Hi. I have a problem that I can't find a solution.

use IM_ File entered some text as follows

[20210816-094441] ID=123  some information1
[20210816-094441] ID=123  some information2
[20210816-094441] ID=124  some information3
[20210816-094441] ID=124  some information4

need to merge events according to the ID field. The expected output is as follows. I find some data and try to use PM_ Evcorr, but the community version lacks get_ prev_ event_ data()

[20210816-094441] ID=123  some information1 some information2
[20210816-094441] ID=124  some information3 some information4

Environment: VMware vSphere 6.7 running a VM with Windows 2019 Datacenter + Docker Enterprise version 20.10.6 Windows detects Intel Xeon Silver 4414 CPU.

Tried command: docker-compose up -d Results: Pulling db (mysql:5.5)... 5.5: Pulling from library/mysql ERROR: no matching manifest for windows/amd64 10.0.17763 in the manifest list entries

What can I do to get the NXLog Docker image loaded?

Hello folks:

I downloaded the latest msi file for the CE edition and used it on Azure Intune to deploy as a "Line of Business Application". Unfortunately, the status for the app deployment remains as "Waiting for install status" on the intune portal.

So I decided the test the powershell install on my Win10 laptop using the following command on powershell with elevated privileges:

msiexec.exe /i .\nxlog-ce-2.11.2190.msi /quiet /l*v "C:\NXLogCE-Install.log"

I am not having any luck on my laptop either. I basically see the following:

=== Verbose logging started: 8/23/2021 15:53:19 Build type: SHIP UNICODE 5.00.10011.00 Calling process: C:\Windows\system32\msiexec.exe ===
MSI (c) (E4:B4) [15:53:19:924]: Resetting cached policy values
MSI (c) (E4:B4) [15:53:19:924]: Machine policy value 'Debug' is 0
MSI (c) (E4:B4) [15:53:19:924]: ******* RunEngine:
******* Product: .\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (c) (E4:B4) [15:53:19:924]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (E4:B4) [15:53:19:924]: Grabbed execution mutex.
MSI (c) (E4:B4) [15:53:19:930]: Cloaking enabled.
MSI (c) (E4:B4) [15:53:19:930]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (E4:B4) [15:53:19:931]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:934]: Running installation inside multi-package transaction C:\Users\palezvar\Desktop\.\nxlog-ce-2.11.2190.msi
MSI (s) (24:4C) [15:53:19:934]: Grabbed execution mutex.
MSI (s) (24:2C) [15:53:19:935]: Resetting cached policy values
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'Debug' is 0
MSI (s) (24:2C) [15:53:19:935]: ******* RunEngine:
******* Product: C:\Users\palezvar\Desktop\.\nxlog-ce-2.11.2190.msi
******* Action:
******* CommandLine: **********
MSI (s) (24:2C) [15:53:19:935]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (24:2C) [15:53:19:952]: Note: 1: 2203 2: C:\WINDOWS\Installer\inprogressinstallinfo.ipi 3: -2147287038
MSI (s) (24:2C) [15:53:19:952]: SRSetRestorePoint skipped for this transaction.
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (s) (24:2C) [15:53:19:953]: Note: 1: 1324 2: . 3: 1
MSI (s) (24:2C) [15:53:19:953]: MainEngineThread is returning 2
MSI (s) (24:4C) [15:53:19:953]: No System Restore sequence number for this installation.
MSI (s) (24:4C) [15:53:19:954]: User policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Machine policy value 'DisableRollback' is 0
MSI (s) (24:4C) [15:53:19:954]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (24:4C) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:954]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (E4:B4) [15:53:19:955]: MainEngineThread is returning 2
=== Verbose logging stopped: 8/23/2021 15:53:19 ===

What am I doing wrong?

Thanks,

Hello,

We have two Windows servers we are using NxLog agent to forward windows events to a log collection platform.

The servers have two NICs and we are getting the wrong NIC IP address in the messages forwarded by NxLog

The agent version is 4.6.4640

The server is Windows 2016 standard server

Here is the output module from the template applied

<module>om_udp</module> <config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <type>OUTPUT</type> <verbatim>Exec $Hostname = string(host_ip()); Exec to_syslog_snare(); </verbatim> <connect-address>SERVERIP</connect-address> <port>514</port> <output-format>Dgram</output-format> </config>

Hi,

Please help me with the solution of the below issue that I am facing while doing the configuration of oracle on windows server with nxlog. I have used below nxlog conf file to fetch Oracle event logs:

This is a sample configuration file. See the nxlog reference manual about the

configuration options. It should be installed locally and is also available

online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

Please set the ROOT to the folder your nxlog was installed into,

otherwise it will not start.

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension syslog> Module xm_syslog </Extension>

<Input in_Oracle> Module im_file File 'D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace' SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); </Input>

<Output out_Oracle> Module om_udp Host CCE-IP Port 514 Exec $SyslogFacilityValue = 2; Exec $SourceName = 'oracle_logs'; Exec to_syslog_bsd();

</Output>

<Route 1> Path in_Oracle => out_Oracle </Route>

Below is the patch where Oracle events are storing and I have put the same path in conf file as well: D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace

When I have restarted the nxlog services, I found below error in data folder: 2021-08-12 15:14:02 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied. 2021-08-12 15:14:06 ERROR last message repeated 2 times 2021-08-12 15:14:10 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.
2021-08-12 15:14:18 ERROR failed to open D:\app\Administrator\diag\rdbms\svxlive\svxlive2\trace; Access is denied.

Can you please let me know why its showing access denied and how I can resolve this?

Thanks, Priyanka

We use NXlog on Windows server to send audit logs from MariaDB to a syslog server. On certain messages I execute a powershell script with exec_async. We discoverred that the powershell.exe subprocesses is not closed correctly which leads to excessive memory use which can be seen by using RamMap and then the Page Table value. In the processes tab a lot of powershell.exe's can be seen with 4KB memory use. With Process Explorer I can see a large number of Handles in the NXlog.exe process. A restart of the nxlog service temporary resolves the issue by cleaning up the (zombie?) powershell.exe processes. I could reproduce the issue with a very simple powershell script with only 1 line: "exit". When I run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NonInteractive -File C:\temp\test.ps1" from a cmd.exe it exits normally and the powershell.exe subprocess doesn't stay visible in RamMap. Could this be a bug? Or should I call powershell.exe differently? Excerpt of my config: define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data Module xm_exec ..... Module pm_null # Discard messages with 'keepalive' if( $auditlog_object == "SELECT 0 FROM DUAL" ) exec_async("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "ByPass", "-NonInteractive", "-File", "C:\\temp\\test.ps1"); if( $auditlog_object == "SELECT 0 FROM DUAL" ) drop(); .... Module im_file File 'C:\mariadb\data\server_audit.log' PollInterval 1 SavePos True ReadFromLast True Recursive False RenameCheck False Exec $FileName = file_name(); # Send file name with each message Module om_udp Host x.x.x.x Port 12201 OutputType GELF Exec $short_message = $raw_event; # Avoids truncation of the short_message field. Exec $Hostname = hostname_fqdn(); Path mariadb_audit_file => preprocess => extract_fields => discard_messages => whitelist_queries => output_graylog

I'm trying to set up nxlog on a windows host and break out configuration files for specific applications. I followed the example in the documentation ( https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_general_include ) but when I include a wildcard character, the nxlog service fails to start with the following error in the log file:

nxlog failed to start: Invalid 'include' directive at c:\Program Files (x86)\nxlog\conf\nxlog.conf:19 Failed to open config file C:\Program Files (x86)\nxlog\conf\nxlog.d*.conf The filename, directory name, or volume label syntax is incorrect.

The nxlog.d sub-directory exists and I have an application-specific config file there. If I specify the filename explicitly, the nxlog service starts. I'd like to use the wildcard in the main nxlog.conf file so I can scale this to multiple servers with different apps.

Say I have the following nxlog.conf file:

<Input lc1> Module im_file File "/var/log/messages" </Input>

<Input lc2> Module im_file File "/var/log/mything.txt" </Input>

<Output fileout> Module om_file Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error"); Exec to_syslog_bsd(); File "/var/log/logmsg2.txt" </Output>

<Route lcroute1> Path lc1 => fileout </Route>

<Route lcroute2> Path lc2 => fileout </Route>

Is there a way to just turn off the harvesting of Ic2 or the lcroute2 without having to modify or manually change the nxlog.conf file? Basically for this example nxlog.conf file have fine-grained adjustment/control of the logs if someone decides they want to turn off a log getting routed to the output file.

Thank you!

Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the IIS logs either. I attach the implemented configuration file:

Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d

Note that these two lines define constants only; the log file location

is ultimately set by the LogFile directive (see below). The

MYLOGFILE define is also used to rotate the log file automatically

(see the _fileop block).

define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log

If you are not using NXLog Manager, disable the include line

and enable LogLevel and LogFile.

#include %CONFDIR%*.conf

LogLevel INFO LogFile %MYLOGFILE%

<Extension gelf> Module xm_gelf </Extension>

<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>

<Extension _json> Module xm_json </Extension>

<Extension syslog> Module xm_syslog </Extension>

This block rotates %MYLOGFILE% on a schedule. Note that if LogFile

is changed in managed.conf via NXLog Manager, rotation of the new

file should also be configured there.

<Extension _fileop> Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    <Exec>
        if ( file_exists('%MYLOGFILE%') and
             (file_size('%MYLOGFILE%') >= 5M) )
        {
             file_cycle('%MYLOGFILE%', 8);
        }
    </Exec>
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>

</Extension>

<Input eventlog> Module im_msvistalog Query <QueryList>
<Query Id="0">
<Select Path="System"></Select>
<Select Path="Security"></Select>
<Select Path="Microsoft-IIS-Logging/Logs">*</Select>
</Query>
</QueryList> </Input>

<Input iis_w3c> Module im_file File "X:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log" SavePos TRUE InputType LineBased

Exec		if $raw_event =~ /^#/ drop(); \
            else \
            { \
                w3c_parser->parse_csv(); \
				$EventTime = parsedate($date + " " + $time); \
				$EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
				$SourceName = "IIS"; \
				$SiteName   = "Test"; \
				$Message = to_json(); \
            }

</Input>

<Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP Exec to_syslog_bsd();

Exec log_info("sending data: " + $raw_event);

</Output>

<Route eventlog_to_udp_win> Path eventlog => udp </Route>

<Route iis_w3c_to_udp_iis> Path iis_w3c => udp </Route>

Hi, I am doing a test with the agent nxlog EE v.5.3.6735_windows_x64 and after the installation of the agent on the server I stopped receiving the windows audit logs (im_msvistalog module) that I was receiving regularly with the version of nxlog CE v.2.10.2150 and I am not getting the SQL logs either. I attach the implemented configuration files:

nxlog.con (nxlog EE v.5.3.6735):

Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d

Note that these two lines define constants only; the log file location

is ultimately set by the LogFile directive (see below). The

MYLOGFILE define is also used to rotate the log file automatically

(see the _fileop block).

define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log

If you are not using NXLog Manager, disable the include line

and enable LogLevel and LogFile.

include %CONFDIR%*.conf

#LogLevel INFO #LogFile %MYLOGFILE%

<Extension gelf> Module xm_gelf </Extension>

<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>

This block rotates %MYLOGFILE% on a schedule. Note that if LogFile

is changed in managed.conf via NXLog Manager, rotation of the new

file should also be configured there.

<Extension _fileop> Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    <Exec>
        if ( file_exists('%MYLOGFILE%') and
             (file_size('%MYLOGFILE%') >= 5M) )
        {
             file_cycle('%MYLOGFILE%', 8);
        }
    </Exec>
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>

</Extension>

<Input eventlog> Module im_msvistalog </Input>

<Input eventlogSQL> Module im_odbc ConnectionString Driver={ODBC Driver 17 for SQL Server}; Server=<server_name>;
Trusted_Connection=yes; DATABASE=MASTER; PollInterval 5 IdType timestamp SQL SELECT event_time AS 'id', f., a.name AS action_name
FROM fn_get_audit_file('X:\SQLDATA\Log\logfiles\Audit-.sqlaudit', default,
default) AS f
INNER JOIN sys.dm_audit_actions AS a
ON f.action_id = a.action_id
WHERE event_time > ? <Exec> delete($id); rename_field($event_time, $EventTime); </Exec> </Input>

<Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output>

<Output udpSQL> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output>

<Route eventlog_to_udp> Path eventlog => udp </Route>

<Route eventlog_to_udpSQL> Path eventlogSQL => udpSQL </Route>

nxlog.con (nxlog CEv.2.10.2150):

Panic Soft #NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE%

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data

<Extension gelf> Module xm_gelf </Extension>

<Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension>

<Extension _fileop> Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    Exec    if (file_exists('%LOGFILE%') and \
               (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>

</Extension>

<Input eventlog> Module im_msvistalog </Input>

<Output udp> Module om_udp Host XXX.XXX.XXX.XXX --> my_graylog_server Port XXXX --> port OutputType GELF_UDP </Output>

<Route eventlog_to_udp> Path eventlog => udp </Route>

I want to use pattern matching on different streams, and have different patterndb xml file, like this ...

Filter for system logs

<Processor client_filter> Module pm_pattern PatternFile /data/conf/patterndb.xml </Processor>

Filter for SEQ

<Processor seq_filter> Module pm_pattern PatternFile /data/conf/seq_pattern.xml </Processor>

#Filter for RDS <Processor rds_filter> Module pm_pattern PatternFile /data/conf/rds_pattern.xml </Processor>

and call them like this...

<Route route2001> Path client2001 => client_filter => client_to_sumo,judo-sumo-uat,client_master </Route>

<Route route2002> Path client2002 => seq_filter => client_to_sumo,judo-sumo-uat,client_master </Route>

etc...

Is that possible? It doesn't seem to be working as I hoped.

Hello

I have tried this link below, still struggling... https://nxlog.co/documentation/nxlog-user-guide/ref-config.html#config_global_dateformat

How to get following following Timestamp ? RFC 5424 Heure locale : 2021-05-21T03:05:03.001+02:00 RFC 5424 UTC : 2021-05-21T01:05:03.001Z

Thanks in advance for your help.

Hi,

I have installed nxlog inside the Virtual Machine in vCenter whenever i am starting nxlog service then by default it's try to connect one particular IP which is gate way of vCenter and then connection gets failed so changed IP address to Virtual Machine IP from config.d file but still connection gets failed but whenever performing query from nxlog then it successfully send event logs to Splunk. Can you please help me here to understand the issue. I am doing POC(Prof of Concept) on NXlog for philips products.

2021-07-29 22:58:32 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-29 22:58:32 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-29 22:58:32 INFO [om_tcp|out] connecting to 10.232.44.92:1524 2021-07-29 22:58:32 INFO [om_tcp|out] successfully connected to 10.232.44.92:1524 2021-07-29 22:58:33 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
2021-07-29 22:58:33 INFO [xm_admin|agent_managment] reconnecting in 1 sec 2021-07-29 22:58:34 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-29 22:58:35 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
2021-07-29 22:58:35 INFO [xm_admin|agent_managment] reconnecting in 2 sec

Hi, I am doing POC on NXlog for Philips product and when i am extracting eventlogs only for security by using im_msvistalog module then it's successfully extracting logs & sending to splunk server but when i am putting filter by referring https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html where i have used ExtendedWindowsToCollect in Input tag then facing multiple error like unused modules, couldn't parse to Exec. Please see the below details of conf & log files. Please help me here if config file is required any changes. Note: Defined Event IDs are just an example since i have big list to be added in config file.

config file Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d

Note that these two lines define constants only; the log file location

is ultimately set by the LogFile directive (see below). The

MYLOGFILE define is also used to rotate the log file automatically

(see the _fileop block).

define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log

If you are not using NXLog Manager, disable the include line

and enable LogLevel and LogFile.

include %CONFDIR%*.conf

#LogLevel INFO #LogFile %MYLOGFILE%

Define security IDs

define Security 4634, 4647, 4648, 4656, 4661, 4662, 4672, 4688,
4689, 4704, 4705, 4706, 4707, 4713, 4716, 4717, \ 4718, 4719, 4720, 4722, 4723, 4724, 4725, 4726,
4727, 4728, 4729, 4730

<Extension _syslog>

Module      xm_syslog

</Extension>

<Extension _json>

Module      xm_json

</Extension>

<Input ExtendedWindowsToCollect>

Module               im_msvistalog
TolerateQueryErrors  TRUE
<QueryXML>
    <QueryList>
         <Query Id='0'>
             <Select Path ='Security'>*</Select>

</Query> </QueryList> </QueryXML> <Exec> if ($EventID NOT IN (%Security%) drop(); </Exec> </Input>

<Output TCP>

Module      om_tcp
Host        10.232.44.92
Port        1524
Exec        to_json();

</Output> <Route Out>

Path        ExtendedWindowsToCollect = TCP

</Route>

This block rotates %MYLOGFILE% on a schedule. Note that if LogFile

is changed in managed.conf via NXLog Manager, rotation of the new

file should also be configured there.

<Extension _fileop> Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
    Every   1 hour
    <Exec>
        if ( file_exists('%MYLOGFILE%') and
             (file_size('%MYLOGFILE%') >= 5M) )
        {
             file_cycle('%MYLOGFILE%', 8);
        }
    </Exec>
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
    When    @weekly
    Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>

</Extension>

config log file 2021-07-30 00:02:23 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module TCP 2021-07-30 00:02:23 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' is already defined at C:\Program Files\nxlog\conf\nxlog.conf:63 2021-07-30 00:03:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:03:53 WARNING [CORE|main] no functional input modules! 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 ERROR [CORE|main] module 'ExtendedWindowsToCollect' has configuration errors, not adding to route 'Out' at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 ERROR [CORE|main] route Out is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:03:53 INFO [CORE|main] nxlog-5.3.6735-trial started 2021-07-30 00:03:53 WARNING [CORE|main] not starting unused module ExtendedWindowsToCollect 2021-07-30 00:03:53 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-30 00:03:54 ERROR [xm_admin|agent_managment] couldn't connect to 10.232.44.1:4041; No connection could be made because the target machine actively refused it.
2021-07-30 00:03:54 INFO [xm_admin|agent_managment] reconnecting in 1 sec 2021-07-30 00:03:55 INFO [xm_admin|agent_managment] connecting to 10.232.44.1:4041 2021-07-30 00:23:22 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:23:22 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:23:22 WARNING [CORE|main] no functional input modules! 2021-07-30 00:23:22 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:23:22 ERROR [CORE|main] exiting... 2021-07-30 00:24:27 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:55; couldn't parse statement at line 56, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:24:27 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:24:27 WARNING [CORE|main] no functional input modules! 2021-07-30 00:24:27 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:71 2021-07-30 00:24:27 ERROR [CORE|main] exiting... 2021-07-30 00:25:32 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:25:32 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:25:32 WARNING [CORE|main] no functional input modules! 2021-07-30 00:25:32 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:25:32 ERROR [CORE|main] exiting... 2021-07-30 00:25:43 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:25:43 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:25:43 WARNING [CORE|main] no functional input modules! 2021-07-30 00:25:43 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:25:43 ERROR [CORE|main] exiting... 2021-07-30 00:26:36 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:26:36 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:26:36 WARNING [CORE|main] no functional input modules! 2021-07-30 00:26:36 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:26:36 ERROR [CORE|main] exiting... 2021-07-30 00:27:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:02 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:02 ERROR [CORE|main] exiting... 2021-07-30 00:27:40 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:40 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:40 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:40 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:40 ERROR [CORE|main] exiting... 2021-07-30 00:27:53 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:27:53 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:27:53 WARNING [CORE|main] no functional input modules! 2021-07-30 00:27:53 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:27:53 ERROR [CORE|main] exiting... 2021-07-30 00:28:07 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:07 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:07 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:07 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:07 ERROR [CORE|main] exiting... 2021-07-30 00:28:46 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:46 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:46 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:46 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:46 ERROR [CORE|main] exiting... 2021-07-30 00:28:58 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:28:58 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:28:58 WARNING [CORE|main] no functional input modules! 2021-07-30 00:28:58 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:28:58 ERROR [CORE|main] exiting... 2021-07-30 00:29:13 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:29:13 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:29:13 WARNING [CORE|main] no functional input modules! 2021-07-30 00:29:13 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:13 ERROR [CORE|main] exiting... 2021-07-30 00:29:50 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:29:50 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:29:50 WARNING [CORE|main] no functional input modules! 2021-07-30 00:29:50 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:29:50 ERROR [CORE|main] exiting... 2021-07-30 00:30:02 ERROR [im_msvistalog|ExtendedWindowsToCollect] Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:54; couldn't parse statement at line 55, character 143 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '' (0x5c) 2021-07-30 00:30:02 WARNING [om_tcp|TCP] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version 2021-07-30 00:30:02 WARNING [CORE|main] no functional input modules! 2021-07-30 00:30:02 ERROR [CORE|main] invalid path at C:\Program Files\nxlog\conf\nxlog.conf:70 2021-07-30 00:30:02 ERROR [CORE|main] exiting...

Hello

We have the NXLog Enterprise Edition.

1. How to include milliseconds in Timestamps of NXLog? Eg: yyyy-mm-dd ... ss-mm + 2.00

2. Reconnecting cable after removing it loses log output.
   How to fix the such failover issue with NXLOG?

Thanks for your attentions.

Hello, I have a question regarding the xm_json module of nxlog-ce v2.10. I am sending windows logs to out syslog server and using json message with a BSD header like so: ``` Module im_msvistalog * * * $SyslogFacilityValue = syslog_facility_value("local1"); Module om_udp Host 10.10.231.62 port 514 $Hostname = string(host_ip()); $Keywords = string($Keywords); $Message = to_json(); $Message =~ s/}$/,"field":"value"}\n/g; $Message =~ s/\\[r|n|t]/ /g; $Message =~ s/\s{2,}/ /g; to_syslog_bsd(); ``` So on output I convert the message to json, then add an extra field to the end of it, then remove the \t, \r, \n characters in the message and finally cleanup the extra whitespaces left by the previous substitution. This has a side-effect of modifying any string that contain the \t, \t or \n character in it, typically the **"A user DOMAIN\ruser1"** string will be changed to **"A user DOMAIN\ user1"** (space after backslash) mangling the json string in the process. So to prevent this, I changed the output to the following: ``` Module om_udp Host 10.10.231.62 port 514 $Hostname = string(host_ip()); $Keywords = string($Keywords); $Message = replace($Message, "\r", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\t", " "); $Message = to_json(); $Message =~ s/}$/,"field":"value"}\n/g; $Message =~ s/\\r\\n\\t\\t\\t/ /g; $Message =~ s/\s{2,}/ /g; # $Message =~ s/\\[r|n|t]/ /g; to_syslog_bsd(); ``` This time doing the substitutions before converting to json. Using this configuration when the `to_json();` is executed I see on **eventID 4672** that the **privilegelist** field is populated along with a **\r\n\t\t\t** sequence. I would have though that the replace actions would have gotten rid of those, is this an expected behavior or am I doing this the wrong way? For the moment I added `$Message =~ s/\\r\\n\\t\\t\\t/ /g;` to get rid of this specific sequence but how can I be sure that other messages are not affected with another sequence of tabulations and carriage return ? Thanks for your time. Vincent

Hello, I just setup the NXLog to work with Graylog to process CSV file (converted from some java.utils.logging logs (WebSphere and FileNet). It's a lab environment (docker) to test and evaluate the tools.

The solution is woking ok so far but while I am feeding the csv file I am getting errors for some of the lines.

I started the nxlog container by mapping a volume for the csv (input) file like: logs_filenet.csv:/var/log/filenet/logs.csv. I am echoing lines ou cating files and directing it's output to logs_filenet.csv file on the docker host.

Below is my nxlog.conf:

===================================================================================================
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/docs

########################################
# Global directives #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules #
########################################
<Extension gelf>
Module xm_gelf
</Extension>

<Extension csv>
Module xm_csv
Fields $fn_source, $fn_event_date, $fn_event_time, $fn_thread, $fn_sub, $fn_error_code, $fn_event_type, $fn_full_message
Delimiter ;
</Extension>

<Input file>
Module im_file
File "/var/log/filenet/logs.csv"
<Exec>
csv->parse_csv();
</Exec>
</Input>

<Output tcp>
Module om_tcp
Host 172.17.0.4
Port 12201
OutputType GELF_TCP
</Output>

########################################
# Routes #
########################################
<Route csv_to_gelf>
Path file => tcp
</Route>
===================================================================================================

And this is the errors I am getting from the nxlog.log:

===================================================================================================
2021-07-22 00:15:36 WARNING already running as gid 998
2021-07-22 00:15:36 WARNING already running as uid 999
2021-07-22 00:55:08 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-19;21:00:42;752A06AC;ENG;FNRCE0043E;ERROR;"2021-07-19 21:00:42 752A06AC ENG FNRCE0043E - ERROR method name: checkNameCollision principal name: XXXXXXX Global Transaction: true User Transaction: false Exception Info: A uniqueness requirement has been violated. The value for property FolderName of class someClass is nfcm:server;2021-07-19;21:00:42;752A06AC;ENG;FNRCE0043E;ERROR;"2021-07-19 21:00:42 752A06AC ENG FNRCE0043E - ERROR method name: checkNameCollision principal name: XXXXXXX Global Transaction: true User Transaction: false Exception Info: A uniqueness requirement has been violated. The value for property FolderName of class someClass is not unique."'
2021-07-22 02:22:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:08:27;EC70023B;ENG;FNRCR0080E;ERROR;"2021-07-20 09:08:27 EC70023B ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
2021-07-22 02:22:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:08:44;6F09F23D;ENG;FNRCR0080E;ERROR;"2021-07-20 09:08:44 6F09F23D ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
2021-07-22 02:24:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:19:14;44DA04B6;ENG;FNRCR0080E;ERROR;"2021-07-20 09:19:14 44DA04B6 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
2021-07-22 02:24:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:26:38;C38C4FD0;ENG;FNRCR0080E;ERROR;"2021-07-20 09:26:38 C38C4FD0 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
2021-07-22 02:30:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:20:29;6447AF17;ENG;FNRCR0080E;ERROR;"2021-07-20 10:20:29 6447AF17 ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
2021-07-22 02:34:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:54:12;62F887F6;ENG;FNRCE0066E;ERROR;"2021-07-20 10:54:12 62F887F6 ENG FNRCE0066E - ERROR method name: executeSearch principal name: I362279 Global Transaction: false User Transaction: false Exception Info: An unexpected exception occurred. Message was: For input string: "35997028887""'
2021-07-22 02:34:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;10:55:08;D36E314A;ENG;FNRCR0080E;ERROR;"2021-07-20 10:55:08 D36E314A ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
2021-07-22 02:48:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-06-02;23:40:45;CMR1.ICM35BF;PESecondary2;PESecondary2;Error;"2021-06-02 23:40:45 CMR1.ICM35BF PESecondary2 DB=SOME_DB Reg#1 [Error] FNRPE2131090436E CMQueueInfo:getServerConfigEntries caught unexpected exception when get farm config; Exception: Assertion failed in file "DbTransaction.java", method "PushTransaction", line 245. "'
2021-07-22 02:48:05 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-02;20:25:43;EventExp25B5;PESecondary2;PESecondary2;Error;"2021-07-02 20:25:43 EventExp25B5 PESecondary2 [Error] Exception while attempting to begin processing a store CADB.; Exception: com.filenet.api.exception.EngineRuntimeException: FNRCE0066E: E_UNEXPECTED_EXCEPTION: An unexpected exception occurred. Message was: A communication failure occurred while attempting to obtain an initial context with the provider URL: "corbaloc:rir:/NameServiceServerRoot". Make sure that any bootstrap address information in the URL is correct and that the target name server is running. A bootstrap address with no port specification defaults to port 2809. Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration. errorStack={ "'
2021-07-22 02:54:06 ERROR procedure 'parse_csv' failed at line 32, character 25 in /etc/nxlog.conf. statement execution has been aborted;Invalid CSV input: 'fcm:server;2021-07-20;09:17:20;AC4CFEFB;ENG;FNRCR0080E;ERROR;"2021-07-20 09:17:20 AC4CFEFB ENG FNRCR0080E - ERROR method name: getFolderIdNoError principal name: XXXXXXX Global Transaction: false User Transaction: false Exception Info: The path "Não informado" does not start with the required forward or reverse slash."'
===================================================================================================

I am achieving success on most of the lines on the csv but I am wondering what are the errors above. Any clue on what is the problem or how to troubleshoot it ?

Andre

Can everyone share what script for my testing, what I want to happen is I have a CSV file and I want to send it to my Syslog server?.


This is my config.

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

########################################
# Modules #
########################################
<Extension csv>
Module xm_csv
Fields $LogFilename, $RowNumber, $date, $time, $c-ip, $cs-username, $cs-username, %s-ip, $s-port, $cs-method, $cs-uri-stem, $sc-status, $sc-win32-status, $sc-substatus, $x-session, $x-fullpath
Delimiter ,
</Extension>

<Extension _syslog>
Module xm_syslog
</Extension>

<Input in>
Module im_file
File 'C:/Users/Administrator/Desktop/Test/*.csv'
ReadFromLast FALSE
SavePos FALSE
<Exec>
csv->parse_csv();
to_syslog_ietf();

$EventTime = strptime($Date + " " + $Time, "%m/%d/%Y %H:%M:%S");
</Exec>
</Input>

<Output out>
Module om_udp
Host 192.168.2.192
Port 514
#Exec to_syslog_bsd();
Exec to_syslog_ietf();
</Output>

########################################
# Routes #
########################################
<Route 1>
Path in =>out

</Route>

This is the error that appears. What am I missing here in the script ?.

2021-07-25 19:00:48 WARNING stopping nxlog service
2021-07-25 19:00:49 WARNING nxlog-ce received a termination request signal, exiting...
2021-07-25 19:00:53 INFO nxlog-ce-2.11.2190 started
2021-07-25 19:00:53 WARNING Module in has no input files to read

Hello All.

I am new to the forum as well as Linux and NXlog. (triple issue I know)

I am attempting to install NXLog (nxlog-ce-2.11.2190_rhel8.x86_64.rpm) on a CentOS 8 machine. I am using the NXLog user guide (9. REHL & CentOS) for installing the program. When I run the command to install the rpm package below, I receive the following error message. I have been unsuccessful searching the internet for a resolution so I though I would give the forum a try. I would appreciate any help or tip which might steer me in the right direction.

Thanks in advance, Mark

Problem: conflicting requests

• Nothing provides libdbi >= 0.8.1 needed by nxlog-ce-2.11.2190_rhel8.x86_64

I would like to use Nxlog CE agent to forward logs as snare log to an S3 bucket from Windows and Linux servers. I've read the documentation https://nxlog.co/documentation/nxlog-user-guide/addon-amazon-s3.html. But I'm a bit confused because it is stating that I need to install Boto3. Do I need to install Boto3 on all my servers to be able to forward Windows event log and other logs such as DNS, etc. to S3 using Nxlog CE? Also, does anyone know what ports are needed to let this pass through the firewall?

Thank you so much!