2021-04-25 00:00:00 INFO LogFile C:\Program Files (x86)\nxlog\data\nxlog.log reopened 2021-04-25 00:00:14 ERROR apr_stat failed on file C:\Windows\Sysnative\dhcp\DhcpSrvLog-Sun.log; Access is denied. 2021-04-25 00:00:16 WARNING input file was deleted: C:\Windows\Sysnative\dhcp\DhcpSrvLog-Sun.log 2021-04-26 00:00:45 ERROR apr_stat failed on file C:\Windows\Sysnative\dhcp\DhcpSrvLog-Mon.log; Access is denied. 2021-04-26 00:00:47 WARNING input file was deleted: C:\Windows\Sysnative\dhcp\DhcpSrvLog-Mon.log

Starting our first install and would appreciate a step by step or similar doc.

I am using nxLog CE as log shipper, but I found issue for GELP module with millisecond precision in time stamp. The millisecond precision is not added to timestamp (EventTime as well) When I use gelf extension the millisecond precision is dropped. Basically although I have in log file something like this: <br/>... <br/>2021-04-26T14:28:14.269+00:00 [sync_ldap_trigger.sh] [DEBUG] Get list of users from AD/LDAP successfully (with 1 records) <br/>... <br/> and for parsing I am using REGEX for multi line detection. Doesn't matter if I am using parsing date function parsedate or strptime or nothing just pure $1 <br/>#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = parsedate($1); $script = $2 ; $Severity = $3 ; $Message = $4 ; <br/>#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S.%N%Z'); $script = $2 ; $Severity = $3 ; $Message = $4 ; <br/>Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = $1; $script = $2 ; $Severity = $3 ; $Message = $4 ; <br/> I excluded "buffer" from path to be sure and all parsing are done in im_file section. For sure I am testing it with file output from the same source. But on the tcpdump I still have timestamp without the millisecond precision - which I confirmation form me that this information is lost on shipper site. tcpdump detailed packet output: <br/>CNSCNc@{"version":"1.1","_EventReceivedTime":"2021-04-26 14:32:15","_SourceModuleName":"peosynclog","_SourceModuleType":"im_file","_script":"sync_ldap_trigger.sh","_Severity":"DEBUG","_SyslogSeverityValue":7,"_FileName":"/home/adsync/bin/adsync2amish/log/sync_general.log","_order":"VNB","_environment":"TEST","host":"amishd-test.vnbrno.cz","short_message":"Get list of users from AD/LDAP successfully (with 1 records)","full_message":"Get list of users from AD/LDAP successfully (with 1 records)","timestamp":1619447535,"level":7} <br/> nxlog.conf: <br/>######################################## <br/># Global directives # <br/>######################################## <br/>User nxlog <br/>Group nxlog <br/>LogFile /var/log/nxlog/nxlog.log <br/>LogLevel INFO <br/># PeoSYNC <br/>define PEOSYNCREGEX /^(?<EventTime>\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}.\d{3}\+\d{4})[\ ,\t]*\[(?<Script>[\S,\.,\_]+)\][\ ,\t]*\[(?<Severity>[\S,\-,\ ]+)\][\ ,\t]*(?<Message>[\S,\s]*)/ <br/>define ROOT /var/spool/nxlog <br/>CacheDir %ROOT%/data <br/>SpoolDir %ROOT%/data <br/>######################################## <br/># Modules # <br/>######################################## <br/><Extension multilinepeosync> <br/> Module xm_multiline <br/> HeaderLine %PEOSYNCREGEX% <br/></Extension> <br/><Extension gelf> <br/> Module xm_gelf <br/></Extension> <br/>######################################## <br/># Inputs # <br/>######################################## <br/><Input peosynclog> <br/> Module im_file <br/> File "/home/adsync/bin/engine/log/sync_general.log" <br/> InputType multilinepeosync <br/> SavePos TRUE <br/> #Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = parsedate($1); $script = $2 ; $Severity = $3 ; $Message = $4 ; <br/> #Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S.%N%Z'); $script = $2 ; $Severity = $3 ; $Message = $4 ; <br/> Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = $1; $script = $2 ; $Severity = $3 ; $Message = $4 ; <br/> <Exec> <br/> if $Severity !~ /NEVERUSEDSTRING/ <br/> { <br/> if $Severity =~ /ALERT/ $SyslogSeverityValue = 1; <br/> if $Severity =~ /CRIT/ $SyslogSeverityValue = 2; <br/> if $Severity =~ /ERR/ $SyslogSeverityValue = 3; <br/> if $Severity =~ /WARN/ $SyslogSeverityValue = 4; <br/> if $Severity =~ /NOTICE/ $SyslogSeverityValue = 5; <br/> if $Severity =~ /INFO/ $SyslogSeverityValue = 6; <br/> if $Severity =~ /---/ $SyslogSeverityValue = 6; <br/> if $Severity =~ /SQL/ $SyslogSeverityValue = 7; <br/> if $Severity =~ /DEBUG/ $SyslogSeverityValue = 7; <br/> } else { <br/> # Parsing and dropping all messages which are NEVERUSEDSTRING (or INFO|DEBUG if you want change) severity <br/> drop(); <br/> } <br/> $FileName = file_name(); <br/> $Hostname = 'someserver-dev.loc'; <br/> $order = 'ORDER'; <br/> $environment = 'DEV'; <br/> # if not defined($EventTime) $EventTime = now(); <br/> </Exec> <br/></Input> <br/>######################################## <br/># Outputs # <br/>######################################## <br/><Output graylogtcppeosyncrewrite> <br/> Module om_tcp <br/> Host 127.0.0.1 <br/> Port 20228 <br/> OutputType GELF_TCP <br/></Output> <br/><Output file> <br/> Module om_file <br/> File "/tmp/sync_general.log" <br/></Output> <br/>######################################## <br/># Define Processor Modules # <br/>######################################## <br/><Processor bufferpeosync> <br/> Module pm_buffer <br/> MaxSize 524288 <br/> Type disk <br/> WarnLimit 393216 <br/></Processor> <br/>######################################## <br/># Routes # <br/>######################################## <br/><Route 1> <br/> #Path peosynclog => bufferpeosync => graylogtcppeosyncrewrite <br/> Path peosynclog => graylogtcppeosyncrewrite <br/></Route> <br/><Route 2> <br/> Path peosynclog => file <br/></Route> <br/> Please anyone for help or solution for this issue. Michal BTW: Of course that I tried more format for timestamp as 2021-04-26T14:28:04.240+02:00 or 2021-04-26T14:28:04.240+0200 etc. The format in log is in my hands too.

Design: strict network design with multiple security zones, nxlog client on all Linux servers forward logs to local zone Collector (nxlog listen on 0.0.0.0 port 514), zone collectors forward to single master collectors, master collectors dump all incoming into a dump file for long time storage + forward to a SIEM. This has worked OK for a year, albeit with a few glitches, but recently we have experienced that the Master collectors stop writing to dump file (apparentely at random), yet the nxlog service remains up and running. Fix is to restart the nxlog service. All collectors have defined buffers - could there something wrong with that part of the setup? All suggestions are welcome :)

Can we relocate the directory structure to our preferred folder while configuring nxlog like below /opt ---> /<ouruser>/opt What are the changes we need to do if we want to do that ? I changed the /<ouruser>/nxlog/etc/init file to point to new folder ALSO nxlog.conf --- path also . but Got error as "Could not load program <ouruser>/nxlog/bin/nxlog : Dependent module libnx.so could not be loaded "

I'm trying to figure out a good way of only forwarding along events of significance and to filter out the rest - but without having hundreds of lines of XPath queries in nxlog.conf file. I understand that multiple blocks are AND'd together and that 'type' may only be "exact or regexp", but there doesn't appear to be any negation logic (e.g. NOT item or OR item). Is the 'pm_pattern' module the best approach for trying to accomplish this? Can pattern matches in the patterndb.xml file be defined to drop matching messages? Would a viable approach be to define capture groups to set a variable, then just have something like 'Exec if defined $unwantedMatch { drop();}? XPath Query: <Suppress Path="Security"> *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)]] and *[EventData[ ( (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') or Data[@Name='TargetUserName']='ANONYMOUS LOGON' or Data[@Name='TargetUserSID']='S-1-5-18' )]] </Suppress> patterndb.xml attempt: 7 Suppress Service Logons EventID regexp 4624|4625|4634 Level regexp 0|4 if ( $LogonType =~ /0|5/ or $TargetUserName == 'ANONYMOUS LOGON' or $TargetUserSID == 'S-1-5-18' ) drop(); XPath Query: *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4624]] and *[EventData[Data[@Name='LogonType']='3']] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']] and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']] and *[EventData[Data[@Name='TargetDomainName']!='TEST']] patterndb.xml attempt: 2 Pass the Hash Success Detection EventID exact 4624 Severity exact INFO LogonType exact 3 AuthenticationPackageName exact NTLM TargetUserName regexp (?!ANONYMOUS LOGON) TargetDomainName regexp (?!TEST) $PatternID=2; Thank you for any wisdom/assisstance.

Hello! I'd like to log syslog messages received via broadcast on UPD:514. In the logger PC there are multiple NICs, but I'm interested only to syslog messages received from these local interfaces: 10.200.255.254 and 127.0.0.1. I've tried with the configuration posted below, but it doesn't always work (especially at system boot) because of the following error by the NXLog Windows Service. ERROR failed to start im_udp; couldn't bind udp socket to 10.200.255.254:514; The requested address is not valid in its context. This is my actual configuration ... define LOGS_FILE ... ... <Extension _syslog> Module xm_syslog </Extension> <Extension _exec> Module xm_exec </Extension> <Input udp_lan> Module im_udp Host 10.200.255.254 Port 514 Exec parse_syslog(); </Input> <Input udp_host> Module im_udp Host 127.0.0.1 Port 514 Exec parse_syslog(); </Input> <Output file_syslog> Module om_file CreateDir TRUE Sync TRUE File '%LOGS_FILE%' </Output> <Route udp_to_file> Path udp_lan, udp_host => file_syslog </Route> The NIC has a static IP address, but I'm not sure it is already up when the nxlog service is executed at system boot by Windows. How can I perform this sort of filtering without using the firewall? I know I can listen to anything and drop() received messages with an Exec statement, but I don't know which variable to use (e.g. like $MessageSourceAddress) to specify the interface the message was received by. I was thinking to something like that: <Input udp_lan_host> Module im_udp Host 0.0.0.0 # <--- accept all Port 514 <Exec> if $??? != "10.200.255.254" and $??? != "127.0.0.1" drop(); # <--- which variable here? parse_syslog(); </Exec> </Input> Thanks, Giorgio

Setup according to documentation here: vCenter CLI installed The issue I'm having isn't so much with NXLog, but rather the .pl script in the documentation. When attempting to run the script: c:\ perl vcenter.pl -s=x.x.x.x -u=ServiceAccount -p=password I receive the following: `{"EventTime":"2021-04-15T19:40:39","Message":"Server version unavailable at 'https://x.x.x.x:443/sdk/vimService.wsdl' at C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/lib/VMware/VICommon.pm line 551. ","UserName":"ServiceAccount"} {"EventTime":"2021-04-15T19:40:39","Message":"Vim::get_service_content called, but no global session is defined at vcenter.pl line 87 ","UserName":"ServiceAccount"}` I can confirm these credentials were working before, as I used to have an Arcsight Smart Connector pulling these logs. Any insight that can be provided would be greatly appreciated. Thanks in advance!

Hi I'm trying to get nxlog ee running with Microsoft Sentinel still get the error 2021-04-14 19:02:04 INFO [om_http|AzureHTTP] connecting to xxxxxxxx.ods.opinsights.azure.com(xx.xx.xx.xx):443 2021-04-14 19:02:04 ERROR [om_http|AzureHTTP] SSL error, failed to load ca cert from 'C:\Program Files\nxlog\cert\test.crt', reason: no certificate or crl found 2021-04-14 19:02:04 INFO [om_http|AzureHTTP] reconnecting in 4 sec Forwarding to Sentinel Logspace is not working. What's wrong ? Johannes Panic Soft define INSTALLDIR C:\Program Files\nxlog #ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d define WORKSPACE xxxxxxxxxxxxxxxxxxxx define SHAREDKEY xxxxxxxxxxxxxxxxxxxx define SUBDOMAIN ods.opinsights.azure.com define RESOURCE api/logs define APIVER api-version=2016-04-01 define SIZELIMIT 65000 Note that these two lines define constants only; the log file location is ultimately set by the LogFile directive (see below). The MYLOGFILE define is also used to rotate the log file automatically (see the _fileop block). define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log If you are not using NXLog Manager, disable the include line and enable LogLevel and LogFile. include %CONFDIR%*.conf #LogLevel INFO #LogFile %MYLOGFILE% <Extension _json> Module xm_json </Extension> <Input VAT_Eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="ForwardedEvents"> *[System[Level=0 and (EventID=4624 or EventID=4647)]] </Select> </Query> </QueryList> </QueryXML> RemoteServer xxx RemoteUser xxx RemoteDomain hq RemotePassword xxx </Input> <Extension plxm> Module xm_perl PerlCode %INSTALLDIR%\modules\extension\perl\sentinelauth.pl </Extension> <Output AzureHTTP> Module om_http URL https://%WORKSPACE%.%SUBDOMAIN%/%RESOURCE%?%APIVER% ContentType application/json HTTPSAllowUntrusted TRUE HTTPSCAFile %INSTALLDIR%\cert\test.crt <Exec> create_stat('ec', 'COUNT'); create_stat('bc', 'COUNT'); create_var('batch'); create_var('nextbatch'); add_stat('ec',1); #---BEGIN--- the enrichment of this event with any new fields: $BatchNumber = get_stat('bc'); $EventNumber = get_stat('ec'); to_json(); #---END--- the enrichment of this event if (size(get_var('batch')) + size($raw_event) + 3) &gt; %SIZELIMIT% # Flush this batch of events { set_var('nextbatch', $raw_event); $raw_event = '[' + get_var('batch') + ']'; add_stat('bc',1); set_var('batch',get_var('nextbatch')); $Workspace = &quot;%WORKSPACE%&quot;; $SharedKey = &quot;%SHAREDKEY%&quot;; $ContentLength = string(size($raw_event)); $dts = strftime(now(),'YYYY-MM-DDThh:mm:ssUTC'); $dts_no_tz = replace($dts,'Z',''); $parsedate_utc_false = parsedate($dts_no_tz,FALSE); $x_ms_date = strftime($parsedate_utc_false, '%a, %d %b %Y %T GMT'); plxm-&gt;call(&quot;genauth&quot;); add_http_header('Authorization',$authorization); add_http_header('Log-Type',$SourceModuleName); add_http_header('x-ms-date',$x_ms_date); } else { $delimiter = get_stat('ec') == 1 ? '' : &quot;,\n&quot;; set_var('batch', get_var('batch') + $delimiter + $raw_event); drop(); } &lt;/Exec&gt; </Output> #<Output TempFile> Module om_file File 'C:\Program Files\nxlog\data\dnsetw.json' #</Output> <Route DnsRoute1> Path VAT_Eventlog => AzureHTTP </Route>

Hi, I am trying to test/deploy the "Extended configuration example of security-focused event IDs to monitor" NXlog configuration for Windows events, as per the article/NXlog conf file example here: https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html (Example 543). I am using NXLog CE (latest version) on Windows 2012R2. Here's the NXlog.conf I have, using the above conf example and added to the usual NXLog conf needs: # NXLog.conf define ROOT C:\Program Files (x86)\nxlog define OUTPUT_DESTINATION_ADDRESS <REDACT IP> define OUTPUT_DESTINATION_PORT 514 # define Account Usage Events define AccountUsage 4740, 4648, 4781, 4733, 1518, 4776, 5376, 5377, \ 4625, 300, 4634, 4672, 4720, 4722, 4782, 4793, \ 4731, 4735, 4766, 4765, 4624, 1511, 4726, 4725, \ 4767, 4728, 4732, 4756, 4704 # define Application Crash Events define AppCrashes 1000, 1002, 1001 # define Application Whitelisting Events define AppWhitelisting 8023, 8020, 8002, 8003, 8004, 8006, 8007, 4688, \ 4689, 8005, 865, 866, 867, 868, 882 # define Boot Events define BootEvents 13, 12 # define Certificate Services Events define CertServices 95, 4886, 4890, 4874, 4873, 4870, 4887, 4885, \ 4899, 4896, 1006, 1004, 1007, 1003, 1001, 1002 # define Clearing Event Logs Events define ClearingLogs 1100, 104, 1102 # define DNS and Directory Services Events define DNSDirectoryServ 5137, 5141, 5136, 5139, 5138, 3008, 3020 # define External Media Detection events define ExtMedia 400, 410 # define Group Policy Error Events define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129 # define Kernel Driver Signing Events define KernelDriver 3001, 3002, 3003, 3004, 3010, 3023, 5038, \ 6281, 219 # define Microsoft Cryptography API Events define MSFTCryptoAPI 11, 70, 90 # define Mobile Device Activities define MobileDeviceEvents 10000, 10001 # define Network Host Activities define NetworkHost 4714, 4713, 4769, 6273, 6275, 6274, 6272, \ 6278, 6277, 6279, 6276, 6280, 5140, 5145, \ 5142, 5144, 4706, 1024, 4897, 4719, 4716, \ 4779, 4778, 5632 # define PassTheHash Detection Events define PassTheHash 4624, 4625 # define PowerShell Activities define PowerShell 800, 169, 4103, 4104, 4105, 4106 # define Printing Services Events define PrintingServices 307 # define Logon Events define LogonEvents 4624, 4634 # define Software Service Installation Events define Installation 903, 904, 6, 1022, 1033, 7045, 907, 908, 7000, \ 800, 2, 905, 906, 19 # define System Integrity Events define SystemIntegrity 4657, 1, 4616 # define System or Service Failure Events define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034 # define Task Scheduler Activities define TaskScheduler 106, 141, 142, 200 # define Windows Defender Activities define WinDefender 1008, 1006, 1116, 1010, 2003, 2001, 1009, 1118, \ 1119, 1007, 1117, 3002, 2004, 1005, 5008 # define Windows Firewall Events define WinFirewall 2009, 2004, 2005, 2006, 2033 # define Windows Update Error Events define WinUpdateError 1009, 20, 24, 25, 31, 34, 35 Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input internal> Module im_internal </Input> <Input extendedeventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Application">*</Select> <Select Path="Security">*</Select> <Select Path="System">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Inventory">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Program-Telemetry">*</Select> <Select Path="Microsoft-Windows-Application-Experience/Steps-Recorder">*</Select> <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select> <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select> <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select> <Select Path="Microsoft-Windows-CAPI2/Operational">*</Select> <Select Path="Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational">*</Select> <Select Path="Microsoft-Windows-DNS-Client/Operational">*</Select> <Select Path="Microsoft-Windows-GroupPolicy/Operational">*</Select> <Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*</Select> <Select Path="Microsoft-Windows-NetworkProfile/Operational">*</Select> <Select Path="Microsoft-Windows-NTLM/Operational">*</Select> <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select> <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> <Select Path="Microsoft-Windows-PrintService/Admin">*</Select> <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select> <Select Path="Microsoft-Windows-TerminalServices-RDPClient/Operational">*</Select> <Select Path="Microsoft-Windows-User Profile Service/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select> <Select Path="Microsoft-Windows-Windows Defender/WHC">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics">*</Select> <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose">*</Select> <Select Path="Network Isolation Operational">*</Select> <Select Path="Microsoft-Windows-WindowsUpdateClient/Operational">*</Select> <Select Path="Windows PowerShell">*</Select> <Select Path="Microsoft-Windows-CodeIntegrity/Operational">*[System[Provider[@Name='Microsoft-Windows-CodeIntegrity']]]</Select> <Select Path="Microsoft-Windows-LSA/Operational">*</Select> </Query> </QueryList> </QueryXML> <Exec> if ($EventID NOT IN (%AccountUsage%)) and ($EventID NOT IN (%AppCrashes%)) and ($EventID NOT IN (%AppWhitelisting%)) and ($EventID NOT IN (%BootEvents%)) and ($EventID NOT IN (%CertServices%)) and ($EventID NOT IN (%ClearingLogs%)) and ($EventID NOT IN (%DNSDirectoryServ%)) and ($EventID NOT IN (%ExtMedia%)) and ($EventID NOT IN (%GroupPolicyError%)) and ($EventID NOT IN (%KernelDriver%)) and ($EventID NOT IN (%MSFTCryptoAPI%)) and ($EventID NOT IN (%MobileDeviceEvents%)) and ($EventID NOT IN (%NetworkHost%)) and ($EventID NOT IN (%PassTheHash%)) and ($EventID NOT IN (%PowerShell%)) and ($EventID NOT IN (%PrintingServices%)) and ($EventID NOT IN (%LogonEvents%)) and ($EventID NOT IN (%Installation%)) and ($EventID NOT IN (%SystemIntegrity%)) and ($EventID NOT IN (%SystemServiceFail%)) and ($EventID NOT IN (%TaskScheduler%)) and ($EventID NOT IN (%WinDefender%)) and ($EventID NOT IN (%WinFirewall%)) and ($EventID NOT IN (%WinUpdateError%)) drop(); </Exec> </Input> # Output MS Event Log <Output out_mseventlog_nxlog> Module om_udp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000000; Exec $Message = to_json(); to_syslog_bsd(); </Output> # Route for MS eventlog logs: <Route route_msevent_nxlog> Path extendedeventlog => out_mseventlog_nxlog </Route> But this results in the following errors in the log: 2021-04-12 16:26:55 ERROR invalid keyword: TolerateQueryErrors at C:\Program Files (x86)\nxlog\conf\nxlog.conf:116 2021-04-12 16:26:55 ERROR module 'extendedeventlog' has configuration errors, not adding to route 'route_msevent_nxlog' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 2021-04-12 16:26:55 ERROR route route_msevent_nxlog is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 2021-04-12 16:26:55 WARNING no routes defined! 2021-04-12 16:26:55 WARNING not starting unused module internal 2021-04-12 16:26:55 WARNING not starting unused module extendedeventlog 2021-04-12 16:26:55 WARNING not starting unused module out_mseventlog_nxlog If I remove 'TolerateQueryErrors', I get: 2021-04-12 17:42:04 INFO nxlog-ce-2.10.2150 started 2021-04-12 17:42:04 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration. Any obvious things for me to start checking/debugging this? Thanks in advance!

I'm new to NXLog. I have inherited this from previous engineers no longer with my company. I have to update the server OS and wanted to know when updating the server, do I have to immediately update the NXLog software or will the previous software work? If I update the NXLog software, do I have to immediately deploy the newest version of the endpoint application in my environment? I am also asking if there are any alerts I can configure on the server. We recently learned a connection was lost and want to ensure we are notified when this happens. Thanks all!

We are looking the log file for n number of Application and pushing into one centralized log. We are reading the log file for every 15 min.Now I want read only last line of all logfiles and need to push that into centralized log. Any cone could you please help on this.

I'm seeing we can add an agent https://nxlog.co/documentation/nxlog-user-guide/nxlog_manager_installation.html#nxlog_manager_agentinstall But I'm not seeing it in the downloads https://nxlog.co/products/nxlog-manager/download so, I'm not able to download the agent. Could someone help me to connect to NXLog Service from NXLog Manager to query or search.

Hello, I am having issues setting up the config file for NXlog to pull security events from DC and send to Graylog for my school Capstone project. In the log I keep getting an error "Couldnt parse Exec block at ... couldnt parse statement at line 58, character 218 in .... sytnax error, unexpected )". I utilized a config setup from NXlog documentation and adjusted for my needs. I am not sure what is wrong as the exec block looks proper to me. Here is what I have in my config file: define SecuritySrc Microsoft-Windows-Security-Auditing <Input DC_events> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*[System[Provider[ @Name='%SecuritySrc%']]] </Select> </Query> </QueryList> </QueryXML> <Exec> if not (defined($SourceName) and ($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%")) <------ line 58 drop(); </Exec> </Input> I appreciate any help on this!

Hi Team, We are planning to upgrade nxlog enterprise edition from 3.x to 5.x version. While planning we were looking at the compatibility matrix of nxlog collector , agent , elastic search and kibana. to be precise what version of Elastic search will be supoourted with Nxlong v5.x. Regards Anjan Kumar Tripathy

Hello everyone, I have been noticing some seemingly unnecessary logs being sent to our SIEM when using nxlog for Windows DNS syslog forwarding. Here is my current configuration: nxlog.conf define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> <Input in> Module im_file File 'C:\Windows\Sysnative\dns\dns.log' SavePos TRUE ReadFromLast TRUE PollInterval 1 Exec $Message = $raw_event; $SyslogFacilityValue = 22; </Input> <Output out1> Module om_tcp Host 10.5.1.3 Port 1470 Exec to_syslog_bsd(); </Output> <Route 1> Path in => out1 </Route> <Extension _fileop> Module xm_fileop </Extension> Windows DNS Debug Logging Configuration: Log packets for debugging: check Packet direction: Outgoing: check Incoming: check Transport protocol: UDP: check TCP: check Packet contents: Queries/Transfers: check Updates: check Notifications: not checked Packet Type: Request: check Response: check Other options: Log unmatched incoming response packets: not checked Details: not checked Filter packets by IP address: not checked File path and name: c:\windows\system32\dns\dns.log Maximum size (bytes): 500000000 The result is that all of the necessary logs are being sent to our SIEM, but there are a bunch of unnormalized logs being sent that I do not quite understand. Here are examples: <181>(date/time) (System Name) As an example, for a server named DC1 on March 19th, 14:39. <181>Mar 19 14:39:17 DC1 A ton of these are being sent, close to 1 for each normal DNS log. As you could imagine this is using a lot of our event log storage. Does anyone know what is causing this? Or what this <181> is referring to? Thank you!

xm_kvp seems to not tolerate empty fields. Used in the following scenario: <Extension kvp> Module xm_kvp KVPDelimiter | KVDelimiter : </Extension> The test values are: dummy:|hello:world How can I allow empty values for values?

Hi, we have a test setup with one Fortigate (v6.4.4) and we wanted to use tcp for log collection. We can see the Forti sending the packets (tcpdump) to our NXLog-Server and we can see them arriving (tcpdump) but the packets are not being processed by the NXLog. Using udp evertyhing works fine. The config on the Forti is standard: config log syslogd setting set status enable set server "10.0.172.41" set mode reliable set port 2570 end If we switch to mode legacy-reliable we can see log entries but the look rubbish. On the NXLog we use im_tcp as input and we route it with om_file into a text file. Pretty straight forward but it does not work. Has anyone ever used Fortinet tcp syslog with NXLog? Regards Hardy

Hi All, I've setup NXLog to read an application log file and forward the raw_event to Graylog manager. It seems initially when I start NXLog everything works correctly and the Headerline correctly breaks the log sections but after a while it seems to ignore the headerline and individual lines start coming through to graylog. I've loaded the log into regex testers and confirmed that the headerline is correctly recognised, is there anything else I can try? Can I confirm this is an NXLog issue instead of Graylog in some way? <Extension proforma_email_parse> Module xm_multiline HeaderLine /\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d.\d\d\d .... ........ ----------------------------------------------------/ </Extension> <Input proforma_email> Module im_file File "D:\Program Files\ProformaEmailService\Logs\ProformaEmail_*.txt" SavePos true ReadFromLast true Exec $Message = $raw_event; InputType proforma_email_parse </Input> Thanks

Hi All, I need to change this format 'C:\logfile\directory1\directory2' into '\logfile\directory1\directory2\' using regex and the command exec $directory = this is to be able to set the destination folder the same as the location folder recursively