In the NXLog User Guide (https://nxlog.co/documentation/nxlog-user-guide/pm_hmac.html) I read the pm_hmac module is deprecated and will be removed in future releases. I need to implement an hash chaining log flow, how can I do without that module in future?

Thank you

Hi,

I would like to send logs of nxlog.log to an external SIEM. Here are the sample log file but I need hostname added as prefix to each log file as shown below. Is there a way we can use rsyslog or nxlog.conf file to do ot?

Before 2021-04-28 17:18:36 INFO connecting to agent manager at nxlogmgr.amgen.com:4041 2021-04-28 17:19:06 INFO reconnecting to agent manager (nxlogmgr.amgen.com) in 128 seconds 2021-04-28 17:19:06 ERROR couldn't connect to agent manager's SSL socket on nxlogmgr.amgen.com:40

After Apr 28 17:23:36 Hostname bash[XXXXX]: INFO connecting to agent manager at nxlogmgr.amgen.com:4041 Apr 28 17:23:36 Hostname bash[XXXXX]: INFO reconnecting to agent manager (nxlogmgr.amgen.com) in 128 seconds Apr 28 17:23:36 Hostname bash[XXXXX]: ERROR couldn't connect to agent manager's SSL socket on nxlogmgr.amgen.com:40

Hi,everyone. I would appreciate if you could give me useful tips to clarify problem and collect event log (ID 4624) on the NX Log. FYI, the configuration file is pasted below, as something may be wrong with a part of it. IP address and port No. in the config, file were replaced intentionally.

<Background> -Event logs such as ID 4624 and 4634 has been output to Security.evtx. -Security log has been sent to Log Collection Sever by NxLog. <Input In_MSEventlogs> Module im_msvistalog Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Security">*</Select>
</Query>
</QueryList> </Input>

-Currently, a part of windows event log (ID 4624) has not been sent to the windows log collection server, while event log (ID 4634) has been sent.

-- nxlog.conf --

This is a sample configuration file. See the nxlog reference manual about the

configuration options. It should be installed locally and is also available

online at http://nxlog.org/docs/

Please set the ROOT to the folder your nxlog was installed into,

otherwise it will not start.

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension charconv> Module xm_charconv AutodetectCharsets UTF-8, UCS-2LE </Extension>

Load the json extension

<Extension json> Module xm_json </Extension>

<Input msdns> Module im_file File "C:\Windows\Sysnative\dns\dns.log" ReadFromLast False SavePos False Exec $FileName = file_name(); Exec $Hostname = hostname_fqdn(); Exec $raw_event = "NXLOG|" + $Hostname + "|OFFBOX-MSDNS-TO-LCP|" + $FileName + "::::" + $raw_event; </Input>

Send the read log lines out to nxlog server

<Output out-msdns> Module om_tcp Host IP address of the Log server Port DNS OutputType LineBased </Output>

Build the route from nxlog on Windows to nxlog on server

<Extension _syslog> Module xm_syslog </Extension>

<Input In_PowerShell> Module im_msvistalog Query <QueryList>
<Query Id="0">
<Select Path="Windows PowerShell"></Select>
<Select Path="Microsoft-Windows-PowerShell/Operational"></Select>
</Query>
</QueryList>

For windows 2003 and earlier use the following:

Module im_mseventlog

</Input>

<Input In_MSEventlogs> Module im_msvistalog Exec if ($EventID == 5156) drop(); Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Security">*</Select>
</Query>
</QueryList> </Input>

<Output Out_MSEventlogs> Module om_udp Host IP address of the Log server Port WEL Exec to_syslog_snare(); </Output>

<Output Out_PowerShell> Module om_udp Host IP address of the Log server Port PS Exec to_syslog_snare();

Exec $raw_event = replace($raw_event, "MSWinEventLog", "PowerShell"); </Output>

<Route 1> Path msdns => out-msdns </Route>

<Route 2> Path In_PowerShell => Out_PowerShell </Route>

<Route 3> Path In_MSEventlogs => Out_MSEventlogs </Route>

2021-04-25 00:00:00 INFO LogFile C:\Program Files (x86)\nxlog\data\nxlog.log reopened 2021-04-25 00:00:14 ERROR apr_stat failed on file C:\Windows\Sysnative\dhcp\DhcpSrvLog-Sun.log; Access is denied.
2021-04-25 00:00:16 WARNING input file was deleted: C:\Windows\Sysnative\dhcp\DhcpSrvLog-Sun.log 2021-04-26 00:00:45 ERROR apr_stat failed on file C:\Windows\Sysnative\dhcp\DhcpSrvLog-Mon.log; Access is denied.
2021-04-26 00:00:47 WARNING input file was deleted: C:\Windows\Sysnative\dhcp\DhcpSrvLog-Mon.log

Starting our first install and would appreciate a step by step or similar doc.

I am using nxLog CE as log shipper, but I found issue for GELP module with millisecond precision in time stamp. The millisecond precision is not added to timestamp (EventTime as well)
When I use gelf extension the millisecond precision is dropped. Basically although I have in log file something like this:
```
...
2021-04-26T14:28:14.269+00:00 [sync_ldap_trigger.sh] [DEBUG] Get list of users from AD/LDAP successfully (with 1 records)
...
```
and for parsing I am using REGEX for multi line detection. Doesn't matter if I am using parsing date function parsedate or strptime or nothing just pure $1
```
#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = parsedate($1); $script = $2 ; $Severity = $3 ; $Message = $4 ;
#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S.%N%Z'); $script = $2 ; $Severity = $3 ; $Message = $4 ;
Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = $1; $script = $2 ; $Severity = $3 ; $Message = $4 ;
```
I excluded "buffer" from path to be sure and all parsing are done in im_file section. For sure I am testing it with file output from the same source. But on the tcpdump I still have timestamp without the millisecond precision - which I confirmation form me that this information is lost on shipper site.

_tcpdump detailed packet output:_
```
CNSCNc@{"version":"1.1","_EventReceivedTime":"2021-04-26 14:32:15","_SourceModuleName":"peosynclog","_SourceModuleType":"im_file","_script":"sync_ldap_trigger.sh","_Severity":"DEBUG","_SyslogSeverityValue":7,"_FileName":"/home/adsync/bin/adsync2amish/log/sync_general.log","_order":"VNB","_environment":"TEST","host":"amishd-test.vnbrno.cz","short_message":"Get list of users from AD/LDAP successfully (with 1 records)","full_message":"Get list of users from AD/LDAP successfully (with 1 records)","timestamp":1619447535,"level":7}
```

_nxlog.conf:_
```
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
# PeoSYNC
define PEOSYNCREGEX /^(?\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}.\d{3}\+\d{4})[\ ,\t]*\[(?[\S,\.,\_]+)\][\ ,\t]*\[(?[\S,\-,\ ]+)\][\ ,\t]*(?[\S,\s]*)/
define ROOT /var/spool/nxlog
CacheDir %ROOT%/data
SpoolDir %ROOT%/data
########################################
# Modules #
########################################

Module xm_multiline
HeaderLine %PEOSYNCREGEX%


Module xm_gelf

########################################
# Inputs #
########################################

Module im_file
File "/home/adsync/bin/engine/log/sync_general.log"
InputType multilinepeosync
SavePos TRUE
#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = parsedate($1); $script = $2 ; $Severity = $3 ; $Message = $4 ;
#Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S.%N%Z'); $script = $2 ; $Severity = $3 ; $Message = $4 ;
Exec if $raw_event =~ %PEOSYNCREGEX% $EventTime = $1; $script = $2 ; $Severity = $3 ; $Message = $4 ;

if $Severity !~ /NEVERUSEDSTRING/
{
if $Severity =~ /ALERT/ $SyslogSeverityValue = 1;
if $Severity =~ /CRIT/ $SyslogSeverityValue = 2;
if $Severity =~ /ERR/ $SyslogSeverityValue = 3;
if $Severity =~ /WARN/ $SyslogSeverityValue = 4;
if $Severity =~ /NOTICE/ $SyslogSeverityValue = 5;
if $Severity =~ /INFO/ $SyslogSeverityValue = 6;
if $Severity =~ /---/ $SyslogSeverityValue = 6;
if $Severity =~ /SQL/ $SyslogSeverityValue = 7;
if $Severity =~ /DEBUG/ $SyslogSeverityValue = 7;
} else {
# Parsing and dropping all messages which are NEVERUSEDSTRING (or INFO|DEBUG if you want change) severity
drop();
}
$FileName = file_name();
$Hostname = 'someserver-dev.loc';
$order = 'ORDER';
$environment = 'DEV';
# if not defined($EventTime) $EventTime = now();


########################################
# Outputs #
########################################

Module om_tcp
Host 127.0.0.1
Port 20228
OutputType GELF_TCP


Module om_file
File "/tmp/sync_general.log"

########################################
# Define Processor Modules #
########################################

Module pm_buffer
MaxSize 524288
Type disk
WarnLimit 393216

########################################
# Routes #
########################################

#Path peosynclog => bufferpeosync => graylogtcppeosyncrewrite
Path peosynclog => graylogtcppeosyncrewrite


Path peosynclog => file

```

Please anyone for help or solution for this issue.

Michal

BTW: Of course that I tried more format for timestamp as 2021-04-26T14:28:04.240+02:00 or 2021-04-26T14:28:04.240+0200 etc. The format in log is in my hands too.

Design: strict network design with multiple security zones, nxlog client on all Linux servers forward logs to local zone Collector (nxlog listen on 0.0.0.0 port 514), zone collectors forward to single master collectors, master collectors dump all incoming into a dump file for long time storage + forward to a SIEM. This has worked OK for a year, albeit with a few glitches, but recently we have experienced that the Master collectors stop writing to dump file (apparentely at random), yet the nxlog service remains up and running. Fix is to restart the nxlog service. All collectors have defined buffers - could there something wrong with that part of the setup?

All suggestions are welcome :)

Can we relocate the directory structure to our preferred folder while configuring nxlog like below

/opt ---> /<ouruser>/opt

What are the changes we need to do if we want to do that ?

I changed the /<ouruser>/nxlog/etc/init file to point to new folder ALSO nxlog.conf --- path also .

but Got error as "Could not load program <ouruser>/nxlog/bin/nxlog : Dependent module libnx.so could not be loaded "

I'm trying to figure out a good way of only forwarding along events of significance and to filter out the rest - but without having hundreds of lines of XPath queries in nxlog.conf file. I understand that multiple blocks are AND'd together and that 'type' may only be "exact or regexp", but there doesn't appear to be any negation logic (e.g. NOT item or OR item). Is the 'pm_pattern' module the best approach for trying to accomplish this? Can pattern matches in the patterndb.xml file be defined to drop matching messages? Would a viable approach be to define capture groups to set a variable, then just have something like 'Exec if defined $unwantedMatch { drop();}? **XPath Query**: *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)]] and *[EventData[ ( (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0') or Data[@Name='TargetUserName']='ANONYMOUS LOGON' or Data[@Name='TargetUserSID']='S-1-5-18' )]] **patterndb.xml attempt**: 7 Suppress Service Logons EventID regexp 4624|4625|4634 Level regexp 0|4 if ( $LogonType =~ /0|5/ or $TargetUserName == 'ANONYMOUS LOGON' or $TargetUserSID == 'S-1-5-18' ) drop(); **XPath Query**: *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4624]] and *[EventData[Data[@Name='LogonType']='3']] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']] and *[EventData[Data[@Name='TargetUserName']!='ANONYMOUS LOGON']] and *[EventData[Data[@Name='TargetDomainName']!='TEST']] **patterndb.xml attempt**: 2 Pass the Hash Success Detection EventID exact 4624 Severity exact INFO LogonType exact 3 AuthenticationPackageName exact NTLM TargetUserName regexp (?!ANONYMOUS LOGON) TargetDomainName regexp (?!TEST) $PatternID=2; Thank you for any wisdom/assisstance.

Hello! I'd like to log syslog messages received via broadcast on UPD:514. In the logger PC there are multiple NICs, but I'm interested only to syslog messages received from these local interfaces: `10.200.255.254` and `127.0.0.1`. I've tried with the configuration posted below, but it doesn't always work (especially at system boot) because of the following error by the NXLog Windows Service. ``` ERROR failed to start im_udp; couldn't bind udp socket to 10.200.255.254:514; The requested address is not valid in its context. ``` This is my actual configuration ``` ... define LOGS_FILE ... ... Module xm_syslog Module xm_exec Module im_udp Host 10.200.255.254 Port 514 Exec parse_syslog(); Module im_udp Host 127.0.0.1 Port 514 Exec parse_syslog(); Module om_file CreateDir TRUE Sync TRUE File '%LOGS_FILE%' Path udp_lan, udp_host => file_syslog ``` The NIC has a static IP address, but I'm not sure it is already up when the nxlog service is executed at system boot by Windows. How can I perform this sort of filtering without using the firewall? I know I can listen to anything and `drop()` received messages with an `Exec` statement, but I don't know which variable to use (e.g. like `$MessageSourceAddress`) to specify the interface the message was received by. I was thinking to something like that: ``` Module im_udp Host 0.0.0.0 #

Setup according to documentation here:

vCenter CLI installed

The issue I'm having isn't so much with NXLog, but rather the .pl script in the documentation. When attempting to run the script:

c:\ perl vcenter.pl -s=x.x.x.x -u=ServiceAccount -p=password

I receive the following:

`{"EventTime":"2021-04-15T19:40:39","Message":"Server version unavailable at 'https://x.x.x.x:443/sdk/vimService.wsdl' at C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/lib/VMware/VICommon.pm line 551.

","UserName":"ServiceAccount"}
{"EventTime":"2021-04-15T19:40:39","Message":"Vim::get_service_content called, but no global session is defined at vcenter.pl line 87
","UserName":"ServiceAccount"}`

I can confirm these credentials were working before, as I used to have an Arcsight Smart Connector pulling these logs. Any insight that can be provided would be greatly appreciated. Thanks in advance!

Hi I'm trying to get nxlog ee running with Microsoft Sentinel still get the error

2021-04-14 19:02:04 INFO [om_http|AzureHTTP] connecting to xxxxxxxx.ods.opinsights.azure.com(xx.xx.xx.xx):443 2021-04-14 19:02:04 ERROR [om_http|AzureHTTP] SSL error, failed to load ca cert from 'C:\Program Files\nxlog\cert\test.crt', reason: no certificate or crl found 2021-04-14 19:02:04 INFO [om_http|AzureHTTP] reconnecting in 4 sec

Forwarding to Sentinel Logspace is not working.

What's wrong ? Johannes

Panic Soft

define INSTALLDIR C:\Program Files\nxlog

#ModuleDir %INSTALLDIR%\modules #CacheDir %INSTALLDIR%\data #SpoolDir %INSTALLDIR%\data

define CERTDIR %INSTALLDIR%\cert define CONFDIR %INSTALLDIR%\conf\nxlog.d define WORKSPACE xxxxxxxxxxxxxxxxxxxx define SHAREDKEY xxxxxxxxxxxxxxxxxxxx define SUBDOMAIN ods.opinsights.azure.com define RESOURCE api/logs define APIVER api-version=2016-04-01 define SIZELIMIT 65000

Note that these two lines define constants only; the log file location

is ultimately set by the LogFile directive (see below). The

MYLOGFILE define is also used to rotate the log file automatically

(see the _fileop block).

define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log

If you are not using NXLog Manager, disable the include line

and enable LogLevel and LogFile.

include %CONFDIR%*.conf

#LogLevel INFO #LogFile %MYLOGFILE%

<Extension _json> Module xm_json </Extension>

<Input VAT_Eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="ForwardedEvents"> *[System[Level=0 and (EventID=4624 or EventID=4647)]] </Select> </Query> </QueryList> </QueryXML> RemoteServer xxx RemoteUser xxx RemoteDomain hq RemotePassword xxx </Input>

<Extension plxm> Module xm_perl PerlCode %INSTALLDIR%\modules\extension\perl\sentinelauth.pl </Extension>

<Output AzureHTTP> Module om_http URL https://%WORKSPACE%.%SUBDOMAIN%/%RESOURCE%?%APIVER% ContentType application/json HTTPSAllowUntrusted TRUE HTTPSCAFile %INSTALLDIR%\cert\test.crt <Exec> create_stat('ec', 'COUNT'); create_stat('bc', 'COUNT'); create_var('batch'); create_var('nextbatch'); add_stat('ec',1);

    #---BEGIN--- the enrichment of this event with any new fields:
    $BatchNumber = get_stat('bc');
    $EventNumber = get_stat('ec');
    to_json();
    #---END--- the enrichment of this event

    if (size(get_var('batch')) + size($raw_event) + 3) > %SIZELIMIT%
    # Flush this batch of events
    {
        set_var('nextbatch', $raw_event);
        $raw_event = '[' + get_var('batch') + ']';
        add_stat('bc',1);
        set_var('batch',get_var('nextbatch'));
        $Workspace = "%WORKSPACE%";
        $SharedKey = "%SHAREDKEY%";
        $ContentLength = string(size($raw_event));
        $dts = strftime(now(),'YYYY-MM-DDThh:mm:ssUTC');
        $dts_no_tz = replace($dts,'Z','');
        $parsedate_utc_false = parsedate($dts_no_tz,FALSE);
        $x_ms_date = strftime($parsedate_utc_false, '%a, %d %b %Y %T GMT');
        plxm->call("genauth");
        add_http_header('Authorization',$authorization);
        add_http_header('Log-Type',$SourceModuleName);
        add_http_header('x-ms-date',$x_ms_date);
    }
    else
    {
        $delimiter = get_stat('ec') == 1 ? '' : ",\n";
        set_var('batch', get_var('batch') + $delimiter + $raw_event);
        drop();
    }
</Exec>

</Output>

#<Output TempFile>

Module om_file

File 'C:\Program Files\nxlog\data\dnsetw.json'

#</Output>

<Route DnsRoute1> Path VAT_Eventlog => AzureHTTP </Route>

Hi, I am trying to test/deploy the "Extended configuration example of security-focused event IDs to monitor" NXlog configuration for Windows events, as per the article/NXlog conf file example here: https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html (Example 543). I am using NXLog CE (latest version) on Windows 2012R2. Here's the NXlog.conf I have, using the above conf example and added to the usual NXLog conf needs: # NXLog.conf define ROOT C:\Program Files (x86)\nxlog define OUTPUT_DESTINATION_ADDRESS define OUTPUT_DESTINATION_PORT 514 # define Account Usage Events define AccountUsage 4740, 4648, 4781, 4733, 1518, 4776, 5376, 5377, \ 4625, 300, 4634, 4672, 4720, 4722, 4782, 4793, \ 4731, 4735, 4766, 4765, 4624, 1511, 4726, 4725, \ 4767, 4728, 4732, 4756, 4704 # define Application Crash Events define AppCrashes 1000, 1002, 1001 # define Application Whitelisting Events define AppWhitelisting 8023, 8020, 8002, 8003, 8004, 8006, 8007, 4688, \ 4689, 8005, 865, 866, 867, 868, 882 # define Boot Events define BootEvents 13, 12 # define Certificate Services Events define CertServices 95, 4886, 4890, 4874, 4873, 4870, 4887, 4885, \ 4899, 4896, 1006, 1004, 1007, 1003, 1001, 1002 # define Clearing Event Logs Events define ClearingLogs 1100, 104, 1102 # define DNS and Directory Services Events define DNSDirectoryServ 5137, 5141, 5136, 5139, 5138, 3008, 3020 # define External Media Detection events define ExtMedia 400, 410 # define Group Policy Error Events define GroupPolicyError 112, 1001, 1125, 1126, 1127, 1129 # define Kernel Driver Signing Events define KernelDriver 3001, 3002, 3003, 3004, 3010, 3023, 5038, \ 6281, 219 # define Microsoft Cryptography API Events define MSFTCryptoAPI 11, 70, 90 # define Mobile Device Activities define MobileDeviceEvents 10000, 10001 # define Network Host Activities define NetworkHost 4714, 4713, 4769, 6273, 6275, 6274, 6272, \ 6278, 6277, 6279, 6276, 6280, 5140, 5145, \ 5142, 5144, 4706, 1024, 4897, 4719, 4716, \ 4779, 4778, 5632 # define PassTheHash Detection Events define PassTheHash 4624, 4625 # define PowerShell Activities define PowerShell 800, 169, 4103, 4104, 4105, 4106 # define Printing Services Events define PrintingServices 307 # define Logon Events define LogonEvents 4624, 4634 # define Software Service Installation Events define Installation 903, 904, 6, 1022, 1033, 7045, 907, 908, 7000, \ 800, 2, 905, 906, 19 # define System Integrity Events define SystemIntegrity 4657, 1, 4616 # define System or Service Failure Events define SystemServiceFail 7022, 7023, 7024, 7026, 7031, 7032, 7034 # define Task Scheduler Activities define TaskScheduler 106, 141, 142, 200 # define Windows Defender Activities define WinDefender 1008, 1006, 1116, 1010, 2003, 2001, 1009, 1118, \ 1119, 1007, 1117, 3002, 2004, 1005, 5008 # define Windows Firewall Events define WinFirewall 2009, 2004, 2005, 2006, 2033 # define Windows Update Error Events define WinUpdateError 1009, 20, 24, 25, 31, 34, 35 Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log Module xm_json Module xm_syslog Module im_internal Module im_msvistalog * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *[System[Provider[@Name='Microsoft-Windows-CodeIntegrity']]] * if ($EventID NOT IN (%AccountUsage%)) and ($EventID NOT IN (%AppCrashes%)) and ($EventID NOT IN (%AppWhitelisting%)) and ($EventID NOT IN (%BootEvents%)) and ($EventID NOT IN (%CertServices%)) and ($EventID NOT IN (%ClearingLogs%)) and ($EventID NOT IN (%DNSDirectoryServ%)) and ($EventID NOT IN (%ExtMedia%)) and ($EventID NOT IN (%GroupPolicyError%)) and ($EventID NOT IN (%KernelDriver%)) and ($EventID NOT IN (%MSFTCryptoAPI%)) and ($EventID NOT IN (%MobileDeviceEvents%)) and ($EventID NOT IN (%NetworkHost%)) and ($EventID NOT IN (%PassTheHash%)) and ($EventID NOT IN (%PowerShell%)) and ($EventID NOT IN (%PrintingServices%)) and ($EventID NOT IN (%LogonEvents%)) and ($EventID NOT IN (%Installation%)) and ($EventID NOT IN (%SystemIntegrity%)) and ($EventID NOT IN (%SystemServiceFail%)) and ($EventID NOT IN (%TaskScheduler%)) and ($EventID NOT IN (%WinDefender%)) and ($EventID NOT IN (%WinFirewall%)) and ($EventID NOT IN (%WinUpdateError%)) drop(); # Output MS Event Log Module om_udp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000000; Exec $Message = to_json(); to_syslog_bsd(); # Route for MS eventlog logs: Path extendedeventlog => out_mseventlog_nxlog But this results in the following errors in the log: > 2021-04-12 16:26:55 ERROR invalid keyword: TolerateQueryErrors at C:\Program Files (x86)\nxlog\conf\nxlog.conf:116 > 2021-04-12 16:26:55 ERROR module 'extendedeventlog' has configuration errors, not adding to route 'route_msevent_nxlog' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 > 2021-04-12 16:26:55 ERROR route route_msevent_nxlog is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:201 > 2021-04-12 16:26:55 WARNING no routes defined! > 2021-04-12 16:26:55 WARNING not starting unused module internal > 2021-04-12 16:26:55 WARNING not starting unused module extendedeventlog > 2021-04-12 16:26:55 WARNING not starting unused module out_mseventlog_nxlog If I remove 'TolerateQueryErrors', I get: > 2021-04-12 17:42:04 INFO nxlog-ce-2.10.2150 started > 2021-04-12 17:42:04 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration. Any obvious things for me to start checking/debugging this? Thanks in advance!

I'm new to NXLog. I have inherited this from previous engineers no longer with my company. I have to update the server OS and wanted to know when updating the server, do I have to immediately update the NXLog software or will the previous software work? If I update the NXLog software, do I have to immediately deploy the newest version of the endpoint application in my environment?

I am also asking if there are any alerts I can configure on the server. We recently learned a connection was lost and want to ensure we are notified when this happens.

Thanks all!

We are looking the log file for n number of Application and pushing into one centralized log. We are reading the log file for every 15 min.Now I want read only last line of all logfiles and need to push that into centralized log. Any cone could you please help on this.

I'm seeing we can add an agent https://nxlog.co/documentation/nxlog-user-guide/nxlog_manager_installation.html#nxlog_manager_agentinstall But I'm not seeing it in the downloads https://nxlog.co/products/nxlog-manager/download so, I'm not able to download the agent. Could someone help me to connect to NXLog Service from NXLog Manager to query or search.

Hello,

I am having issues setting up the config file for NXlog to pull security events from DC and send to Graylog for my school Capstone project. In the log I keep getting an error "Couldnt parse Exec block at ... couldnt parse statement at line 58, character 218 in .... sytnax error, unexpected )". I utilized a config setup from NXlog documentation and adjusted for my needs. I am not sure what is wrong as the exec block looks proper to me. Here is what I have in my config file:

define SecuritySrc Microsoft-Windows-Security-Auditing

<Input DC_events> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*[System[Provider[ @Name='%SecuritySrc%']]] </Select> </Query> </QueryList> </QueryXML> <Exec> if not (defined($SourceName) and ($EventID IN (%SecurityIDs%) and $SourceName == "%SecuritySrc%")) <------ line 58 drop(); </Exec> </Input>

I appreciate any help on this!

Hi Team,

We are planning to upgrade nxlog enterprise edition from 3.x to 5.x version.

While planning we were looking at the compatibility matrix of nxlog collector , agent , elastic search and kibana.

to be precise what version of Elastic search will be supoourted with Nxlong v5.x.

Regards Anjan Kumar Tripathy

Hello everyone,

I have been noticing some seemingly unnecessary logs being sent to our SIEM when using nxlog for Windows DNS syslog forwarding.

Here is my current configuration:

nxlog.conf

define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension syslog> Module xm_syslog </Extension>

<Input in> Module im_file File 'C:\Windows\Sysnative\dns\dns.log' SavePos TRUE ReadFromLast TRUE PollInterval 1 Exec $Message = $raw_event; $SyslogFacilityValue = 22; </Input>

<Output out1> Module om_tcp Host 10.5.1.3 Port 1470 Exec to_syslog_bsd(); </Output>

<Route 1> Path in => out1 </Route>

<Extension _fileop> Module xm_fileop </Extension>

Windows DNS Debug Logging Configuration:

Log packets for debugging: check Packet direction: Outgoing: check Incoming: check

Transport protocol: UDP: check TCP: check

Packet contents: Queries/Transfers: check Updates: check Notifications: not checked

Packet Type: Request: check Response: check

Other options: Log unmatched incoming response packets: not checked Details: not checked Filter packets by IP address: not checked

File path and name: c:\windows\system32\dns\dns.log Maximum size (bytes): 500000000

The result is that all of the necessary logs are being sent to our SIEM, but there are a bunch of unnormalized logs being sent that I do not quite understand.

Here are examples:

<181>(date/time) (System Name) As an example, for a server named DC1 on March 19th, 14:39. <181>Mar 19 14:39:17 DC1

A ton of these are being sent, close to 1 for each normal DNS log. As you could imagine this is using a lot of our event log storage. Does anyone know what is causing this? Or what this <181> is referring to?

Thank you!

`xm_kvp` seems to not tolerate empty fields. Used in the following scenario: ``` Module xm_kvp KVPDelimiter | KVDelimiter : ``` The test values are: ``` dummy:|hello:world ``` How can I allow empty values for values?