Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Nxlog Upgrade from v3.x to 5.x

Hi Team,

Hope all are well.

I am new to nxlog and trying to plan an upgrade from nxlog-ce-2.9 to the latest 5.x.

Can someone please help us with the queries below.

  1. Can we upgrade to the latest version?
  2. Is upgrading to the latest version recommended?
  3. Can we upgrade directly, or is it a multi-hop upgrade from v3.x -> 4.x -> 5.x?
  4. Is there any link to go through the upgrade process in a Windows environment?

Thanks in advance; any info would be helpful.

Regards, Anjan Kumar Tripathy


Anjan_nxlog created
Replies: 1
Difficulty Parsing IIS Logs and Sending to Loggly

I'm using NXLog to send Windows events and IIS logs to Loggly. We've recently onboarded a new MSSP and they have asked us to check off all IIS logging fields. This seems to break parsing of the IIS logs that need to be sent to Loggly. I've contacted Loggly support and they can't seem to come to a resolution.

Below is the code that we had been using for Loggly previously.

    ## This is a sample NXLog configuration file created by Loggly. June 2013
    ## See the nxlog reference manual about the configuration options.
    ## It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    #define ROOT_STRING C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog
    define ROOT_STRING C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define LOGFILE %ROOT%\data\nxlog.log

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    ## Include fileop while debugging, also enable in the output module below
    <Extension fileop>
        Module xm_fileop
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input internal>
        Module im_internal
        Exec $Message = to_json();
    </Input>

    ## Windows Event Log
    <Input eventlog>
        #Uncomment im_msvistalog for Windows Vista/2008 and later
        Module im_msvistalog
        Query <QueryList>\
                  <Query Id="0">\
                      <Select Path="Application">*</Select>\
                      <Select Path="System">*</Select>\
                      <Select Path="Security">*</Select>\
                  </Query>\
              </QueryList>

        #Uncomment im_mseventlog for Windows XP/2000/2003
        #Module im_mseventlog

        Exec $Message = to_json();
    </Input>

    <Processor buffer>
        Module pm_buffer
        # 100Mb disk buffer
        MaxSize 102400
        Type disk
    </Processor>

    <Processor buffer_iis>
        Module pm_buffer
        # 100Mb disk buffer
        MaxSize 102400
        Type disk
    </Processor>

    <Output out>
        Module om_tcp
        Host logs-01.loggly.com
        Port 514
        Exec to_syslog_ietf();
        Exec $raw_event =~ s/(\[.*] )//g; $raw_event = replace($raw_event, '{', '[CUSTOMER ID tag="windows"] {', 1);

        #Use the following line for debugging (uncomment the fileop extension above as well)
        #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
    </Output>

    <Output _nxlog>
        Module om_file
        File '%LOGFILE%'
        <Schedule>
            When @hourly
            Exec if (file_size('%LOGFILE%') >= 1M) { file_cycle('%LOGFILE%', 5); _nxlog->reopen(); }
        </Schedule>
    </Output>

    <Route 1>
        Path internal, eventlog => buffer => out
    </Route>

    <Route 2>
        Path internal => _nxlog
    </Route>

    ## Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
    <Extension w3c>
        Module xm_csv
        Fields $date, $time, $s-computername, $cs-method, $cs-uri-stem, $cs-uri-query, $c-ip, $cs(User-Agent), $cs(Referer), $cs-host, $sc-status, $sc-substatus, $sc-bytes, $cs-bytes, $time-taken, X-Forwarded-For, RequestId, PrincipalId
        FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, integer, integer, integer, string, string, string
        Delimiter ' '
        QuoteChar '"'
        EscapeControl FALSE
        UndefValue -
    </Extension>

    ## Convert the IIS logs to JSON and use the original event time
    <Input SC>
        Module im_file
        File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
        SavePos TRUE
        Exec if $raw_event =~ /^#/ drop();    \
             else                               \
             {                                  \
                  w3c->parse_csv();             \
                  $SourceName = "IIS";          \
                  $Message = to_json();         \
             }
    </Input>

    <Input SC_WebAPI>
        Module im_file
        File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
        SavePos TRUE
        Exec if $raw_event =~ /^#/ drop();    \
             else                               \
             {                                  \
                  w3c->parse_csv();             \
                  $SourceName = "IIS";          \
                  $Message = to_json();         \
             }
    </Input>

    <Route IIS>
        Path SC,SC_WebAPI => buffer_iis => out
    </Route>

The error we received in data.log looks like below:

    2021-02-18 14:11:12 "SERVERNAME" ERROR if-else failed at line 144, character 261 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted procedure 'parse_csv' failed at line 144, character 156 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted couldn't parse integer: ELB-HealthChecker/2.0
    2021-02-18 14:11:26 "SERVERNAME" ERROR if-else failed at line 131, character 261 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted procedure 'parse_csv' failed at line 131, character 156 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted couldn't parse integer: ELB-HealthChecker/2.0

It seems as if the cs-useragent is being evaluated as an integer, or possibly the input has fewer fields than expected.

Any help would be appreciated.


BB_838545 created
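When a fixed Fields list no longer matches the columns the server actually writes, a user-agent string can land in a column typed as integer, which is the shape of the error quoted above. The Python below is an added example, not code from the post or from NXLog: it replays the posted 18-field layout over a constructed IIS W3C sample to locate the misaligned column, and parses the same sample from its own #Fields directive instead, so newly enabled columns cannot shift values.

```python
# The fixed layout from the posted xm_csv block: 18 fields, 3 of them integers.
CONFIG_FIELDS = [
    "date", "time", "s-computername", "cs-method", "cs-uri-stem", "cs-uri-query",
    "c-ip", "cs(User-Agent)", "cs(Referer)", "cs-host", "sc-status", "sc-substatus",
    "sc-bytes", "cs-bytes", "time-taken", "X-Forwarded-For", "RequestId", "PrincipalId",
]
CONFIG_TYPES = ["string"] * 12 + ["integer"] * 3 + ["string"] * 3

# Numeric W3C columns; '-' is the W3C marker for an undefined value.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "sc-bytes", "cs-bytes", "time-taken"}

# Constructed sample log (not from the post): the server now writes 22 columns,
# so the 13th token is the user agent where the fixed layout expects sc-bytes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2021-02-18 14:11:12 W3SVC1 SERVERNAME 10.0.0.5 GET /health - 443 - 10.0.0.20 HTTP/1.1 ELB-HealthChecker/2.0 - - example.com 200 0 0 512 128 3
2021-02-18 14:11:13 W3SVC1 SERVERNAME 10.0.0.5 POST /api/login - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0+(Windows) - https://example.com/ example.com 401 1 0 760 455 17
"""


def check_fixed_layout(log_text):
    """Replay the posted Fields/FieldTypes over each record and return a list of
    (line_no, field, token) for every integer column that receives a non-integer."""
    problems = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#"):
            continue
        tokens = line.split(" ")
        for field, ftype, token in zip(CONFIG_FIELDS, CONFIG_TYPES, tokens):
            if ftype == "integer" and token != "-" and not token.isdigit():
                problems.append((line_no, field, token))
    return problems


def _convert(field, token):
    """Apply the '-' undefined marker and integer typing to one token."""
    if token == "-":
        return None
    return int(token) if field in INTEGER_FIELDS else token


def parse_w3c(log_text):
    """Parse records according to the log's own #Fields directive, so columns
    enabled later on the server cannot shift values into the wrong field."""
    fields, records = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(" ")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        tokens = line.split(" ")
        if fields is None or len(tokens) != len(fields):
            raise ValueError("record does not match the #Fields directive: %r" % line)
        records.append({f: _convert(f, t) for f, t in zip(fields, tokens)})
    return records
```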
im_udp dropping syslog udp messages
Hi, I'm working on a heavy log source which can only send syslog. Currently I also have filters in the config to remove unwanted logs. I've noticed that some logs are successfully being processed whilst others are lost. Through packet capture I was able to conclude that from the log source to the nxlog server UDP packets are all being received. It seems like nxlog (config) can't handle the large amount of syslog UDP messages coming in.

    Module xm_syslog

    Module im_udp
    Port 514
    Host 0.0.0.0
    parse_syslog_bsd();
    if (($Message =~ /dstip=x\.x\.x\.(?:[0-9]+){1,255} dstport=(?:12|5)3/)    #DNS & NTP from x.x.x.x
        or ($Message =~ /dstip=x\.x\.x\.(?:[0-9]+){1,255} dstport=(?:12|5)3/)    #DNS & NTP from x.x.x.x
        or ($Message =~ /srcip=[\d.]+ srcport=\d+ srcintf="x" srcintfrole=".+" dstip=[\d.]+ dstport=16[12]/)    #x from x Range
        or ($Message =~ /srcip=[\d.]+ srcport=\d+ srcintf=".+" srcintfrole=".+" dstip=[\d.]+ dstport=16[12] dstintf="x"/)
        # #.... more filters
    drop();

    Module om_udp
    Host x.x.x.x
    Port 514
    Exec to_syslog_bsd();

    Path x_sys_in => x_sys_out

**NOTE: I already tried to remove the filter, as I initially thought that the filter was mistakenly filtering out wanted logs, but it wasn't the case.**

Is this a license problem? Can I increase the log intake capacity of nxlog?

jd01 created
Replies: 4
cef log format

I'm trying to forward Windows events to Flume. The log should start with CEF:0, but the logs nxlog sends are formatted like this:

02-16-2021 12:02:46 User.Info 192.168.3.205 Feb 16 12:02:46 nxlogserver-01 SOC[0]: CEF:0|NXLog|NXLog|5.2.6388-trial|0|-|7|end=1613473366200 dvchost=nxlogserver-01 Keywords=36028797018963968 outcome=INFO SeverityValue=2 Severity=INFO externalId=4647 SourceName=SOC TaskValue=1 RecordNumber=5124 ExecutionProcessID=0 ExecutionThreadID=0 deviceFacility=System msg=Test Resisto Opcode=Info Data=Test Resisto EventReceivedTime=1613473366575 SourceModuleName=from_eventlog SourceModuleType=im_msvistalog

Is there a way to have them formatted so they begin with CEF:0?

Thanks


LL_583818 created
Kafka error

Hi, I receive this error:

    ERROR [CORE|main] Failed to load module from C:\Program Files\nxlog\modules\extension\om_kafka.dll, The specified module could not be found. ; The specified module could not be found.

Version: nxlog-trial-5.2.6388_windows_x64

Any idea? I have already reinstalled the nxlog server, but I get the same error.


LL_583818 created
Replies: 5
NXLog Installer package

I have the NXLog exe with a config file and a bunch of PowerShell scripts to be executed as part of the config file. I want to create one MSI package with all those files for easy installation. I have tried some methods but nothing seems to be working.

Can anyone suggest a process for creating an MSI for NXLog (it includes .exe + certs + config + PowerShell scripts)?


NP_196658 created
nxlogs & ESX6.5

Hello,

I have installed nxlog on my infrastructure. I can catch the logs from all my servers (Windows, Linux, vCenter 6.5), except for the ESX 6.5 servers. Is nxlog compatible with ESX 6.5? When I read the admin guide, they speak about vCenter but not ESX.

Best regards,

Guy


GB_667538 created
Replies: 1
pm_norepeat module

Hi,

I'm trying to use this module (server side). It all seems OK, but this processor generates an event with user "nxlog-ce" and messages like "event repeated n times". Is it possible to drop this message?

Thank you

    <Processor norepeat>
        Module pm_norepeat
        CheckFields Hostname, Message
    </Processor>


IB_956097 created
What parameters to use to ingest data in elasticsearch if has security enabled

Hi team,

I have OpenDistro Elasticsearch installed and it requires a password to ingest data; I am using the nxlog community version to send JSON data directly to Elasticsearch. However, I am not finding any relevant option for username/password in the om_elasticsearch module.

Any clue?

    <Output distroout>
        Module om_elasticsearch
        URL https://localhost:9200/_bulk
        FlushInterval 2
        FlushLimit 100
        HTTPSAllowUntrusted TRUE

        # Create an index daily
        Index       strftime($EventTime, "nxlog-%Y%m%d")

        # Use the following if you do not have $EventTime set
        #Index      strftime($EventReceivedTime, "nxlog-%Y%m%d")
    </Output>


BR_606953 created
Replies: 2
Decode PacketData from Microsoft DNS Server Analytics Logs

I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is a file stored locally on the DNS server.

When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response.

Has anyone decoded the PacketData field into a readable format?

Config below:

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input etw>
        Module im_etw
        Provider Microsoft-Windows-DNSServer
    </Input>

    <Output file>
        Module om_file
        File 'C:\Users\Administrator\Documents\output_syslog.log'
        Exec parse_syslog();
    </Output>

    <Route etw_file>
        Path etw => file
    </Route>


PD_085948 created
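The PacketData value is the DNS message in hex, so it decodes with an ordinary DNS wire-format parser. The Python below is an added example, not code from the post or from NXLog; the two hex packets are constructed (a query and the matching response for www.example.com, the two shapes that event IDs 256 and 257 log) and the decoder returns the header flags plus the question and answer sections, following name-compression pointers.

```python
import struct

# Constructed hex PacketData values (not from a real log): a query for
# www.example.com type A, and the matching response carrying one A record.
SAMPLE_QUERY = "ABCD01000001000000000000" "03777777076578616D706C6503636F6D0000010001"
SAMPLE_RESPONSE = ("ABCD81800001000100000000" "03777777076578616D706C6503636F6D0000010001"
                   "C00C0001000100000E1000045DB8D822")

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
            16: "TXT", 28: "AAAA", 33: "SRV"}


def read_name(data, offset):
    """Decode a DNS name at offset, following compression pointers (0xC0xx).
    Returns (dotted_name, offset_after_the_name_field)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack_from("!H", data, offset)[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) or ".", end if jumped else offset
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def decode_packet_data(hex_string):
    """Parse the hex DNS message into header flags plus question and answer sections."""
    data = bytes.fromhex(hex_string)
    txid, flags, qdcount, ancount = struct.unpack_from("!4H", data, 0)
    msg = {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
           "questions": [], "answers": []}
    offset = 12                                         # fixed 12-byte header
    for _ in range(qdcount):
        name, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack_from("!HH", data, offset)
        offset += 4
        msg["questions"].append((name, RR_TYPES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:                   # A record: dotted IPv4
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                       # NS/CNAME/PTR: a name
            value = read_name(data, offset)[0]
        else:
            value = rdata.hex()
        offset += rdlen
        msg["answers"].append((name, RR_TYPES.get(rtype, str(rtype)), ttl, value))
    return msg
```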
Replies: 2
Ingesting JSON logs into Elasticsearch and using if-else condition

Hi Team,

I am trying to ingest JSON logs with nxlog community edition. Is that possible? And I wanted to know if the condition below can be achieved with the nxlog config file?

    if auth_spf == pass then insert Tag DMARC aligned True
    OR if auth_dkim == pass then insert Tag DMARC aligned True
    OR if auth_spf || auth_dkim == pass then insert Tag DMARC aligned True

TIA, Blason R


BR_606953 created
Replies: 1
AD user enumeration issues

We are running into issues with AD user enumeration with NXLog community edition.

This began shortly after PowerShell 7.1 came out in November.

Are there any troubleshooting steps we can look into?


MT_238601 created
Replies: 1
$raw_event from input im_file module not sent when output module uses om_tcp module with snare or bsd format
Hi, I'm trying to send a raw event from our specific logfile to another server via TCP using NXLog CE. The receiving end requires snare or bsd format. I already used to_syslog_snare() and to_syslog_bsd() in the om_tcp module but it didn't work. I also tried to parse the input module by adding an empty condition to check the raw event but it didn't work either. If I hardcode the raw event using Exec and then convert to snare or bsd in the output module, I'm receiving the hardcoded and formatted event on my server. Have I missed any configuration? Below is my sample config. Thanks a lot!

    Module xm_syslog

    Module im_file
    File "C:/test.txt"
    ReadFromLast TRUE
    SavePos TRUE
    # if empty line then do not send
    if $raw_event !~ /^.*$/ { drop(); } else { $raw_event = to_syslog_bsd(); }

    Module om_tcp
    Host myserver
    Port 8888
    # to_syslog_snare(); # not receiving raw event in myserver
    # to_syslog_bsd(); # not receiving raw event in myserver
    # Exec $raw_event = "Hello there!"; to_syslog_bsd(); # this works; hardcoded one and formatted to syslog_bsd

    Path in => out

------------------------

C:/test.txt

    Hello
    This is a test!
    3rd line
    Bye

emyatsuna created
Replies: 1
NXLog v5 how to keep $UserData $EventData

Hello, the new NXLog v5 automatically parses $EventData into $Data_1, $Data_2 and so on. This is very good, but is it possible to also keep the original $UserData and $EventData fields unparsed, as in v4?

We need this for our logstash pipelines compatibility.


Roman_Andreev created
Replies: 1
EvtRender() failed after update 4.7 → 5.2

Hello, after updating 4.7 → 5.2, every 20-40 mins this ERROR appears:

ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

Is it safe to ignore?


RAZR created
Replies: 3
NXLOG CE 2.11- Debian Buster

Hi Raf,

Have you got any updates on the release date of NXLog CE 2.11 for Debian Buster?

https://nxlog.co/question/6073/nxlog-community-edition-package-debian-buster
https://nxlog.co/question/6285/nxlog-ce-211-release-date

Many thanks,

Paul.


pboniface created
Replies: 1
Nxlog Community - Forwarding Event Log - Drop messages

Hi All,

I'm testing the possibility of forwarding Windows security logs to a SIEM. It all seems OK, but I'm not able to drop messages with some values.

For example we have some event with

    $TargetUsername = DWM-"1to11" (example: DWM-1)
    $TargetUsername = UMFD-"1to11" (example: UMFD-4)
    $TargetUsername = pcname$ (example: HOSTNAME$)
    $TargetUsername = Anonymous Access

I'm able to drop "Anonymous Access" with this command:

    Exec if $TargetUserName == "Anonymous Access" drop();

but for the other events I can't use

    Exec if $TargetUserName == "UMFD" drop();

because there are multiple such events, like UMFD-1, UMFD-2, UMFD-3, or the username has a "$" at the end of the $TargetUserName value.

I have tried this configuration but it doesn't seem to work:

    Exec if $TargetUserName =~ /UMFD/ drop();
    Exec if $TargetUserName =~ /DWM/ drop();
    Exec if $TargetUserName =~ /$/ drop();

Can you help me?

Thank you


IB_956097 created
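A drop rule built on regular expressions needs anchors, and a literal "$" must be escaped: an unescaped /$/ is the end-of-string anchor, matches every value and drops every event the rule sees. The Python below is an added example, not code from the post or from NXLog; it applies anchored versions of the post's patterns to constructed Security events (the TargetUserName values are made up) and shows what the posted /$/ pattern would leave.

```python
import re

# Constructed parsed Security events (not from the post): the account names the
# post wants dropped, plus real accounts that must be kept.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "DWM-1"},
    {"EventID": 4624, "TargetUserName": "UMFD-4"},
    {"EventID": 4624, "TargetUserName": "HOSTNAME$"},
    {"EventID": 4624, "TargetUserName": "Anonymous Access"},
    {"EventID": 4624, "TargetUserName": "jsmith"},
    {"EventID": 4625, "TargetUserName": "administrator"},
    {"EventID": 4624, "TargetUserName": "UMFD-service"},   # not a numbered UMFD session
]

# Anchored patterns: numbered DWM-/UMFD- session accounts, computer accounts
# (a literal $ at the end of the name, so the $ is escaped) and the exact string.
DROP_PATTERNS = [
    re.compile(r"^DWM-\d+$"),
    re.compile(r"^UMFD-\d+$"),
    re.compile(r"\$$"),
    re.compile(r"^Anonymous Access$"),
]

# The post's third attempt: an unescaped $ is the end-of-string anchor and
# matches every username, so this pattern drops everything.
POSTED_PATTERN = re.compile(r"$")


def should_drop(username, patterns=DROP_PATTERNS):
    """True when any drop pattern matches the TargetUserName value."""
    return any(p.search(username) for p in patterns)


def filter_events(events, patterns=DROP_PATTERNS):
    """Return the events a forwarder would still send after applying the drop rules."""
    return [e for e in events if not should_drop(e["TargetUserName"], patterns)]
```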
Replies: 2
CVE-2020-35488:

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

Is there a fix available for this security vulnerability?

https://nvd.nist.gov/vuln/detail/CVE-2020-35488


imfeldc created
Replies: 1
How can I create a custom nxlog.conf file with powershell?
Hello, I want to send IIS W3C logs to the syslog server. The nxlog.conf file is as follows. If we assume that there are too many domains on the server, I want to quickly create this config file with PowerShell. Is this possible? In this configuration file, I can define the website and log directories manually. This is true, but it may be easier to add website and log directories by creating the config file "dynamically". When I add a wildcard "*" instead of the website name and folders with site ids such as W3SVC10, W3SVC11, no log is sent to the syslog server.

    # Domain list:
    Get-ChildItem C:\inetpub\vhosts -Directory -Exclude .skel,default,forwarding,Servers,sitebuilder,webmail | ForEach-Object {$_.Name}

    # Log Directories Path:
    Get-Website domain1.org | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" }
    Get-Website domain2.net | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" }

If we can do this with an alternative method, it is not necessary to do it with PowerShell. Do you have any suggestions?

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    Module xm_json

    Module xm_syslog

    Module im_internal

    # Watch your IIS log files
    Module im_file
    File 'C:\Inetpub\vhosts\domain1.org\logs\iis\W3SVC8\u_ex*.log'
    SavePos TRUE
    Recursive TRUE
    Exec $Message = $raw_event;

    # Watch your IIS log files
    Module im_file
    File 'C:\Inetpub\vhosts\domain2.net\logs\iis\W3SVC9\u_ex*.log'
    SavePos TRUE
    Recursive TRUE
    Exec $Message = $raw_event;

    # Watch your IIS log files
    Module im_file
    File 'C:\Inetpub\vhosts\domain3.com\logs\iis\W3SVC10\u_ex*.log'
    SavePos TRUE
    Recursive TRUE
    Exec $Message = $raw_event;

    # Watch your IIS log files
    Module im_file
    File 'C:\Inetpub\vhosts\domain4.ru\logs\iis\W3SVC11\u_ex*.log'
    SavePos TRUE
    Recursive TRUE
    Exec $Message = $raw_event;

    # Watch your IIS log files
    Module im_file
    File 'C:\Inetpub\vhosts\domain5.de\logs\iis\W3SVC12\u_ex*.log'
    SavePos TRUE
    Recursive TRUE
    Exec $Message = $raw_event;

    # Watch your IIS log files
    Module im_file
    File 'C:\Inetpub\vhosts\domain6.nl\logs\iis\W3SVC13\u_ex*.log'
    SavePos TRUE
    Recursive TRUE
    Exec $Message = $raw_event;

    Module om_udp
    Host 8.8.4.4
    Port 514
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();
    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

    Path internal, domain1.org, domain2.net, domain3.com, domain4.ru, domain5.de, domain6.nl => out

adam created
Replies: 1
om_udpspoof inside docker container

I have a question regarding running nxlog with the om_udpspoof module inside of a docker container. It appears that I should be able to do this, but in practice it does not work. I have tried the following:

  1. Using --add-cap=net_raw on the container
  2. Using --privileged flag on the container
  3. Using the Capabilities "cap_net_raw=+ep" in the NXLOG configuration

I keep getting the following error from the nxlog process inside the container.

nxlog_1 | 2021-01-19 19:14:02 ERROR [om_udpspoof|graylog] couldn't create raw socket;Operation not permitted

Has anyone been able to get the om_udpspoof module to work inside of a docker container?


rp25818 created
Replies: 1