Hello,
I have installed NXLog on my infrastructure. I can catch the logs from all my servers: Windows, Linux, vCenter 6.5, except for the ESX 6.5 servers. Is NXLog compatible with ESX 6.5? Because when I read the admin guide, they speak about vCenter but not ESX.
Best regards,
Guy
GB_667538 created
Hi,
I'm trying to use this module (server side). It seems all OK, but this processor generates an event with user "nxlog-ce" and messages like "event repeated n times". Is it possible to drop this message?
Thank you
<Processor norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message
</Processor>
IB_956097 created
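The pipeline the question describes, as an added example (not the poster's configuration and not NXLog's own documentation): a syslog input, the pm_norepeat processor collapsing consecutive duplicates on Hostname and Message, and a filter on the output side that discards the summary line the processor emits. The UDP listener, the output path and the exact summary wording are assumptions; the regex is written loosely enough to match "repeated N times" whichever prefix your version prints.

```nxlog
# Added example, not the poster's config. Assumes a UDP syslog listener on
# port 514 and a local output file; adjust to your environment.
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_udp
    Host        0.0.0.0
    Port        514
    Exec        parse_syslog();
</Input>

# Collapse consecutive duplicates, judged on Hostname and Message.
<Processor norepeat>
    Module      pm_norepeat
    CheckFields Hostname, Message
</Processor>

<Output out>
    Module      om_file
    File        "/var/log/nxlog/dedup.log"
    # The "repeated N times" line is generated by the processor itself, so it
    # carries nxlog's own identity rather than the original sender's. Drop it
    # after the processor if the suppressed-duplicate count is not needed.
    # Assumed wording: the match is kept loose on purpose.
    Exec        if $Message =~ /repeated \d+ times/ drop();
</Output>

<Route r>
    Path        in => norepeat => out
</Route>
```

The filter sits in the output rather than in the input so it only sees events after pm_norepeat has run. Keep in mind that the summary line is the only record of how many events were collapsed; a burst of identical authentication failures, for instance, becomes a single line with no count once it is dropped.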
Hi team,
I have Open Distro for Elasticsearch installed, and it requires a password to ingest data. I am using the NXLog community version to send JSON data directly to Elasticsearch. However, I am not finding any relevant option for a username/password in the om_elasticsearch module.
Any clue?
<Output distroout>
    Module              om_elasticsearch
    URL                 https://localhost:9200/_bulk
    FlushInterval       2
    FlushLimit          100
    HTTPSAllowUntrusted TRUE
    # Create an index daily
    Index               strftime($EventTime, "nxlog-%Y%m%d")
    # Use the following if you do not have $EventTime set
    #Index              strftime($EventReceivedTime, "nxlog-%Y%m%d")
</Output>
BR_606953 created
I have set up NXLog for the purpose of consuming DNS analytical events and forwarding them to an NDR solution. I'm using im_etw as the input and parsing to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.
When I take a closer look at event IDs 256 and 257, the DNS analytical log provides some interesting fields such as source, query and packet data, which seems to be a hex value of the query or response.
Has anyone decoded the PacketData field into a readable format?
Config below:
<Extension _syslog>
    Module    xm_syslog
</Extension>

<Input etw>
    Module    im_etw
    Provider  Microsoft-Windows-DNSServer
</Input>

<Output file>
    Module    om_file
    File      'C:\Users\Administrator\Documents\output_syslog.log'
    Exec      parse_syslog();
</Output>

<Route etw_file>
    Path      etw => file
</Route>
PD_085948 created
Hi Team,
I am trying to ingest JSON logs with the NXLog community edition. Is that possible? I also wanted to know if the condition below can be achieved in the NXLog config file.
if auth_spf == pass then insert Tag DMARC aligned True OR if auth_dkim == pass then insert Tag DMARC aligned True OR if auth_spf || auth_dkim == pass then insert Tag DMARC aligned True
TIA Blason R
BR_606953 created
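One way to express the condition from the question, as an added example that is not the poster's config or NXLog's own documentation: a JSON file input parsed with xm_json, a single `if` that covers all three of the listed cases (SPF pass, DKIM pass, either pass), and the tag written back into the event. The input path, output path and the `$Tag` field name are assumptions.

```nxlog
# Added example (not the poster's config). Assumes one JSON object per line
# in /var/log/mail/auth.json with string fields "auth_spf" and "auth_dkim".
<Extension _json>
    Module  xm_json
</Extension>

<Input mail_json>
    Module  im_file
    File    "/var/log/mail/auth.json"
    # Turn the JSON keys into NXLog fields ($auth_spf, $auth_dkim, ...).
    Exec    parse_json();
    # Either mechanism passing is enough; the two single-field rules and the
    # combined rule in the question all collapse into this one test. Note the
    # comparison is written out on both sides: "$auth_spf or $auth_dkim ==
    # 'pass'" would test the wrong thing because == binds tighter than or.
    Exec    if ($auth_spf == "pass" or $auth_dkim == "pass") \
                $Tag = "DMARC aligned True"; \
            else \
                $Tag = "DMARC aligned False";
    # Re-serialise so the added field is carried in the output line.
    Exec    $raw_event = to_json();
</Input>

<Output tagged>
    Module  om_file
    File    "/var/log/nxlog/mail_tagged.json"
</Output>

<Route r>
    Path    mail_json => tagged
</Route>
```

A field missing from a given record is simply undefined, so the comparison evaluates to false and the event gets the "False" tag rather than an error. Keep the tag name honest, though: an SPF or DKIM pass on its own is not DMARC alignment, which additionally requires the authenticated domain to match the RFC5322.From domain; if the log carries those domains, that check belongs in the same `if`.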
We are running into AD user enumeration issues with NXLog community edition.
This began shortly after PowerShell 7.1 came out in November.
Are there any troubleshooting steps we can look into?
MT_238601 created
emyatsuna created
Hello,
The new NXLog v5 automatically parses $EventData into $Data_1, $Data_2 and so on.
This is very good, but is it possible to also keep the original $UserData and $EventData fields unparsed, as in v4?
We need this for our logstash pipelines compatibility.
Roman_Andreev created
Hello. After updating 4.7 → 5.2, every 20-40 minutes an ERROR appears:
ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.
Is it safe to ignore?
RAZR created
Hi Raf,
Have you got any updates on the release date of NXLog CE 2.11 for Debian Buster?
https://nxlog.co/question/6073/nxlog-community-edition-package-debian-buster https://nxlog.co/question/6285/nxlog-ce-211-release-date
Many thanks,
Paul.
pboniface created
Hi All,
I'm testing the possibility of forwarding Windows security logs to a SIEM. It all seems OK, but I'm not able to drop messages with certain values.
For example, we have some events with:
$TargetUsername = DWM-"1to11" (example: DWM-1)
$TargetUsername = UMFD-"1to11" (example: UMFD-4)
$TargetUsername = pcname$ (example: HOSTNAME$)
$TargetUsername = Anonymous Access
I'm able to drop "Anonymous Access" with this command:
Exec if $TargetUserName == "Anonymous Access" drop();
but with the other events, I can't use
Exec if $TargetUserName == "UMFD" drop();
because the events are multiple, like UMFD-1, UMFD-2, UMFD-3, or the username has a "$" at the end of the $TargetUserName value.
I have tried this configuration, but it doesn't seem to work:
Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $TargetUserName =~ /$/ drop();
Can you help me?
Thank you
IB_956097 created
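The three patterns from the question, rewritten so they match only what was intended, as an added example (not the poster's config and not NXLog documentation). The reason the original version dropped everything is the last line: in a regular expression a bare `$` is the end-of-string anchor, so `/$/` matches every value. The Security-channel query and the output name are assumptions.

```nxlog
# Added example, not the poster's configuration. Assumes the Windows Security
# log is read with im_msvistalog; the output "siem" is a placeholder name.
<Input security>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Anchored: matches DWM-1 .. DWM-11 and UMFD-1 .. UMFD-11 exactly, and not
    # a real user whose name merely contains those letters.
    Exec    if $TargetUserName =~ /^(UMFD|DWM)-\d+$/ drop();
    # A literal dollar sign at the end of the value must be escaped; an
    # unescaped $ is the end-of-string anchor and matches every event.
    Exec    if $TargetUserName =~ /\$$/ drop();
</Input>

<Route r>
    Path    security => siem
</Route>
```

Before switching the second rule on, decide whether you really want it: the names ending in `$` are computer accounts, and their logon events (4624/4625/4768/4769 with a machine account as the target) are exactly what detections for lateral movement and Kerberos abuse look at. Filtering the window-manager accounts is low risk; filtering every machine account removes signal a SIEM is usually there to keep.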
The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)
Is there a fix available for this security vulnerability?
https://nvd.nist.gov/vuln/detail/CVE-2020-35488
imfeldc created
adam created
I have a question regarding running nxlog with the om_udpspoof module inside of a docker container. It appears that I should be able to do this, but in practice it does not work. I have tried the following:
- Using --add-cap=net_raw on the container
- Using the --privileged flag on the container
- Using Capabilities "cap_net_raw=+ep" in the NXLOG configuration
I keep getting the following error from the nxlog process inside the container.
nxlog_1 | 2021-01-19 19:14:02 ERROR [om_udpspoof|graylog] couldn't create raw socket;Operation not permitted
Has anyone been able to get the om_udpspoof module to work inside of a docker container?
rp25818 created
Hi there, I have a query. We have Windows servers with MS SQL installed and the NXLog 32-bit agent installed. Unfortunately no SQL logs are seen on our SIEM solution (AlienVault), and it seems the issue is that we should use the 64-bit agent (available for the Enterprise edition only). Has anyone experienced the same? Any tips? Any help would be appreciated.
Many thanks!
fcolzani created
Hi,
Regarding the Elasticsearch module:
Currently, I am using NXLog Manager and the NXLog agent, and I want to send the logs to Elasticsearch. Where should I put the Elasticsearch username and password in the NXLog config file?
Thanks
aurox3d_fc created
Hi,
I want to convert one of the fields in the audit message from hex to a string for better readability. Could you please let me know if there is any function available for this?
Thanks, Mahantesh
MG_655287 created
Hi,
Regarding the File Integrity Monitoring module:
- Is it possible to detect the user who performs the changes? Currently, there is no detail of who made the changes in the NXLog logs.
- What is the recommended scan-interval to be set? Will it affect the performance of the system?
Thank You
aurox3d_fc created
Any help would be greatly appreciated here
#NoFreeOnExit TRUE
define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile    %LOGFILE%
Moduledir  %ROOT%\modules
CacheDir   %ROOT%\data
Pidfile    %ROOT%\data\nxlog.pid
SpoolDir   %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _fileop>
    Module  xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec  if (file_exists('%LOGFILE%') and \
                  (file_size('%LOGFILE%') >= 5M)) \
                  file_cycle('%LOGFILE%', 8);
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When  @weekly
        Exec  if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

#######################################################################
#### EXTENSIONS #####
#######################################################################
<Extension _gelf>
    Module  xm_gelf
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

#######################################################################
#### IIS NXLOG ######
#######################################################################
<Extension w3c>
    Module      xm_csv
    # Field names are positional, so the last column can be given any name;
    # a hyphen is not valid in an NXLog field name, hence x_forwarded_for.
    Fields      $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $x_forwarded_for
    FieldTypes  string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter   ' '
    QuoteChar   '"'
    EscapeControl FALSE
    UndefValue  -
</Extension>

<Input pr-iis>
    Module  im_file
    File    "C:\inetpub\logs\LogFiles\W3SVC3\u_ex*"
    SavePos TRUE
    # Skip the W3C header lines; IIS writes timestamps in UTC, hence the "Z".
    Exec    if $raw_event =~ /^#/ drop(); \
            else \
            { \
                w3c->parse_csv(); \
                $EventTime  = parsedate($date + " " + $time + "Z"); \
                $SourceName = "PR-IIS"; \
                $raw_event  = to_json(); \
            }
</Input>

<Input pp1-iis>
    Module  im_file
    File    "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
    SavePos TRUE
    Exec    if $raw_event =~ /^#/ drop(); \
            else \
            { \
                w3c->parse_csv(); \
                $EventTime  = parsedate($date + " " + $time + "Z"); \
                $SourceName = "PP1-IIS"; \
                $raw_event  = to_json(); \
            }
</Input>

<Input pp2-iis>
    Module  im_file
    File    "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
    SavePos TRUE
    Exec    if $raw_event =~ /^#/ drop(); \
            else \
            { \
                w3c->parse_csv(); \
                $EventTime  = parsedate($date + " " + $time + "Z"); \
                $SourceName = "PP2-IIS"; \
                $raw_event  = to_json(); \
            }
</Input>

<Output graylog>
    Module      om_udp
    Host        x.x.x.x
    Port        xxxx
    OutputType  GELF
    Exec        $Hostname = hostname_fqdn();
    Exec        $raw_event = $Hostname + ' IIS-NXLOG ' + $raw_event;
    # Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec       file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

# Route names must be unique; one route can carry all three inputs.
<Route iis-to-graylog>
    Path    pr-iis, pp1-iis, pp2-iis => graylog
</Route>
#######################################################################
#### /IIS NXLOG #####
#######################################################################
NP_278933 created
Hi Everybody,
I'm trying to forward osquery logs stored in the Windows event log. That part seems to work, except that the "Message" field inside of EventData isn't included. However, the "Location" field inside of EventData is. I'm thinking that since the name of the location field is just "Location", the message field should be "Message". It looks like the Message field exists, and just contains generic text instead of the data. I'm wondering if the two names (Message and EventData.Message) are in conflict. Is that a possibility? Is there a way to read EventData fields as "EventData.FieldName" instead of just "FieldName"?
A snippet of the to_json() output: "AccountType":"User","Message":"Information","Location":"<empty>:0"
A snippet from the event viewer XML view: <EventData> <Data Name="Message">{"name":"disk_info","hostIdentifier":"XXXXXXXXX","calendarTime":"Fri Jan 15 15:16:57 2021 UTC","
Thanks
IB_227778 created