Hello, We have two Windows servers we are using NxLog agent to forward windows events to a log collection platform. The servers have two NICs and we are getting the wrong NIC IP address in the messages forwarded by NxLog The agent version is 4.6.4640 The server is Windows 2016 standard server Here is the output module from the template applied <module>om_udp</module> <config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <type>OUTPUT</type> <verbatim>Exec $Hostname = string(host_ip()); Exec to_syslog_snare(); </verbatim> <connect-address>SERVERIP</connect-address> <port>514</port> <output-format>Dgram</output-format> </config>

Hi, Please help me with the solution of the below issue that I am facing while doing the configuration of oracle on windows server with nxlog. I have used below nxlog conf file to fetch Oracle event logs: This is a sample configuration file. See the nxlog reference manual about the configuration options. It should be installed locally and is also available online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> <Input in_Oracle> Module im_file File 'D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace' SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); </Input> <Output out_Oracle> Module om_udp Host CCE-IP Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'oracle_logs'; Exec to_syslog_bsd(); </Output> <Route 1> Path in_Oracle => out_Oracle </Route> Below is the patch where Oracle events are storing and I have put the same path in conf file as well: D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace When I have restarted the nxlog services, I found below error in data folder: 2021-08-12 15:14:02 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied. 2021-08-12 15:14:06 ERROR last message repeated 2 times 2021-08-12 15:14:10 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied. 2021-08-12 15:14:18 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied. Can you please let me know why its showing access denied and how I can resolve this? Thanks, Priyanka

We use NXlog on Windows server to send audit logs from MariaDB to a syslog server. On certain messages I execute a powershell script with exec_async. We discoverred that the powershell.exe subprocesses is not closed correctly which leads to excessive memory use which can be seen by using RamMap and then the Page Table value. In the processes tab a lot of powershell.exe's can be seen with 4KB memory use. With Process Explorer I can see a large number of Handles in the NXlog.exe process. A restart of the nxlog service temporary resolves the issue by cleaning up the (zombie?) powershell.exe processes. I could reproduce the issue with a very simple powershell script with only 1 line: "exit". When I run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NonInteractive -File C:\temp\test.ps1" from a cmd.exe it exits normally and the powershell.exe subprocess doesn't stay visible in RamMap. Could this be a bug? Or should I call powershell.exe differently? Excerpt of my config: define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _exec> Module xm_exec </Extension> ..... <Processor discard_messages> Module pm_null <Exec> # Discard messages with 'keepalive' if( $auditlog_object == "SELECT 0 FROM DUAL" ) exec_async("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "ByPass", "-NonInteractive", "-File", "C:\\temp\\test.ps1"); if( $auditlog_object == "SELECT 0 FROM DUAL" ) drop(); </Exec> </Processor> .... <Input mariadb_audit_file> Module im_file File 'C:\mariadb\data\server_audit.log' PollInterval 1 SavePos True ReadFromLast True Recursive False RenameCheck False Exec $FileName = file_name(); # Send file name with each message </Input> <Output output_graylog> Module om_udp Host x.x.x.x Port 12201 OutputType GELF Exec $short_message = $raw_event; # Avoids truncation of the short_message field. Exec $Hostname = hostname_fqdn(); </Output> <Route route-0> Path mariadb_audit_file => preprocess => extract_fields => discard_messages => whitelist_queries => output_graylog </Route>

I'm trying to set up nxlog on a windows host and break out configuration files for specific applications. I followed the example in the documentation ( https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_general_include ) but when I include a wildcard character, the nxlog service fails to start with the following error in the log file: nxlog failed to start: Invalid 'include' directive at c:\Program Files (x86)\nxlog\conf\nxlog.conf:19 Failed to open config file C:\Program Files (x86)\nxlog\conf\nxlog.d*.conf The filename, directory name, or volume label syntax is incorrect. The nxlog.d sub-directory exists and I have an application-specific config file there. If I specify the filename explicitly, the nxlog service starts. I'd like to use the wildcard in the main nxlog.conf file so I can scale this to multiple servers with different apps.

Say I have the following nxlog.conf file: <Input lc1> Module im_file File "/var/log/messages" </Input> <Input lc2> Module im_file File "/var/log/mything.txt" </Input> <Output fileout> Module om_file Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error"); Exec to_syslog_bsd(); File "/var/log/logmsg2.txt" </Output> <Route lcroute1> Path lc1 => fileout </Route> <Route lcroute2> Path lc2 => fileout </Route> Is there a way to just turn off the harvesting of Ic2 or the lcroute2 without having to modify or manually change the nxlog.conf file? Basically for this example nxlog.conf file have fine-grained adjustment/control of the logs if someone decides they want to turn off a log getting routed to the output file. Thank you!

Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the IIS logs either. I attach the implemented configuration file: Panic Soft define INSTALLDIR C:\Program Files\nxlog #ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d Note that these two lines define constants only; the log file location is ultimately set by the LogFile directive (see below). The MYLOGFILE define is also used to rotate the log file automatically (see the _fileop block). define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log If you are not using NXLog Manager, disable the include line and enable LogLevel and LogFile. #include %CONFDIR%*.conf LogLevel INFO LogFile %MYLOGFILE% <Extension gelf> Module xm_gelf </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is changed in managed.conf via NXLog Manager, rotation of the new file should also be configured there. <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour &lt;Exec&gt; if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') &gt;= 5M) ) { file_cycle('%MYLOGFILE%', 8); } &lt;/Exec&gt; &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8); &lt;/Schedule&gt; </Extension> <Input eventlog> Module im_msvistalog Query <QueryList> <Query Id="0"> <Select Path="System"></Select> <Select Path="Security"></Select> <Select Path="Microsoft-IIS-Logging/Logs">*</Select> </Query> </QueryList> </Input> <Input iis_w3c> Module im_file File "X:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log" SavePos TRUE InputType LineBased Exec if $raw_event =~ /^#/ drop(); \ else \ { \ w3c_parser-&gt;parse_csv(); \ $EventTime = parsedate($date + &quot; &quot; + $time); \ $EventTime = strftime($EventTime, &quot;%Y-%m-%dT%H:%M:%SZ&quot;); \ $SourceName = &quot;IIS&quot;; \ $SiteName = &quot;Test&quot;; \ $Message = to_json(); \ } </Input> <Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP Exec to_syslog_bsd(); Exec log_info("sending data: " + $raw_event); </Output> <Route eventlog_to_udp_win> Path eventlog => udp </Route> <Route iis_w3c_to_udp_iis> Path iis_w3c => udp </Route>

Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the SQL logs either. I attach the implemented configuration files: nxlog.con (nxlog EE v.5.3.6735): Panic Soft define INSTALLDIR C:\Program Files\nxlog #ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d Note that these two lines define constants only; the log file location is ultimately set by the LogFile directive (see below). The MYLOGFILE define is also used to rotate the log file automatically (see the _fileop block). define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log If you are not using NXLog Manager, disable the include line and enable LogLevel and LogFile. include %CONFDIR%*.conf #LogLevel INFO #LogFile %MYLOGFILE% <Extension gelf> Module xm_gelf </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is changed in managed.conf via NXLog Manager, rotation of the new file should also be configured there. <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour &lt;Exec&gt; if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') &gt;= 5M) ) { file_cycle('%MYLOGFILE%', 8); } &lt;/Exec&gt; &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8); &lt;/Schedule&gt; </Extension> <Input eventlog> Module im_msvistalog </Input> <Input eventlogSQL> Module im_odbc ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=<server_name>; Trusted_Connection=yes; DATABASE=MASTER; PollInterval 5 IdType timestamp SQL SELECT event_time AS 'id', f., a.name AS action_name FROM fn_get_audit_file('X:\SQLDATA\Log\logfiles\Audit-.sqlaudit', default, default) AS f INNER JOIN sys.dm_audit_actions AS a ON f.action_id = a.action_id WHERE event_time > ? <Exec> delete($id); rename_field($event_time, $EventTime); </Exec> </Input> <Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output> <Output udpSQL> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output> <Route eventlog_to_udp> Path eventlog => udp </Route> <Route eventlog_to_udpSQL> Path eventlogSQL => udpSQL </Route> nxlog.con (nxlog CEv.2.10.2150): Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension gelf> Module xm_gelf </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') &gt;= 5M)) \ file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; </Extension> <Input eventlog> Module im_msvistalog </Input> <Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output> <Route eventlog_to_udp> Path eventlog => udp </Route>

I want to use pattern matching on different streams, and have different patterndb xml file, like this ... Filter for system logs <Processor client_filter> Module pm_pattern PatternFile /data/conf/patterndb.xml </Processor> Filter for SEQ <Processor seq_filter> Module pm_pattern PatternFile /data/conf/seq_pattern.xml </Processor> #Filter for RDS <Processor rds_filter> Module pm_pattern PatternFile /data/conf/rds_pattern.xml </Processor> and call them like this... <Route route2001> Path client2001 => client_filter => client_to_sumo,judo-sumo-uat,client_master </Route> <Route route2002> Path client2002 => seq_filter => client_to_sumo,judo-sumo-uat,client_master </Route> etc... Is that possible? It doesn't seem to be working as I hoped.

Hello I have tried this link below, still struggling... https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_global_dateformat How to get following following Timestamp ? RFC 5424 Heure locale : 2021-05-21T03:05:03.001+02:00 RFC 5424 UTC : 2021-05-21T01:05:03.001Z Thanks in advance for your help.

Hi, I have installed nxlog inside the Virtual Machine in vCenter whenever i am starting nxlog service then by default it's try to connect one particular IP which is gate way of vCenter and then connection gets failed so changed IP address to Virtual Machine IP from config.d file but still connection gets failed but whenever performing query from nxlog then it successfully send event logs to Splunk. Can you please help me here to understand the issue. I am doing POC(Prof of Concept) on NXlog for philips products. 2021-07-29 22:58:32 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-29 22:58:32 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-29 22:58:32 INFO [om_tcp|out] connecting to 10.232.44.92:1524 2021-07-29 22:58:32 INFO [om_tcp|out] successfully connected to 10.232.44.92:1524 2021-07-29 22:58:33 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it. 2021-07-29 22:58:33 INFO [xm_admin|agent_managment] reconnecting in 1 sec 2021-07-29 22:58:34 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-29 22:58:35 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it. 2021-07-29 22:58:35 INFO [xm_admin|agent_managment] reconnecting in 2 sec

Hi, I am doing POC on NXlog for Philips product and when i am extracting eventlogs only for security by using im_msvistalog module then it's successfully extracting logs & sending to splunk server but when i am putting filter by referring https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html where i have used ExtendedWindowsToCollect in Input tag then facing multiple error like unused modules, couldn't parse to Exec. Please see the below details of conf & log files. Please help me here if config file is required any changes. Note: Defined Event IDs are just an example since i have big list to be added in config file. config file Panic Soft define INSTALLDIR C:\Program Files\nxlog #ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d Note that these two lines define constants only; the log file location is ultimately set by the LogFile directive (see below). The MYLOGFILE define is also used to rotate the log file automatically (see the _fileop block). define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log If you are not using NXLog Manager, disable the include line and enable LogLevel and LogFile. include %CONFDIR%*.conf #LogLevel INFO #LogFile %MYLOGFILE% Define security IDs define Security 4634, 4647, 4648, 4656, 4661, 4662, 4672, 4688, 4689, 4704, 4705, 4706, 4707, 4713, 4716, 4717, \ 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730 <Extension _syslog> Module xm_syslog </Extension> <Extension _json> Module xm_json </Extension> <Input ExtendedWindowsToCollect> Module im_msvistalog TolerateQueryErrors TRUE &lt;QueryXML&gt; &lt;QueryList&gt; &lt;Query Id='0'&gt; &lt;Select Path ='Security'&gt;*&lt;/Select&gt; </Query> </QueryList> </QueryXML> <Exec> if ($EventID NOT IN (%Security%) drop(); </Exec> </Input> <Output TCP> Module om_tcp Host 10.232.44.92 Port 1524 Exec to_json(); </Output> <Route Out> Path ExtendedWindowsToCollect = TCP </Route> This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is changed in managed.conf via NXLog Manager, rotation of the new file should also be configured there. <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour &lt;Exec&gt; if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') &gt;= 5M) ) { file_cycle('%MYLOGFILE%', 8); } &lt;/Exec&gt; &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8); &lt;/Schedule&gt; </Extension> config log file 2021-07-30 00:02:23 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module TCP 2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' is already defined at C:\Program Files\nxlog\conf\nxlog.conf:63 2021-07-30 00:03:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:03:53 WARNING [CORE|main] no functional input modules! 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 ERROR [CORE|main] route Out is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-30 00:03:53 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect 2021-07-30 00:03:53 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-30 00:03:54 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it. 2021-07-30 00:03:54 INFO [xm_admin|agent_managment] reconnecting in 1 sec 2021-07-30 00:03:55 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-30 00:23:22 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:23:22 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:23:22 WARNING [CORE|main] no functional input modules! 2021-07-30 00:23:22 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:23:22 ERROR [CORE|main] exiting... 2021-07-30 00:24:27 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:24:27 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:24:27 WARNING [CORE|main] no functional input modules! 2021-07-30 00:24:27 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:24:27 ERROR [CORE|main] exiting... 2021-07-30 00:25:32 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:25:32 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:25:32 WARNING [CORE|main] no functional input modules! 2021-07-30 00:25:32 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:25:32 ERROR [CORE|main] exiting... 2021-07-30 00:25:43 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:25:43 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:25:43 WARNING [CORE|main] no functional input modules! 2021-07-30 00:25:43 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:25:43 ERROR [CORE|main] exiting... 2021-07-30 00:26:36 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:26:36 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:26:36 WARNING [CORE|main] no functional input modules! 2021-07-30 00:26:36 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:26:36 ERROR [CORE|main] exiting... 2021-07-30 00:27:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:02 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:02 ERROR [CORE|main] exiting... 2021-07-30 00:27:40 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:40 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:40 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:40 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:40 ERROR [CORE|main] exiting... 2021-07-30 00:27:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:53 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:53 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:53 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:53 ERROR [CORE|main] exiting... 2021-07-30 00:28:07 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:07 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:07 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:07 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:07 ERROR [CORE|main] exiting... 2021-07-30 00:28:46 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:46 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:46 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:46 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:46 ERROR [CORE|main] exiting... 2021-07-30 00:28:58 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:58 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:58 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:58 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:58 ERROR [CORE|main] exiting... 2021-07-30 00:29:13 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:29:13 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:29:13 WARNING [CORE|main] no functional input modules! 2021-07-30 00:29:13 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:13 ERROR [CORE|main] exiting... 2021-07-30 00:29:50 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:29:50 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:29:50 WARNING [CORE|main] no functional input modules! 2021-07-30 00:29:50 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:50 ERROR [CORE|main] exiting... 2021-07-30 00:30:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:30:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:30:02 WARNING [CORE|main] no functional input modules! 2021-07-30 00:30:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:30:02 ERROR [CORE|main] exiting...

Hello We have the NXLog Enterprise Edition. How to include milliseconds in Timestamps of NXLog? Eg: yyyy-mm-dd ... ss-mm + 2.00 Reconnecting cable after removing it loses log output. How to fix the such failover issue with NXLOG? Thanks for your attentions.

Hello, I have a question regarding the xm_json module of nxlog-ce v2.10. I am sending windows logs to out syslog server and using json message with a BSD header like so: <Input in_winlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="System">*</Select> <Select Path="Application">*</Select> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> <Exec> $SyslogFacilityValue = syslog_facility_value("local1"); </Exec> </Input> <Output out_syslog> Module om_udp Host 10.10.231.62 port 514 <Exec> $Hostname = string(host_ip()); $Keywords = string($Keywords); $Message = to_json(); $Message =~ s/}$/,"field":"value"}\n/g; $Message =~ s/\\[r|n|t]/ /g; $Message =~ s/\s{2,}/ /g; to_syslog_bsd(); </Exec> </Output> So on output I convert the message to json, then add an extra field to the end of it, then remove the \t, \r, \n characters in the message and finally cleanup the extra whitespaces left by the previous substitution. This has a side-effect of modifying any string that contain the \t, \t or \n character in it, typically the "A user DOMAIN\ruser1" string will be changed to "A user DOMAIN\ user1" (space after backslash) mangling the json string in the process. So to prevent this, I changed the output to the following: <Output out_syslog> Module om_udp Host 10.10.231.62 port 514 <Exec> $Hostname = string(host_ip()); $Keywords = string($Keywords); $Message = replace($Message, "\r", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\t", " "); $Message = to_json(); $Message =~ s/}$/,"field":"value"}\n/g; $Message =~ s/\\r\\n\\t\\t\\t/ /g; $Message =~ s/\s{2,}/ /g; # $Message =~ s/\\[r|n|t]/ /g; to_syslog_bsd(); </Exec> </Output> This time doing the substitutions before converting to json. Using this configuration when the to_json(); is executed I see on eventID 4672 that the privilegelist field is populated along with a \r\n\t\t\t sequence. I would have though that the replace actions would have gotten rid of those, is this an expected behavior or am I doing this the wrong way? For the moment I added $Message =~ s/\\r\\n\\t\\t\\t/ /g; to get rid of this specific sequence but how can I be sure that other messages are not affected with another sequence of tabulations and carriage return ? Thanks for your time. Vincent

Hello, I just setup the NXLog to work with Graylog to process CSV file (converted from some java.utils.logging logs (WebSphere and FileNet). It's a lab environment (docker) to test and evaluate the tools. The solution is woking ok so far but while I am feeding the csv file I am getting errors for some of the lines. I started the nxlog container by mapping a volume for the csv (input) file like: logs_filenet.csv:/var/log/filenet/logs.csv. I am echoing lines ou cating files and directing it's output to logs_filenet.csv file on the docker host. Below is my nxlog.conf: =================================================================================================== ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally under ## /usr/share/doc/nxlog-ce/ and is also available online at ## http://nxlog.org/docs ######################################## # Global directives # ######################################## User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO ######################################## # Modules # ######################################## <Extension gelf> Module xm_gelf </Extension> <Extension csv> Module xm_csv Fields $fn_source, $fn_event_date, $fn_event_time, $fn_thread, $fn_sub, $fn_error_code, $fn_event_type, $fn_full_message Delimiter ; </Extension> <Input file> Module im_file File "/var/log/filenet/logs.csv" <Exec> csv->parse_csv(); </Exec> </Input> <Output tcp> Module om_tcp Host 172.17.0.4 Port 12201 OutputType GELF_TCP </Output> ######################################## # Routes # ######################################## <Route csv_to_gelf> Path file => tcp </Route> =================================================================================================== And this is the errors I am getting from the nxlog.log: =================================================================================================== 2021-07-22 00:15:36 WARNING already running as gid 998 2021-07-22 00:15:36 WARNING already running as uid 999 2021-07-22 00:55:08 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-19;21:00:42;752A06AC;ENG;FNRCE0043E;ERROR;"2021-07-19 21:00:42 752A06AC ENG FNRCE0043E - ERROR method name: checkNameCollision principal name: XXXXXXX Global Transaction: true User Transaction: false Exception Info: A uniqueness requirement has been violated. The value for property FolderName of class someClass is nfcm:server;2021-07-19;21:00:42;752A06AC;ENG;FNRCE0043E;ERROR;"2021-07-19 21:00:42 752A06AC ENG FNRCE0043E - ERROR method name: checkNameCollision principal name: XXXXXXX Global Transaction: true User Transaction: false Exception Info: A uniqueness requirement has been violated. The value for property FolderName of class someClass is not unique."' 2021-07-22 02:22:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:08:27;EC70023B;ENG;FNRCR0080E;ERROR;"2021-07-20 09:08:27 EC70023B ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."' 2021-07-22 02:22:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:08:44;6F09F23D;ENG;FNRCR0080E;ERROR;"2021-07-20 09:08:44 6F09F23D ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."' 2021-07-22 02:24:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:19:14;44DA04B6;ENG;FNRCR0080E;ERROR;"2021-07-20 09:19:14 44DA04B6 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."' 2021-07-22 02:24:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:26:38;C38C4FD0;ENG;FNRCR0080E;ERROR;"2021-07-20 09:26:38 C38C4FD0 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."' 2021-07-22 02:30:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:20:29;6447AF17;ENG;FNRCR0080E;ERROR;"2021-07-20 10:20:29 6447AF17 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."' 2021-07-22 02:34:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:54:12;62F887F6;ENG;FNRCE0066E;ERROR;"2021-07-20 10:54:12 62F887F6 ENG FNRCE0066E - ERROR method name: executeSearch principal name: I362279 Global Transaction: false User Transaction: false Exception Info: An unexpected exception occurred. Message was: For input string: "35997028887""' 2021-07-22 02:34:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:55:08;D36E314A;ENG;FNRCR0080E;ERROR;"2021-07-20 10:55:08 D36E314A ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."' 2021-07-22 02:48:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-06-02;23:40:45;CMR1.ICM35BF;PESecondary2;PESecondary2;Error;"2021-06-02 23:40:45 CMR1.ICM35BF PESecondary2 DB=SOME_DB Reg#1 [Error] FNRPE2131090436E CMQueueInfo:getServerConfigEntries caught unexpected exception when get farm config; Exception: Assertion failed in file "DbTransaction.java", method "PushTransaction", line 245. "' 2021-07-22 02:48:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-02;20:25:43;EventExp25B5;PESecondary2;PESecondary2;Error;"2021-07-02 20:25:43 EventExp25B5 PESecondary2 [Error] Exception while attempting to begin processing a store CADB.; Exception: com.filenet.api.exception.EngineRuntimeException: FNRCE0066E: E_UNEXPECTED_EXCEPTION: An unexpected exception occurred. Message was: A communication failure occurred while attempting to obtain an initial context with the provider URL: "corbaloc:rir:/NameServiceServerRoot". Make sure that any bootstrap address information in the URL is correct and that the target name server is running. A bootstrap address with no port specification defaults to port 2809. Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration. errorStack={ "' 2021-07-22 02:54:06 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:17:20;AC4CFEFB;ENG;FNRCR0080E;ERROR;"2021-07-20 09:17:20 AC4CFEFB ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."' =================================================================================================== I am achieving success on most of the lines on the csv but I am wondering what are the errors above. Any clue on what is the problem or how to troubleshoot it ? Andre

Can everyone share what script for my testing, what I want to happen is I have a CSV file and I want to send it to my Syslog server?. This is my config. Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data ######################################## # Modules # ######################################## <Extension csv> Module xm_csv Fields $LogFilename, $RowNumber, $date, $time, $c-ip, $cs-username, $cs-username, %s-ip, $s-port, $cs-method, $cs-uri-stem, $sc-status, $sc-win32-status, $sc-substatus, $x-session, $x-fullpath Delimiter , </Extension> <Extension _syslog> Module xm_syslog </Extension> <Input in> Module im_file File 'C:/Users/Administrator/Desktop/Test/*.csv' ReadFromLast FALSE SavePos FALSE <Exec> csv->parse_csv(); to_syslog_ietf(); $EventTime = strptime($Date + " " + $Time, "%m/%d/%Y %H:%M:%S"); </Exec> </Input> <Output out> Module om_udp Host 192.168.2.192 Port 514 #Exec to_syslog_bsd(); Exec to_syslog_ietf(); </Output> ######################################## # Routes # ######################################## <Route 1> Path in =>out </Route> This is the error that appears. What am I missing here in the script ?. 2021-07-25 19:00:48 WARNING stopping nxlog service 2021-07-25 19:00:49 WARNING nxlog-ce received a termination request signal, exiting... 2021-07-25 19:00:53 INFO nxlog-ce-2.11.2190 started 2021-07-25 19:00:53 WARNING Module in has no input files to read

Hello All. I am new to the forum as well as Linux and NXlog. (triple issue I know) I am attempting to install NXLog (nxlog-ce-2.11.2190_rhel8.x86_64.rpm) on a CentOS 8 machine. I am using the NXLog user guide (9. REHL & CentOS) for installing the program. When I run the command to install the rpm package below, I receive the following error message. I have been unsuccessful searching the internet for a resolution so I though I would give the forum a try. I would appreciate any help or tip which might steer me in the right direction. Thanks in advance, Mark Problem: conflicting requests Nothing provides libdbi >= 0.8.1 needed by nxlog-ce-2.11.2190_rhel8.x86_64

I would like to use Nxlog CE agent to forward logs as snare log to an S3 bucket from Windows and Linux servers. I've read the documentation https://nxlog.co/documentation/nxlog-user-guide/addon-amazon-s3.html. But I'm a bit confused because it is stating that I need to install Boto3. Do I need to install Boto3 on all my servers to be able to forward Windows event log and other logs such as DNS, etc. to S3 using Nxlog CE? Also, does anyone know what ports are needed to let this pass through the firewall? Thank you so much!

Hi, I am receiving a Defender SmartScreen message when trying to install nxlog-ce-2.11.2190.msi. I do not recall receiving this message when installing nxlog-ce-2.10.2150. Is this expected behaviour for the latest version on a fully patched Windows machine? (This has been tested on Windows 10 and Windows Server 2012 R2/2019 with the same outcome each time).

I set up a new port (2514/TCP) to receive logs messages from VMware Workspace One. I notice this new port was not writing the log messages to the file specified. (Other ports for other products work fine) I can see the messages come in when I run tcpdump, but they do not end up getting written to a file. When I looked at the /var/log/nxlog/nxlog.log file, I noticed a LOT of messages like this: 2021-07-07 22:44:31 INFO connection accepted from 10.42.32.149:60599 2021-07-07 22:44:31 WARNING TCP connection closed from 10.42.32.149:60599: End of file found I tried to google the error, but could not fine anything about it. My config file includes this: <Extension _syslog> Module xm_syslog </Extension> <Input vmwarelogtcp> Module im_tcp Port 2514 Host 0.0.0.0 Exec parse_syslog(); </Input> <Output vmwareout> Module om_file File "/log/SYSLOG_vmwarelog/VMWARELOG_" + $Hostname + ".log" CreateDir TRUE Exec to_syslog_bsd(); </Output> <Route 3> Path vmwarelogtcp => vmwareout </Route> Any ideas? Thank you

Hello, Is it possible to use password hash in config files instead plaintext while connecting to odbc Module om_odbc ConnectionString Driver={ODBC Driver 13 for SQL Server}; Server=MSSQL-HOST; UID=test; PWD=testpass; Database=TESTDB` or windows Module im_msvistalog RemoteUser nxlog RemotePassword nxlogpass1234