Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

issue running nxlog manager
I am having an issue with nxlog manager docker version starting up. After running docker-compose up and waiting, the webpage is never accessible. When looking in the logs I see nxlog-manager constantly exiting with code 1 and restarting. Below are some of the logs, anyone have ideas on this?

nxlog-manager_1 | 2021-02-25 01:48:39.757:INFO:oejr.Runner:main: Runner
nxlog-manager_1 | 2021-02-25 01:48:39.947:INFO:oejs.Server:main: jetty-9.0.7.v20131107
nxlog-manager_1 | SLF4J: Class path contains multiple SLF4J bindings.
nxlog-manager_1 | SLF4J: Found binding in [jar:file:/opt/nxlog-manager/webapps/nxlog-manager/WEB-INF/lib/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
nxlog-manager_1 | SLF4J: Found binding in [jar:file:/opt/nxlog-manager/lib/slf4j-log4j12-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
nxlog-manager_1 | SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
nxlog-manager_1 | SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
nxlog-manager_1 | 2021-02-25 01:48:52.957:INFO:/:main: 2 Spring WebApplicationInitializers detected on classpath
nxlog-manager_1 | 2021-02-25 01:48:53.429:INFO:/:main: Initializing Spring root WebApplicationContext
nxlog-manager_1 | 2021-02-25 01:49:04.694:INFO:/:main: Initializing Spring FrameworkServlet 'dispatcher'
nxlog-manager_1 | 2021-02-25 01:56:28.869:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@636be97c{/nxlog-manager,[file:/opt/nxlog-manager/webapps/nxlog-manager/, jar:file:/opt/nxlog-manager/webapps/nxlog-manager/WEB-INF/lib/springfox-swagger-ui-2.9.2.jar!/META-INF/resources/],AVAILABLE}{/nxlog-manager/}
nxlog-manager_1 | 2021-02-25 01:56:28.870:WARN:oejsh.RequestLogHandler:main: !RequestLog
nxlog-manager_1 | 2021-02-25 01:56:28.881:INFO:oejs.ServerConnector:main: Started ServerConnector@31c1dce1{HTTP/1.1}{0.0.0.0:9090}
nxlog-manager_1 | log4j:WARN No appenders could be found for logger (com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory).
nxlog-manager_1 | log4j:WARN Please initialize the log4j system properly.
nxlog-manager_1 | log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
nxlog-manager_1 | 2021-02-25 01:56:29.023:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@73ea0918(null,null): java.io.FileNotFoundException: /opt/nxlog-manager/conf/jetty9-cert.pem (No such file or directory)
nxlog-manager_1 | java.io.FileNotFoundException: /opt/nxlog-manager/conf/jetty9-cert.pem (No such file or directory)
nxlog-manager_1 |     at java.io.FileInputStream.open0(Native Method)
nxlog-manager_1 |     at java.io.FileInputStream.open(FileInputStream.java:195)
nxlog-manager_1 |     at java.io.FileInputStream.<init>(FileInputStream.java:138)
nxlog-manager_1 |     at com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory.initializeKeyStore(SslContextFactory.java:39)
nxlog-manager_1 |     at com.nxsec.log4ensics.dbmanager.common.server.util.ssl.SslContextFactory.doStart(SslContextFactory.java:56)

EH_272573 created
Replies: 2
Strange behaviour with 4624 and 4634 EventID
I'm trying to collect EventID 4624 and 4634 for Logon Type 10, to store RDP access to my 2 Domain Controllers.

same Windows version (2012 R2)
same audit config in windows
same NXlog version installed (community edition)
same nxlog.conf file

My issue:
from DC 1 I'm getting both 4624 and 4634
from DC 2 I'm getting only 4634 :(

Additional info:
in windows Event Viewer I have my 4624 in DC2 ...
reinstalled nxlog
rebooted my DC
DEBUG level in nxlog but no evidence of problem

Thx a lot for your support, Benno

benno created
Replies: 3
NXLog v5 hangs after EvtRender() failed; ERROR
Hello, after upgrading to nxlog v5, we ran into a problem where nxlog hangs. The last message in the log in 95% of cases is:

2021-02-24 15:12:46 ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

We are searching for the logs that trigger that condition with log_info($raw_event); and discovered:
4104 from PowerShell/Operational
800 from PowerShell
and some other logs with huge values in the <EventData>...</EventData> field.

If we disable the 4104 and 800 EventIDs from the windows subscription, NXLog works much longer without hangs, but the problem still exists. And we need these EventIDs. Can you please fix this or provide any workaround to disable auto parsing of <EventData> for specific EventIDs (im_msvistalog module)?

Roman_Andreev created
Replies: 1
Log Duplication and Line Re-Reading
My team is currently experiencing an issue with duplicate logs being produced in NXLog's outbound syslog feed. NXLog is reading from a flat file and sending a syslog feed to another machine for processing. Running a TCPdump for the incoming data on that second machine shows that multiple copies of the same log are being sent by NXlog. Moreover, the duplicates are not sent sequentially, but instead are sent almost exactly 5 minutes apart as shown by five minute gaps between the "EventReceivedTime" syslog header values. We have reviewed the flat file and confirmed that it does not produce the duplicates, and thus it must be related to the configuration of NXLog and the way it reads the flat file. I'd appreciate any insight others might have on what is causing this problem. The NXLog configuration is as follows:

Panic Soft
#NoFreeOnExit TRUE

define ROOT D:\NX Log\Program Files
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input in>
    Module im_file
    File "D:[Ingested File Path].cef"
    InputType LineBased
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
</Input>

<Processor norepeat>
    Module pm_norepeat
</Processor>

<Output out>
    Module om_ssl
    Host [Second Machine IP]
    Port 515
    Exec to_syslog_ietf();
    # Allows using self-signed certificates
    AllowUntrusted FALSE
    # Certificate from the peer host
    CAFile D:\[CA File Path].pem
    # Certificate file
    CertFile D:\[Certificate File Path].pem
    # Keypair file
    CertKeyFile D:\[Key File Path].pem
</Output>

<Route sitecollector>
    Path in => norepeat => out
</Route>

CS_876638 created
NXLog Manager missing help files
Is there a package to install the 'help' button's content for NXLog-Manager's UI? When any of the help buttons are clicked in any section, an error is produced. Looking where the content should be doesn't reflect the links the button is attempting to access. Suggestions?

Example error text:
(clicking 'Help' from 'Home' page): Help page not found: en/dashboard.html#nxlog_manager_dashboard
(clicking 'Help' from 'Agent List' tab): Help page not found: en/agents.html#nxlog_manager_agent_list

CLI listing contents of the help/en directory:
[XXXXX@XXXXXXXX en]$ pwd
/opt/nxlog-manager/webapps/nxlog-manager/help/en
[XXXXX@XXXXXXXX en]$ ls
ch01.html ch02.html ch03.html ch04.html ch05.html ch06.html ch07.html ch08.html ch09.html ch10.html ch11.html ch12.html ch13.html ch14.html images index.html
[XXXXX@XXXXXXXX en]$

DigitalHands created
Nxlog Upgrade from v3.x to 5.x
Hi Team, hope all are well. I am new to nxlog and trying to plan for an upgrade from nxlog-ce-2.9 to the latest 5.x. Can someone please help us with the queries below.

Can we upgrade to the latest version? Is upgrading to the latest version recommended?
Can we directly upgrade it, or is it a multihop upgrade from v3.x -> 4.x -> 5.x?
Is there any link to go through the upgrade process in a windows environment?

Thanks in advance, any info would be helpful.
Regards, Anjan Kumar Tripathy

Anjan_nxlog created
Replies: 1
Difficulty Parsing IIS Logs and Sending to Loggly
I'm using NXLog to send Windows events and IIS logs to Loggly. We've recently onboarded a new MSSP and they have asked us to check off all IIS logging fields. This seems to break parsing of IIS logs that need to be sent to Loggly. I've contacted Loggly support and they can't seem to come to a resolution. Below is the code that we had been using for Loggly previously.

# This is a sample NXLog configuration file created by Loggly. June 2013
# See the nxlog reference manual about the configuration options.
# It should be installed locally and is also available online at
# http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

# Please set the ROOT to the folder your nxlog was installed into,
# otherwise it will not start.

#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define LOGFILE %ROOT%\data\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
<Extension fileop>
    Module xm_fileop
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
    Exec $Message = to_json();
</Input>

# Windows Event Log
<Input eventlog>
    #Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Application">*</Select>\
                  <Select Path="System">*</Select>\
                  <Select Path="Security">*</Select>\
              </Query>\
          </QueryList>

    #Uncomment im_mseventlog for Windows XP/2000/2003
    #Module im_mseventlog

    Exec $Message = to_json();
</Input>

<Processor buffer>
    Module pm_buffer
    # 100Mb disk buffer
    MaxSize 102400
    Type disk
</Processor>

<Processor buffer_iis>
    Module pm_buffer
    # 100Mb disk buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_tcp
    Host logs-01.loggly.com
    Port 514
    Exec to_syslog_ietf();
    Exec $raw_event =~ s/(\[.*] )//g; $raw_event = replace($raw_event, '{', '[CUSTOMER ID tag="windows"] {', 1);
    #Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Output _nxlog>
    Module om_file
    File '%LOGFILE%'
    <Schedule>
        When @hourly
        Exec if (file_size('%LOGFILE%') >= 1M) { file_cycle('%LOGFILE%', 5); _nxlog->reopen(); }
    </Schedule>
</Output>

<Route 1>
    Path internal, eventlog => buffer => out
</Route>

<Route 2>
    Path internal => _nxlog
</Route>

# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module xm_csv
    Fields $date, $time, $s-computername, $cs-method, $cs-uri-stem, $cs-uri-query, $c-ip, $cs(User-Agent), $cs(Referer), $cs-host, $sc-status, $sc-substatus, $sc-bytes, $cs-bytes, $time-taken, X-Forwarded-For, RequestId, PrincipalId
    FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, integer, integer, integer, string, string, string
    Delimiter ' '
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

# Convert the IIS logs to JSON and use the original event time
<Input SC>
    Module im_file
    File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $SourceName = "IIS"; \
             $Message = to_json(); \
         }
</Input>

<Input SC_WebAPI>
    Module im_file
    File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
    SavePos TRUE
    Exec if $raw_event =~ /^#/ drop(); \
         else \
         { \
             w3c->parse_csv(); \
             $SourceName = "IIS"; \
             $Message = to_json(); \
         }
</Input>

<Route IIS>
    Path SC,SC_WebAPI => buffer_iis => out
</Route>

The error we received in data.log looks like below:

2021-02-18 14:11:12 "SERVERNAME" ERROR if-else failed at line 144, character 261 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted
procedure 'parse_csv' failed at line 144, character 156 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted
couldn't parse integer: ELB-HealthChecker/2.0
2021-02-18 14:11:26 "SERVERNAME" ERROR if-else failed at line 131, character 261 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted
procedure 'parse_csv' failed at line 131, character 156 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted
couldn't parse integer: ELB-HealthChecker/2.0

It seems as if the cs-useragent is being evaluated as an integer, or possibly the input has fewer fields than expected. Any help would be appreciated.

BB_838545 created
im_udp dropping syslog udp messages
Hi, I'm working on a heavy log source which can only send syslog. Currently I also have filters in the config to remove unwanted logs. I've noticed that some logs are successfully being processed whilst others are lost. Through packet capture I was able to conclude that from log source to nxlog server udp packets are all being received. Seems like nxlog (config) can't handle the large amount of syslog UDP messages coming in.

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input x_sys_in>
    Module im_udp
    Port 514
    Host 0.0.0.0
    <Exec>
        parse_syslog_bsd();
        if (($Message =~ /dstip=x\.x\.x\.(?:[0-9]+){1,255} dstport=(?:12|5)3/) #DNS & NTP from x.x.x.x
          or ($Message =~ /dstip=x\.x\.x\.(?:[0-9]+){1,255} dstport=(?:12|5)3/) #DNS & NTP from x.x.x.x
          or ($Message =~ /srcip=[\d.]+ srcport=\d+ srcintf="x" srcintfrole=".+" dstip=[\d.]+ dstport=16[12]/) #x from x Range
          or ($Message =~ /srcip=[\d.]+ srcport=\d+ srcintf=".+" srcintfrole=".+" dstip=[\d.]+ dstport=16[12] dstintf="x"/) #
          #.... more filters
          drop();
    </Exec>
</Input>

<Output x_sys_out>
    Module om_udp
    Host x.x.x.x
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route x>
    Path x_sys_in => x_sys_out
</Route>

NOTE: I already tried to remove the filter as I initially thought that the filter was mistakenly filtering out unwanted logs, but it wasn't the case.

Is this a license problem? Can I increase the log intake capacity of nxlog?

jd01 created
Replies: 4
cef log format
I'm trying to forward windows events to flume. The log should start with CEF:0, but the logs nxlog sends are formatted like this:

02-16-2021 12:02:46 User.Info 192.168.3.205 Feb 16 12:02:46 nxlogserver-01 SOC[0]: CEF:0|NXLog|NXLog|5.2.6388-trial|0|-|7|end=1613473366200 dvchost=nxlogserver-01 Keywords=36028797018963968 outcome=INFO SeverityValue=2 Severity=INFO externalId=4647 SourceName=SOC TaskValue=1 RecordNumber=5124 ExecutionProcessID=0 ExecutionThreadID=0 deviceFacility=System msg=Test Resisto Opcode=Info Data=Test Resisto EventReceivedTime=1613473366575 SourceModuleName=from_eventlog SourceModuleType=im_msvistalog

Is there a way to have them formatted so they begin with CEF:0? Thanks

LL_583818 created
Kafka error
Hi, I receive this error:

ERROR [CORE|main] Failed to load module from C:\Program Files\nxlog\modules\extension\om_kafka.dll, The specified module could not be found. ; The specified module could not be found.

version nxlog-trial-5.2.6388_windows_x64

Any idea? I have already reinstalled the nxlog server but get the same error.

LL_583818 created
Replies: 5
NXLog Installer package
I have the Nxlog exe with a config file and a bunch of Powershell scripts to be executed as part of the config file. I want to create one MSI package with all those files for easy installation. I have tried some methods but nothing seems to be working. Can anyone suggest a process for creating an MSI for NXLog (it includes .exe + certs + config + Powershell scripts)?

NP_196658 created
nxlogs & ESX6.5
Hello, I have installed nxlogs on my infrastructure. I can catch the logs from all my servers: Windows, Linux, Vcenter 6.5, except for the ESX servers 6.5. Is nxlogs compatible with ESX 6.5? Because when I read the admin guide, they speak about vcenter but not ESX. Best regards, Guy

GB_667538 created
Replies: 1
pm_norepeat module
Hi, I'm trying to use this module (server side). All seems ok, but this processor generates an event with user "nxlog-ce" and messages like "event repeated n times". Is it possible to drop this message? Thank you

<Processor norepeat>
    Module pm_norepeat
    CheckFields Hostname, Message
</Processor>

IB_956097 created
What parameters to use to ingest data in elasticsearch if has security enabled
Hi team, I have opendistro elasticsearch installed and it has a password to ingest data. I am using the nxlog community version to send json data directly to elasticsearch. However, I am not finding any relevant option for username and password in the om_elasticsearch module. Any clue?

<Output distroout>
    Module om_elasticsearch
    URL https://localhost:9200/_bulk
    FlushInterval 2
    FlushLimit 100
    HTTPSAllowUntrusted TRUE
    # Create an index daily
    Index strftime($EventTime, "nxlog-%Y%m%d")
    # Use the following if you do not have $EventTime set
    #Index strftime($EventReceivedTime, "nxlog-%Y%m%d")
</Output>

BR_606953 created
Replies: 2
Decode PacketData from Microsoft DNS Server Analytics Logs
I have set up NXlog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server. When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response. Has anyone decoded the PacketData field into a readable format? Config below:

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input etw>
    Module im_etw
    Provider Microsoft-Windows-DNSServer
</Input>

<Output file>
    Module om_file
    File 'C:\Users\Administrator\Documents\output_syslog.log'
    Exec parse_syslog();
</Output>

<Route etw_file>
    Path etw => file
</Route>

PD_085948 created
Replies: 2
Ingesting Json logs into elasticsearch and using if-else condition
Hi Team, I am trying to achieve ingesting json logs with the nxlog community edition. Is that possible? And I wanted to know if the conditions below can be achieved with the nxlog config file?

if auth_spf == pass then insert Tag DMARC aligned True
OR
if auth_dkim == pass then insert Tag DMARC aligned True
OR
if auth_spf || auth_dkim == pass then insert Tag DMARC aligned True

TIA Blason R

BR_606953 created
Replies: 1
AD user enumeration issues
We are running into issues with AD user enumeration with NXlog community edition. This began shortly after Powershell 7.1 came out in November. Any troubleshooting steps we can look into?

MT_238601 created
Replies: 1
$raw_event from input im_file module not sent when output module uses om_tcp module with snare or bsd format
Hi, I'm trying to send a raw event from our specific logfile to another server via tcp using NXlog CE. The receiving end requires snare or bsd format. I already used to_syslog_snare() and to_syslog_bsd() in the om_tcp module but it didn't work. I also tried to parse the input module by adding an empty condition to check the raw event but it didn't work either. If I hardcode the raw event using exec and then convert to snare or bsd in the output module, I receive the hardcoded and formatted event on my server. Have I missed any configurations? Below is my sample config. Thanks a lot!

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_file
    File "C:/test.txt"
    ReadFromLast TRUE
    SavePos TRUE
    # if empty line then do not send
    if $raw_event !~ /^.*$/ { drop(); } else { $raw_event = to_syslog_bsd(); }
</Input>

<Output out>
    Module om_tcp
    Host myserver
    Port 8888
    # to_syslog_snare(); # not receiving raw event in myserver
    # to_syslog_bsd(); # not receiving raw event in myserver
    # Exec $raw_event = "Hello there!"; to_syslog_bsd(); # this works; hardcoded one and formatted to syslog_bsd
</Output>

<Route testroute>
    Path in => out
</Route>

C:/test.txt
Hello
This is a test!
3rd line
Bye

emyatsuna created
Replies: 1
NXLog v5 how to keep $UserData $EventData
Hello, the new NXLog v5 automatically parses $EventData into $Data_1, $Data_2 and so on. This is very good, but is it possible to also keep the original $UserData and $EventData fields unparsed as in v4? We need this for compatibility with our logstash pipelines.

Roman_Andreev created
Replies: 1
EvtRender() failed after update 4.7 → 5.2
Hello, after updating 4.7 → 5.2, every 20-40 mins an ERROR appears:

ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

Is it safe to ignore?

RAZR created
Replies: 3