file_remove with Windows Shortcut and wildcard
Traqueur56 created
Hello
I have to use nxlog to read SAS log files from SAS Guide.
It's about more than 1,000 users in my company.
Nxlog is installed on these 1,000 laptops, and the SAS log files
are under a directory like
c:\Users\A012345\Logs\*.log
-> I can't change this directory ...
-> A012345 is an example of an employee number.
So I have a different directory on each of the 1,000 laptops.
I have to find a solution to bypass this variable employee number
and find a generic expression to access this directory.
So I can't use a wildcard directly in the log directory
(c:\Users\*\Logs\*.log); nxlog can't do that.
I have a solution using a Windows shortcut.
I create a shortcut
"D:\Temp\SAS-Logs" with a link to my official directory
c:\Users\A012345\Logs.
And my nxlog input with im_file works perfectly.
Now I'm faced with another problem.
I must manage the SAS log file retention.
I'm testing the file_remove function.
When I specify my official directory (c:\Users\A012345\Logs\*.log), it works perfectly.
When I use the same shortcut (which works with my im_file),
nxlog says it can't find the directory.
What is the problem? Does the file_remove function use another library?
Do you have any idea how to delete my "old" SAS log files with nxlog?
Thanks
Arnaud
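An added configuration example, not from this thread and not NXLog's own documentation, showing the two halves the post is juggling on a fixed path: retention with xm_fileop's two-argument file_remove(), which takes a wildcard pattern and a cut-off time and is run from a Schedule block, and an im_file input that keeps the wildcard in the file-name part and lets Recursive walk the per-user profile directories, filtering on file_name() so only the Logs folder is read. The instance names, the seven-day age, the assumption that the age is given in seconds, and the `<profile>\Logs\` layout are mine. It does not rely on the shortcut, so it says nothing about whether file_remove() resolves one; that remains the open question.

```nxlog
<Extension fileop>
    Module      xm_fileop
    <Schedule>
        Every   1 hour
        <Exec>
            # Two-argument file_remove(): wildcard pattern plus a cut-off time.
            # Files older than seven days are deleted (86400 s per day; the
            # integer is assumed to be seconds).
            file_remove('C:\Users\A012345\Logs\*.log', now() - 7 * 86400);
        </Exec>
    </Schedule>
</Extension>

<Input sas>
    Module      im_file
    # im_file accepts the wildcard only in the file-name part. With Recursive
    # the pattern is matched under every subdirectory, so the per-user profile
    # name needs no wildcard of its own.
    File        'C:\Users\*.log'
    Recursive   TRUE
    ReadFromLast FALSE
    <Exec>
        # Keep only <profile>\Logs\<name>.log (assumed layout); any other
        # *.log found under C:\Users is discarded before it leaves the input.
        if not (file_name() =~ /^C:\\Users\\[^\\]+\\Logs\\[^\\]+\.log$/i) drop();
    </Exec>
</Input>
```

Walking all of C:\Users recursively on every poll is not free on a laptop, so the cost of Recursive should be checked against the number of files under the profiles before this is rolled out to a thousand machines.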
GELF message has empty mandatory "short_message" field
paci.ti8m created
Hi,
I'm using Graylog as my logging platform, and in its error logs I'm facing an issue related to the way Nxlog is forwarding messages to Graylog.
Here is the stack trace, followed by the nxlog configuration:
2021-10-19T17:00:24.464+02:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=49ba6ee1-30ed-11ec-a554-005056a17083, journalOffset=140463071838, codec=gelf, payloadSize=249, timestamp=2021-10-19T15:00:24.398Z, remoteAddress=/10.181.8.23:39018}
java.lang.IllegalArgumentException: GELF message <49ba6ee1-30ed-11ec-a554-005056a17083> (received from <10.181.8.23:39018>) has empty mandatory "short_message" field.
at org.graylog2.inputs.codecs.GelfCodec.validateGELFMessage(GelfCodec.java:258) ~[graylog.jar:?]
at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:140) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:149) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:47) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_292]
2021-10-19T17:00:24.464+02:00 ERROR [DecodingProcessor] Unable to decode raw message RawMessage{id=49ba47dc-30ed-11ec-a554-005056a17083, journalOffset=140463071836, codec=gelf, payloadSize=249, timestamp=2021-10-19T15:00:24.397Z, remoteAddress=/10.181.8.23:39018} on input <581344a7a0474e1cf763f7f4>.
2021-10-19T17:00:24.469+02:00 ERROR [DecodingProcessor] Error processing message RawMessage{id=49bb3232-30ed-11ec-a554-005056a17083, journalOffset=140463071886, codec=gelf, payloadSize=249, timestamp=2021-10-19T15:00:24.403Z, remoteAddress=/10.181.8.23:39018}
java.lang.IllegalArgumentException: GELF message <49bb3232-30ed-11ec-a554-005056a17083> (received from <10.181.8.23:39018>) has empty mandatory "short_message" field.
at org.graylog2.inputs.codecs.GelfCodec.validateGELFMessage(GelfCodec.java:258) ~[graylog.jar:?]
at org.graylog2.inputs.codecs.GelfCodec.decode(GelfCodec.java:140) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.processMessage(DecodingProcessor.java:149) ~[graylog.jar:?]
at org.graylog2.shared.buffers.processors.DecodingProcessor.onEvent(DecodingProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:90) [graylog.jar:?]
at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:47) [graylog.jar:?]
at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_292]
define ROOT /usr/bin
#define REGEX /^(?x)^\[(?<EventTime>\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2}),\d{3}\]/
define REGEX /(?x)^\[(?<EventTime2>\d{4}-\d{2}-\d{2}\ \d{2}:\d{2}:\d{2}),\d{3}\]\ (?<Severity>\S+)\ (?<Class>\S+)\ -\ (?<Message>[\s\S]+)/
define REGEX_CATALINA /(?x)^(?<EventTime>\d{2}-\w{3}-\d{4}\ \d{2}:\d{2}:\d{2}).\d{3}\ (?<Message>[\s\S]+) | (?x)^(?<EventTime2>\w{3}\ \w{3}\ \d{2}\ \d{2}:\d{2}:\d{2})\ (?<Message2>[\s\S]+)/
<Extension gelfExt>
Module xm_gelf
# Avoid truncation of the short_message field to 64 characters.
ShortMessageLength 65536
</Extension>
<Extension syslogExt>
Module xm_syslog
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine %REGEX%
</Extension>
User nxlog
Group sfd
#Moduledir /usr/lib/nxlog/modules
Moduledir /usr/libexec/nxlog/modules
CacheDir /var/spool/nxlog
PidFile /var/run/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
<Input file_catalina1>
Module im_file
File '/opt/tomcat/logs/catalina.out'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
</Input>
<Input file_catalina2>
Module im_file
File '/opt/tomcat8081/logs/catalina.out'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
</Input>
<Input file_catalina3>
Module im_file
File '/opt/tomcat8082/logs/catalina.out'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
</Input>
#<Input file_catalina>
#Module im_file
#File "/opt/tomcat/logs/catalina.out"
#InputType multiline
#<Exec>
#if $raw_event =~ %REGEX_CATALINA% $EventTime = parsedate($1);
#</Exec>
#</Input>
<Input log4j1>
Module im_file
File "/opt/tomcat/logs/error.log"
InputType multiline
<Exec>
if $raw_event =~ %REGEX% $EventTime = parsedate($1);
</Exec>
</Input>
<Input log4j2>
Module im_file
File "/opt/tomcat8081/logs/error.log"
InputType multiline
<Exec>
if $raw_event =~ %REGEX% $EventTime = parsedate($1);
</Exec>
</Input>
<Input log4j3>
Module im_file
File "/opt/tomcat8082/logs/error.log"
InputType multiline
<Exec>
if $raw_event =~ %REGEX% $EventTime = parsedate($1);
</Exec>
</Input>
#<Input file_logs>
#Module im_file
#File '/opt/tomcat8081/logs/error.log'
#PollInterval 1
#SavePos True
#ReadFromLast True
#Recursive False
#RenameCheck False
#Exec $FileName = file_name(); # Send file name with each message
#</Input>
#<Input syslog-udp>
#Module im_udp
#Host 127.0.0.1
#Port 514
#Exec parse_syslog_bsd();
#</Input>
<Output gelf>
Module om_udp
Host graylog.intern.ti8m.ch
Port 1515
OutputType GELF
<Exec>
# These fields are needed for Graylog
$gl2_source_collector = 'fb04f873-aed9-441a-b3a9-7545d4c728f6';
$collector_node_id = 'app-01.prd.sfd.intern.ti8m.ch';
$Hostname = 'app-01.prd.sfd.intern.ti8m.ch';
</Exec>
</Output>
<Route route-1>
Path file_catalina1 => gelf
</Route>
<Route route-2>
Path log4j1 => gelf
</Route>
<Route route-3>
Path file_catalina2 => gelf
</Route>
<Route route-4>
Path log4j2 => gelf
</Route>
<Route route-5>
Path file_catalina3 => gelf
</Route>
<Route route-6>
Path log4j3 => gelf
</Route>
#<Route route-7>
#Path syslog-udp => gelf
#</Route>
Hope you can help solving the issue.
Thank you for your time.
Best regards,
Stefano Paci
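An added configuration example, not from the post and not Graylog or NXLog documentation, showing the two guards a GELF sender for Tomcat logs usually needs: a record that is empty or whitespace-only after multi-line assembly (a blank line at the end of a log, for instance) is dropped before the output sees it, and short_message is set explicitly from the first line of the record instead of being left for xm_gelf to derive. The file path, host and port are placeholders, and the example assumes xm_gelf uses $ShortMessage for short_message when that field is present.

```nxlog
<Extension gelfExt>
    Module      xm_gelf
    ShortMessageLength 65536
</Extension>

<Extension multiline>
    Module      xm_multiline
    # A new record starts at a log4j-style "[YYYY-MM-DD hh:mm:ss,mmm]" header.
    HeaderLine  /^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\]/
</Extension>

<Input log4j>
    Module      im_file
    File        '/opt/tomcat/logs/error.log'
    InputType   multiline
    <Exec>
        # Empty records are exactly what Graylog rejects with
        # 'empty mandatory "short_message" field': drop them here.
        if $raw_event =~ /^\s*$/ drop();
        # Use the first line of the (possibly multi-line) record as the
        # GELF short_message and the whole record as full_message.
        if $raw_event =~ /^([^\r\n]+)/ $ShortMessage = $1;
        $Message = $raw_event;
        $FileName = file_name();
    </Exec>
</Input>

<Output gelf>
    Module      om_udp
    Host        graylog.example.internal
    Port        12201
    OutputType  GELF
</Output>

<Route r>
    Path        log4j => gelf
</Route>
```

The same two statements can be put in a single Exec block of the om_udp output if several inputs feed it, so the guard is applied once regardless of which file a record came from.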
Compress the Windows event log during transmission
steven.su created
Hi,
I want to use nxlog to collect the Windows event log, gzip the log and send it to Logstash for further processing. Is it possible to include all the steps in one pipeline?
e.g.,
Input module -> collect the event log (im_msvistalog)
Output module -> compress the log (xm_zlib) and send it to Logstash (om_tcp)
Thank you.
Best regards,
Steven
XML Windows Logs + Rename + Resolver
lolpute created
Hi,
I can collect Windows Security events in XML format and send them to my SIEM like I wanted.
The result for an event 4624 is here:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-10-08T09:48:30.960813800Z'/><EventRecordID>457357</EventRecordID><Correlation/><Execution ProcessID='620' ThreadID='4724'/><Channel>Security</Channel><Computer>test</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-18</Data><Data Name='TargetUserName'>test$</Data><Data Name='TargetDomainName'>test.com</Data><Data Name='TargetLogonId'>0xeb6a3</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{49b0407a-e478-e673-1f20-942e0965289d}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>::1</Data><Data Name='IpPort'>49805</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
But now I want some magic, and I'm not Harry Potter, lol.
I don't know if it's possible, but I would like to:
use xm_resolver to resolve the SID from SubjectUserSid?
rename <Data Name='TargetUserName'>test$</Data> into <Data Name='computer'>test$</Data> if the EventID = 4624?
send the final result to my SIEM in LEEF or JSON?
I don't find any good example on the internet, and everything I try fails...
Can someone help?
thx ;)
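An added configuration example, not from the post, showing the three steps on the fields im_msvistalog already provides (the values visible in the XML above arrive as $SubjectUserSid, $TargetUserName and so on, so no XML parsing is needed): a SID lookup through xm_resolver, a conditional rename of TargetUserName to computer for 4624 machine-account logons, and JSON output. xm_resolver is an NXLog Enterprise Edition module and its sid_to_name() function, the instance names, the host and port are assumptions of this example; to_leef() from xm_leef would replace to_json() for a LEEF receiver.

```nxlog
<Extension _json>
    Module      xm_json
</Extension>

<Extension _resolver>
    Module      xm_resolver
</Extension>

<Input security>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # S-1-0-0 is the NULL SID (network logons carry it as the subject);
        # skip the lookup for it and keep the resolved name in its own field.
        if defined $SubjectUserSid and $SubjectUserSid != 'S-1-0-0'
            $SubjectUserResolved = _resolver->sid_to_name($SubjectUserSid);

        # Only a machine account (name ending in "$") is really a computer;
        # rename just those so user logons keep their TargetUserName.
        if $EventID == 4624 and defined $TargetUserName and $TargetUserName =~ /\$$/
        {
            $computer = $TargetUserName;
            delete($TargetUserName);
        }
    </Exec>
</Input>

<Output siem>
    Module      om_tcp
    Host        siem.example.internal
    Port        6514
    # Every remaining field, including the renamed one, goes out as JSON.
    Exec        to_json();
</Output>

<Route r>
    Path        security => siem
</Route>
```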
NXLog-ce-2.11.2190 stops sending logs after network disconnect and reconnect
Wrzek created
Hello,
My NXLog-ce-2.11.2190 stops sending logs after network disconnect and reconnect.
Last logs:
2021-10-05 11:40:09 INFO nxlog-ce-2.11.2190 started
2021-10-05 11:53:29 INFO reconnecting in 1 seconds
2021-10-05 11:53:29 ERROR om_udp apr_socket_send failed; An invalid argument was supplied.
2021-10-05 11:53:30 ERROR couldn't connect to udp socket on 10.2.1.159:9000; A socket operation was attempted to an unreachable network.
Config:
<Extension _gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security"></Select>
<Select Path="Microsoft-Windows-UniversalTelemetryClient/Operational"></Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_udp
Host 10.2.1.159
Port 9000
OutputType GELF
</Output>
<Route 1>
Path in => out
</Route>
System: Windows 10 Pro version 2004 on VMware vSphere 7.0
It is exactly the same question like here: https://www.mail-archive.com/nxlog-ce-users@lists.sourceforge.net/msg00970.html
but I'm using the latest version of NXLog-CE.
Any ideas, please...?
Possible to use nxlog to regularly check service status?
steven.su created
Hi,
We have the use case to get a specific service's status hourly, and it could be done via some PowerShell commands. However, we don't want to maintain the script on users' hosts and want to integrate the check into nxlog's configuration. Does the nxlog agent have the capability to run such a command hourly? Or is there any alternative method?
Many thanks in advance !
Best regards,
Steven
Using NXLog to Netwitness
jwilliams1010 created
Hi,
The decoders used in Netwitness: the job of a decoder is to select a parser to parse log files.
The Netwitness LogDecoder shows the Service Type as unknown, but I was expecting to see winevent_snare.
My NXLog config uses Exec $Message =~ s/(\t|\R)/ /g; to_syslog_snare(); to send Windows log data to the NETWITNESS collector/decoder.
The problem is the decoder is using unknown or rxlinux as the service type, not winevent_snare, to parse my Windows log files. I was looking for the decoder to use winevent_snare, but it does not.
Does anyone have a working NXLog config file to collect Windows event logs to Netwitness?
Thanks for your assistance,
Jim
Cannot communicate with database server
Julius.M. created
Hi, sorry, my English is bad.
Why, when I go to http://192.168.91.133:9090/nxlog-manager and enter the login "admin" and the password "nxlog123", do I get the error "could not contact the database server"?
OS: CentOS Linux release 8.4.2105
DB: usr/libexec/mysqld Ver 8.0.21 for Linux on x86_64 (Source distribution)
my.cnf -> [client]
password=asdf
Password "asdf" install mysql root user
./dbinit.sh - Done
in /etc/hosts -> 192.168.91.133 localhost.localdomain
[root@localhost db_init]# systemctl status mysqld.service
● mysqld.service - MySQL 8.0 database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-09-22 15:59:27 MSK; 9min ago
Process: 4119 ExecStopPost=/usr/libexec/mysql-wait-stop (code=exited, status=0/SUCCESS)
Process: 4277 ExecStartPost=/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
Process: 4196 ExecStartPre=/usr/libexec/mysql-prepare-db-dir mysqld.service (code=exited, status=0/SUCCESS)
Process: 4171 ExecStartPre=/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
Main PID: 4233 (mysqld)
Status: "Server is operational"
Tasks: 42 (limit: 49168)
Memory: 352.8M
CGroup: /system.slice/mysqld.service
└─4233 /usr/libexec/mysqld --basedir=/usr
Sep 22 15:59:27 localhost.localdomain systemd[1]: Starting MySQL 8.0 database server...
Sep 22 15:59:27 localhost.localdomain systemd[1]: Started MySQL 8.0 database server.
[root@localhost db_init]# service nxlog-manager status
● nxlog-manager.service - NXLog Manager
Loaded: loaded (/usr/lib/systemd/system/nxlog-manager.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2021-09-22 15:58:28 MSK; 11min ago
Main PID: 4013 (java)
Tasks: 53 (limit: 49168)
Memory: 1.5G
CGroup: /system.slice/nxlog-manager.service
└─4013 /usr/bin/java -Xms1g -Xmx2g -XX:PermSize=64m -XX:MaxPermSize=256m -Xss2m -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -Dorg.apache.commons.collections.enableUnsa>
Sep 22 16:00:13 localhost.localdomain service.sh[4013]: Sep 22, 2021 4:00:13 PM org.apache.jasper.compiler.JDTJavaCompiler setSourceVM
Sep 22 16:00:13 localhost.localdomain service.sh[4013]: WARNING: Unknown source VM 1.7 ignored.
Sep 22 16:00:14 localhost.localdomain service.sh[4013]: Sep 22, 2021 4:00:14 PM org.apache.jasper.compiler.JDTJavaCompiler setTargetVM
Sep 22 16:00:14 localhost.localdomain service.sh[4013]: WARNING: Unknown target VM 1.7 ignored.
nxlog-manager.log
2021-09-22 16:23:28,589 WARN localhost.localdomain unknown [com.mchange.v2.resourcepool.BasicResourcePool] - com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask@487eb16 -- Acquisition Attempt Failed!!! Clearing pending acquires. While trying to acquire a needed new resource, we failed to succeed more than the maximum number of allowed acquisition attempts (30). Last acquisition attempt exception:
java.sql.SQLException: Unknown system variable 'tx_isolation'
at org.mariadb.jdbc.internal.SQLExceptionMapper.get(SQLExceptionMapper.java:149)
at org.mariadb.jdbc.internal.SQLExceptionMapper.throwException(SQLExceptionMapper.java:106)
at org.mariadb.jdbc.MySQLStatement.executeQueryEpilog(MySQLStatement.java:268)
at org.mariadb.jdbc.MySQLStatement.execute(MySQLStatement.java:296)
at org.mariadb.jdbc.MySQLStatement.executeQuery(MySQLStatement.java:349)
at org.mariadb.jdbc.MySQLStatement.executeQuery(MySQLStatement.java:408)
at org.mariadb.jdbc.MySQLConnection.getTransactionIsolation(MySQLConnection.java:410)
at com.mchange.v2.c3p0.impl.NewPooledConnection.<init>(NewPooledConnection.java:120)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:240)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:206)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:203)
at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1138)
at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1125)
at com.mchange.v2.resourcepool.BasicResourcePool.access$700(BasicResourcePool.java:44)
at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1870)
at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:696)
Caused by: org.mariadb.jdbc.internal.common.QueryException: Unknown system variable 'tx_isolation'
at org.mariadb.jdbc.internal.mysql.MySQLProtocol.getResult(MySQLProtocol.java:995)
at org.mariadb.jdbc.internal.mysql.MySQLProtocol.executeQuery(MySQLProtocol.java:1050)
at org.mariadb.jdbc.internal.mysql.MySQLProtocol.executeQuery(MySQLProtocol.java:1030)
at org.mariadb.jdbc.MySQLStatement.execute(MySQLStatement.java:289)
... 12 more
powershell no returns value
d.muromtsev created
I am using Nxlog 5.4.7313 and I have such a config block.
<Input perf_process>
Module im_exec
BufferSize 200
Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Arg "-ExecutionPolicy"
Arg "remotesigned"
Arg "-File"
Arg "C:\scripts\Get-ProcessUtilization.ps1"
Restart TRUE
</Input>
<Output out>
Module om_file
File 'c:\nxlog.txt'
</Output>
<Route client>
Path perf_process => out
</Route>
When the service starts, it doesn't write anything to the output file. But if I execute "stop-process -name powershell" as administrator, then on the next cycle the PowerShell script is restarted and the data appears in the output. Also, the command "net stop nxlog" cannot on its own stop the scripts that were launched the first time.
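An added example, not the configuration of either poster, that serves both the hourly service-status question earlier on this page (steven.su's post) and the im_exec PowerShell input in this post. im_exec expects one long-lived process whose stdout it reads line by line, so the check is written as a loop with Start-Sleep rather than a script that runs once and exits; the whole check is passed with -Command, so there is no script file to maintain on the host and, because -Command strings are not subject to ExecutionPolicy, no Bypass flag is needed. The service names, the output path and the one-hour interval are assumptions; the example does not claim to explain why the original script produced no output.

```nxlog
<Output out>
    Module      om_file
    File        'C:\nxlog\service-status.txt'
</Output>

<Input svc_status>
    Module      im_exec
    Command     "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Arg         "-NoProfile"
    Arg         "-NonInteractive"
    Arg         "-Command"
    # One JSON object per service per pass, then sleep for an hour. The loop
    # keeps the process alive between checks, which is what im_exec expects;
    # Restart only covers the case where PowerShell exits or crashes.
    Arg         "while ($true) { Get-Service -Name Spooler, W32Time | ForEach-Object { @{ service = $_.Name; status = $_.Status.ToString(); checked = (Get-Date).ToUniversalTime().ToString('o') } | ConvertTo-Json -Compress }; Start-Sleep -Seconds 3600 }"
    Restart     TRUE
    <Exec>
        # Each line read from the process becomes one event; stamp it with the
        # time the agent received it.
        $EventTime = now();
    </Exec>
</Input>

<Route svc>
    Path        svc_status => out
</Route>
```

The agent runs this as the nxlog service account, so the command line is effectively configuration-controlled code execution on every host it is deployed to; keep the configuration file writable only by administrators.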
Using NxLog with to_syslog_snare() for Windows Events
jwilliams1010 created
Using NxLog with "Exec to_syslog_snare();" to output Windows events. What parser should be used by the decoder? I thought maybe winevent_snare, but maybe it is rhlinux.
Which parser should be used... or should I only care that the Windows event logs are parsed correctly?
Add hostname to the beginning of the log
Symphonia created
I need to prepend a hostname to the raw log, because the log being transferred does not show the host that is forwarding it. I need to add a hostname to identify which host the log is being forwarded from.
Here is the output. How do I add the hostname?
<Input internal>
Module im_internal
Exec $Message = to_json();
</Input>
<Input cs>
Module im_file
File 'C:\fdr\out\data*.json'
CloseWhenIdle TRUE
DirCheckInterval 300
Recursive TRUE
ReadFromLast FALSE
<OnEOF>
<Exec>
file_remove(file_name());
</Exec>
</OnEOF>
</Input>
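An added configuration example, not from the post, showing two ways to carry the forwarding host in each record: adding it as a field inside the JSON line (so the line stays parseable) or prefixing the raw line with it. It reuses the input from the post, adds the xm_fileop extension that file_remove() depends on, and assumes the data files are JSON lines; the field name ForwardingHost is mine.

```nxlog
<Extension _json>
    Module      xm_json
</Extension>

<Extension _fileop>
    Module      xm_fileop
</Extension>

<Input cs>
    Module      im_file
    File        'C:\fdr\out\data*.json'
    CloseWhenIdle TRUE
    DirCheckInterval 300
    Recursive   TRUE
    ReadFromLast FALSE
    <Exec>
        if $raw_event =~ /^\s*\{/
        {
            # Option A: keep the line valid JSON and add the sender as a field.
            parse_json();
            $ForwardingHost = hostname_fqdn();
            to_json();
        }
        # Option B, for a receiver that wants "<host> <original line>":
        # $raw_event = hostname_fqdn() + ' ' + $raw_event;
    </Exec>
    <OnEOF>
        Exec    file_remove(file_name());
    </OnEOF>
</Input>
```

hostname_fqdn() is resolved on the agent; if the receiver should see a fixed label instead, a define (`define AGENT_NAME ...` and `'%AGENT_NAME%'`) avoids depending on DNS at the edge.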
NXLOG agent deployed on Windows causing continuous .dmp files on C: drive, causing issues for Windows server
RickKlemola created
Anyone experience this? New to NXLOG Community, first experience deploying. Servers are Windows 2019 Datacenter.
Test question
ArkadiyDeactivated Nxlog ✓ created
Want to check whether the links issue still persists.
Error PCRE match_limit
jd01 created
Hi, can anyone help me out with this error:
2021-09-02 11:30:35 ERROR pcre match_limit reached for regexp /(?-i:vd=")(?!X|Y|Z).*".*dstport=999/
Does this mean that the regex is performing poorly and the engine is skipping the argument?
TIA.
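An added example, not from the post, showing the same pattern written so that PCRE cannot run into match_limit. The two unbounded `.*` before literals are what make the engine try every way of splitting a non-matching line before it gives up; bounding the first run to "anything but a quote" (a vd value cannot contain one) and making the second lazy removes that blow-up. The input path and the field set on a hit are placeholders, and the `\b` anchors are a tightening of the original (it also matched dstport=9990).

```nxlog
<Input fw>
    Module      im_file
    File        '/var/log/fortigate/*.log'
    <Exec>
        # Original: /(?-i:vd=")(?!X|Y|Z).*".*dstport=999/
        # Bounded form: vd value up to its closing quote, then a lazy scan to
        # the port. Each position is visited a bounded number of times, so the
        # worst case on a non-matching line is linear instead of quadratic.
        if $raw_event =~ /vd="(?!X|Y|Z)[^"]*".*?\bdstport=999\b/
            $RuleHit = 'vd-not-xyz-dstport-999';
    </Exec>
</Input>
```

When match_limit is reported, NXLog logged the error and treated the expression as a non-match for that record, so the rule silently missed events until the pattern was fixed; checking the nxlog.log for further occurrences after the change is the verification step.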
Send custom value in iis_log message
Anbers created
I want to know if it is possible to send a custom field and value along with the IIS log message. Actually this is my config:
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _gelf>
#Module xm_syslog
Module xm_gelf
#Module xm_json
</Extension>
<Extension w3c_parser>
Module xm_csv
Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
sc-status, sc-substatus, sc-win32-status, time-taken
FieldTypes string, string, string, string, string, string, integer, \
string, string, string, string, integer, integer, integer, \
integer
Delimiter ' '
EscapeChar '"'
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input in2>
Module im_file
File "c:\\logs\\app\\iislog\\u_extend1.log"
<Exec>
if $raw_event =~ /^#/ drop();
else
{
w3c_parser->parse_csv();
$EventTime = parsedate($date + "T" + $time + ".000Z");
}
</Exec>
</Input>
<Output out>
Module om_udp
Host 172.28.36.25
Port 12201
#Exec to_syslog_snare();
OutputType GELF
</Output>
<Route 1>
Path in2 => out
</Route>
This works great, but I need to add a custom, static value to the message, like FIELD: "system", VALUE: "program1", and this value is always the same:
date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken, **system**
Is this possible?
Thanks!
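An added configuration example, not from the post, showing the static field added in the same Exec block that parses the W3C line. xm_gelf emits every field that is not part of the GELF core set as an additional field prefixed with an underscore, so the value arrives in Graylog as `_system`; putting the value in a define keeps it in one place when several inputs need the same tag. Instance names and the define are mine; host, port and the parser definition are taken from the post.

```nxlog
define SYSTEM_TAG   program1

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Extension w3c_parser>
    Module      xm_csv
    Fields      date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
                s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
                sc-status, sc-substatus, sc-win32-status, time-taken
    FieldTypes  string, string, string, string, string, string, integer, \
                string, string, string, string, integer, integer, integer, \
                integer
    Delimiter   ' '
    EscapeChar  '"'
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

<Input iis>
    Module      im_file
    File        "C:\\logs\\app\\iislog\\u_extend1.log"
    <Exec>
        # Header lines of the W3C log start with '#'.
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c_parser->parse_csv();
            $EventTime = parsedate($date + "T" + $time + ".000Z");
            # Static tag, sent by xm_gelf as the additional field "_system".
            $system = '%SYSTEM_TAG%';
        }
    </Exec>
</Input>

<Output gelf>
    Module      om_udp
    Host        172.28.36.25
    Port        12201
    OutputType  GELF
</Output>

<Route r>
    Path        iis => gelf
</Route>
```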
How to merge event fields by ID?
hugh_yang created
Hi.
I have a problem that I can't find a solution.
Using im_file I read some text as follows:
[20210816-094441] ID=123 some information1
[20210816-094441] ID=123 some information2
[20210816-094441] ID=124 some information3
[20210816-094441] ID=124 some information4
I need to merge events according to the ID field. The expected output is as follows. I found some information and tried to use pm_evcorr, but the community version lacks get_prev_event_data().
[20210816-094441] ID=123 some information1 some information2
[20210816-094441] ID=124 some information3 some information4
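An added configuration example, not from the post, that merges consecutive lines with the same ID using only core-language module variables (set_var/get_var), so it does not need pm_evcorr. The input keeps one open group in a variable; lines with the same ID are appended and dropped, and when the ID changes the current record is rewritten to carry the completed group before the new line takes its place in the buffer. The file path is a placeholder; the line shape is taken from the sample in the post.

```nxlog
<Input app>
    Module      im_file
    File        '/var/log/app/events.log'
    ReadFromLast FALSE
    <Exec>
        # Line shape: "[20210816-094441] ID=123 some information1"
        if $raw_event =~ /^(\[[^\]]+\] ID=(\d+)) (.+)$/
        {
            $Prefix = $1;   # "[20210816-094441] ID=123"
            $ID     = $2;   # "123"
            $Info   = $3;   # "some information1"
            if not defined get_var('merge_id')
            {
                # Very first line: open a buffer, emit nothing yet.
                set_var('merge_id',  $ID);
                set_var('merge_msg', $Prefix + ' ' + $Info);
                drop();
            }
            else if get_var('merge_id') == $ID
            {
                # Same ID as the open buffer: append the text, swallow the line.
                set_var('merge_msg', get_var('merge_msg') + ' ' + $Info);
                drop();
            }
            else
            {
                # ID changed: this record leaves the input carrying the
                # completed group, and the current line opens the next buffer.
                $raw_event = get_var('merge_msg');
                set_var('merge_id',  $ID);
                set_var('merge_msg', $Prefix + ' ' + $Info);
                delete($Prefix);
                delete($ID);
                delete($Info);
            }
        }
    </Exec>
</Input>
```

On the four sample lines this emits `[20210816-094441] ID=123 some information1 some information2` when the first ID=124 line arrives. The limitation is the flip side of the design: the last group (ID=124 here) stays in the buffer until a line with a different ID shows up, and the buffer is per module instance and not persisted across a restart, so interleaved IDs or an abrupt stop lose or split a group.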
NXLog-Manager install on Win 2019 Docker fails
mlevesque created
Environment: VMware vSphere 6.7 running a VM with Windows 2019 Datacenter + Docker Enterprise version 20.10.6
Windows detects an Intel Xeon Silver 4414 CPU.
Tried command: docker-compose up -d
Results:
Pulling db (mysql:5.5)...
5.5: Pulling from library/mysql
ERROR: no matching manifest for windows/amd64 10.0.17763 in the manifest list entries
What can I do to get the NXLog Docker image loaded?
How to deploy NXLog CE edition using Azure Intune
palezvar created
Hello folks:
I downloaded the latest MSI file for the CE edition and used it in Azure Intune to deploy it as a "Line of Business Application". Unfortunately, the status of the app deployment remains "Waiting for install status" in the Intune portal.
So I decided to test the PowerShell install on my Win10 laptop using the following command in PowerShell with elevated privileges:
msiexec.exe /i .\nxlog-ce-2.11.2190.msi /quiet /l*v "C:\NXLogCE-Install.log"
I'm not having any luck on my laptop either. I basically see the following:
=== Verbose logging started: 8/23/2021 15:53:19 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (E4:B4) [15:53:19:924]: Resetting cached policy values
MSI (c) (E4:B4) [15:53:19:924]: Machine policy value 'Debug' is 0
MSI (c) (E4:B4) [15:53:19:924]: ******* RunEngine:
******* Product: .\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (c) (E4:B4) [15:53:19:924]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (E4:B4) [15:53:19:924]: Grabbed execution mutex.
MSI (c) (E4:B4) [15:53:19:930]: Cloaking enabled.
MSI (c) (E4:B4) [15:53:19:930]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (E4:B4) [15:53:19:931]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:934]: Running installation inside multi-package transaction C:\Users\palezvar\Desktop.\nxlog-ce-2.11.2190.msi
MSI (s) (24:4C) [15:53:19:934]: Grabbed execution mutex.
MSI (s) (24:2C) [15:53:19:935]: Resetting cached policy values
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'Debug' is 0
MSI (s) (24:2C) [15:53:19:935]: ******* RunEngine:
******* Product: C:\Users\palezvar\Desktop.\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (24:2C) [15:53:19:952]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:2C) [15:53:19:952]: SRSetRestorePoint skipped for this transaction.
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1324 2: . 3: 1
MSI (s) (24:2C) [15:53:19:953]: MainEngineThread is returning 2
MSI (s) (24:4C) [15:53:19:953]: No System Restore sequence number for this installation.
MSI (s) (24:4C) [15:53:19:954]: User policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Machine policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:955]: MainEngineThread is returning 2
=== Verbose logging stopped: 8/23/2021 15:53:19 ===
What am I doing wrong?
Thanks,
Multiple NICs on Windows server
mcerone created
Hello,
We have two Windows servers on which we are using the NxLog agent to forward Windows events to a log collection platform.
The servers have two NICs, and we are getting the wrong NIC's IP address in the messages forwarded by NxLog.
The agent version is 4.6.4640.
The server is Windows Server 2016 Standard.
Here is the output module from the template applied:
<module>om_udp</module>
<config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<type>OUTPUT</type>
<verbatim>Exec $Hostname = string(host_ip());
Exec to_syslog_snare(); </verbatim>
<connect-address>SERVERIP</connect-address>
<port>514</port>
<output-format>Dgram</output-format>
</config>
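An added configuration example, not from the post and not the NXLog Manager template, written as the plain agent configuration the template generates. host_ip() with no argument returns the first non-loopback address the host name resolves to, which on a dual-homed server is whichever NIC the resolver lists first, so the example pins the address from a define instead and mentions the two alternatives. The collector address, the management address and the instance names are assumptions; that host_ip() takes an optional index selecting the n-th resolved address is also assumed here.

```nxlog
define MGMT_IP  10.10.20.30

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input eventlog>
    Module      im_msvistalog
</Input>

<Output collector>
    Module      om_udp
    Host        10.10.20.1
    Port        514
    <Exec>
        # Do not trust resolution order on a multi-homed host: set the
        # address the collector should see explicitly. Alternatives are
        # host_ip(2) for the second resolved address, or hostname_fqdn()
        # so the collector resolves the name on its side.
        $Hostname = '%MGMT_IP%';
        to_syslog_snare();
    </Exec>
</Output>

<Route r>
    Path        eventlog => collector
</Route>
```

Whichever form is used, the value is a label inside the message, not the packet's source address; if the collection platform keys on the UDP source instead, the fix is a route or binding on the Windows side, not in NXLog.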