
NXLOG agent deployed on Windows causing continuous .dmp files on C: drive causing issues for Windows server

Anyone experience this? New to NXLOG Community, first experience deploying. Servers are Windows 2019 Datacenter.


RickKlemola created
Test question

Want to check whether the links issue still persists.


ArkadiyDeactivated Nxlog ✓ created
Error PCRE match_limit

Hi, can anyone help me out with this error:

2021-09-02 11:30:35 ERROR pcre match_limit reached for regexp /(?-i:vd=")(?!X|Y|Z).*".*dstport=999/

Does this mean that the regex is performing poorly and the engine is skipping the argument?

TIA.


jd01 created
Send custom value in iis_log message
I want to know if it is possible to send, with the IIS log message, a custom field and value. Actually this is my config:

```
# NOTE: the <Extension>/<Input>/<Output>/<Route> block tags were lost in the forum
# paste. The names w3c_parser, in2 and out come from the config's own references;
# the other block names below are placeholders.
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

#<Extension syslog>
#    Module xm_syslog
#</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

#<Extension json>
#    Module xm_json
#</Extension>

<Extension w3c_parser>
    Module xm_csv
    Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
           s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
           sc-status, sc-substatus, sc-win32-status, time-taken
    FieldTypes string, string, string, string, string, string, integer, \
               string, string, string, string, integer, integer, integer, \
               integer
    Delimiter ' '
    EscapeChar '"'
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input in2>
    Module im_file
    File "c:\\logs\\app\\iislog\\u_extend1.log"
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c_parser->parse_csv(); \
             $EventTime = parsedate($date + "T" + $time + ".000Z"); \
         }
</Input>

<Output out>
    Module om_udp
    Host 172.28.36.25
    Port 12201
    #Exec to_syslog_snare();
    OutputType GELF
</Output>

<Route r>
    Path in2 => out
</Route>
```

This works great, but I need to add a custom, static value in the message, like FIELD: "system", VALUE: "program1". This value is always the same:

```
date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken, system
```

Is this possible? Thanks!

Anbers created
How to merge event fields by ID?

Hi. I have a problem that I can't find a solution.

I use im_file to read some text like the following:

[20210816-094441] ID=123  some information1
[20210816-094441] ID=123  some information2
[20210816-094441] ID=124  some information3
[20210816-094441] ID=124  some information4

I need to merge events according to the ID field. The expected output is as follows. I found some information and tried to use pm_evcorr, but the community version lacks get_prev_event_data().

[20210816-094441] ID=123  some information1 some information2
[20210816-094441] ID=124  some information3 some information4

hugh_yang created
NXLog-Manager install on Win 2019 Docker fails

Environment: VMware vSphere 6.7 running a VM with Windows 2019 Datacenter + Docker Enterprise version 20.10.6. Windows detects an Intel Xeon Silver 4414 CPU.

Tried command: `docker-compose up -d`

Results:

```
Pulling db (mysql:5.5)...
5.5: Pulling from library/mysql
ERROR: no matching manifest for windows/amd64 10.0.17763 in the manifest list entries
```

What can I do to get the NXLog Docker image loaded?


mlevesque created
How to deploy NXLog CE edition using Azure Intune
Hello folks:

I downloaded the latest msi file for the CE edition and used it on Azure Intune to deploy as a "Line of Business Application". Unfortunately, the status for the app deployment remains as "Waiting for install status" on the intune portal.

So I decided to test the PowerShell install on my Win10 laptop using the following command in PowerShell with elevated privileges:

msiexec.exe /i .\nxlog-ce-2.11.2190.msi /quiet /l*v "C:\NXLogCE-Install.log"

I am not having any luck on my laptop either. I basically see the following:

=== Verbose logging started: 8/23/2021 15:53:19 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (E4:B4) [15:53:19:924]: Resetting cached policy values
MSI (c) (E4:B4) [15:53:19:924]: Machine policy value 'Debug' is 0
MSI (c) (E4:B4) [15:53:19:924]: ******* RunEngine:
******* Product: .\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (c) (E4:B4) [15:53:19:924]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (E4:B4) [15:53:19:924]: Grabbed execution mutex.
MSI (c) (E4:B4) [15:53:19:930]: Cloaking enabled.
MSI (c) (E4:B4) [15:53:19:930]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (E4:B4) [15:53:19:931]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:934]: Running installation inside multi-package transaction C:\Users\palezvar\Desktop\.\nxlog-ce-2.11.2190.msi
MSI (s) (24:4C) [15:53:19:934]: Grabbed execution mutex.
MSI (s) (24:2C) [15:53:19:935]: Resetting cached policy values
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'Debug' is 0
MSI (s) (24:2C) [15:53:19:935]: ******* RunEngine:
******* Product: C:\Users\palezvar\Desktop\.\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (24:2C) [15:53:19:952]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:2C) [15:53:19:952]: SRSetRestorePoint skipped for this transaction.
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1324 2: . 3: 1
MSI (s) (24:2C) [15:53:19:953]: MainEngineThread is returning 2
MSI (s) (24:4C) [15:53:19:953]: No System Restore sequence number for this installation.
MSI (s) (24:4C) [15:53:19:954]: User policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Machine policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:955]: MainEngineThread is returning 2
=== Verbose logging stopped: 8/23/2021 15:53:19 ===

What am I doing wrong?

Thanks,

palezvar created

Multiple NICs on Windows server

Hello,

We have two Windows servers on which we are using the NXLog agent to forward Windows events to a log collection platform.

The servers have two NICs, and we are getting the wrong NIC IP address in the messages forwarded by NXLog.

The agent version is 4.6.4640

The server is Windows 2016 standard server

Here is the output module from the template applied

```
<module>om_udp</module>
<config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <type>OUTPUT</type>
  <verbatim>Exec $Hostname = string(host_ip());
Exec to_syslog_snare();
</verbatim>
  <connect-address>SERVERIP</connect-address>
  <port>514</port>
  <output-format>Dgram</output-format>
</config>
```


mcerone created
Issue while configuring Oracle in Windows server

Hi,

Please help me with the solution of the below issue that I am facing while doing the configuration of oracle on windows server with nxlog. I have used below nxlog conf file to fetch Oracle event logs:

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in_Oracle>
    Module im_file
    File 'D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace'
    SavePos TRUE
    Exec if $raw_event =~ /HealthMailbox/ drop();
    Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out_Oracle>
    Module om_udp
    Host CCE-IP
    Port 514
    Exec $SyslogFacilityValue = 2;
    Exec $SourceName = 'oracle_logs';
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path in_Oracle => out_Oracle
</Route>
```

Below is the path where Oracle events are stored, and I have put the same path in the conf file as well: D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace

When I restarted the nxlog service, I found the below errors in the data folder:

```
2021-08-12 15:14:02 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.
2021-08-12 15:14:06 ERROR last message repeated 2 times
2021-08-12 15:14:10 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.
2021-08-12 15:14:18 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.
```

Can you please let me know why it's showing access denied and how I can resolve this?

Thanks, Priyanka


PS_793095 created
exec_async powershell.exe causes huge number of open handles which leads to memory exhaustion
We use NXLog on a Windows server to send audit logs from MariaDB to a syslog server. On certain messages I execute a PowerShell script with exec_async. We discovered that the powershell.exe subprocess is not closed correctly, which leads to excessive memory use, which can be seen by using RamMap and then the Page Table value. In the processes tab a lot of powershell.exe's can be seen with 4KB memory use. With Process Explorer I can see a large number of Handles in the nxlog.exe process. A restart of the nxlog service temporarily resolves the issue by cleaning up the (zombie?) powershell.exe processes. I could reproduce the issue with a very simple PowerShell script with only 1 line: "exit". When I run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NonInteractive -File C:\temp\test.ps1" from a cmd.exe it exits normally and the powershell.exe subprocess doesn't stay visible in RamMap. Could this be a bug? Or should I call powershell.exe differently?

Excerpt of my config:

```
# NOTE: the block tags were lost in the forum paste. The names mariadb_audit_file,
# discard_messages and output_graylog come from the Path line; the other block
# names below are placeholders, and "....." marks parts left out of the excerpt.
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension exec>
    Module xm_exec
</Extension>

.....

<Processor discard_messages>
    Module pm_null
    # Discard messages with 'keepalive'
    <Exec>
        if( $auditlog_object == "SELECT 0 FROM DUAL" ) exec_async("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "ByPass", "-NonInteractive", "-File", "C:\\temp\\test.ps1");
        if( $auditlog_object == "SELECT 0 FROM DUAL" ) drop();
    </Exec>
</Processor>

....

<Input mariadb_audit_file>
    Module im_file
    File 'C:\mariadb\data\server_audit.log'
    PollInterval 1
    SavePos True
    ReadFromLast True
    Recursive False
    RenameCheck False
    # Send file name with each message
    Exec $FileName = file_name();
</Input>

<Output output_graylog>
    Module om_udp
    Host x.x.x.x
    Port 12201
    OutputType GELF
    # Avoids truncation of the short_message field.
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();
</Output>

<Route r>
    Path mariadb_audit_file => preprocess => extract_fields => discard_messages => whitelist_queries => output_graylog
</Route>
```

MathieuH created
include directive does _not_ allow wildcard character '*' in Windows

I'm trying to set up nxlog on a windows host and break out configuration files for specific applications. I followed the example in the documentation ( https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_general_include ) but when I include a wildcard character, the nxlog service fails to start with the following error in the log file:

nxlog failed to start: Invalid 'include' directive at c:\Program Files (x86)\nxlog\conf\nxlog.conf:19 Failed to open config file C:\Program Files (x86)\nxlog\conf\nxlog.d*.conf The filename, directory name, or volume label syntax is incorrect.

The nxlog.d sub-directory exists and I have an application-specific config file there. If I specify the filename explicitly, the nxlog service starts. I'd like to use the wildcard in the main nxlog.conf file so I can scale this to multiple servers with different apps.


kbakowski created
Linux: fine-grained disable-enable control of logs

Say I have the following nxlog.conf file:

```
<Input lc1>
    Module im_file
    File "/var/log/messages"
</Input>

<Input lc2>
    Module im_file
    File "/var/log/mything.txt"
</Input>

<Output fileout>
    Module om_file
    Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
    Exec to_syslog_bsd();
    File "/var/log/logmsg2.txt"
</Output>

<Route lcroute1>
    Path lc1 => fileout
</Route>

<Route lcroute2>
    Path lc2 => fileout
</Route>
```

Is there a way to just turn off the harvesting of lc2 or the lcroute2 route without having to modify or manually change the nxlog.conf file? Basically, for this example nxlog.conf file, I want fine-grained adjustment/control of the logs if someone decides they want to turn off a log getting routed to the output file.

Thank you!


jfreyensee created
Problems sending Microsoft IIS logs to Graylog

Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the IIS logs either. I attach the implemented configuration file:

```
Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the include line
# and enable LogLevel and LogFile.
#include %CONFDIR%*.conf

LogLevel INFO
LogFile %MYLOGFILE%

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module im_msvistalog
    Query <QueryList>
        <Query Id="0">
            <Select Path="System"></Select>
            <Select Path="Security">
            </Select>
            <Select Path="Microsoft-IIS-Logging/Logs">*</Select>
        </Query>
    </QueryList>
</Input>

<Input iis_w3c>
    Module im_file
    File "X:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log"
    SavePos TRUE
    InputType LineBased

    Exec    if $raw_event =~ /^#/ drop(); \
            else \
            { \
                w3c_parser->parse_csv(); \
                $EventTime = parsedate($date + " " + $time); \
                $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
                $SourceName = "IIS"; \
                $SiteName   = "Test"; \
                $Message = to_json(); \
            }
</Input>

# XXX.XXX.XXX.XXX --> my_graylog_server, XXXX --> port
<Output udp>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    Port XXXX
    OutputType GELF_UDP
    Exec to_syslog_bsd();
    Exec log_info("sending data: " + $raw_event);
</Output>

<Route eventlog_to_udp_win>
    Path eventlog => udp
</Route>

<Route iis_w3c_to_udp_iis>
    Path iis_w3c => udp
</Route>
```


bercom created
Problems sending Microsoft SQL logs to Graylog

Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the SQL logs either. I attach the implemented configuration files:

nxlog.conf (nxlog EE v.5.3.6735):

```
Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the include line
# and enable LogLevel and LogFile.
include %CONFDIR%*.conf

#LogLevel INFO
#LogFile %MYLOGFILE%

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module im_msvistalog
</Input>

<Input eventlogSQL>
    Module im_odbc
    ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=<server_name>; Trusted_Connection=yes; DATABASE=MASTER;
    PollInterval 5
    IdType timestamp
    SQL SELECT event_time AS 'id', f.*, a.name AS action_name \
        FROM fn_get_audit_file('X:\SQLDATA\Log\logfiles\Audit-*.sqlaudit', default, default) AS f \
        INNER JOIN sys.dm_audit_actions AS a ON f.action_id = a.action_id \
        WHERE event_time > ?
    <Exec>
        delete($id);
        rename_field($event_time, $EventTime);
    </Exec>
</Input>

# XXX.XXX.XXX.XXX --> my_graylog_server, XXXX --> port
<Output udp>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    Port XXXX
    OutputType GELF_UDP
</Output>

<Output udpSQL>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    Port XXXX
    OutputType GELF_UDP
</Output>

<Route eventlog_to_udp>
    Path eventlog => udp
</Route>

<Route eventlog_to_udpSQL>
    Path eventlogSQL => udpSQL
</Route>
```

nxlog.conf (nxlog CE v.2.10.2150):

```
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module im_msvistalog
</Input>

# XXX.XXX.XXX.XXX --> my_graylog_server, XXXX --> port
<Output udp>
    Module om_udp
    Host XXX.XXX.XXX.XXX
    Port XXXX
    OutputType GELF_UDP
</Output>

<Route eventlog_to_udp>
    Path eventlog => udp
</Route>
```


bercom created
multiple patterndb definitions

I want to use pattern matching on different streams, and have different patterndb xml file, like this ...

```
# Filter for system logs
<Processor client_filter>
    Module pm_pattern
    PatternFile /data/conf/patterndb.xml
</Processor>

# Filter for SEQ
<Processor seq_filter>
    Module pm_pattern
    PatternFile /data/conf/seq_pattern.xml
</Processor>

# Filter for RDS
<Processor rds_filter>
    Module pm_pattern
    PatternFile /data/conf/rds_pattern.xml
</Processor>
```

and call them like this...

```
<Route route2001>
    Path client2001 => client_filter => client_to_sumo,judo-sumo-uat,client_master
</Route>

<Route route2002>
    Path client2002 => seq_filter => client_to_sumo,judo-sumo-uat,client_master
</Route>
```

etc...

Is that possible? It doesn't seem to be working as I hoped.


wallet created
timestamp in millisecond

Hello

I have tried this link below, still struggling... https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_global_dateformat

How do I get the following timestamps?

```
RFC 5424 local time : 2021-05-21T03:05:03.001+02:00
RFC 5424 UTC        : 2021-05-21T01:05:03.001Z
```

Thanks in advance for your help.


Ted210 created
[xm_admin|agent_managment] connection failed but logs are successfully send to Splunk Server

Hi,

I have installed nxlog inside a Virtual Machine in vCenter. Whenever I start the nxlog service, by default it tries to connect to one particular IP, which is the gateway of vCenter, and then the connection fails. I changed the IP address to the Virtual Machine IP in the config.d file, but the connection still fails; however, whenever I perform a query from nxlog, it successfully sends event logs to Splunk. Can you please help me understand the issue? I am doing a POC (Proof of Concept) on NXLog for Philips products.

```
2021-07-29 22:58:32 INFO [CORE|main] nxlog-5.3.6735-trial started
2021-07-29 22:58:32 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
2021-07-29 22:58:32 INFO [om_tcp|out] connecting to 10.232.44.92:1524
2021-07-29 22:58:32 INFO [om_tcp|out] successfully connected to 10.232.44.92:1524
2021-07-29 22:58:33 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
2021-07-29 22:58:33 INFO [xm_admin|agent_managment] reconnecting in 1 sec
2021-07-29 22:58:34 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
2021-07-29 22:58:35 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
2021-07-29 22:58:35 INFO [xm_admin|agent_managment] reconnecting in 2 sec
```


AshishKumar created
Unable to filter multiple Event IDs from security logs using im_msvistalog module

Hi, I am doing a POC on NXLog for a Philips product. When I extract event logs only for Security using the im_msvistalog module, it successfully extracts the logs and sends them to the Splunk server, but when I add a filter by referring to https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html, where I have used ExtendedWindowsToCollect in the Input tag, I face multiple errors like unused modules and couldn't parse Exec. Please see the below details of the conf and log files. Please help me here if the config file requires any changes. Note: the defined Event IDs are just an example, since I have a big list to be added to the config file.

Config file:

```
Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
define LOGDIR %INSTALLDIR%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# If you are not using NXLog Manager, disable the include line
# and enable LogLevel and LogFile.
include %CONFDIR%*.conf

#LogLevel INFO
#LogFile %MYLOGFILE%

# Define security IDs
define Security 4634, 4647, 4648, 4656, 4661, 4662, 4672, 4688, \
                4689, 4704, 4705, 4706, 4707, 4713, 4716, 4717, \
                4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, \
                4727, 4728, 4729, 4730

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input ExtendedWindowsToCollect>
    Module               im_msvistalog
    TolerateQueryErrors  TRUE
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path ='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID NOT IN (%Security%) drop();
    </Exec>
</Input>

<Output TCP>
    Module      om_tcp
    Host        10.232.44.92
    Port        1524
    Exec        to_json();
</Output>

<Route Out>
    Path        ExtendedWindowsToCollect = TCP
</Route>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>
```

Config log file:

```
2021-07-30 00:02:23 INFO [CORE|main] nxlog-5.3.6735-trial started
2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module TCP
2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect
2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' is already defined at C:\Program Files\nxlog\conf\nxlog.conf:63
2021-07-30 00:03:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
2021-07-30 00:03:53 WARNING [CORE|main] no functional input modules!
2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71
2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71
2021-07-30 00:03:53 ERROR [CORE|main] route Out is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:71
2021-07-30 00:03:53 INFO [CORE|main] nxlog-5.3.6735-trial started
2021-07-30 00:03:53 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect
2021-07-30 00:03:53 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
2021-07-30 00:03:54 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
2021-07-30 00:03:54 INFO [xm_admin|agent_managment] reconnecting in 1 sec
2021-07-30 00:03:55 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041
2021-07-30 00:23:22 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
2021-07-30 00:23:22 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
2021-07-30 00:23:22 WARNING [CORE|main] no functional input modules!
2021-07-30 00:23:22 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71
2021-07-30 00:23:22 ERROR [CORE|main] exiting...
2021-07-30 00:24:27 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
2021-07-30 00:24:27 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
2021-07-30 00:24:27 WARNING [CORE|main] no functional input modules!
2021-07-30 00:24:27 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71
2021-07-30 00:24:27 ERROR [CORE|main] exiting...
2021-07-30 00:25:32 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c)
2021-07-30 00:25:32 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
2021-07-30 00:25:32 WARNING [CORE|main] no functional input modules!
2021-07-30 00:25:32 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70
2021-07-30 00:25:32 ERROR [CORE|main] exiting...
```
2021-07-30 00:29:13 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:13 ERROR [CORE|main] exiting... 2021-07-30 00:29:50 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:29:50 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:29:50 WARNING [CORE|main] no functional input modules! 2021-07-30 00:29:50 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:50 ERROR [CORE|main] exiting... 2021-07-30 00:30:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:30:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:30:02 WARNING [CORE|main] no functional input modules! 2021-07-30 00:30:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:30:02 ERROR [CORE|main] exiting...


AshishKumar created
Replies: 1
Timestamps & failover

Hello

We have the NXLog Enterprise Edition.

  1. How to include milliseconds in Timestamps of NXLog? Eg: yyyy-mm-dd ... ss-mm + 2.00

  2. Reconnecting the cable after removing it loses log output.
    How to fix such a failover issue with NXLOG?

Thanks for your attention.


Ted210 created
Replies: 1
to_json and special characters
Hello, I have a question regarding the xm_json module of nxlog-ce v2.10. I am sending windows logs to our syslog server and using a json message with a BSD header like so:

```
Module im_msvistalog
* * *
$SyslogFacilityValue = syslog_facility_value("local1");

Module om_udp
Host 10.10.231.62
port 514
$Hostname = string(host_ip());
$Keywords = string($Keywords);
$Message = to_json();
$Message =~ s/}$/,"field":"value"}\n/g;
$Message =~ s/\\[r|n|t]/ /g;
$Message =~ s/\s{2,}/ /g;
to_syslog_bsd();
```

So on output I convert the message to json, then add an extra field to the end of it, then remove the \t, \r, \n characters in the message and finally clean up the extra whitespace left by the previous substitution.

This has a side-effect of modifying any string that contains the \t, \t or \n character in it; typically the **"A user DOMAIN\ruser1"** string will be changed to **"A user DOMAIN\ user1"** (space after backslash), mangling the json string in the process.

So to prevent this, I changed the output to the following:

```
Module om_udp
Host 10.10.231.62
port 514
$Hostname = string(host_ip());
$Keywords = string($Keywords);
$Message = replace($Message, "\r", " ");
$Message = replace($Message, "\n", " ");
$Message = replace($Message, "\t", " ");
$Message = to_json();
$Message =~ s/}$/,"field":"value"}\n/g;
$Message =~ s/\\r\\n\\t\\t\\t/ /g;
$Message =~ s/\s{2,}/ /g;
# $Message =~ s/\\[r|n|t]/ /g;
to_syslog_bsd();
```

This time doing the substitutions before converting to json. Using this configuration, when the `to_json();` is executed I see on **eventID 4672** that the **privilegelist** field is populated along with a **\r\n\t\t\t** sequence. I would have thought that the replace actions would have gotten rid of those; is this an expected behavior or am I doing this the wrong way?

For the moment I added `$Message =~ s/\\r\\n\\t\\t\\t/ /g;` to get rid of this specific sequence, but how can I be sure that other messages are not affected by another sequence of tabulations and carriage returns? Thanks for your time. Vincent

vguyard created
Replies: 1
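The two effects described in the post above, reproduced on a constructed event record as an added example (this is illustration written for this page, not NXLog's own code and not the poster's configuration). Two things are shown: first, why a regex run over the already-serialized JSON text turns `DOMAIN\ruser1` into `DOMAIN\ user1` (JSON escapes the literal backslash as `\\`, and the pattern `\\[r|n|t]` then matches the second backslash plus the `r` of the username); second, why replacing control characters in one field only, then calling `to_json()`, still leaves `\r\n\t\t\t` in the output, because `to_json()` serializes every field of the record, not just the one that was scrubbed. The field names `Message` and `PrivilegeList` and their values are constructed for the example; the fix shown is to scrub every string field before serializing rather than patching the JSON text afterwards.

```python
import json
import re

# Constructed sample record (not a real Windows event): a Message whose text
# contains a literal backslash followed by "r", and a second field carrying
# real CR/LF/TAB characters, as the post describes for event 4672.
SAMPLE_EVENT = {
    "EventID": 4672,
    "Message": "Special privileges assigned to new logon. A user DOMAIN\\ruser1 logged on.",
    "PrivilegeList": "SeSecurityPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeDebugPrivilege",
}

# Same pattern as the post's first config: backslash followed by r, n, t
# (or a literal "|", since "|" inside a character class is not alternation).
POST_JSON_PATTERN = re.compile(r"\\[r|n|t]")
MULTI_SPACE = re.compile(r"\s{2,}")


def scrub_after_json(event):
    """First approach from the post: serialize, then regex the JSON text.
    Every literal backslash in a field value has been escaped to two
    backslashes, so the pattern also eats "\\r" in DOMAIN\\ruser1."""
    text = json.dumps(event)
    text = POST_JSON_PATTERN.sub(" ", text)
    return MULTI_SPACE.sub(" ", text)


def scrub_before_json(event, fields=("Message",)):
    """Second approach from the post: replace the raw control characters in
    the named fields, then serialize. Fields not listed are left untouched,
    which is why PrivilegeList still carries \\r\\n\\t\\t\\t afterwards."""
    cleaned = dict(event)
    for name in fields:
        value = cleaned.get(name)
        if isinstance(value, str):
            for ch in ("\r", "\n", "\t"):
                value = value.replace(ch, " ")
            cleaned[name] = MULTI_SPACE.sub(" ", value)
    return json.dumps(cleaned)


def scrub_all_strings(event):
    """Scrub every string-valued field before serializing, so no field can
    smuggle a tab/CR/LF sequence into the output and no backslash in the
    data is ever touched."""
    string_fields = tuple(k for k, v in event.items() if isinstance(v, str))
    return scrub_before_json(event, fields=string_fields)


def is_valid_json(text):
    """True if the text parses as JSON; the post-serialization regex breaks this."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def parse_field(text, name):
    """Parse JSON text and return one field, so results can be checked."""
    return json.loads(text)[name]


if __name__ == "__main__":
    print("after-json  :", scrub_after_json(SAMPLE_EVENT))
    print("valid JSON? :", is_valid_json(scrub_after_json(SAMPLE_EVENT)))
    print("before-json :", scrub_before_json(SAMPLE_EVENT))
    print("all strings :", scrub_all_strings(SAMPLE_EVENT))
```

Run stand-alone, the first line prints `DOMAIN\ user1` with a bare backslash before the space, and the parser rejects it; the second line is valid JSON but still contains the escaped `\r\n\t\t\t` from `PrivilegeList`; the third is valid and contains neither. The general point for anyone shipping Windows events as JSON over syslog is to normalize control characters in the record's fields before serialization and never to edit the serialized text with a regex, since the JSON escaping changes what a backslash means.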