Hello,

I have installed nxlogs on my infrastructure. I can catch the logs from all my servers Windows, Linux, Vcenter 6.5, exept for the ESX servers 6.5. Is nxlogs compatible with ESX 6.5 ? because when I read admin guide, they speak about vcenter but not ESX.

Best regards,

Guy

Hi,

i'm trying to use this module (server side), seems all ok, but this processor generate an event with user "nxlog-ce" and messages like "event repeated n times" it's possible to drop this message?

Thanks You

<Processor norepeat> Module pm_norepeat CheckFields Hostname, Message </Processor>

Hi team,

I have opendistro elasticsearch installed and has a password to ingest data; I am using nxlog community version to send json data directly in elasticsearch. However I am not finding any relevant option for username password for om_elasticsearch module

Any clue?

<Output distroout> Module om_elasticsearch URL https://localhost:9200/_bulk FlushInterval 2 FlushLimit 100 HTTPSAllowUntrusted TRUE

# Create an index daily
Index       strftime($EventTime, "nxlog-%Y%m%d")

# Use the following if you do not have $EventTime set
#Index      strftime($EventReceivedTime, "nxlog-%Y%m%d")

</Output>

I have setup NXlog for purpose of consuming DNS analytical events and forwarding to a NDR solution. I'm using im_etw as the input and parse to syslog with xm_syslog and om_file. The output is to a file stored locally on the DNS server.

When I take a closer look at event IDs 256 and 257, DNS analytical log provides some interesting field such as source, query and packet data, which seems to be a hex value of query or response.

Has anyone decoded the PacketData field into a readable format?

Config below:

<Extension _syslog> Module xm_syslog </Extension>

<Input etw> Module im_etw Provider Microsoft-Windows-DNSServer </Input>

<Output file> Module om_file File 'C:\Users\Administrator\Documents\output_syslog.log' Exec parse_syslog(); </Output>

<Route etw_file> Path etw => file </Route>

Hi Team,

I am trying to achieve ingesting json logs with nxlog community edition. Is that possible? And wanted to know if below condition can be achieved with nxlog config file?

if auth_spf == pass then insert Tag DMARC aligned True OR if auth_dkim == pass then insert Tag DMARC aligned True OR if auth_spf || auth_dkim == pass then insert Tag DMARC aligned True

TIA Blason R

We are running into issues with AD user enumeration issues with NXlog community edition

this began shortly after Powershell 7.1 came out in November

any troubleshooting steps we can look into

Hi, I'm trying to send a raw event in our specific logfile to another server via tcp using NXlog CE. The receiving end requires snare or bsd format. I already used the to_syslog_snare() and to_syslog_bsd() in the om_tcp module but it didn't work. I also tried to parse input module by adding empty condition to check raw event but it didn't work too. If I hardcode the raw event using exec then convert to snare or bsd in the output module, I'm receiving the hardcoded and formatted event in my server. Have I missed any configurations? Below is mysample config. Thanks a lot! Module xm_syslog Module im_file File "C:/test.txt" ReadFromLast TRUE SavePos TRUE # if empty line then do not send if $raw_event !~ /^.*$/ { drop(); } else { $raw_event = to_syslog_bsd(); } Module om_tcp Host myserver Port 8888 # to_syslog_snare(); # not receiving raw event in myserver # to_syslog_bsd(); # not receiving raw event in myserver # Exec $raw_event = "Hello there!"; to_syslog_bsd(); # this works; hardcoded one and formatted to syslog_bsd Path in => out ------------------------ C:/test.txt Hello This is a test! 3rd line Bye

Hello, New NXLog v5 automatically parse $EventData to $Data_1, $Data_2 and so on And this is very good, but is it possible to keep also original $UserData and $EventData fields unparsed as in v4?

We need this for our logstash pipelines compatibility.

Hello, After updating 4.7 → 5.2 every 20-40mins ERROR appears,

ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

Is it safe to ignore?

Hi Raf,

Have you got any updates on the release date of Nxlog CE 2.11 for Debian Buster ?

https://nxlog.co/question/6073/nxlog-community-edition-package-debian-buster https://nxlog.co/question/6285/nxlog-ce-211-release-date

Many thanks,

Paul.

Hi All,

i'm testing the possibility of forwarding windows security logs to SIEM. Seems all ok, but i'm not able to drop messages with some values.

For example we have some event with

$TargetUsername = DWM-"1to11" (example : DWM-1) $TargetUsername = UMFD-"1to11" (example : UMFD-4) $TargetUsername = pcname$ (example : HOSTNAME$) $TargetUsername = Anonymous Access

I'm able to drop "Anonymous Access" with this command :

Exec if $TargetUserName == "Anonymous Access" drop();

but with the other events, i can't use

Exec if $TargetUserName == "UMFD" drop();

because the events are multiple like UMFD-1 UMFD-2 UMFD-3, or username with "$" at the end of the $TargetUserName Value

i have tried with this configuration but seems doesn't work

Exec if $TargetUserName =~ /UMFD/ drop(); Exec if $TargetUserName =~ /DWM/ drop(); Exec if $TargetUserName =~ /$/ drop();

Can you help me?

Thanks you

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

Is there a fix available for this security vulnerability?

https://nvd.nist.gov/vuln/detail/CVE-2020-35488

Hello, I want to send IIS W3C logs to the Syslog server. The nxlog.conf file is as follows. If we assume that there are too many domains on the server, I want to quickly create this config file with powershell. Is this possible? In this configuration file, I can define the website and log directories manually. This is true, but it may be easier to add website and log directories by creating a "dynamically" config file. When I add a wildcard "*" instead of website-name and folders with site ids such as W3SVC10, W3SVC11, no log is sent to the syslog server. # Domain list: Get-ChildItem C:\inetpub\vhosts -Directory -Exclude .skel,default,forwarding,Servers,sitebuilder,webmail | ForEach-Object {$_.Name} # Log Directories Path: Get-Website domain1.org | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" } Get-Website domain2.net | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" } If we can do this with an alternative method, it is not necessary to do it with powershell. Do you have any suggestions? Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data Module xm_json Module xm_syslog Module im_internal # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain1.org\logs\iis\W3SVC8\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain2.net\logs\iis\W3SVC9\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain3.com\logs\iis\W3SVC10\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain4.ru\logs\iis\W3SVC11\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain5.de\logs\iis\W3SVC12\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; # Watch your IIS log files Module im_file File 'C:\Inetpub\vhosts\domain6.nl\logs\iis\W3SVC13\u_ex*.log' SavePos TRUE Recursive TRUE Exec $Message = $raw_event; Module om_udp Host 8.8.4.4 Port 514 Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message"); Exec $raw_event = to_json(); # Uncomment for debug output # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n"); Path internal, domain1.org, domain2.net, domain3.com, domain4.ru, domain5.de, domain6.nl => out

I have a question regarding running nxlog with the om_udpspoof module inside of a docker container. It appears that I should be able to do this, but in practice it does not work. I have tried the following:

1. Using --add-cap=net_raw on the container
2. Using --privileged flag on the container
3. Using the Capabilities "cap_net_raw=+ep" in the NXLOG configuration

I keep getting the following error from the nxlog process inside the container.

nxlog_1 | 2021-01-19 19:14:02 ERROR [om_udpspoof|graylog] couldn't create raw socket;Operation not permitted

Has anyone been able to get the om_udpspoof module to work inside of a docker container?

hi there, I have a query. Got Windows servers with MS SQL installed and the NXLog 32 bits agent installed. Unfortunately no SQL logs are seen on our SIEM solution (Alienvault) and it seems the issue is because we should use the 64 bits agent (available for the Enterprise edition only). Has anyone experienced the same? Any tips? Any help would be appreciated

Many thanks!

Hi,

Regarding the Elasticsearch module:

Currently, I am using Nxlog Manager, NxLog agent and I want to send the log to elasticsearch. Where I should put the elastic username and password on NXLog config file?

Thanks

Hi,

I want to convert one of the field in audit message from hex to String for better readability. Could you please let me know if there is any function available for this?

Thanks, Mahantesh

Hi,

Regarding the File Integrity Monitoring module:

1. Is it possible to detect the user who performs the changes? Currently, there is no detail of who made the changes in the NXLog logs.
2. What is the recommended scan-interval to be set? Will it affect the performance of the system?

Thank You

I have three different sites and configured nxlog to push logs to graylog.Below is my config.In one server hostname is getting in NXLOG but in other server with same NXLOG config and same IIS config Domain Name is getting captured instead of hostname.Both servers having same O.S windows server 2012 R2.

Any help would be greatly appreciated here

#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>

# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>

#######################################################################
#### EXTENTIONS #####
#######################################################################

<Extension _gelf>
Module xm_gelf
</Extension>

<Extension _json>
Module xm_json
</Extension>

#######################################################################
#### IIS NXLOG ######
#######################################################################

<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $x-forwarded-for
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>

<Input pr-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC3\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
$SourceName = "PR-IIS";\
$raw_event = to_json();\
}
</Input>

<Input pp1-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
$SourceName = "PP1-IIS";\
$raw_event = to_json();\
}
</Input>

<Input pp2-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
SavePos TRUE

Exec if $raw_event =~/^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
$SourceName = "PP2-IIS";\
$raw_event = to_json();\
}
</Input>

<Output graylog>
Module om_udp
Host x.x.x.x
Port xxxx
OutputType GELF

Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route iis-to-graylog>
Path pr-iis => graylog
</Route>

<Route iis-to-graylog>
Path pp1-iis => graylog
</Route>

<Route iis-to-graylog>
Path pp2-iis => graylog
</Route>
#######################################################################
#### /IIS NXLOG #####
#######################################################################

Hi Everybody,

I'm trying to forward osquery logs stored in windows event log. That part seems to work, except that the "message" field inside of EventData isn't included. However, the "Location" field inside of EventData is. I'm thinking that since the name the location field is just "location", the message field should be message. It looks like the message field exists, and just contains generic text instead of the data. I'm wondering if the two names (Message, and EventData.Message) are in conflict. Is that a possibility? Is there a way to read EventData fields as "EventData.Fieldname" instead of just "FieldName"?

A snippit of the to_json() output: "AccountType":"User","Message":"Information","Location":"&lt;empty&gt;:0"

A snippit from the event viewer xml view: <EventData> <Data Name="Message">{"name":"disk_info","hostIdentifier":"XXXXXXXXX","calendarTime":"Fri Jan 15 15:16:57 2021 UTC","

Thanks