the im_odbc module to read application logs from an SQL database table. After writing these logs to a file or forwarding them to a SIEM I seem to see random white space characters in various fields. Is there anyway possible where I can "cut out" this white space so it no longer appears in the log? For example, in the below there is white space in the USERID field after sa. Example log here: <13>Jan 4 16:32:56 PAGBSSC1SQL032 2022-01-04 16:32:56 PAGBSSC1SQL032 INFO id="63548" INDEX1="1" PRODNAME=" " CMPNYNAM="ABF plc " USERID="sa " INQYTYPE="2" DATE1="2022-01-04 00:00:00" SECDESC="Successful Attempts to Log In " DEX_ROW_ID="63548" Here is my NX Log EE config file: define INSTALLDIR C:\Program Files\nxlog #ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d Note that these two lines define constants only; the log file location is ultimately set by the LogFile directive (see below). The MYLOGFILE define is also used to rotate the log file automatically (see the _fileop block). define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log If you are not using NXLog Manager, disable the include line and enable LogLevel and LogFile. include %CONFDIR%*.conf LogLevel INFO LogFile %MYLOGFILE% <Extension _syslog> Module xm_syslog </Extension> This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is changed in managed.conf via NXLog Manager, rotation of the new file should also be configured there. <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour &lt;Exec&gt; if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') &gt;= 5M) ) { file_cycle('%MYLOGFILE%', 8); } &lt;/Exec&gt; &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8); &lt;/Schedule&gt; </Extension> <Input odbc> Module im_odbc ConnectionString DSN=NXLog; Driver={ODBC Driver 17 for SQL Server}; Server=PAGBSSC1SQL032; Trusted_Connection=yes; Database=DYNAMICS IdType integer SQL SELECT DEX_ROW_ID AS id, * FROM DYNAMICS.dbo.SY05000 WHERE DEX_ROW_ID > ? PollInterval 5 Exec delete($id); Exec if not ($raw_event =~ /sa/) drop (); </Input> <Output udp> Module om_udp Host 10.180.13.28:514 Exec to_syslog_bsd(); </Output> <Route transfer> Path odbc => udp </Route> Any help would be greatly appreciated! TIA

I'm trying to collect Sql Server error log using the second conf found here: https://nxlog.co/documentation/nxlog-user-guide/mssql.html <Input mssql_errorlog> Module im_file File 'C:\Program Files\Microsoft SQL Server' + 'MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG' <Exec> # Convert character encoding $raw_event = convert($raw_event, 'UTF-16LE', 'UTF-8'); # Discard empty lines if $raw_event == '' drop(); # Attempt to match regular expression else if $raw_event =~ /(?x)^(?<EventTime>\d+-\d+-\d+\ \d+:\d+:\d+.\d+) \ (?<Source>\S+)\s+(?<Message>.+)$/s { # Convert $EventTime field to datetime type $EventTime = parsedate($EventTime); # Save $EventTime and $Source; may be needed for next event set_var('last_EventTime', $EventTime); set_var('last_Source', $Source); } # If regular expression does not match, this is a multi-line event else { # Use the entire line for the $Message field $Message = $raw_event; # Check if fields were save from the previous event if defined(get_var('last_EventTime')) { # Use $EventTime and $Source from previous event $EventTime = get_var('last_EventTime'); $Source = get_var('last_Source'); } else # Use received timestamp for $EventTime; $Source is unknown $EventTime = $EventReceivedTime; } </Exec> </Input> I receive the follow error: ERROR if-else failed at line 71, character 9 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 71, character 9 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 57, character 47 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 57, character 46 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid It seems parsedate cannot evaluate $EventTime... Please, help me. Graziano.

Is the Conf file format work ? Which point will this read the SQL table ? SQL Table as provided by DCS integration with SIEM solutions like Splunk, SSIM or ArcSight (broadcom.com) KB https://knowledge.broadcom.com/external/article?articleId=175333 <Input reading_integer_id> Module im_odbc ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=xxxxx; Trusted_Connection=yes; Database=db1;UID=ROUSER;PWD=xxxxx; IdType integer SQL SELECT Event_ID AS id, * FROM dbo.CSPEVENT_VW WHERE Event_ID > ? Exec delete($id); </Input> Initial run of this gives the following error 2021-12-30 04:22:41 WARNING no routes defined! 2021-12-30 04:22:41 WARNING not starting unused module reading_integer_id 2021-12-30 04:22:41 INFO nxlog-4.10.5008-trial started 2021-12-30 04:22:50 WARNING stopping nxlog service 2021-12-30 04:22:51 WARNING nxlog received a termination request signal, exiting.

Hi Team, We are using nxlog ce 2.11.2190. We are facing this issue where the nxlog service stops due to "ERROR memory pool allocation error; Not enough space" error found in nxlog logs. After the observation we found that 300 GB disk space is free and we are still getting this error. What could be the reason? Thanks in Advance Dhananjaya

Exchange admins are complaining of NXlog agent is locking access to server logs. Any suggestion?

I am upgraded Nxlog version 4.3.4308 to version 5.4.7313. I have been using a Strawberry Perl (version 5.28.0.1) script to parse the logs, but now when Nxlog starts I am getting the following error "Failed to load module from C:\Program Files\nxlog\modules\extension\xm_perl.dll, a dependency dll is likely missing; The specified module could not be found". I have tried multiple versions of Strawberry Perl but get the same error. Can anyone explain why this is happening? Thanks in advance.

Hello. My query is i am trying to fetch "System Event log" from the windows 10 using below input. but problem is the system log is not fetching and putting the file by NXLOG. else i have tried to fetch "Application log" Using below method but that time log is fetching and working. but only "system" log can't fetch. <Input eventlog> Module im_msvistalog SavePos TRUE <QueryXML> <QueryList> <Query Id="0"> <Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=3 or EventID=20)]]</Select> </Query> </QueryList> </QueryXML> Exec to_json(); </Input>

I want to use an automated method of deploying NXLog to specific machines. These machines have differing combinations of software installed that I want to monitor. I want to deploy NXLog along with a standard configuration file that has all the potential sources of log files I want to monitor. On some machines, those files/directories may not exist. How will NXLog handle that? Will it ignore it gracefully? I am trying to avoid having custom configs for each individual server, and instead use a generic config file that covers all of our potential configurations (IIS, Apache, NGINX, BIND, etc.)

Posting this here for guidance or advice on how to mitigate the log4j vulnerability (CVE-2021-44228) that looks to be present in nxlog. Will an update be done or are there other mitigations that can be placed in the meantime? Configuration changes? Found here in the nxlog documentation --> https://nxlog.co/documentation/nxlog-user-guide-full#nxlog_manager_config_logger

Looks like nxlog could be used to send log data to elasticsearch and replace logstash. Looking through the documentation and it looks like you can only provide 1 url/host for elastic in the nxlog config. With logstash we define the cluster of servers, in our case 6. Can multiple host node members be defined in the nxlog elastic configuration? Also it is referencing bulk, can the messages also be sent without sending in bulk?

Interested in collecting Netflow which can be a lot of volume. Anyone seen hardware specifications needed for collecting netflow?

Hi I have a testing environment needed by nxlog-ce-2.9.1716-1.x86_64，Where I Can Download？Note：My testing environment OS is SLES 11 SP4 and SLES 12 SP1，But on NXlog Website not for the nxlog-ce for SLES。

Hi all, I would like to set the actual IP address of a computer when an event is raised and add the result in a new field. Is it possible to set a new field with powershell ? &lt;Exec&gt; if ($EventID == 11001) \ {\ exec_async(&quot;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&quot;, &quot;-ExecutionPolicy&quot;, &quot;ByPass&quot;, &quot;-NonInteractive&quot;, &quot;-Command&quot;, &quot;(gwmi Win32_NetworkAdapterConfiguration | where {$_.IPEnabled}).IPAddress&quot;);\ } &lt;/Exec&gt;

Hello We have an issue with SQL server logs recycling. Upon investigating we found as a possible root cause that a process NXLOG.exe is holding and preventing the recycle/deletion of the MSSQL log files. Could you please advise on this issue.

I am looking at nxlog receiving various system logs via syslong on a single port using tcp/514. I would then like to have the message, based on the log type, parse and then send to a different destination. Is this possible using nxlog? For example cisco devices will come in and would like to parse and then send those logs to one destination, lets say elk. Palo logs will come in on same tcp/514 listener but will need to be parsed and sent to a different destination, lets say splunk. They would be output as json and sent to the appropriate destination. I was thinking maybe looking at the raw event and having some type of logic based on a regex but that all happens in the same input module. Not seeing how it would direct the events to different outputs or routes.

HI, I need to get the pricing for the NXlog Enterprise license

Hi I try to use two time the input im_module to be sent two time to the local server but with two different port (used with PRTG) But I get the error that the module is already used and I don't understand why. Here the configuration file : define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Input Stamps> Module im_file File "C:\Program Files\timekeeper\var\log\timekeeper_stamps.log" SavePos TRUE ReadFromLast TRUE </Input> <Input Log> Module im_file File "C:\Program Files\timekeeper\var\log\timekeeper.log" SavePos TRUE ReadFromLast TRUE </Input> <Output Stamps> Module om_udp Host 127.0.0.1 Port 1530 </Output> <Output Log> Module om_udp Host 127.0.0.1 Port 1531 </Output> <Route Stamps> Path Stamps => Stamps </Route> <Route Log> Path Log => Log </Route> Here the error : 2021-11-30 09:25:23 WARNING nxlog-ce received a termination request signal, exiting... 2021-11-30 09:25:25 ERROR module 'Stamps' is already defined at C:\Program Files (x86)\nxlog\conf\nxlog.conf:34 2021-11-30 09:25:25 ERROR module 'Log' is already defined at C:\Program Files (x86)\nxlog\conf\nxlog.conf:39 2021-11-30 09:25:25 ERROR route Stamps is not functional without output modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:45 2021-11-30 09:25:25 ERROR route Log is not functional without output modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48 2021-11-30 09:25:25 WARNING no routes defined! 2021-11-30 09:25:25 WARNING not starting unused module Stamps 2021-11-30 09:25:25 WARNING not starting unused module Log 2021-11-30 09:25:25 INFO nxlog-ce-2.10.2150 started Can you help me ?

Is it possible to assign more than one template to an agent with NXlog Manager or do you need a full template for each possible combination? Our current configs use the includes folder to add and remove sections of config for specific items. Is it possible to do this with NXlog Manager also? Example: Server A and B both get the base template. Server A also gets the AD template include section. Server B also gets the AD and DHCP template include sections.

Hello guys, I have a WEC serveur with the last version of Nxlog installed on it. I forward these logs to a Qradar SIEM with the to_syslog_snare(); function in the output module. Everything is working fine in QRadar and the parsing is good. But when the SnareCounter value exceeds 9999999 in the log, I saw a "Tab" or a "space" and my log is not parsing well anymore in my QRadar. This modification appear between the SnareCounter and the Date value A working log with the value of the SnareCounter below 9999999 Nov 24 08:42:56 MyServer MSWinEventLog 1 Security 8944 **small space here ** Wed Nov 24 08:42:56 A non working log when the SnareCounter value exceed 9999999 Nov 24 08:41:36 MyServer MSWinEventLog 1 Security 29970217 **big space here ** Wed Nov 24 08:41:36 2021 As you can see, the space in bigger in the second log, and so the parsing is not working on my SIEM anymore. Anybody can help me regarding this issue ? Thx ! M.

I have logs that I need to collect with NxLog, these logs are in a .log file that has a name format [YYYY][MM][DD].request.log The log file name changes every day and if the logs roll over during the day they will be named with .request#.log I need to capture [YYYY]-[MM]_[DD].request.log for the current date For example today is Nov 18 2021 and I have these files 2021_11_18.request.log 2021_11_17.request.log 2021_11_16.request.log 2021_11_15.request.log I would need to read 2021_11_18.request.log and ignore the rest And tomorrow (Nov 19) I would need to read 2021_11_19.request.log I already know how to read log files and send them to my syslog collector, my question is how can I get NxLog to only read the log from the current day?