We are running into issues with AD user enumeration issues with NXlog community edition this began shortly after Powershell 7.1 came out in November any troubleshooting steps we can look into

Hi, I'm trying to send a raw event in our specific logfile to another server via tcp using NXlog CE. The receiving end requires snare or bsd format. I already used the to_syslog_snare() and to_syslog_bsd() in the om_tcp module but it didn't work. I also tried to parse input module by adding empty condition to check raw event but it didn't work too. If I hardcode the raw event using exec then convert to snare or bsd in the output module, I'm receiving the hardcoded and formatted event in my server. Have I missed any configurations? Below is mysample config. Thanks a lot! <Extension _syslog> Module xm_syslog </Extension> <Input in> Module im_file File "C:/test.txt" ReadFromLast TRUE SavePos TRUE # if empty line then do not send if $raw_event !~ /^.*$/ { drop(); } else { $raw_event = to_syslog_bsd(); } </Input> <Output out> Module om_tcp Host myserver Port 8888 # to_syslog_snare(); # not receiving raw event in myserver # to_syslog_bsd(); # not receiving raw event in myserver # Exec $raw_event = "Hello there!"; to_syslog_bsd(); # this works; hardcoded one and formatted to syslog_bsd </Output> <Route testroute> Path in => out </Route> C:/test.txt Hello This is a test! 3rd line Bye

Hello, New NXLog v5 automatically parse $EventData to $Data_1, $Data_2 and so on And this is very good, but is it possible to keep also original $UserData and $EventData fields unparsed as in v4? We need this for our logstash pipelines compatibility.

Hello, After updating 4.7 → 5.2 every 20-40mins ERROR appears, ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small. Is it safe to ignore?

Hi Raf, Have you got any updates on the release date of Nxlog CE 2.11 for Debian Buster ? https://nxlog.co/question/6073/nxlog-community-edition-package-debian-buster https://nxlog.co/question/6285/nxlog-ce-211-release-date Many thanks, Paul.

Hi All, i'm testing the possibility of forwarding windows security logs to SIEM. Seems all ok, but i'm not able to drop messages with some values. For example we have some event with $TargetUsername = DWM-"1to11" (example : DWM-1) $TargetUsername = UMFD-"1to11" (example : UMFD-4) $TargetUsername = pcname$ (example : HOSTNAME$) $TargetUsername = Anonymous Access I'm able to drop "Anonymous Access" with this command : Exec if $TargetUserName == "Anonymous Access" drop(); but with the other events, i can't use Exec if $TargetUserName == "UMFD" drop(); because the events are multiple like UMFD-1 UMFD-2 UMFD-3, or username with "$" at the end of the $TargetUserName Value i have tried with this configuration but seems doesn't work Exec if $TargetUserName =~ /UMFD/ drop(); Exec if $TargetUserName =~ /DWM/ drop(); Exec if $TargetUserName =~ /$/ drop(); Can you help me? Thanks you

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.) Is there a fix available for this security vulnerability? https://nvd.nist.gov/vuln/detail/CVE-2020-35488

Hello, I want to send IIS W3C logs to the Syslog server. The nxlog.conf file is as follows. If we assume that there are too many domains on the server, I want to quickly create this config file with powershell. Is this possible? In this configuration file, I can define the website and log directories manually. This is true, but it may be easier to add website and log directories by creating a "dynamically" config file. When I add a wildcard "*" instead of website-name and folders with site ids such as W3SVC10, W3SVC11, no log is sent to the syslog server. # Domain list: Get-ChildItem C:\inetpub\vhosts -Directory -Exclude .skel,default,forwarding,Servers,sitebuilder,webmail | ForEach-Object {$_.Name} # Log Directories Path: Get-Website domain1.org | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" } Get-Website domain2.net | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" } If we can do this with an alternative method, it is not necessary to do it with powershell. Do you have any suggestions? Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input internal> Module im_internal </Input> # Watch your IIS log files <Input domain1.org> Module im_file File 'C:\Inetpub\vhosts\domain1.org\logs\iis\W3SVC8\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; </Input> # Watch your IIS log files <Input domain2.net> Module im_file File 'C:\Inetpub\vhosts\domain2.net\logs\iis\W3SVC9\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; </Input> # Watch your IIS log files <Input domain3.com> Module im_file File 'C:\Inetpub\vhosts\domain3.com\logs\iis\W3SVC10\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; </Input> # Watch your IIS log files <Input domain4.ru> Module im_file File 'C:\Inetpub\vhosts\domain4.ru\logs\iis\W3SVC11\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; </Input> # Watch your IIS log files <Input domain5.de> Module im_file File 'C:\Inetpub\vhosts\domain5.de\logs\iis\W3SVC12\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; </Input> # Watch your IIS log files <Input domain6.nl> Module im_file File 'C:\Inetpub\vhosts\domain6.nl\logs\iis\W3SVC13\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; </Input> <Output out> Module om_udp Host 8.8.4.4 Port 514 Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message"); Exec $raw_event = to_json(); # Uncomment for debug output # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n"); </Output> <Route 1> Path internal, domain1.org, domain2.net, domain3.com, domain4.ru, domain5.de, domain6.nl => out </Route>

I have a question regarding running nxlog with the om_udpspoof module inside of a docker container. It appears that I should be able to do this, but in practice it does not work. I have tried the following: Using --add-cap=net_raw on the container Using --privileged flag on the container Using the Capabilities "cap_net_raw=+ep" in the NXLOG configuration I keep getting the following error from the nxlog process inside the container. nxlog_1 | 2021-01-19 19:14:02 ERROR [om_udpspoof|graylog] couldn't create raw socket;Operation not permitted Has anyone been able to get the om_udpspoof module to work inside of a docker container?

hi there, I have a query. Got Windows servers with MS SQL installed and the NXLog 32 bits agent installed. Unfortunately no SQL logs are seen on our SIEM solution (Alienvault) and it seems the issue is because we should use the 64 bits agent (available for the Enterprise edition only). Has anyone experienced the same? Any tips? Any help would be appreciated Many thanks!

Hi, Regarding the Elasticsearch module: Currently, I am using Nxlog Manager, NxLog agent and I want to send the log to elasticsearch. Where I should put the elastic username and password on NXLog config file? Thanks

Hi, I want to convert one of the field in audit message from hex to String for better readability. Could you please let me know if there is any function available for this? Thanks, Mahantesh

Hi, Regarding the File Integrity Monitoring module: Is it possible to detect the user who performs the changes? Currently, there is no detail of who made the changes in the NXLog logs. What is the recommended scan-interval to be set? Will it affect the performance of the system? Thank You

I have three different sites and configured nxlog to push logs to graylog.Below is my config.In one server hostname is getting in NXLOG but in other server with same NXLOG config and same IIS config Domain Name is getting captured instead of hostname.Both servers having same O.S windows server 2012 R2. Any help would be greatly appreciated here #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists('%LOGFILE%') and (file_size('%LOGFILE%') >= 5M)) file_cycle('%LOGFILE%', 8); </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); </Schedule> </Extension> ####################################################################### #### EXTENTIONS ##### ####################################################################### <Extension _gelf> Module xm_gelf </Extension> <Extension _json> Module xm_json </Extension> ####################################################################### #### IIS NXLOG ###### ####################################################################### <Extension w3c> Module xm_csv Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $x-forwarded-for FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Input pr-iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC3\u_ex*" SavePos TRUE Exec if $raw_event =~/^#/ drop(); else { w3c->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = parsedate($date + " " + $time + "Z"); $SourceName = "PR-IIS"; $raw_event = to_json(); } </Input> <Input pp1-iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*" SavePos TRUE Exec if $raw_event =~/^#/ drop(); else { w3c->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = parsedate($date + " " + $time + "Z"); $SourceName = "PP1-IIS"; $raw_event = to_json(); } </Input> <Input pp2-iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*" SavePos TRUE Exec if $raw_event =~/^#/ drop(); else { w3c->parse_csv(); $EventTime = parsedate($date + " " + $time); $EventTime = parsedate($date + " " + $time + "Z"); $SourceName = "PP2-IIS"; $raw_event = to_json(); } </Input> <Output graylog> Module om_udp Host x.x.x.x Port xxxx OutputType GELF Exec $Hostname = hostname_fqdn(); Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event; #Use the following line for debugging (uncomment the fileop extension above as well) #Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event); </Output> <Route iis-to-graylog> Path pr-iis => graylog </Route> <Route iis-to-graylog> Path pp1-iis => graylog </Route> <Route iis-to-graylog> Path pp2-iis => graylog </Route> ####################################################################### #### /IIS NXLOG ##### #######################################################################

Hi Everybody, I'm trying to forward osquery logs stored in windows event log. That part seems to work, except that the "message" field inside of EventData isn't included. However, the "Location" field inside of EventData is. I'm thinking that since the name the location field is just "location", the message field should be message. It looks like the message field exists, and just contains generic text instead of the data. I'm wondering if the two names (Message, and EventData.Message) are in conflict. Is that a possibility? Is there a way to read EventData fields as "EventData.Fieldname" instead of just "FieldName"? A snippit of the to_json() output: "AccountType":"User","Message":"Information","Location":"&lt;empty&gt;:0" A snippit from the event viewer xml view: <EventData> <Data Name="Message">{"name":"disk_info","hostIdentifier":"XXXXXXXXX","calendarTime":"Fri Jan 15 15:16:57 2021 UTC"," Thanks

Hello, I have porblem with install nxlog-ce-2.10.2150.msi at a domain controler on windoes server 2012R2 , When I try to install program, I get that error "Installation directory must be a local hard driver". But I chosed local path "C:\Program Files (x86)\nxlog&quot;. I tried to change path to another local paths C:\ and C:\user_name.I all time get the same error. Someone know what I can do at this error?

Hello NxLog CE 2.10.2150 is installed on two Windows Server 2019 Standard (version 1809) But every X minutes, the service crash and cause PRODUCTION issues. Here the Event Viewer Report : Nom du journal :Application Source : Application Error Date : 15/01/2021 09:46:15 ID de l’événement :1000 Catégorie de la tâche :(100) Niveau : Erreur Mots clés : Classique Utilisateur : N/A Ordinateur : XXX Description : Nom de l’application défaillante nxlog.exe, version : 0.0.0.0, horodatage : 0x5beed9da Nom du module défaillant : msvcrt.dll, version : 7.0.17763.475, horodatage : 0xba51b082 Code d’exception : 0xc0000005 Décalage d’erreur : 0x0008a1dc ID du processus défaillant : 0x39bc Heure de début de l’application défaillante : 0x01d6eb18ce58bc81 Chemin d’accès de l’application défaillante : C:\Program Files (x86)\nxlog\nxlog.exe Chemin d’accès du module défaillant: C:\Windows\System32\msvcrt.dll ID de rapport : 1108635a-e7f7-4e3b-8aee-76a841ef2ea9 Nom complet du package défaillant : ID de l’application relative au package défaillant : XML de l’événement : <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Error" /> <EventID Qualifiers="0">1000</EventID> <Level>2</Level> <Task>100</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2021-01-15T08:46:15.538549700Z" /> <EventRecordID>1632347</EventRecordID> <Channel>Application</Channel> <Computer>XXX</Computer> <Security /> </System> <EventData> <Data>nxlog.exe</Data> <Data>0.0.0.0</Data> <Data>5beed9da</Data> <Data>msvcrt.dll</Data> <Data>7.0.17763.475</Data> <Data>ba51b082</Data> <Data>c0000005</Data> <Data>0008a1dc</Data> <Data>39bc</Data> <Data>01d6eb18ce58bc81</Data> <Data>C:\Program Files (x86)\nxlog\nxlog.exe</Data> <Data>C:\Windows\System32\msvcrt.dll</Data> <Data>1108635a-e7f7-4e3b-8aee-76a841ef2ea9</Data> <Data> </Data> <Data> </Data> </EventData> </Event> How can I solved the issue ?

Hi support, We are trying to send logs from a server with NXLog agent installed to SIEM, with SSL/TLS (encrypted traffic) Would it be possible to only use ONE certificate for each agent? For NXLog manager and the agents is it possible to use only ONE CA for One agent?

I do not see an install file for Ubuntu 20.04. Will one be made available when NXLog 2.11 is released? Thanks in advance. TonyC

Is Anyone using NXLog to send Windows Events to Azure's Log Analytics, replacing Microsoft's OMS\MMA agent? The MS MMA agent is very limited on its outbound filtering, so NXLog is being considered. If someone is successful doing this, a example of the config file would be awesome. Thanks.