Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Problems sending Microsoft IIS logs to Graylog
Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the Windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150, and I am not getting the IIS logs either. I attach the implemented configuration file:

    Panic Soft
    define INSTALLDIR C:\Program Files\nxlog

    #ModuleDir %INSTALLDIR%\modules
    #CacheDir %INSTALLDIR%\data
    #SpoolDir %INSTALLDIR%\data

    define CERTDIR %INSTALLDIR%\cert
    define CONFDIR %INSTALLDIR%\conf\nxlog.d

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the LogFile directive (see below). The MYLOGFILE
    # define is also used to rotate the log file automatically (see the
    # _fileop block).
    define LOGDIR %INSTALLDIR%\data
    define MYLOGFILE %LOGDIR%\nxlog.log

    # If you are not using NXLog Manager, disable the include line and enable
    # LogLevel and LogFile.
    #include %CONFDIR%*.conf
    LogLevel INFO
    LogFile %MYLOGFILE%

    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _json>
        Module xm_json
    </Extension>

    <Extension syslog>
        Module xm_syslog
    </Extension>

    # This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is
    # changed in managed.conf via NXLog Manager, rotation of the new file
    # should also be configured there.
    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            <Exec>
                if ( file_exists('%MYLOGFILE%') and
                     (file_size('%MYLOGFILE%') >= 5M) )
                {
                    file_cycle('%MYLOGFILE%', 8);
                }
            </Exec>
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
        </Schedule>
    </Extension>

    <Input eventlog>
        Module im_msvistalog
        Query <QueryList> <Query Id="0"> <Select Path="System"></Select> <Select Path="Security"></Select> <Select Path="Microsoft-IIS-Logging/Logs">*</Select> </Query> </QueryList>
    </Input>

    <Input iis_w3c>
        Module im_file
        File "X:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log"
        SavePos TRUE
        InputType LineBased
        Exec if $raw_event =~ /^#/ drop(); \
             else \
             { \
                 w3c_parser->parse_csv(); \
                 $EventTime = parsedate($date + " " + $time); \
                 $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
                 $SourceName = "IIS"; \
                 $SiteName = "Test"; \
                 $Message = to_json(); \
             }
    </Input>

    <Output udp>
        Module om_udp
        Host XXX.XXX.XXX.XXX --> my_graylog_server
        Port XXXX --> port
        OutputType GELF_UDP
        Exec to_syslog_bsd();
        Exec log_info("sending data: " + $raw_event);
    </Output>

    <Route eventlog_to_udp_win>
        Path eventlog => udp
    </Route>

    <Route iis_w3c_to_udp_iis>
        Path iis_w3c => udp
    </Route>

bercom created
Replies: 1
Problems sending Microsoft SQL logs to Graylog
Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the Windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150, and I am not getting the SQL logs either. I attach the implemented configuration files:

nxlog.con (nxlog EE v.5.3.6735):

    Panic Soft
    define INSTALLDIR C:\Program Files\nxlog

    #ModuleDir %INSTALLDIR%\modules
    #CacheDir %INSTALLDIR%\data
    #SpoolDir %INSTALLDIR%\data

    define CERTDIR %INSTALLDIR%\cert
    define CONFDIR %INSTALLDIR%\conf\nxlog.d

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the LogFile directive (see below). The MYLOGFILE
    # define is also used to rotate the log file automatically (see the
    # _fileop block).
    define LOGDIR %INSTALLDIR%\data
    define MYLOGFILE %LOGDIR%\nxlog.log

    # If you are not using NXLog Manager, disable the include line and enable
    # LogLevel and LogFile.
    include %CONFDIR%*.conf
    #LogLevel INFO
    #LogFile %MYLOGFILE%

    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    # This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is
    # changed in managed.conf via NXLog Manager, rotation of the new file
    # should also be configured there.
    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            <Exec>
                if ( file_exists('%MYLOGFILE%') and
                     (file_size('%MYLOGFILE%') >= 5M) )
                {
                    file_cycle('%MYLOGFILE%', 8);
                }
            </Exec>
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
        </Schedule>
    </Extension>

    <Input eventlog>
        Module im_msvistalog
    </Input>

    <Input eventlogSQL>
        Module im_odbc
        ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=<server_name>; Trusted_Connection=yes; DATABASE=MASTER;
        PollInterval 5
        IdType timestamp
        SQL SELECT event_time AS 'id', f., a.name AS action_name FROM fn_get_audit_file('X:\SQLDATA\Log\logfiles\Audit-.sqlaudit', default, default) AS f INNER JOIN sys.dm_audit_actions AS a ON f.action_id = a.action_id WHERE event_time > ?
        <Exec>
            delete($id);
            rename_field($event_time, $EventTime);
        </Exec>
    </Input>

    <Output udp>
        Module om_udp
        Host XXX.XXX.XXX.XXX --> my_graylog_server
        Port XXXX --> port
        OutputType GELF_UDP
    </Output>

    <Output udpSQL>
        Module om_udp
        Host XXX.XXX.XXX.XXX --> my_graylog_server
        Port XXXX --> port
        OutputType GELF_UDP
    </Output>

    <Route eventlog_to_udp>
        Path eventlog => udp
    </Route>

    <Route eventlog_to_udpSQL>
        Path eventlogSQL => udpSQL
    </Route>

nxlog.con (nxlog CEv.2.10.2150):

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            Exec if (file_exists('%LOGFILE%') and \
                    (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>

    <Input eventlog>
        Module im_msvistalog
    </Input>

    <Output udp>
        Module om_udp
        Host XXX.XXX.XXX.XXX --> my_graylog_server
        Port XXXX --> port
        OutputType GELF_UDP
    </Output>

    <Route eventlog_to_udp>
        Path eventlog => udp
    </Route>

bercom created
multiple patterndb definitions
I want to use pattern matching on different streams, and have different patterndb XML files, like this ...

    # Filter for system logs
    <Processor client_filter>
        Module pm_pattern
        PatternFile /data/conf/patterndb.xml
    </Processor>

    # Filter for SEQ
    <Processor seq_filter>
        Module pm_pattern
        PatternFile /data/conf/seq_pattern.xml
    </Processor>

    #Filter for RDS
    <Processor rds_filter>
        Module pm_pattern
        PatternFile /data/conf/rds_pattern.xml
    </Processor>

and call them like this...

    <Route route2001>
        Path client2001 => client_filter => client_to_sumo,judo-sumo-uat,client_master
    </Route>

    <Route route2002>
        Path client2002 => seq_filter => client_to_sumo,judo-sumo-uat,client_master
    </Route>

etc...

Is that possible? It doesn't seem to be working as I hoped.

wallet created
Replies: 1
timestamp in millisecond
Hello,

I have tried the link below and am still struggling...

https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_global_dateformat

How to get the following timestamp?

    RFC 5424 local time: 2021-05-21T03:05:03.001+02:00
    RFC 5424 UTC: 2021-05-21T01:05:03.001Z

Thanks in advance for your help.

Ted210 created
Replies: 1
[xm_admin|agent_managment] connection failed but logs are successfully sent to Splunk Server
Hi, I have installed nxlog inside a virtual machine in vCenter. Whenever I start the nxlog service, by default it tries to connect to one particular IP, which is the gateway of vCenter, and then the connection fails. So I changed the IP address to the virtual machine IP from the config.d file, but the connection still fails. However, whenever performing a query from nxlog, it successfully sends event logs to Splunk. Can you please help me understand the issue? I am doing a POC (Proof of Concept) on NXLog for Philips products.

    2021-07-29 22:58:32 INFO [CORE|main] nxlog-5.3.6735-trial started
    2021-07-29 22:58:32 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
    2021-07-29 22:58:32 INFO [om_tcp|out] connecting to 10.232.44.92:1524
    2021-07-29 22:58:32 INFO [om_tcp|out] successfully connected to 10.232.44.92:1524
    2021-07-29 22:58:33 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
    2021-07-29 22:58:33 INFO [xm_admin|agent_managment] reconnecting in 1 sec
    2021-07-29 22:58:34 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
    2021-07-29 22:58:35 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
    2021-07-29 22:58:35 INFO [xm_admin|agent_managment] reconnecting in 2 sec

AshishKumar created
Replies: 1
Unable to filter multiple Event IDs from security logs using im_msvistalog module
Hi, I am doing a POC on NXLog for a Philips product. When I extract event logs only for Security using the im_msvistalog module, it successfully extracts the logs and sends them to the Splunk server. But when I add a filter by referring to https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html, where I have used ExtendedWindowsToCollect in the Input tag, I face multiple errors like unused modules and couldn't parse Exec. Please see the details of the conf and log files below. Please help me here if the config file requires any changes.

Note: The defined Event IDs are just an example since I have a big list to be added to the config file.

config file

    Panic Soft
    define INSTALLDIR C:\Program Files\nxlog

    #ModuleDir %INSTALLDIR%\modules
    #CacheDir %INSTALLDIR%\data
    #SpoolDir %INSTALLDIR%\data

    define CERTDIR %INSTALLDIR%\cert
    define CONFDIR %INSTALLDIR%\conf\nxlog.d

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the LogFile directive (see below). The MYLOGFILE
    # define is also used to rotate the log file automatically (see the
    # _fileop block).
    define LOGDIR %INSTALLDIR%\data
    define MYLOGFILE %LOGDIR%\nxlog.log

    # If you are not using NXLog Manager, disable the include line and enable
    # LogLevel and LogFile.
    include %CONFDIR%*.conf
    #LogLevel INFO
    #LogFile %MYLOGFILE%

    # Define security IDs
    define Security 4634, 4647, 4648, 4656, 4661, 4662, 4672, 4688, 4689, 4704, 4705, 4706, 4707, 4713, 4716, 4717, \
                    4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension _json>
        Module xm_json
    </Extension>

    <Input ExtendedWindowsToCollect>
        Module im_msvistalog
        TolerateQueryErrors TRUE
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path ='Security'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            if ($EventID NOT IN (%Security%) drop();
        </Exec>
    </Input>

    <Output TCP>
        Module om_tcp
        Host 10.232.44.92
        Port 1524
        Exec to_json();
    </Output>

    <Route Out>
        Path ExtendedWindowsToCollect = TCP
    </Route>

    # This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is
    # changed in managed.conf via NXLog Manager, rotation of the new file
    # should also be configured there.
    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            <Exec>
                if ( file_exists('%MYLOGFILE%') and
                     (file_size('%MYLOGFILE%') >= 5M) )
                {
                    file_cycle('%MYLOGFILE%', 8);
                }
            </Exec>
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
        </Schedule>
    </Extension>

config log file

    2021-07-30 00:02:23 INFO [CORE|main] nxlog-5.3.6735-trial started
    2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module TCP
    2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect
    2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' is already defined at C:\Program Files\nxlog\conf\nxlog.conf:63
    2021-07-30 00:03:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:03:53 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71
    2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71
    2021-07-30 00:03:53 ERROR [CORE|main] route Out is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:71
    2021-07-30 00:03:53 INFO [CORE|main] nxlog-5.3.6735-trial started
    2021-07-30 00:03:53 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect
    2021-07-30 00:03:53 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
    2021-07-30 00:03:54 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
    2021-07-30 00:03:54 INFO [xm_admin|agent_managment] reconnecting in 1 sec
    2021-07-30 00:03:55 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
    2021-07-30 00:23:22 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:23:22 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:23:22 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:23:22 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71
    2021-07-30 00:23:22 ERROR [CORE|main] exiting...
    2021-07-30 00:24:27 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:24:27 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:24:27 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:24:27 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71
    2021-07-30 00:24:27 ERROR [CORE|main] exiting...
    2021-07-30 00:25:32 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:25:32 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:25:32 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:25:32 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:25:32 ERROR [CORE|main] exiting...
    2021-07-30 00:25:43 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:25:43 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:25:43 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:25:43 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:25:43 ERROR [CORE|main] exiting...
    2021-07-30 00:26:36 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:26:36 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:26:36 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:26:36 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:26:36 ERROR [CORE|main] exiting...
    2021-07-30 00:27:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:27:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:27:02 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:27:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:27:02 ERROR [CORE|main] exiting...
    2021-07-30 00:27:40 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:27:40 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:27:40 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:27:40 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:27:40 ERROR [CORE|main] exiting...
    2021-07-30 00:27:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:27:53 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:27:53 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:27:53 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:27:53 ERROR [CORE|main] exiting...
    2021-07-30 00:28:07 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:28:07 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:28:07 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:28:07 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:28:07 ERROR [CORE|main] exiting...
    2021-07-30 00:28:46 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:28:46 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:28:46 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:28:46 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:28:46 ERROR [CORE|main] exiting...
    2021-07-30 00:28:58 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:28:58 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:28:58 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:28:58 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:28:58 ERROR [CORE|main] exiting...
    2021-07-30 00:29:13 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:29:13 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:29:13 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:29:13 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:29:13 ERROR [CORE|main] exiting...
    2021-07-30 00:29:50 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:29:50 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:29:50 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:29:50 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:29:50 ERROR [CORE|main] exiting...
    2021-07-30 00:30:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
    2021-07-30 00:30:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
    2021-07-30 00:30:02 WARNING [CORE|main] no functional input modules!
    2021-07-30 00:30:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
    2021-07-30 00:30:02 ERROR [CORE|main] exiting...

AshishKumar created
Replies: 1
Timestamps & failover
Hello,

We have the NXLog Enterprise Edition.

How to include milliseconds in timestamps of NXLog? E.g.: yyyy-mm-dd ... ss-mm + 2.00

Reconnecting the cable after removing it loses log output. How to fix such a failover issue with NXLog?

Thanks for your attention.

Ted210 created
Replies: 1
to_json and special characters
Hello,

I have a question regarding the xm_json module of nxlog-ce v2.10. I am sending Windows logs to our syslog server and using a JSON message with a BSD header like so:

    <Input in_winlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="System">*</Select>
                    <Select Path="Application">*</Select>
                    <Select Path="Security">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            $SyslogFacilityValue = syslog_facility_value("local1");
        </Exec>
    </Input>

    <Output out_syslog>
        Module om_udp
        Host 10.10.231.62
        port 514
        <Exec>
            $Hostname = string(host_ip());
            $Keywords = string($Keywords);
            $Message = to_json();
            $Message =~ s/}$/,"field":"value"}\n/g;
            $Message =~ s/\\[r|n|t]/ /g;
            $Message =~ s/\s{2,}/ /g;
            to_syslog_bsd();
        </Exec>
    </Output>

So on output I convert the message to JSON, then add an extra field to the end of it, then remove the \t, \r, \n characters in the message and finally clean up the extra whitespace left by the previous substitution.

This has a side-effect of modifying any string that contains the \t, \t or \n character in it; typically the "A user DOMAIN\ruser1" string will be changed to "A user DOMAIN\ user1" (space after backslash), mangling the JSON string in the process.

So to prevent this, I changed the output to the following:

    <Output out_syslog>
        Module om_udp
        Host 10.10.231.62
        port 514
        <Exec>
            $Hostname = string(host_ip());
            $Keywords = string($Keywords);
            $Message = replace($Message, "\r", " ");
            $Message = replace($Message, "\n", " ");
            $Message = replace($Message, "\t", " ");
            $Message = to_json();
            $Message =~ s/}$/,"field":"value"}\n/g;
            $Message =~ s/\\r\\n\\t\\t\\t/ /g;
            $Message =~ s/\s{2,}/ /g;
            # $Message =~ s/\\[r|n|t]/ /g;
            to_syslog_bsd();
        </Exec>
    </Output>

This time doing the substitutions before converting to JSON.

Using this configuration, when the to_json(); is executed I see on event ID 4672 that the privilegelist field is populated along with a \r\n\t\t\t sequence. I would have thought that the replace actions would have gotten rid of those. Is this an expected behavior or am I doing this the wrong way?

For the moment I added $Message =~ s/\\r\\n\\t\\t\\t/ /g; to get rid of this specific sequence, but how can I be sure that other messages are not affected by another sequence of tabulations and carriage returns?

Thanks for your time.

Vincent

vguyard created
Replies: 1
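Added example (not part of vguyard's post and not NXLog code): a Python model of the cleanup orders described in the post above, with the event as a dict of fields and `json.dumps` standing in for `to_json()`. The sample event and all function names are constructed for illustration; it shows why rewriting escape sequences in the serialized text breaks `DOMAIN\ruser1`, why cleaning only `Message` leaves the sequence in `PrivilegeList`, and two alternatives that keep the JSON valid.

```python
import json
import re

# Constructed sample event (not taken from a real host), modelled as a dict of fields.
EVENT = {
    "EventID": 4672,
    "Message": "Special privileges assigned.\r\n\tA user DOMAIN\\ruser1",
    "PrivilegeList": "SeBackupPrivilege\r\n\t\t\tSeRestorePrivilege",
}


def parses(text):
    # True if text is valid JSON.
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def cleanup_after(event):
    # First attempt in the post: serialize, then s/\\[r|n|t]/ /g and s/\s{2,}/ /g.
    # The regex also hits the "\r" inside the escaped backslash pair "\\r".
    text = json.dumps(event)
    text = re.sub(r"\\[r|n|t]", " ", text)
    return re.sub(r"\s{2,}", " ", text)


def cleanup_message_only(event):
    # Second attempt: replace() on Message alone, then serialize every field.
    fields = dict(event)
    for ch in ("\r", "\n", "\t"):
        fields["Message"] = fields["Message"].replace(ch, " ")
    return json.dumps(fields)


# In serialized text, \r, \n or \t is an escape sequence only when it is
# preceded by an even number of backslashes (each pair is a literal backslash).
ESCAPED_WS = re.compile(r"(?<!\\)((?:\\\\)*)\\[rnt]")


def cleanup_escape_aware(event):
    # Post-serialization cleanup that leaves literal backslashes alone.
    text = json.dumps(event)
    text = ESCAPED_WS.sub(lambda m: m.group(1) + " ", text)
    return re.sub(r" {2,}", " ", text)


def cleanup_before(event):
    # Normalize whitespace in every string field, then serialize.
    fields = {
        key: re.sub(r"\s+", " ", value) if isinstance(value, str) else value
        for key, value in event.items()
    }
    return json.dumps(fields)


if __name__ == "__main__":
    print("after, naive regex:  valid JSON =", parses(cleanup_after(EVENT)))
    print("Message only:        ", cleanup_message_only(EVENT))
    print("after, escape-aware: ", cleanup_escape_aware(EVENT))
    print("before, all fields:  ", cleanup_before(EVENT))
```
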
ERROR procedure 'parse_csv' statement execution has been aborted
Hello,

I just set up NXLog to work with Graylog to process a CSV file (converted from some java.utils.logging logs (WebSphere and FileNet)). It's a lab environment (Docker) to test and evaluate the tools.

The solution is working OK so far, but while I am feeding the CSV file I am getting errors for some of the lines.

I started the nxlog container by mapping a volume for the CSV (input) file like: logs_filenet.csv:/var/log/filenet/logs.csv. I am echoing lines or cat-ing files and directing the output to the logs_filenet.csv file on the Docker host.

Below is my nxlog.conf:

===================================================================================================

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally under
    ## /usr/share/doc/nxlog-ce/ and is also available online at
    ## http://nxlog.org/docs

    ########################################
    # Global directives                    #
    ########################################
    User nxlog
    Group nxlog

    LogFile /var/log/nxlog/nxlog.log
    LogLevel INFO

    ########################################
    # Modules                              #
    ########################################
    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Extension csv>
        Module xm_csv
        Fields $fn_source, $fn_event_date, $fn_event_time, $fn_thread, $fn_sub, $fn_error_code, $fn_event_type, $fn_full_message
        Delimiter ;
    </Extension>

    <Input file>
        Module im_file
        File "/var/log/filenet/logs.csv"
        <Exec>
            csv->parse_csv();
        </Exec>
    </Input>

    <Output tcp>
        Module om_tcp
        Host 172.17.0.4
        Port 12201
        OutputType GELF_TCP
    </Output>

    ########################################
    # Routes                               #
    ########################################
    <Route csv_to_gelf>
        Path file => tcp
    </Route>

===================================================================================================

And these are the errors I am getting from the nxlog.log:

===================================================================================================

    2021-07-22 00:15:36 WARNING already running as gid 998
    2021-07-22 00:15:36 WARNING already running as uid 999
    2021-07-22 00:55:08 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-19;21:00:42;752A06AC;ENG;FNRCE0043E;ERROR;"2021-07-19 21:00:42 752A06AC ENG FNRCE0043E - ERROR method name: checkNameCollision principal name: XXXXXXX Global Transaction: true User Transaction: false Exception Info: A uniqueness requirement has been violated. The value for property FolderName of class someClass is nfcm:server;2021-07-19;21:00:42;752A06AC;ENG;FNRCE0043E;ERROR;"2021-07-19 21:00:42 752A06AC ENG FNRCE0043E - ERROR method name: checkNameCollision principal name: XXXXXXX Global Transaction: true User Transaction: false Exception Info: A uniqueness requirement has been violated. The value for property FolderName of class someClass is not unique."'
    2021-07-22 02:22:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:08:27;EC70023B;ENG;FNRCR0080E;ERROR;"2021-07-20 09:08:27 EC70023B ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
    2021-07-22 02:22:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:08:44;6F09F23D;ENG;FNRCR0080E;ERROR;"2021-07-20 09:08:44 6F09F23D ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
    2021-07-22 02:24:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:19:14;44DA04B6;ENG;FNRCR0080E;ERROR;"2021-07-20 09:19:14 44DA04B6 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
    2021-07-22 02:24:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:26:38;C38C4FD0;ENG;FNRCR0080E;ERROR;"2021-07-20 09:26:38 C38C4FD0 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
    2021-07-22 02:30:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:20:29;6447AF17;ENG;FNRCR0080E;ERROR;"2021-07-20 10:20:29 6447AF17 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
    2021-07-22 02:34:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:54:12;62F887F6;ENG;FNRCE0066E;ERROR;"2021-07-20 10:54:12 62F887F6 ENG FNRCE0066E - ERROR method name: executeSearch principal name: I362279 Global Transaction: false User Transaction: false Exception Info: An unexpected exception occurred. Message was: For input string: "35997028887""'
    2021-07-22 02:34:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:55:08;D36E314A;ENG;FNRCR0080E;ERROR;"2021-07-20 10:55:08 D36E314A ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
    2021-07-22 02:48:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-06-02;23:40:45;CMR1.ICM35BF;PESecondary2;PESecondary2;Error;"2021-06-02 23:40:45 CMR1.ICM35BF PESecondary2 DB=SOME_DB Reg#1 [Error] FNRPE2131090436E CMQueueInfo:getServerConfigEntries caught unexpected exception when get farm config; Exception: Assertion failed in file "DbTransaction.java", method "PushTransaction", line 245. "'
    2021-07-22 02:48:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-02;20:25:43;EventExp25B5;PESecondary2;PESecondary2;Error;"2021-07-02 20:25:43 EventExp25B5 PESecondary2 [Error] Exception while attempting to begin processing a store CADB.; Exception: com.filenet.api.exception.EngineRuntimeException: FNRCE0066E: E_UNEXPECTED_EXCEPTION: An unexpected exception occurred. Message was: A communication failure occurred while attempting to obtain an initial context with the provider URL: "corbaloc:rir:/NameServiceServerRoot". Make sure that any bootstrap address information in the URL is correct and that the target name server is running. A bootstrap address with no port specification defaults to port 2809. Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration. errorStack={ "'
    2021-07-22 02:54:06 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:17:20;AC4CFEFB;ENG;FNRCR0080E;ERROR;"2021-07-20 09:17:20 AC4CFEFB ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'

===================================================================================================

I am achieving success on most of the lines in the CSV, but I am wondering what the errors above are. Any clue on what the problem is or how to troubleshoot it?

Andre

andrepaes created
Replies: 1
CSV file sending to syslog server
Can everyone share what script for my testing, what I want to happen is I have a CSV file and I want to send it to my Syslog server? This is my config.

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    ########################################
    # Modules #
    ########################################
    <Extension csv>
        Module xm_csv
        Fields $LogFilename, $RowNumber, $date, $time, $c-ip, $cs-username, $cs-username, %s-ip, $s-port, $cs-method, $cs-uri-stem, $sc-status, $sc-win32-status, $sc-substatus, $x-session, $x-fullpath
        Delimiter ,
    </Extension>

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input in>
        Module im_file
        File 'C:/Users/Administrator/Desktop/Test/*.csv'
        ReadFromLast FALSE
        SavePos FALSE
        <Exec>
            csv->parse_csv();
            to_syslog_ietf();
            $EventTime = strptime($Date + " " + $Time, "%m/%d/%Y %H:%M:%S");
        </Exec>
    </Input>

    <Output out>
        Module om_udp
        Host 192.168.2.192
        Port 514
        #Exec to_syslog_bsd();
        Exec to_syslog_ietf();
    </Output>

    ########################################
    # Routes #
    ########################################
    <Route 1>
        Path in =>out
    </Route>

This is the error that appears. What am I missing here in the script?

    2021-07-25 19:00:48 WARNING stopping nxlog service
    2021-07-25 19:00:49 WARNING nxlog-ce received a termination request signal, exiting...
    2021-07-25 19:00:53 INFO nxlog-ce-2.11.2190 started
    2021-07-25 19:00:53 WARNING Module in has no input files to read

jhayvee created
Replies: 1
Installing NXlog on Centos 8 causes Problem: Conflicting requests error
Hello All. I am new to the forum as well as Linux and NXlog. (triple issue I know) I am attempting to install NXLog (nxlog-ce-2.11.2190_rhel8.x86_64.rpm) on a CentOS 8 machine. I am using the NXLog user guide (9. RHEL & CentOS) for installing the program. When I run the command to install the rpm package below, I receive the following error message. I have been unsuccessful searching the internet for a resolution so I thought I would give the forum a try. I would appreciate any help or tip which might steer me in the right direction. Thanks in advance, Mark

    Problem: conflicting requests
    Nothing provides libdbi >= 0.8.1 needed by nxlog-ce-2.11.2190_rhel8.x86_64

ComMark created
Replies: 1
Forwarding Windows Event and Other Application log to S3
I would like to use Nxlog CE agent to forward logs as snare log to an S3 bucket from Windows and Linux servers. I've read the documentation https://nxlog.co/documentation/nxlog-user-guide/addon-amazon-s3.html. But I'm a bit confused because it is stating that I need to install Boto3. Do I need to install Boto3 on all my servers to be able to forward Windows event log and other logs such as DNS, etc. to S3 using Nxlog CE? Also, does anyone know what ports are needed to let this pass through the firewall? Thank you so much!

alexb24 created
Replies: 1
"Unknown Publisher" Message when installing NXLog Community Edition 2.11.2190 on Windows
Hi, I am receiving a Defender SmartScreen message when trying to install nxlog-ce-2.11.2190.msi. I do not recall receiving this message when installing nxlog-ce-2.10.2150. Is this expected behaviour for the latest version on a fully patched Windows machine? (This has been tested on Windows 10 and Windows Server 2012 R2/2019 with the same outcome each time).

DanM created
Replies: 1
Syslog message not getting written to file
I set up a new port (2514/TCP) to receive log messages from VMware Workspace One. I notice this new port was not writing the log messages to the file specified. (Other ports for other products work fine) I can see the messages come in when I run tcpdump, but they do not end up getting written to a file. When I looked at the /var/log/nxlog/nxlog.log file, I noticed a LOT of messages like this:

    2021-07-07 22:44:31 INFO connection accepted from 10.42.32.149:60599
    2021-07-07 22:44:31 WARNING TCP connection closed from 10.42.32.149:60599: End of file found

I tried to google the error, but could not find anything about it. My config file includes this:

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input vmwarelogtcp>
        Module im_tcp
        Port 2514
        Host 0.0.0.0
        Exec parse_syslog();
    </Input>

    <Output vmwareout>
        Module om_file
        File "/log/SYSLOG_vmwarelog/VMWARELOG_" + $Hostname + ".log"
        CreateDir TRUE
        Exec to_syslog_bsd();
    </Output>

    <Route 3>
        Path vmwarelogtcp => vmwareout
    </Route>

Any ideas? Thank you

horstp created
Replies: 1
Credentials in plaintext (odbc,wmi)
Hello, Is it possible to use password hash in config files instead of plaintext while connecting to odbc

    Module om_odbc
    ConnectionString Driver={ODBC Driver 13 for SQL Server}; Server=MSSQL-HOST; UID=test; PWD=testpass; Database=TESTDB

or windows

    Module im_msvistalog
    RemoteUser nxlog
    RemotePassword nxlogpass1234

RAZR created
Replies: 1
Fortigate Logs to CSV
Ok so I'm trying to export the logs from our FortiGate to a CSV file. That's actually already working fine. But the problem is, lots of information is stored in the $Message. So what I want to do is to get all "variables" in the $Message in separate fields. I'm having a really hard time with this right now. I've never really done something with regex and nxlog. I'd be really happy if you guys could help me out here. That's how nxlog writes an event into the csv file:

    2021-06-28 00:00:05;"INFO";2;"XXX.XXX.XXX.XXX";;"date=2021-06-28,time=00:00:05,devname="XXXX",devid="XXX",logid="0000000013",type="traffic",subtype="forward",level="notice",vd="root",eventtime=1624831205715391871,tz="+0200",srcip=XXX.XXX.XXX.XXX,srcport=33084,srcintf="port1",srcintfrole="lan",dstip=XXX.XXX.XXX.XXX,dstport=80,dstintf="wan1",dstintfrole="wan",sessionid=24018243,proto=6,action="close",policyid=3,policytype="policy",poluuid="7f09e0e6-c026-51ea-ccf3-27ba9a95d742",service="HTTP",dstcountry="France",srccountry="Reserved",trandisp="snat",transip=XXX.XXX.XXX.XXX,transport=33084,appid=16648,app="Kaspersky.Update",appcat="Update",apprisk="low",applist="Std-Appcontrol",duration=5,sentbyte=836,rcvdbyte=1036,sentpkt=6,rcvdpkt=4,shapingpolicyid=7,shapersentname="A1_Outgoing",shaperdropsentbyte=0,shaperrcvdname="Incoming",shaperdroprcvdbyte=0,vwlid=0,utmaction="allow",countapp=1 mastersrcmac="XXX",srcmac="XXX",srcserver=0"

I guess replacing all the ',' with ';' would work. But I have no idea how to do that. If you need more info I'm going to send it asap.

Mrkasali created
Replies: 1
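The field splitting asked about in the post above, as an added example that is not part of the original post and is not NXLog code: a stand-alone Python parser for the key=value message, which, unlike a blanket replacement of ',' with ';', keeps commas inside quoted values and tolerates the bare space that precedes mastersrcmac in the posted event. The sample message, its addresses and the comment field are constructed for the example.

```python
import csv
import io
import re

# key=value, where the value is a double-quoted string (backslash escapes
# allowed) or a bare token that ends at the next comma or whitespace.
PAIR_RE = re.compile(r'([A-Za-z_]\w*)=("(?:[^"\\]|\\.)*"|[^,\s]*)')

# Constructed sample modelled on the event in the post; addresses, device name
# and the "comment" field are made up for the example.
SAMPLE = (
    'date=2021-06-28,time=00:00:05,devname="FGT-LAB",type="traffic",'
    'srcip=192.0.2.10,srcport=33084,dstip=198.51.100.7,dstport=80,'
    'action="close",app="Kaspersky.Update",comment="lab, test; x",'
    'countapp=1 mastersrcmac="00:00:5e:00:53:01",srcserver=0'
)


def parse_kv(message):
    """Split one FortiGate message into a dict of field name -> value."""
    fields = {}
    for key, value in PAIR_RE.findall(message):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            # Drop the surrounding quotes and undo \" escapes.
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def to_csv_row(fields, columns, delimiter=";"):
    """Render the chosen columns as one CSV row; absent fields become empty."""
    buf = io.StringIO()
    csv.writer(buf, delimiter=delimiter).writerow(
        [fields.get(name, "") for name in columns]
    )
    return buf.getvalue().rstrip("\r\n")


if __name__ == "__main__":
    parsed = parse_kv(SAMPLE)
    print(to_csv_row(parsed, ["date", "time", "srcip", "dstip", "dstport", "app"]))
```

Inside NXLog itself, the xm_kvp extension module offers a parse_kvp() procedure for this message style.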
xm_multiline - Seems to still only target 1 line
Good Morning, Hoping someone can help me find out where I have gone wrong here. I'm trying to get these xml files through nxlog using multiline. I'm targeting each section between <row></row> tags each as an event but nxlog seems to still be grabbing individual lines instead (checked via log_info and what comes up in logz.io).

config:

    define ROOT C:\Program Files (x86)\nxlog
    define ROOT_STRING C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension charconv>
        Module xm_charconv
        AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
    </Extension>

    <Extension xml>
        Module xm_xml
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Extension multiline>
        Module xm_multiline
        HeaderLine /<row>/
    </Extension>

    <Input OBLogs>
        Module im_file
        SavePos TRUE
        #ReadFromLast False
        File "D:\SERVER1\LogFiles\Hyland\error-profile\error-profile*.xml"
        InputType multiline
        Exec log_info("Reading log file: [" + file_name() + "]");
        #Exec if $raw_event !~ /^<row>/ drop();
        Exec parse_xml();
        #Exec log_info("ParsedxmlRaw: [" + $raw_event + "]");
        Exec $Hostname = hostname();
        Exec to_json();
        Exec log_info("Sending: [" + $raw_event + "]");
        Exec $raw_event = '[Redact][type=onbase-xml]' + $raw_event;
    </Input>

    <Output out>
        Module om_tcp
        Host listener-wa.logz.io
        Port 8010
    </Output>

    <Route OB>
        Path OBLogs => out
    </Route>

Sample log file:

    <?xml version="1.0" encoding="utf-8"?>
    <diagnosticsLog type="error-profile" startDate="06/26/2021 08:04:55">
    <!--Build 60-->
    <columns>
    <column friendlyName="time" name="time" />
    <column friendlyName="Result" name="Result" />
    <column friendlyName="Module" name="Module" />
    <column friendlyName="Class" name="Class" />
    <column friendlyName="SourceFile" name="SourceFile" />
    <column friendlyName="Method" name="Method" />
    <column friendlyName="SourceLine" name="SourceLine" />
    <column friendlyName="Severity" name="Severity" />
    <column friendlyName="MachineName" name="MachineName" />
    <column friendlyName="IpAddress" name="IpAddress" />
    <column friendlyName="ErrorId" name="ErrorId" />
    <column friendlyName="ProcessID" name="ProcessID" />
    <column friendlyName="ThreadID" name="ThreadID" />
    <column friendlyName="TimeSpan" name="TimeSpan" />
    <column friendlyName="User" name="User" />
    <column friendlyName="HTTPSessionID" name="HTTPSessionID" />
    <column friendlyName="HTTPForward" name="HTTPForward" />
    <column friendlyName="SessionID" name="SessionID" />
    <column friendlyName="SessionGUID" name="SessionGUID" />
    <column friendlyName="Datasource" name="Datasource" />
    <column friendlyName="Sequence" name="Sequence" />
    <column friendlyName="LocalSequence" name="LocalSequence" />
    <column friendlyName="Message" name="Message" />
    <column friendlyName="AppPoolName" name="AppPoolName" />
    </columns>
    <rows>
    <row>
    <col name="time">06/26/2021 08:04:55</col>
    <col name="TimeSpan">N/A</col>
    <col name="ThreadID">0x0000000B</col>
    <col name="User">UNITYSCHEDSERVICE</col>
    <col name="HTTPSessionID"></col>
    <col name="HTTPForward"></col>
    <col name="SessionGUID">cb5ce31f-641e-4eba-aaab-906691d26dec</col>
    <col name="SessionID">251185112</col>
    <col name="Datasource">Prod</col>
    <col name="AppPoolName"></col>
    <col name="IpAddress"></col>
    <col name="MachineName"></col>
    <col name="Result">0xFFFFFFFF80131500</col>
    <col name="Message">'Doc - Create PDF/TIFF File for This Document' was not executed because the document with ID: (123) has invalid extension 'rtf'</col>
    <col name="Module">Hyland.Core.Workflow.Tasks</col>
    <col name="Class">Hyland.Core.Workflow.Tasks.Foundation.Actions.CreatePdfTiffFile.ExecutionService</col>
    <col name="Method">ExecuteImpl</col>
    <col name="SourceFile"></col>
    <col name="SourceLine">0</col>
    <col name="Severity">Error</col>
    <col name="ErrorId">48c99a2c-facf-4a4e-948e-5f933ad2eae2</col>
    </row>
    <row>
    <col name="time">06/26/2021 08:04:55</col>
    <col name="TimeSpan">N/A</col>
    <col name="ThreadID">0x0000000B</col>
    <col name="User">UNITYSCHEDSERVICE</col>
    <col name="HTTPSessionID"></col>
    <col name="HTTPForward"></col>
    <col name="SessionGUID">cb5ce31f-641e-4eba-aaab-906691d26dec</col>
    <col name="SessionID">251185112</col>
    <col name="Datasource">Prod</col>
    <col name="AppPoolName"></col>
    <col name="IpAddress"></col>
    <col name="MachineName"></col>
    <col name="Result">0xFFFFFFFF80131500</col>
    <col name="Message"></col>
    <col name="Module">Hyland.Core.Workflow.Tasks</col>
    <col name="Class">Hyland.Core.Workflow.Tasks.ExecutionServiceBase</col>
    <col name="Method">Execute</col>
    <col name="SourceFile"></col>
    <col name="SourceLine">0</col>
    <col name="Severity">Error</col>
    <col name="ErrorId">48c99a2c-facf-4a4e-948e-5f933ad2eae2</col>
    </row>
    <row>
    <col name="time">06/26/2021 08:04:55</col>
    <col name="TimeSpan">N/A</col>
    <col name="ThreadID">0x0000000B</col>
    <col name="User">UNITYSCHEDSERVICE</col>
    <col name="HTTPSessionID"></col>
    <col name="HTTPForward"></col>
    <col name="SessionGUID">cb5ce31f-641e-4eba-aaab-906691d26dec</col>
    <col name="SessionID">251185112</col>
    <col name="Datasource">Prod</col>
    <col name="AppPoolName"></col>
    <col name="IpAddress"></col>
    <col name="MachineName"></col>
    <col name="Result">0xFFFFFFFF80131500</col>
    <col name="Message"></col>
    <col name="Module">Hyland.Core.Workflow</col>
    <col name="Class">Hyland.Core.Workflow.Action</col>
    <col name="Method">Execute</col>
    <col name="SourceFile"></col>
    <col name="SourceLine">0</col>
    <col name="Severity">Error</col>
    <col name="ErrorId">48c99a2c-facf-4a4e-948e-5f933ad2eae2</col>
    </row>
    </diagnosticsLog>

Thank you so much for any help you can offer!

IS-CS created
Nxlog gets a TCP timeout, then the next line it sends is garbage
I am using nxlog to send logs to another nxlog server set up as a concentrator. The TCP connection is going via an Amazon Load Balancer. The nxlog sender gets tcp connection error if it hasn't sent for a while. When it goes to send another message, it reconnects ok. The problem is that the line it sends ends up appearing as garbage on the concentrator. It's not really an option to remove the load balancer, we need to have the concentrator server autorestart if it crashes so this is the easiest way. Any ideas?

wallet created
Replies: 1
NXlog CE stops sending logs
Hello, I've been using the Community edition of NXlog, I've read there is a Bug related to the 256 windows channel error, has there been a fix or does anybody have a workaround for this? The agent on some of my machines stops working after a couple of days. Any Advice would be appreciated.

user1 created
Replies: 1