
Firewall Event Aggregation
I've got a simple config listening on 514 UDP/TCP and forwarding everything received out to another server for ingest. One of the things I've been having trouble figuring out is how to do simple event aggregation for firewall logs. Ideally it would aggregate over a time window and append the message with a new field containing the count of messages. I know something like this used to be done via the module pm_norepeat, but I think this is being deprecated, and I'm not aware that it is capable of appending the message count to the original message. It seems this should somehow be done using variables going forward. To add to the complexity, we have two separate firewall types within our environment (Cisco ASAs and Palos). I'd greatly appreciate it if anyone can point me in the right direction.

Tenways created
Replies: 1
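The aggregation the post describes (collapse identical events seen within one time window into a single record that keeps the first message and carries a repeat count), as an added example in plain Python; it is not code from the post or from NXLog, and it is meant to pin down the logic before expressing it in a collector config. The sample lines are constructed: the ASA lines follow the %ASA-4-106023 message layout, while the PAN-OS line is a simplified key=value form invented here (real PAN-OS TRAFFIC logs are positional CSV). The choice of key fields (message id, action, source, destination, destination port, but not source port) is an assumption about what should count as "the same" event.

```python
"""Time-window aggregation of repeated firewall events with a repeat count.

Added example, not code from the original post or from NXLog. Identical
events within one tumbling window collapse into one record that keeps the
first message text and a 'count' field. Sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Cisco ASA 106023 (ACL deny): "Deny tcp src outside:IP/port dst inside:IP/port ..."
ASA_LINE_RE = re.compile(
    r'%ASA-\d-(?P<msgid>\d+): (?P<action>Deny) (?P<proto>\w+) '
    r'src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)'
)
# Simplified PAN-OS style line (assumption made for this example only).
PAN_LINE_RE = re.compile(
    r'TRAFFIC action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)'
)


def event_key(message):
    """Tuple that makes two events 'the same' for counting, or None if the
    line is not a recognised firewall event. The source port is left out on
    purpose so a port scan or a retrying client collapses into one record."""
    m = ASA_LINE_RE.search(message)
    if m:
        return ('asa', m['msgid'], m['action'], m['src'], m['dst'], m['dport'])
    m = PAN_LINE_RE.search(message)
    if m:
        return ('pan', m['action'], m['src'], m['dst'], m['dport'])
    return None


class WindowAggregator:
    """Tumbling window keyed on event time: the first event opens the window,
    an event arriving window_seconds or more later closes it and flushes."""

    def __init__(self, window_seconds=60):
        self.window = timedelta(seconds=window_seconds)
        self.window_start = None
        self.pending = {}   # key -> [first message, count, first timestamp]
        self.emitted = []

    def add(self, ts, message):
        key = event_key(message)
        if key is None:                       # unknown format: pass through, count 1
            self.emitted.append({'time': ts, 'message': message, 'count': 1})
            return
        if self.window_start is None:
            self.window_start = ts
        elif ts - self.window_start >= self.window:
            self.flush()
            self.window_start = ts
        entry = self.pending.get(key)
        if entry is None:
            self.pending[key] = [message, 1, ts]
        else:
            entry[1] += 1

    def flush(self):
        """Emit one record per distinct key with its repeat count."""
        for message, count, first_ts in self.pending.values():
            self.emitted.append({'time': first_ts, 'message': message, 'count': count})
        self.pending.clear()
        self.window_start = None


def run_sample():
    """Feed constructed events (seconds offset, line) through a 60 s window."""
    base = datetime(2021, 3, 1, 14, 58, 0)
    deny = ('%ASA-4-106023: Deny tcp src outside:203.0.113.5/{} dst inside:10.0.0.8/22 '
            'by access-group "OUTSIDE_IN" [0x0, 0x0]')
    sample = [
        (0, deny.format(51234)),
        (5, deny.format(51235)),
        (9, 'TRAFFIC action=deny src=203.0.113.5 dst=10.0.0.9 dport=3389'),
        (20, deny.format(51236)),
        (30, '%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/4000 '
             '(198.51.100.7/4000) to inside:10.0.0.8/443 (10.0.0.8/443)'),
        (61, deny.format(51237)),   # 61 s after the first event: closes the window
    ]
    agg = WindowAggregator(window_seconds=60)
    for offset, line in sample:
        agg.add(base + timedelta(seconds=offset), line)
    agg.flush()
    return agg.emitted


if __name__ == '__main__':
    for rec in run_sample():
        print(rec['time'].isoformat(), 'count=%d' % rec['count'], rec['message'][:60])
```

The 302013 "Built" line matches neither pattern and is passed through with count 1, which is the safe default: an aggregator should never silently swallow an event it cannot key. The three 106023 denies inside the first 60 s become one record with count 3; the fourth, 61 s after the first, opens a new window.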
NXlog to read the contents of several files in a directory and send them to a Syslog Watcher server
Hello NXLog users,

I'm new to NXLog and I'm looking to send the contents of files (*.log) located in a single directory to a Syslog Watcher server (snmpsoft). A trace can be on one or multiple lines, but each new trace starts with the time.

Here is an example of a trace on one line (columns: time type severity thread file function content):

    17:13:00.000 APP__ WARNING 1aa20b54100 <capp.cpp:56> [[CApp::ExistInDirectory]] File 'tool.exe' not found in C:/prog

Here is an example of multiple traces, one of them on multiple lines (same columns):

    10:57:25.924 SQL__ ERROR__ 20d962b1270 <csqlquery.cpp:292> [[CSqlQuery::ErrQuery]] [cnx2238] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Violation de la contrainte PRIMARY KEY « PK__T__3214EC27053CB3F2 ». Impossible d'insérer une clé en double dans l'objet « B.T ». Valeur de clé dupliquée : (44422). [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]L'instruction a été arrêtée. QODBC3: Impossible d'exécuter l'instruction
    Source query * ..
    Query with values * ...
    10:57:25.926 APP__ ERROR__ 20d962b1270 <chistosystemautomate.cpp:67> [[CHistoSystemAutomate::MsgReceivedSystem]] { "code": 500004, "details": "", "message": "Impossible d'exécuter la requête SQL."
    }

Here is the nxlog.conf I tried:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %ROOT%\data\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Input messages>
        Module  im_file
        File    "C:\Users\toto\Documents\nxlog*.log"
        Exec    $Message = $raw_event;
    </Input>

    <Output tcp>
        Module  om_tcp
        Host    0.0.0.0
        Port    514
        Exec    to_syslog_bsd();
    </Output>

    <Output udp>
        Module  om_udp
        Host    0.0.0.0
        Port    514
        Exec    to_syslog_bsd();
    </Output>

    <Route messages_to_tcp>
        Path    messages => tcp
    </Route>

    <Route messages_to_udp>
        Path    messages => udp
    </Route>

Can you help me write the conf file? A big thank you in advance. Christophe

ChristopheC13 created
Replies: 1
NXlogv5 om_http connection bug
We probably found a bug in nxlog-5.2.6388. We use om_http to transfer logs to the server. If there are some new logs in our log file, NXLog on start connects to the server, makes the SSL handshake and successfully sends logs. BUT if there is no new log entry during the NXLog startup, om_http connects to the server while NOT doing the SSL handshake (only the TCP handshake); after some time the web server closes the connection (sends FIN+ACK because it expects the SSL handshake to occur within its timeout), and after that NXLog sends ACK and Client Hello. This seems to be very buggy behaviour, as NXLog does not perform the SSL handshake until the server tries to close the connection BUT ALWAYS tries to after the server initiates the TCP close. After adding some new line to the log file, NXLog successfully connects to the web server, makes the SSL handshake and keeps the connection. Could you confirm the bug?

sk_adm created
Replies: 1
random extra comma showing up in Splunk
So I'm working on moving our logging away from SolarWinds and into NXLog. We like to punt off our logs to Splunk so that our security department can create dashboards and such for the events they care about. I've just about got the output perfect, besides ONE random extra comma, and I can't figure out where it's coming from. Here is my config:

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    define LOGFILE %ROOT%\data\nxlog.log
    LogLevel INFO

    <Extension syslog>
        Module xm_syslog
    </Extension>

    define MonitoredEventIDs 1100, 1102, 1104, 4608, 4609, 4624, 4625, 4634, 4647, 4648, 4656, 4658, 4659, 4660, 4661, 4662, 4663, 4664, 4670, 4672, 4673, 4724, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4739, 4740, 4766, 4767, 4768, 4776, 4781, 4801, 4825, 4907, 5136, 5137, 5139, 5141, 5145, 6416, 13002, 13003, 18500, 18502, 307

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Security"></Select>
                    <Select Path="Microsoft-Windows-PrintService/Operational"></Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            if $EventID NOT IN (%MonitoredEventIDs%) drop();
        </Exec>
    </Input>

    <Input GFI>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="GFI EndPointSecurity">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Output out>
        Module om_udp
        Host 10.1.0.1
        Port 514
        Exec to_syslog_snare(); $raw_event = replace($raw_event, "\t", ",");
    </Output>

    <Route>
        Path eventlog, GFI => out
    </Route>

That creates this beautiful output in Splunk, except for the random extra comma before 'An account was logged off.' This single extra comma is throwing off the parsing of the logs that our customer receives and I need to get rid of it... Any advice?

    Mar 1 21:58:26 mycomputer.com MSWinEventLog,1,Security,79,Mon Mar 01 14:58:26 2021,4634,Microsoft-Windows-Security-Auditing,N/A,N/A,Success Audit,mycomputer.com,Logoff,,An account was logged off. Subject: Security ID: S-1-5-21-2294171146-2094350030-1588952898-500 Account Name: pcgroup Account Domain: mycomputer Logon ID: 0x2D069A2F Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.,1023042

boostcreep created
Replies: 1
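A positional parse of the Snare-format record shown in the post, as an added example (not code from the post, from Splunk or from NXLog). The fifteen field names follow the Snare Agent format as this example assumes it; under that layout the empty slot between the category and the message text is the DataString position, not an extra separator. The second half of the example shows what a comma-separated consumer sees when tabs are replaced by bare commas versus when fields are CSV-quoted. Both records are constructed: the first is rebuilt from the event in the post, the second is a variant whose message text itself contains a comma.

```python
"""Positional parse of a Snare-format Windows event record.

Added example, not code from the original post or from NXLog. Field names
follow the Snare Agent format as assumed here; both records are constructed.
"""
import csv
import io

SNARE_FIELDS = [
    'MSWinEventLog', 'Criticality', 'EventLogSource', 'SnareCounter', 'DateTime',
    'EventID', 'SourceName', 'UserName', 'SIDType', 'EventLogType', 'ComputerName',
    'CategoryString', 'DataString', 'ExpandedString', 'MD5Checksum',
]


def make_record(event_id, category, message):
    """Build a tab-delimited Snare record (constructed sample data)."""
    return '\t'.join([
        'MSWinEventLog', '1', 'Security', '79', 'Mon Mar 01 14:58:26 2021', event_id,
        'Microsoft-Windows-Security-Auditing', 'N/A', 'N/A', 'Success Audit',
        'mycomputer.com', category, '', message, '1023042',
    ])


SAMPLE_RECORD = make_record(
    '4634', 'Logoff',
    'An account was logged off. Subject: Security ID: S-1-5-21-2294171146-2094350030-1588952898-500 '
    'Account Name: pcgroup Account Domain: mycomputer Logon ID: 0x2D069A2F Logon Type: 2')

# Constructed variant whose message text itself contains a comma.
RECORD_WITH_COMMA = make_record(
    '4688', 'Process Creation',
    'A new process has been created. Process Command Line: cmd.exe /c echo a, b')


def parse_snare(record):
    """Map the tab-separated record onto the positional field names."""
    parts = record.split('\t')
    if len(parts) != len(SNARE_FIELDS):
        raise ValueError(f'expected {len(SNARE_FIELDS)} fields, got {len(parts)}')
    return dict(zip(SNARE_FIELDS, parts))


def naive_comma_join(record):
    """The transformation in the post: every tab becomes a comma, no quoting."""
    return record.replace('\t', ',')


def comma_split_count(line):
    """Field count a consumer gets by splitting on bare commas."""
    return len(line.split(','))


def csv_join(record):
    """Join the fields with commas, quoting any field that contains a comma."""
    out = io.StringIO()
    csv.writer(out, lineterminator='').writerow(record.split('\t'))
    return out.getvalue()


def csv_field_count(line):
    """Field count a CSV-aware consumer gets from a quoted line."""
    return len(next(csv.reader([line])))


if __name__ == '__main__':
    rec = parse_snare(SAMPLE_RECORD)
    print({k: rec[k] for k in ('EventID', 'CategoryString', 'DataString')})
    print(comma_split_count(naive_comma_join(RECORD_WITH_COMMA)), csv_field_count(csv_join(RECORD_WITH_COMMA)))
```

Security events such as 4688 (command lines) and 4663 (object names) routinely carry commas in their message text, so a bare tab-to-comma replacement shifts columns for exactly the events a SOC cares most about; quoting the fields, or keeping the tab separator end to end, avoids that.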
issue running nxlog manager
I am having an issue with the nxlog-manager Docker version starting up. After running docker-compose up and waiting, the web page is never accessible. When looking in the logs I see nxlog-manager constantly exiting with code 1 and restarting. Below are some of the logs; anyone have ideas on this?

    nxlog-manager_1 | 2021-02-25 01:48:39.757:INFO:oejr.Runner:main: Runner
    nxlog-manager_1 | 2021-02-25 01:48:39.947:INFO:oejs.Server:main: jetty-9.0.7.v20131107
    nxlog-manager_1 | SLF4J: Class path contains multiple SLF4J bindings.
    nxlog-manager_1 | SLF4J: Found binding in [jar:file:/opt/nxlog-manager/webapps/nxlog-manager/WEB-INF/lib/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    nxlog-manager_1 | SLF4J: Found binding in [jar:file:/opt/nxlog-manager/lib/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    nxlog-manager_1 | SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    nxlog-manager_1 | SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
    nxlog-manager_1 | 2021-02-25 01:48:52.957:INFO:/:main: 2 Spring WebApplicationInitializers detected on classpath
    nxlog-manager_1 | 2021-02-25 01:48:53.429:INFO:/:main: Initializing Spring root WebApplicationContext
    nxlog-manager_1 | 2021-02-25 01:49:04.694:INFO:/:main: Initializing Spring FrameworkServlet 'dispatcher'
    nxlog-manager_1 | 2021-02-25 01:56:28.869:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@636be97c{/nxlog-manager,[file:/opt/nxlog-manager/webapps/nxlog-manager/, jar:file:/opt/nxlog-manager/webapps/nxlog-manager/WEB-INF/lib/springfox-swagger-ui-2.9.2.jar!/META-INF/resources/],AVAILABLE}{/nxlog-manager/}
    nxlog-manager_1 | 2021-02-25 01:56:28.870:WARN:oejsh.RequestLogHandler:main: !RequestLog
    nxlog-manager_1 | 2021-02-25 01:56:28.881:INFO:oejs.ServerConnector:main: Started ServerConnector@31c1dce1{HTTP/1.1}{0.0.0.0:9090}
    nxlog-manager_1 | log4j:WARN No appenders could be found for logger (com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory).
    nxlog-manager_1 | log4j:WARN Please initialize the log4j system properly.
    nxlog-manager_1 | log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
    nxlog-manager_1 | 2021-02-25 01:56:29.023:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@73ea0918(null,null): java.io.FileNotFoundException: /opt/nxlog-manager/conf/jetty9-cert.pem (No such file or directory)
    nxlog-manager_1 | java.io.FileNotFoundException: /opt/nxlog-manager/conf/jetty9-cert.pem (No such file or directory)
    nxlog-manager_1 |     at java.io.FileInputStream.open0(Native Method)
    nxlog-manager_1 |     at java.io.FileInputStream.open(FileInputStream.java:195)
    nxlog-manager_1 |     at java.io.FileInputStream.<init>(FileInputStream.java:138)
    nxlog-manager_1 |     at com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory.initializeKeyStore(SslContextFactory.java:39)
    nxlog-manager_1 |     at com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory.doStart(SslContextFactory.java:56)

EH_272573 created
Replies: 2
Strange behaviour with 4624 and 4634 EventID
I'm trying to collect EventID 4624 and 4634 for Logon Type 10, to store RDP access to my 2 Domain Controllers:

    same Windows version (2012 R2)
    same audit config in Windows
    same NXLog version installed (community edition)
    same nxlog.conf file

My issue: from DC 1 I'm getting both 4624 and 4634; from DC 2 I'm getting only 4634 :(

Additional info: in Windows Event Viewer I have my 4624 in DC2 ...

    reinstalled NXLog
    rebooted my DC
    DEBUG level in NXLog, but no evidence of the problem

Thx a lot for your support, Benno

benno created
Replies: 3
NXLog v5 hangs after EvtRender() failed; ERROR
Hello, after upgrading to NXLog v5 we ran into a problem where NXLog hangs. The last message in the log, in 95% of cases, is:

    2021-02-24 15:12:46 ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

We are searching for the logs that trigger that condition with log_info($raw_event); and discovered:

    4104 from PowerShell/Operational
    800 from PowerShell

and some other logs with huge values in the <EventData>...</EventData> field. If we disable the 4104 and 800 EventIDs in the Windows subscription, NXLog works much longer without hangs, but the problem still exists, and we need these EventIDs. Can you please fix this or provide a workaround to disable auto-parsing of <EventData> for specific EventIDs (im_msvistalog module)?

Roman_Andreev created
Replies: 1
Log Duplication and Line Re-Reading
My team is currently experiencing an issue with duplicate logs being produced in NXLog's outbound syslog feed. NXLog is reading from a flat file and sending a syslog feed to another machine for processing. Running a tcpdump for the incoming data on that second machine shows that multiple copies of the same log are being sent by NXLog. Moreover, the duplicates are not sent sequentially, but instead are sent almost exactly 5 minutes apart, as shown by five-minute gaps between the "EventReceivedTime" syslog header values. We have reviewed the flat file and confirmed that it does not produce the duplicates, and thus it must be related to the configuration of NXLog and the way it reads the flat file. I'd appreciate any insight others might have on what is causing this problem. The NXLog configuration is as follows:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT     D:\NX Log\Program Files
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Extension _charconv>
        Module  xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
        Module  xm_exec
    </Extension>

    <Extension _fileop>
        Module  xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every   1 hour
            Exec    if (file_exists('%LOGFILE%') and \
                       (file_size('%LOGFILE%') >= 5M)) \
                        file_cycle('%LOGFILE%', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When    @weekly
            Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>

    <Input in>
        Module  im_file
        File    "D:[Ingested File Path].cef"
        InputType LineBased
        SavePos TRUE
        ReadFromLast TRUE
        PollInterval 1
    </Input>

    <Processor norepeat>
        Module  pm_norepeat
    </Processor>

    <Output out>
        Module  om_ssl
        Host    [Second Machine IP]
        Port    515
        Exec    to_syslog_ietf();
        # Allows using self-signed certificates
        AllowUntrusted FALSE
        # Certificate from the peer host
        CAFile  D:\[CA File Path].pem
        # Certificate file
        CertFile D:\[Certificate File Path].pem
        # Keypair file
        CertKeyFile D:\[Key File Path].pem
    </Output>

    <Route sitecollector>
        Path    in => norepeat => out
    </Route>

CS_876638 created
NXLog Manager missing help files
Is there a package to install the 'help' button's content for NXLog Manager's UI? When any of the help buttons is clicked in any section, an error is produced. Looking where the content should be doesn't reflect the links the button is attempting to access. Suggestions?

Example error text:

    (clicking 'Help' from 'Home' page): Help page not found: en/dashboard.html#nxlog_manager_dashboard
    (clicking 'Help' from 'Agent List' tab): Help page not found: en/agents.html#nxlog_manager_agent_list

CLI listing of the contents of the help/en directory:

    [XXXXX@XXXXXXXX en]$ pwd
    /opt/nxlog-manager/webapps/nxlog-manager/help/en
    [XXXXX@XXXXXXXX en]$ ls
    ch01.html ch02.html ch03.html ch04.html ch05.html ch06.html ch07.html ch08.html ch09.html ch10.html ch11.html ch12.html ch13.html ch14.html images index.html
    [XXXXX@XXXXXXXX en]$

DigitalHands created
Nxlog Upgrade from v3.x to 5.x
Hi Team, hope all are well. I am new to NXLog and trying to plan an upgrade from nxlog-ce-2.9 to the latest 5.x. Can someone please help us with the queries below?

    Can we upgrade to the latest version? Is upgrading to the latest version recommended?
    Can we upgrade directly, or is it a multi-hop upgrade from v3.x -> 4.x -> 5.x?
    Is there any link to go through the upgrade process in a Windows environment?

Thanks in advance; any info would be helpful. Regards, Anjan Kumar Tripathy

Anjan_nxlog created
Replies: 1
Difficulty Parsing IIS Logs and Sending to Loggly
I'm using NXLog to send Windows events and IIS logs to Loggly. We've recently onboarded a new MSSP and they have asked us to check off all IIS logging fields. This seems to break parsing of the IIS logs that need to be sent to Loggly. I've contacted Loggly support and they can't seem to come to a resolution. Below is the config that we had been using for Loggly previously.

    # This is a sample NXLog configuration file created by Loggly. June 2013
    # See the nxlog reference manual about the configuration options.
    # It should be installed locally and is also available online at
    # http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
    # Please set the ROOT to the folder your nxlog was installed into,
    # otherwise it will not start.
    #define ROOT C:\Program Files\nxlog
    #define ROOT_STRING C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog
    define ROOT_STRING C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define LOGFILE %ROOT%\data\nxlog.log

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    # Include fileop while debugging, also enable in the output module below
    <Extension fileop>
        Module xm_fileop
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input internal>
        Module im_internal
        Exec $Message = to_json();
    </Input>

    # Windows Event Log
    <Input eventlog>
        # Uncomment im_msvistalog for Windows Vista/2008 and later
        Module im_msvistalog
        Query <QueryList>\
                  <Query Id="0">\
                      <Select Path="Application">*</Select>\
                      <Select Path="System">*</Select>\
                      <Select Path="Security">*</Select>\
                  </Query>\
              </QueryList>
        # Uncomment im_mseventlog for Windows XP/2000/2003
        #Module im_mseventlog
        Exec $Message = to_json();
    </Input>

    <Processor buffer>
        Module pm_buffer
        # 100Mb disk buffer
        MaxSize 102400
        Type disk
    </Processor>

    <Processor buffer_iis>
        Module pm_buffer
        # 100Mb disk buffer
        MaxSize 102400
        Type disk
    </Processor>

    <Output out>
        Module om_tcp
        Host logs-01.loggly.com
        Port 514
        Exec to_syslog_ietf();
        Exec $raw_event =~ s/(\[.*] )//g; $raw_event = replace($raw_event, '{', '[CUSTOMER ID tag="windows"] {', 1);
        # Use the following line for debugging (uncomment the fileop extension above as well)
        #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
    </Output>

    <Output _nxlog>
        Module om_file
        File '%LOGFILE%'
        <Schedule>
            When @hourly
            Exec if (file_size('%LOGFILE%') >= 1M) { file_cycle('%LOGFILE%', 5); _nxlog->reopen(); }
        </Schedule>
    </Output>

    <Route 1>
        Path internal, eventlog => buffer => out
    </Route>

    <Route 2>
        Path internal => _nxlog
    </Route>

    # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
    <Extension w3c>
        Module xm_csv
        Fields $date, $time, $s-computername, $cs-method, $cs-uri-stem, $cs-uri-query, $c-ip, $cs(User-Agent), $cs(Referer), $cs-host, $sc-status, $sc-substatus, $sc-bytes, $cs-bytes, $time-taken, X-Forwarded-For, RequestId, PrincipalId
        FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, integer, integer, integer, string, string, string
        Delimiter ' '
        QuoteChar '"'
        EscapeControl FALSE
        UndefValue -
    </Extension>

    # Convert the IIS logs to JSON and use the original event time
    <Input SC>
        Module im_file
        File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
        SavePos TRUE
        Exec if $raw_event =~ /^#/ drop(); \
             else \
             { \
                 w3c->parse_csv(); \
                 $SourceName = "IIS"; \
                 $Message = to_json(); \
             }
    </Input>

    <Input SC_WebAPI>
        Module im_file
        File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
        SavePos TRUE
        Exec if $raw_event =~ /^#/ drop(); \
             else \
             { \
                 w3c->parse_csv(); \
                 $SourceName = "IIS"; \
                 $Message = to_json(); \
             }
    </Input>

    <Route IIS>
        Path SC,SC_WebAPI => buffer_iis => out
    </Route>

The error we received in data.log looks like below:

    2021-02-18 14:11:12 "SERVERNAME" ERROR if-else failed at line 144, character 261 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted procedure 'parse_csv' failed at line 144, character 156 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted couldn't parse integer: ELB-HealthChecker/2.0
    2021-02-18 14:11:26 "SERVERNAME" ERROR if-else failed at line 131, character 261 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted procedure 'parse_csv' failed at line 131, character 156 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted couldn't parse integer: ELB-HealthChecker/2.0

It seems as if cs(User-Agent) is being evaluated as an integer, or possibly the input has fewer fields than expected. Any help would be appreciated.

BB_838545 created
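A header-driven parser for IIS W3C extended logs, as an added example that is not code from the post, from Loggly or from NXLog. It reads the #Fields: directive to learn the column order instead of hard-coding it, and casts only columns that are numeric by definition, so enabling extra IIS fields cannot push a text column such as cs(User-Agent) into an integer slot. It also reproduces the failure mode: applying the post's fixed 18-column layout to a log whose header has the all-fields order. The log text is constructed, and the field order in its header is the standard IIS order with all fields enabled (an assumption of this example, taken from the IIS logging field list rather than from the post).

```python
"""Header-driven parser for IIS W3C extended logs.

Added example, not code from the original post, Loggly or NXLog. The log
below is constructed; its #Fields: line uses the all-fields IIS order
(assumption). INTEGER_FIELDS lists the W3C columns that are numeric by
definition, so casting is driven by the column name, not its position.
"""
INTEGER_FIELDS = {
    's-port', 'sc-status', 'sc-substatus', 'sc-win32-status',
    'sc-bytes', 'cs-bytes', 'time-taken',
}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-02-18 14:11:12
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2021-02-18 14:11:12 W3SVC1 WEB01 10.0.0.5 GET / - 80 - 10.0.0.20 HTTP/1.1 ELB-HealthChecker/2.0 - - 10.0.0.5 200 0 0 1024 136 3
2021-02-18 14:11:13 W3SVC1 WEB01 10.0.0.5 POST /api/login - 443 - 203.0.113.9 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - https://example.test/ example.test 401 2 5 612 245 17
"""


class W3CParser:
    """Stateful line parser: the #Fields: directive sets the column layout
    for every data line that follows it (IIS rewrites it when fields change)."""

    def __init__(self):
        self.fields = None

    def parse_line(self, line):
        line = line.rstrip('\r\n')
        if line.startswith('#Fields:'):
            self.fields = line[len('#Fields:'):].split()
            return None
        if not line or line.startswith('#'):
            return None                      # other directives and blank lines
        if self.fields is None:
            raise ValueError('data line before #Fields header')
        values = line.split(' ')
        if len(values) != len(self.fields):
            raise ValueError(f'expected {len(self.fields)} columns, got {len(values)}')
        record = {}
        for name, value in zip(self.fields, values):
            if value == '-':
                record[name] = None           # W3C placeholder for "no value"
            elif name in INTEGER_FIELDS:
                record[name] = int(value)     # only columns numeric by definition
            else:
                record[name] = value
        return record


def parse_log(text):
    """Parse a whole log text into a list of record dicts."""
    parser = W3CParser()
    return [r for r in (parser.parse_line(l) for l in text.splitlines()) if r is not None]


def fixed_layout_value_in_sc_bytes_slot(text):
    """Reproduce the mismatch in the post: apply its fixed 18-column layout to the
    first data line and return whatever lands in the slot it expects to be the
    integer column sc-bytes."""
    fixed = ['date', 'time', 's-computername', 'cs-method', 'cs-uri-stem',
             'cs-uri-query', 'c-ip', 'cs(User-Agent)', 'cs(Referer)', 'cs-host',
             'sc-status', 'sc-substatus', 'sc-bytes', 'cs-bytes', 'time-taken',
             'X-Forwarded-For', 'RequestId', 'PrincipalId']
    first_data = next(l for l in text.splitlines() if l and not l.startswith('#'))
    return first_data.split(' ')[fixed.index('sc-bytes')]


if __name__ == '__main__':
    for rec in parse_log(SAMPLE_LOG):
        print(rec['c-ip'], rec['cs-method'], rec['cs-uri-stem'], rec['sc-status'], rec['cs(User-Agent)'])
    print('fixed layout would int() this:', fixed_layout_value_in_sc_bytes_slot(SAMPLE_LOG))
```

With all IIS fields enabled, the thirteenth column is cs(User-Agent), which is exactly the position the fixed layout assigns to sc-bytes; that is why the integer cast sees a user-agent string. Reading the header also catches a column-count mismatch on the first data line instead of producing silently shifted fields.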
im_udp dropping syslog udp messages
Hi, I'm working on a heavy log source which can only send syslog. Currently I also have filters in the config to remove unwanted logs. I've noticed that some logs are successfully being processed whilst others are lost. Through packet capture I was able to conclude that from the log source to the NXLog server all UDP packets are being received. It seems like NXLog (config) can't handle the large amount of syslog UDP messages coming in.

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input x_sys_in>
        Module im_udp
        Port 514
        Host 0.0.0.0
        <Exec>
            parse_syslog_bsd();
            if (($Message =~ /dstip=x\.x\.x\.(?:[0-9]+){1,255} dstport=(?:12|5)3/)   # DNS & NTP from x.x.x.x
                or ($Message =~ /dstip=x\.x\.x\.(?:[0-9]+){1,255} dstport=(?:12|5)3/)   # DNS & NTP from x.x.x.x
                or ($Message =~ /srcip=[\d.]+ srcport=\d+ srcintf="x" srcintfrole=".+" dstip=[\d.]+ dstport=16[12]/)   # x from x Range
                or ($Message =~ /srcip=[\d.]+ srcport=\d+ srcintf=".+" srcintfrole=".+" dstip=[\d.]+ dstport=16[12] dstintf="x"/)   #
                # .... more filters
               ) drop();
        </Exec>
    </Input>

    <Output x_sys_out>
        Module om_udp
        Host x.x.x.x
        Port 514
        Exec to_syslog_bsd();
    </Output>

    <Route x>
        Path x_sys_in => x_sys_out
    </Route>

NOTE: I already tried removing the filter, as I initially thought that the filter was mistakenly filtering out wanted logs, but that wasn't the case. Is this a license problem? Can I increase the log intake capacity of NXLog?

jd01 created
Replies: 4
cef log format
I'm trying to forward Windows events to Flume. The log should start with CEF:0, but the logs NXLog sends are formatted like this:

    02-16-2021 12:02:46 User.Info 192.168.3.205 Feb 16 12:02:46 nxlogserver-01 SOC[0]: CEF:0|NXLog|NXLog|5.2.6388-trial|0|-|7|end=1613473366200 dvchost=nxlogserver-01 Keywords=36028797018963968 outcome=INFO SeverityValue=2 Severity=INFO externalId=4647 SourceName=SOC TaskValue=1 RecordNumber=5124 ExecutionProcessID=0 ExecutionThreadID=0 deviceFacility=System msg=Test Resisto Opcode=Info Data=Test Resisto EventReceivedTime=1613473366575 SourceModuleName=from_eventlog SourceModuleType=im_msvistalog

Is there a way to have them formatted so they begin with CEF:0? Thanks

LL_583818 created
Kafka error
Hi, I receive this error:

    ERROR [CORE|main] Failed to load module from C:\Program Files\nxlog\modules\extension\om_kafka.dll, The specified module could not be found. ; The specified module could not be found.

Version: nxlog-trial-5.2.6388_windows_x64. Any idea? I have already reinstalled the NXLog server but get the same error.

LL_583818 created
Replies: 5
NXLog Installer package
I have the NXLog exe with a config file and a bunch of PowerShell scripts that are executed as part of the config file. I want to create one MSI package with all those files for easy installation. I have tried some methods but nothing seems to be working. Can anyone suggest a process for creating an MSI for NXLog (it includes .exe + certs + config + PowerShell scripts)?

NP_196658 created
nxlogs & ESX6.5
Hello, I have installed NXLog on my infrastructure. I can catch the logs from all my servers: Windows, Linux, vCenter 6.5, except for the ESX 6.5 servers. Is NXLog compatible with ESX 6.5? Because when I read the admin guide, they speak about vCenter but not ESX. Best regards, Guy

GB_667538 created
Replies: 1
pm_norepeat module
Hi, I'm trying to use this module (server side). All seems OK, but this processor generates an event with user "nxlog-ce" and messages like "event repeated n times". Is it possible to drop this message? Thank you.

    <Processor norepeat>
        Module pm_norepeat
        CheckFields Hostname, Message
    </Processor>

IB_956097 created
What parameters to use to ingest data in elasticsearch if has security enabled
Hi team, I have Open Distro Elasticsearch installed and it requires a password to ingest data. I am using the NXLog community version to send JSON data directly to Elasticsearch. However, I am not finding any relevant option for username/password in the om_elasticsearch module. Any clue?

    <Output distroout>
        Module om_elasticsearch
        URL https://localhost:9200/_bulk
        FlushInterval 2
        FlushLimit 100
        HTTPSAllowUntrusted TRUE
        # Create an index daily
        Index strftime($EventTime, "nxlog-%Y%m%d")
        # Use the following if you do not have $EventTime set
        #Index strftime($EventReceivedTime, "nxlog-%Y%m%d")
    </Output>

BR_606953 created
Replies: 2
Decode PacketData from Microsoft DNS Server Analytics Logs
I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server. When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response. Has anyone decoded the PacketData field into a readable format? Config below:

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input etw>
        Module im_etw
        Provider Microsoft-Windows-DNSServer
    </Input>

    <Output file>
        Module om_file
        File 'C:\Users\Administrator\Documents\output_syslog.log'
        Exec parse_syslog();
    </Output>

    <Route etw_file>
        Path etw => file
    </Route>

PD_085948 created
Replies: 2
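A decoder for the kind of hex DNS payload the post describes, as an added example (not code from the post, from Microsoft or from NXLog). It assumes PacketData holds the raw DNS message bytes as a hex string with no extra framing; if the field carries a length prefix or other wrapper on a given server, that has to be stripped first. The parser covers the header, the question section and the answer section, including name-compression pointers, which is enough to turn an event 256 (query received) or 257 (response) into the queried name, type and answered addresses. The packet below is constructed (a response for an A query of example.com), not taken from a real DNS server log.

```python
"""Decode a DNS message supplied as a hex string (as PacketData appears to be).

Added example, not code from the original post, Microsoft or NXLog. Assumes
the hex is the raw DNS message with no framing. Sample packet is constructed.
"""
import struct

RR_TYPES = {1: 'A', 2: 'NS', 5: 'CNAME', 6: 'SOA', 12: 'PTR', 15: 'MX',
            16: 'TXT', 28: 'AAAA', 33: 'SRV'}


def read_name(buf, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035
    s4.1.4). Returns (name, offset just past the name in the original stream)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if not jumped:
                end = offset + 2
            hops += 1
            if hops > 64:                              # guard against pointer loops
                raise ValueError('compression pointer loop')
            offset = struct.unpack('!H', buf[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode('ascii', 'replace'))
        offset += length
    return '.'.join(labels) or '.', (end if end is not None else offset)


def format_rdata(rtype, rdata, buf, rdata_offset):
    """Render RDATA for the common types; anything else is returned as hex."""
    if rtype == 1 and len(rdata) == 4:
        return '.'.join(str(b) for b in rdata)
    if rtype == 28 and len(rdata) == 16:
        return ':'.join(f'{rdata[i]:02x}{rdata[i + 1]:02x}' for i in range(0, 16, 2))
    if rtype in (2, 5, 12):                             # NS, CNAME, PTR carry a name
        return read_name(buf, rdata_offset)[0]
    return rdata.hex()


def decode_packet(hex_data):
    """Parse header, questions and answers of a DNS message given as hex."""
    buf = bytes.fromhex(hex_data)
    if len(buf) < 12:
        raise ValueError('truncated DNS header')
    tid, flags, qd, an, ns, ar = struct.unpack('!6H', buf[:12])
    result = {'id': tid, 'response': bool(flags & 0x8000),
              'opcode': (flags >> 11) & 0xF, 'rcode': flags & 0xF,
              'questions': [], 'answers': []}
    offset = 12
    for _ in range(qd):
        name, offset = read_name(buf, offset)
        qtype, qclass = struct.unpack('!HH', buf[offset:offset + 4])
        offset += 4
        result['questions'].append({'name': name, 'type': RR_TYPES.get(qtype, str(qtype))})
    for _ in range(an):
        name, offset = read_name(buf, offset)
        rtype, rclass, ttl, rdlen = struct.unpack('!HHIH', buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError('truncated RDATA')
        result['answers'].append({'name': name, 'type': RR_TYPES.get(rtype, str(rtype)),
                                  'ttl': ttl, 'data': format_rdata(rtype, rdata, buf, offset)})
        offset += rdlen
    return result


# Constructed sample: response to an A query for example.com (not from a real log).
SAMPLE_PACKETDATA = (
    '1a2b' '8180' '0001' '0001' '0000' '0000'                # id, flags QR|RD|RA, 1 Q, 1 A
    '07' '6578616d706c65' '03' '636f6d' '00' '0001' '0001'   # example.com, A, IN
    'c00c' '0001' '0001' '0000012c' '0004' '5db8d822'        # ptr->name, A, IN, TTL 300, 4 bytes
)

if __name__ == '__main__':
    pkt = decode_packet(SAMPLE_PACKETDATA)
    print(pkt['questions'], pkt['answers'])
```

Once PacketData is decoded this way, the queried name and the answer data become ordinary fields that a detection rule can match on (long or high-entropy labels, unusual record types, answers pointing at unexpected address ranges), which the hex string alone does not allow.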
Ingesting JSON logs into Elasticsearch and using an if-else condition
Hi Team, I am trying to achieve ingesting JSON logs with the NXLog community edition. Is that possible? And I wanted to know if the condition below can be achieved with the NXLog config file?

    if auth_spf == pass then insert Tag DMARC aligned True
    OR if auth_dkim == pass then insert Tag DMARC aligned True
    OR if auth_spf || auth_dkim == pass then insert Tag DMARC aligned True

TIA, Blason R

BR_606953 created
Replies: 1