Hi I receive this error ERROR [CORE|main] Failed to load module from C:\Program Files\nxlog\modules\extension\om_kafka.dll, The specified module could not be found. ; The specified module could not be found.

version nxlog-trial-5.2.6388_windows_x64

Any idea? I have already reinstalled the nxlog server but same error

I have Nxlog exe with config file and bunch of Powershell scripts to be executed part of config file. I want to create one MSI package with all those files for easy installation. I have tried some methods but nothing seems to be working.

Can any one suggest here with the process of creating MSI for NXLog ( it includes .exe + certs + config + Powershell scripts )

Hello,

I have installed nxlogs on my infrastructure. I can catch the logs from all my servers Windows, Linux, Vcenter 6.5, exept for the ESX servers 6.5. Is nxlogs compatible with ESX 6.5 ? because when I read admin guide, they speak about vcenter but not ESX.

Best regards,

Guy

Hi,

i'm trying to use this module (server side), seems all ok, but this processor generate an event with user "nxlog-ce" and messages like "event repeated n times" it's possible to drop this message?

Thanks You

<Processor norepeat> Module pm_norepeat CheckFields Hostname, Message </Processor>

Hi team,

I have opendistro elasticsearch installed and has a password to ingest data; I am using nxlog community version to send json data directly in elasticsearch. However I am not finding any relevant option for username password for om_elasticsearch module

Any clue?

<Output distroout> Module om_elasticsearch URL https://localhost:9200/_bulk FlushInterval 2 FlushLimit 100 HTTPSAllowUntrusted TRUE

# Create an index daily
Index       strftime($EventTime, "nxlog-%Y%m%d")

# Use the following if you do not have $EventTime set
#Index      strftime($EventReceivedTime, "nxlog-%Y%m%d")

</Output>

I have setup NXlog for purpose of consuming DNS analytical events and forwarding to a NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.

When I take a closer look at event IDs 256 and 257, DNS analytical log provides some interesting field such as source, query and packet data, which seems to be a hex value of query or response.

Has anyone decoded the PacketData field into a readable format?

Config below:

<Extension _syslog> Module xm_syslog </Extension>

<Input etw> Module im_etw Provider Microsoft-Windows-DNSServer </Input>

<Output file> Module om_file File 'C:\Users\Administrator\Documents\output_syslog.log' Exec parse_syslog(); </Output>

<Route etw_file> Path etw => file </Route>

Hi Team,

I am trying to achieve ingesting json logs with nxlog community edition. Is that possible? And wanted to know if below condition can be achieved with nxlog config file?

if auth_spf == pass then insert Tag DMARC aligned True OR if auth_dkim == pass then insert Tag DMARC aligned True OR if auth_spf || auth_dkim == pass then insert Tag DMARC aligned True

TIA Blason R

We are running into issues with AD user enumeration issues with NXlog community edition

this began shortly after Powershell 7.1 came out in November

any troubleshooting steps we can look into

Hi, I'm trying to send a raw event in our specific logfile to another server via tcp using NXlog CE. The receiving end requires snare or bsd format. I already used the to_syslog_snare() and to_syslog_bsd() in the om_tcp module but it didn't work. I also tried to parse input module by adding empty condition to check raw event but it didn't work too. If I hardcode the raw event using exec then convert to snare or bsd in the output module, I'm receiving the hardcoded and formatted event in my server. Have I missed any configurations? Below is mysample config. Thanks a lot! Module xm_syslog Module im_file File "C:/test.txt" ReadFromLast TRUE SavePos TRUE # if empty line then do not send if $raw_event !~ /^.*$/ { drop(); } else { $raw_event = to_syslog_bsd(); } Module om_tcp Host myserver Port 8888 # to_syslog_snare(); # not receiving raw event in myserver # to_syslog_bsd(); # not receiving raw event in myserver # Exec $raw_event = "Hello there!"; to_syslog_bsd(); # this works; hardcoded one and formatted to syslog_bsd Path in => out ------------------------ C:/test.txt Hello This is a test! 3rd line Bye

Hello, New NXLog v5 automatically parse $EventData to $Data_1, $Data_2 and so on And this is very good, but is it possible to keep also original $UserData and $EventData fields unparsed as in v4?

We need this for our logstash pipelines compatibility.

Hello, After updating 4.7 → 5.2 every 20-40mins ERROR appears,

ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

Is it safe to ignore?

Hi Raf,

Have you got any updates on the release date of Nxlog CE 2.11 for Debian Buster ?

https://nxlog.co/question/6073/nxlog-community-edition-package-debian-buster https://nxlog.co/question/6285/nxlog-ce-211-release-date

Many thanks,

Paul.

Hi All,

i'm testing the possibility of forwarding windows security logs to SIEM. Seems all ok, but i'm not able to drop messages with some values.

For example we have some event with

$TargetUsername = DWM-"1to11" (example : DWM-1) $TargetUsername = UMFD-"1to11" (example : UMFD-4) $TargetUsername = pcname$ (example : HOSTNAME$) $TargetUsername = Anonymous Access

I'm able to drop "Anonymous Access" with this command :

Exec if $TargetUserName == "Anonymous Access" drop();

but with the other events, i can't use

Exec if $TargetUserName == "UMFD" drop();

because the events are multiple like UMFD-1 UMFD-2 UMFD-3, or username with "$" at the end of the $TargetUserName Value

i have tried with this configuration but seems doesn't work

Exec if $TargetUserName =~ /UMFD/ drop(); Exec if $TargetUserName =~ /DWM/ drop(); Exec if $TargetUserName =~ /$/ drop();

Can you help me?

Thanks you

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

Is there a fix available for this security vulnerability?

https://nvd.nist.gov/vuln/detail/CVE-2020-35488

Hello, I want to send IIS W3C logs to the Syslog server. The nxlog.conf file is as follows. If we assume that there are too many domains on the server, I want to quickly create this config file with powershell. Is this possible? In this configuration file, I can define the website and log directories manually. This is true, but it may be easier to add website and log directories by creating a "dynamically" config file. When I add a wildcard "*" instead of website-name and folders with site ids such as W3SVC10, W3SVC11, no log is sent to the syslog server. # Domain list: Get-ChildItem C:\inetpub\vhosts -Directory -Exclude .skel,default,forwarding,Servers,sitebuilder,webmail | ForEach-Object {$_.Name} # Log Directories Path: Get-Website domain1.org | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" } Get-Website domain2.net | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" } If we can do this with an alternative method, it is not necessary to do it with powershell. Do you have any suggestions? Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data Module xm_json Module xm_syslog Module im_internal # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain1.org\logs\iis\W3SVC8\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain2.net\logs\iis\W3SVC9\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain3.com\logs\iis\W3SVC10\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain4.ru\logs\iis\W3SVC11\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain5.de\logs\iis\W3SVC12\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain6.nl\logs\iis\W3SVC13\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; Module om_udp Host 8.8.4.4 Port 514 Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message"); Exec $raw_event = to_json(); # Uncomment for debug output # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n"); Path internal, domain1.org, domain2.net, domain3.com, domain4.ru, domain5.de, domain6.nl => out

I have a question regarding running nxlog with the om_udpspoof module inside of a docker container. It appears that I should be able to do this, but in practice it does not work. I have tried the following:

1. Using --add-cap=net_raw on the container
2. Using --privileged flag on the container
3. Using the Capabilities "cap_net_raw=+ep" in the NXLOG configuration

I keep getting the following error from the nxlog process inside the container.

nxlog_1 | 2021-01-19 19:14:02 ERROR [om_udpspoof|graylog] couldn't create raw socket;Operation not permitted

Has anyone been able to get the om_udpspoof module to work inside of a docker container?

hi there, I have a query. Got Windows servers with MS SQL installed and the NXLog 32 bits agent installed. Unfortunately no SQL logs are seen on our SIEM solution (Alienvault) and it seems the issue is because we should use the 64 bits agent (available for the Enterprise edition only). Has anyone experienced the same? Any tips? Any help would be appreciated

Many thanks!

Hi,

Regarding the Elasticsearch module:

Currently, I am using Nxlog Manager, NxLog agent and I want to send the log to elasticsearch. Where I should put the elastic username and password on NXLog config file?

Thanks

Hi,

I want to convert one of the field in audit message from hex to String for better readability. Could you please let me know if there is any function available for this?

Thanks, Mahantesh

Hi,

Regarding the File Integrity Monitoring module:

1. Is it possible to detect the user who performs the changes? Currently, there is no detail of who made the changes in the NXLog logs.
2. What is the recommended scan-interval to be set? Will it affect the performance of the system?

Thank You