NXLog-ce-2.11.2190 stops sending logs after network disconnect and reconnect
Wrzek created
Hello,
My NXLog-ce-2.11.2190 stops sending logs after network disconnect and reconnect.
Last logs:
2021-10-05 11:40:09 INFO nxlog-ce-2.11.2190 started
2021-10-05 11:53:29 INFO reconnecting in 1 seconds
2021-10-05 11:53:29 ERROR om_udp apr_socket_send failed; Został dostarczony nieprawidłowy argument.
2021-10-05 11:53:30 ERROR couldn't connect to udp socket on 10.2.1.159:9000; Próba przeprowadzenia operacji, wykonywanej przez gniazdo, na nieosiągalnej sieci.
Config:
<Extension _gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security"></Select>
<Select Path="Microsoft-Windows-UniversalTelemetryClient/Operational"></Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_udp
Host 10.2.1.159
Port 9000
OutputType GELF
</Output>
<Route 1>
Path in => out
</Route>
System: Windows 10 Pro version 2004 on VMware vSphere 7.0
It is exactly the same question as here: https://www.mail-archive.com/nxlog-ce-users@lists.sourceforge.net/msg00970.html
but I'm using the latest version of NXLog-CE.
Any ideas, please...?
Possible to use nxlog to regularly check service status?
steven.su created
Hi,
We have the use case to get the specific service's status hourly and it could be done via some PowerShell commands. However, we don't want to maintain the script on users' hosts and want to integrate the checking into nxlog's configuration. Does the nxlog agent have the capability to run such a command hourly? Or is there any alternative method?
Many thanks in advance !
Best regards,
Steven
Using NXLog to Netwitness
jwilliams1010 created
Hi,
The decoders used in Netwitness. The job of a decoder is to select a parser to parse log files.
The Netwitness LogDecoder shows Service Type as unknown but I was expecting to see winevent_snare.
My NXLog config uses the Exec $Message =~ s/(\t|\R)/ /g; to_syslog_snare(); to send windows log data to the NETWITNESS collector/decoder.
The problem is the decoder is using unknown or rxlinux as service type not winevent_snare to parse my windows log files. I was looking for the decoder to use winevent_snare but it is not.
Does anyone have a working NXLog config file to collect windows event logs to Netwitness?
Thanks for your assistance,
Jim
Cannot communicate with database server
Julius.M. created
Hi, sorry, my English is bad.
Why, when I go to http://192.168.91.133:9090/nxlog-manager and specify the login "admin" and the password "nxlog123", do I get the error "could not contact the database server."?
OS: CentOS Linux release 8.4.2105
DB: usr/libexec/mysqld Ver 8.0.21 for Linux on x86_64 (Source distribution)
my.cnf -> [client]
password=asdf
Password "asdf" install mysql root user
./dbinit.sh - Done
in /etc/hosts -> 192.168.91.133 localhost.localdomain
[root@localhost db_init]# systemctl status mysqld.service
● mysqld.service - MySQL 8.0 database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-09-22 15:59:27 MSK; 9min ago
Process: 4119 ExecStopPost=/usr/libexec/mysql-wait-stop (code=exited, status=0/SUCCESS)
Process: 4277 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
Process: 4196 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mysqld.service (code=exited, status=0/SUCCESS)
Process: 4171 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
Main PID: 4233 (mysqld)
Status: "Server is operational"
Tasks: 42 (limit: 49168)
Memory: 352.8M
CGroup: /system.slice/mysqld.service
└─4233 /usr/libexec/mysqld --basedir=/usr
сен 22 15:59:27 localhost.localdomain systemd[1]: Starting MySQL 8.0 database server...
сен 22 15:59:27 localhost.localdomain systemd[1]: Started MySQL 8.0 database server.
[root@localhost db_init]# service nxlog-manager status
● nxlog-manager.service - NXLog Manager
Loaded: loaded (/usr/lib/systemd/system/nxlog-manager.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-09-22 15:58:28 MSK; 11min ago
Main PID: 4013 (java)
Tasks: 53 (limit: 49168)
Memory: 1.5G
CGroup: /system.slice/nxlog-manager.service
└─4013 /usr/bin/java -Xms1g -Xmx2g -XX:PermSize=64m -XX:MaxPermSize=256m -Xss2m -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -Dorg.apache.commons.collections.enableUnsa>
Sep 22 16:00:13 localhost.localdomain service.sh[4013]: сен 22, 2021 4:00:13 PM org.apache.jasper.compiler.JDTJavaCompiler setSourceVM
Sep 22 16:00:13 localhost.localdomain service.sh[4013]: WARNING: Unknown source VM 1.7 ignored.
Sep 22 16:00:14 localhost.localdomain service.sh[4013]: сен 22, 2021 4:00:14 PM org.apache.jasper.compiler.JDTJavaCompiler setTargetVM
Sep 22 16:00:14 localhost.localdomain service.sh[4013]: WARNING: Unknown target VM 1.7 ignored.
nxlog-manager.log
2021-09-22 16:23:28,589 WARN localhost.localdomain unknown [com.mchange.v2.resourcepool.BasicResourcePool] - com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@487eb16 -- Acquisition Attempt Failed!!! Clearing pending acquires. While trying to acquire a needed new resource, we failed to succeed more than the maximum number of allowed acquisition attempts (30). Last acquisition attempt exception:
java.sql.SQLException: Unknown system variable 'tx_isolation'
at org.mariadb.jdbc.internal.SQLExceptionMapper.get(SQLExceptionMapper.java:149)
at org.mariadb.jdbc.internal.SQLExceptionMapper.throwException(SQLExceptionMapper.java:106)
at org.mariadb.jdbc.MySQLStatement.executeQueryEpilog(MySQLStatement.java:268)
at org.mariadb.jdbc.MySQLStatement.execute(MySQLStatement.java:296)
at org.mariadb.jdbc.MySQLStatement.executeQuery(MySQLStatement.java:349)
at org.mariadb.jdbc.MySQLStatement.executeQuery(MySQLStatement.java:408)
at org.mariadb.jdbc.MySQLConnection.getTransactionIsolation(MySQLConnection.java:410)
at com.mchange.v2.c3p0.impl.NewPooledConnection.<init>(NewPooledConnection.java:120)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:240)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203)
at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1138)
at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1125)
at com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44)
at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1870)
at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696)
Caused by: org.mariadb.jdbc.internal.common.QueryException: Unknown system variable 'tx_isolation'
at org.mariadb.jdbc.internal.mysql.MySQLProtocol.getResult(MySQLProtocol.java:995)
at org.mariadb.jdbc.internal.mysql.MySQLProtocol.executeQuery(MySQLProtocol.java:1050)
at org.mariadb.jdbc.internal.mysql.MySQLProtocol.executeQuery(MySQLProtocol.java:1030)
at org.mariadb.jdbc.MySQLStatement.execute(MySQLStatement.java:289)
... 12 more
powershell no returns value
d.muromtsev created
I am using Nxlog 5.4.7313 and I have such a config block.
<Input perf_process>
Module im_exec
BufferSize 200
Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Arg "-ExecutionPolicy"
Arg "remotesigned"
Arg "-File"
Arg "C:\scripts\Get-ProcessUtilization.ps1"
Restart TRUE
</Input>
<Output out>
Module om_file
File 'c:\nxlog.txt'
</Output>
<Route client>
Path perf_process => out
</Route>
When the service starts, it doesn't write anything to the output file. But if I execute "stop-process -name powershell" as administrator, then the next cycle will restart powershell scripts and the data will appear in the output. Also, the command "net stop nxlog" cannot independently stop the scripts that were launched for the first time.
Using NxLog with to_syslog_snare() for Windows Events
jwilliams1010 created
Using NxLog with "EXEC to_syslog_snare();" to output Windows Events. What parser should be used by the Decoder? I thought maybe winevent_snare but maybe it is rhlinux.
Which parser should be used... or should I only care the windows event logs are parsed correctly?
Add hostname to the beginning of the log
Symphonia created
I need to append a hostname to the beginning of the raw log because the log that is being transferred does not show the host who is forwarding the log. I need to add a hostname to identify the log is being forwarded.
Here is the output. How do I add the hostname?
<Input internal>
Module im_internal
Exec $Message = to_json();
</Input>
<Input cs>
Module im_file
File 'C:\fdr\out\data*.json'
CloseWhenIdle TRUE
DirCheckInterval 300
Recursive TRUE
ReadFromLast FALSE
<OnEOF>
<Exec>
file_remove(file_name());
</Exec>
</OnEOF>
</Input>
NXLOG agent deployed on Windows causing continuous .dmp files on C: drive causing issues for Windows server
RickKlemola created
Anyone experience this? New to NXLOG Community, first experience deploying. Servers are Windows 2019 Datacenter.
Test question
ArkadiyDeactivated Nxlog ✓ created
Want to check out if the links issue still persists.
Error PCRE match_limit
jd01 created
Hi can anyone help me out with this error:
2021-09-02 11:30:35 ERROR pcre match_limit reached for regexp /(?-i:vd=")(?!X|Y|Z).*".*dstport=999/
does this mean that the regex is performing poorly and the engine is skipping the argument?
TIA.
Send custom value in iis_log message
Anbers created
I want to know if it is possible to send, with the IIS log message, a custom field and value. Actually this is my config:
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _gelf>
#Module xm_syslog
Module xm_gelf
#Module xm_json
</Extension>
<Extension w3c_parser>
Module xm_csv
Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
sc-status, sc-substatus, sc-win32-status, time-taken
FieldTypes string, string, string, string, string, string, integer, \
string, string, string, string, integer, integer, integer, \
integer
Delimiter ' '
EscapeChar '"'
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input in2>
Module im_file
File "c:\\logs\\app\\iislog\\u_extend1.log"
<Exec>
if $raw_event =~ /^#/ drop();
else
{
w3c_parser->parse_csv();
$EventTime = parsedate($date + "T" + $time + ".000Z");
}
</Exec>
</Input>
<Output out>
Module om_udp
Host 172.28.36.25
Port 12201
#Exec to_syslog_snare();
OutputType GELF
</Output>
<Route 1>
Path in2 => out
</Route>
This works great, but I need to add a custom and static value in the message, like: FIELD: "system", VALUE: "program1", and this value is always the same.
date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken,**system**
Is this possible?
Thanks!
How to merge event fields by ID?
hugh_yang created
Hi.
I have a problem that I can't find a solution.
Using im_file, I entered some text as follows:
[20210816-094441] ID=123 some information1
[20210816-094441] ID=123 some information2
[20210816-094441] ID=124 some information3
[20210816-094441] ID=124 some information4
I need to merge events according to the ID field. The expected output is as follows. I found some information and tried to use pm_evcorr, but the community version lacks get_prev_event_data().
[20210816-094441] ID=123 some information1 some information2
[20210816-094441] ID=124 some information3 some information4
NXLog-Manager install on Win 2019 Docker fails
mlevesque created
Environment: VMware vSphere 6.7 running a VM with Windows 2019 Datacenter + Docker Enterprise version 20.10.6
Windows detects Intel Xeon Silver 4414 CPU.
Tried command: docker-compose up -d
Results:
Pulling db (mysql:5.5)...
5.5: Pulling from library/mysql
ERROR: no matching manifest for windows/amd64 10.0.17763 in the manifest list entries
What can I do to get the NXLog Docker image loaded?
How to deploy NXLog CE edition using Azure Intune
palezvar created
Hello folks:
I downloaded the latest msi file for the CE edition and used it on Azure Intune to deploy as a "Line of Business Application". Unfortunately, the status for the app deployment remains as "Waiting for install status" on the intune portal.
So I decided to test the PowerShell install on my Win10 laptop using the following command in PowerShell with elevated privileges:
msiexec.exe /i .\nxlog-ce-2.11.2190.msi /quiet /l*v "C:\NXLogCE-Install.log"
I am not having any luck on my laptop either. I basically see the following:
=== Verbose logging started: 8/23/2021 15:53:19 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (E4:B4) [15:53:19:924]: Resetting cached policy values
MSI (c) (E4:B4) [15:53:19:924]: Machine policy value 'Debug' is 0
MSI (c) (E4:B4) [15:53:19:924]: ******* RunEngine:
******* Product: .\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (c) (E4:B4) [15:53:19:924]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (E4:B4) [15:53:19:924]: Grabbed execution mutex.
MSI (c) (E4:B4) [15:53:19:930]: Cloaking enabled.
MSI (c) (E4:B4) [15:53:19:930]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (E4:B4) [15:53:19:931]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:934]: Running installation inside multi-package transaction C:\Users\palezvar\Desktop.\nxlog-ce-2.11.2190.msi
MSI (s) (24:4C) [15:53:19:934]: Grabbed execution mutex.
MSI (s) (24:2C) [15:53:19:935]: Resetting cached policy values
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'Debug' is 0
MSI (s) (24:2C) [15:53:19:935]: ******* RunEngine:
******* Product: C:\Users\palezvar\Desktop.\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (24:2C) [15:53:19:952]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:2C) [15:53:19:952]: SRSetRestorePoint skipped for this transaction.
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1324 2: . 3: 1
MSI (s) (24:2C) [15:53:19:953]: MainEngineThread is returning 2
MSI (s) (24:4C) [15:53:19:953]: No System Restore sequence number for this installation.
MSI (s) (24:4C) [15:53:19:954]: User policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Machine policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:955]: MainEngineThread is returning 2
=== Verbose logging stopped: 8/23/2021 15:53:19 ===
What am I doing wrong?
Thanks,
Multiple NICs on Windows server
mcerone created
Hello,
We have two Windows servers on which we are using the NxLog agent to forward Windows events to a log collection platform.
The servers have two NICs and we are getting the wrong NIC IP address in the messages forwarded by NxLog.
The agent version is 4.6.4640
The server is Windows 2016 standard server
Here is the output module from the template applied
<module>om_udp</module>
<config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<type>OUTPUT</type>
<verbatim>Exec $Hostname = string(host_ip());
Exec to_syslog_snare(); </verbatim>
<connect-address>SERVERIP</connect-address>
<port>514</port>
<output-format>Dgram</output-format>
</config>
Issue while configuring Oracle in Windows server
PS_793095 created
Hi,
Please help me with the solution of the below issue that I am facing while doing the configuration of oracle on windows server with nxlog. I have used below nxlog conf file to fetch Oracle event logs:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input in_Oracle>
Module im_file
File 'D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace'
SavePos TRUE
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>
<Output out_Oracle>
Module om_udp
Host CCE-IP
Port 514
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'oracle_logs';
Exec to_syslog_bsd();
</Output>
<Route 1>
Path in_Oracle => out_Oracle
</Route>
Below is the path where Oracle events are stored, and I have put the same path in the conf file as well:
D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace
When I have restarted the nxlog services, I found below error in data folder:
2021-08-12 15:14:02 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.
2021-08-12 15:14:06 ERROR last message repeated 2 times
2021-08-12 15:14:10 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.
2021-08-12 15:14:18 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.
Can you please let me know why it's showing access denied and how I can resolve this?
Thanks,
Priyanka
exec_async powershell.exe causes huge number of open handles which leads to memory exhaustion
MathieuH created
We use NXlog on Windows server to send audit logs from MariaDB to a syslog server.
On certain messages I execute a powershell script with exec_async.
We discovered that the powershell.exe subprocesses are not closed correctly, which leads to excessive memory use that can be seen by using RamMap and then the Page Table value.
In the processes tab a lot of powershell.exe's can be seen with 4KB memory use.
With Process Explorer I can see a large number of Handles in the NXlog.exe process.
A restart of the nxlog service temporarily resolves the issue by cleaning up the (zombie?) powershell.exe processes.
I could reproduce the issue with a very simple powershell script with only 1 line: "exit".
When I run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NonInteractive -File C:\temp\test.ps1" from a cmd.exe it exits normally and the powershell.exe subprocess doesn't stay visible in RamMap.
Could this be a bug? Or should I call powershell.exe differently?
Excerpt of my config:
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _exec>
Module xm_exec
</Extension>
.....
<Processor discard_messages>
Module pm_null
<Exec>
# Discard messages with 'keepalive'
if( $auditlog_object == "SELECT 0 FROM DUAL" ) exec_async("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "ByPass", "-NonInteractive", "-File", "C:\\temp\\test.ps1");
if( $auditlog_object == "SELECT 0 FROM DUAL" ) drop();
</Exec>
</Processor>
....
<Input mariadb_audit_file>
Module im_file
File 'C:\mariadb\data\server_audit.log'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
</Input>
<Output output_graylog>
Module om_udp
Host x.x.x.x
Port 12201
OutputType GELF
Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
Exec $Hostname = hostname_fqdn();
</Output>
<Route route-0>
Path mariadb_audit_file => preprocess => extract_fields => discard_messages => whitelist_queries => output_graylog
</Route>
include directive does _not_ allow wildcard character '*' in Windows
kbakowski created
I'm trying to set up nxlog on a windows host and break out configuration files for specific applications. I followed the example in the documentation ( https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_general_include ) but when I include a wildcard character, the nxlog service fails to start with the following error in the log file:
nxlog failed to start: Invalid 'include' directive at c:\Program Files (x86)\nxlog\conf\nxlog.conf:19
Failed to open config file C:\Program Files (x86)\nxlog\conf\nxlog.d*.conf
The filename, directory name, or volume label syntax is incorrect.
The nxlog.d sub-directory exists and I have an application-specific config file there. If I specify the filename explicitly, the nxlog service starts. I'd like to use the wildcard in the main nxlog.conf file so I can scale this to multiple servers with different apps.
Linux: fine-grained disable-enable control of logs
jfreyensee created
Say I have the following nxlog.conf file:
<Input lc1>
Module im_file
File "/var/log/messages"
</Input>
<Input lc2>
Module im_file
File "/var/log/mything.txt"
</Input>
<Output fileout>
Module om_file
Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
Exec to_syslog_bsd();
File "/var/log/logmsg2.txt"
</Output>
<Route lcroute1>
Path lc1 => fileout
</Route>
<Route lcroute2>
Path lc2 => fileout
</Route>
Is there a way to just turn off the harvesting of lc2 or the lcroute2 without having to modify or manually change the nxlog.conf file? Basically, for this example nxlog.conf file, I'd like to have fine-grained adjustment/control of the logs if someone decides they want to turn off a log getting routed to the output file.
Thank you!