NXLOG CE 2.11 - Debian Buster
pboniface created
Hi Raf,
Have you got any updates on the release date of NXLog CE 2.11 for Debian Buster?
https://nxlog.co/question/6073/nxlog-community-edition-package-debian-buster
https://nxlog.co/question/6285/nxlog-ce-211-release-date
Many thanks,
Paul.
Nxlog Community - Forwarding Event Log - Drop messages
IB_956097 created
Hi All,
I'm testing the possibility of forwarding Windows security logs to a SIEM. All seems OK, but I'm not able to drop messages with some values.
For example, we have some events with
$TargetUserName = DWM-<1 to 11> (example: DWM-1)
$TargetUserName = UMFD-<1 to 11> (example: UMFD-4)
$TargetUserName = pcname$ (example: HOSTNAME$)
$TargetUserName = Anonymous Access
I'm able to drop "Anonymous Access" with this command:
Exec if $TargetUserName == "Anonymous Access" drop();
but with the other events I can't use
Exec if $TargetUserName == "UMFD" drop();
because the events are multiple, like UMFD-1, UMFD-2, UMFD-3, or the username has a "$" at the end of the $TargetUserName value.
I have tried this configuration, but it doesn't seem to work:
Exec if $TargetUserName =~ /UMFD/ drop();
Exec if $TargetUserName =~ /DWM/ drop();
Exec if $TargetUserName =~ /$/ drop();
Can you help me?
Thank you
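An added example, not from the original post, of how a practitioner would express all four drop conditions in one NXLog Exec. The two things it shows that the post's attempts do not: the numbered virtual accounts are matched with an anchored pattern rather than a bare substring, and the machine-account test escapes the dollar sign, because in a regex an unescaped `$` is the end-of-string anchor, so `/$/` matches every value. The `im_msvistalog` input and the `eventlog` module name are assumptions for the sake of a complete block; `$TargetUserName` is the field from the post.

```nxlog
<Input eventlog>
    Module im_msvistalog
    # Added example (not the poster's config). Drop noise accounts before they leave the host:
    #  - DWM-<n> / UMFD-<n> virtual accounts: anchored so "DWM-1" matches but "MYDWM-1X" does not
    #  - machine accounts, which end in a literal "$" (HOSTNAME$): the "$" must be escaped as \$,
    #    an unescaped "$" is the end-of-string anchor and /$/ would drop everything
    #  - the "Anonymous Access" placeholder, compared with == as in the post
    # defined() guards events that carry no TargetUserName at all (they are kept).
    Exec if defined($TargetUserName) and ($TargetUserName =~ /^(DWM|UMFD)-\d+$/ or $TargetUserName =~ /\$$/ or $TargetUserName == "Anonymous Access") drop();
</Input>

<Output siem>
    Module om_udp
    # Assumed collector address; replace with the SIEM receiver.
    Host 192.0.2.10
    Port 514
</Output>

<Route eventlog_to_siem>
    Path eventlog => siem
</Route>
```

A quick sanity check before deploying: temporarily replace `drop();` with `log_info("would drop " + $TargetUserName);` and watch nxlog.log; if every event is logged, a pattern is still unanchored or unescaped.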
CVE-2020-35488:
imfeldc created
The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)
Is there a fix available for this security vulnerability?
https://nvd.nist.gov/vuln/detail/CVE-2020-35488
How can I create a custom nxlog.conf file with PowerShell?
adam created
Hello,
I want to send IIS W3C logs to the syslog server. The nxlog.conf file is as follows. If we assume that there are too many domains on the server, I want to quickly create this config file with PowerShell. Is this possible?
In this configuration file, I can define the website and log directories manually. This is true, but it may be easier to add website and log directories by creating the config file "dynamically".
When I add a wildcard "*" instead of the website name and folders with site IDs such as W3SVC10, W3SVC11, no log is sent to the syslog server.
# Domain list:
Get-ChildItem C:\inetpub\vhosts -Directory -Exclude .skel,default,forwarding,Servers,sitebuilder,webmail | ForEach-Object {$_.Name}
# Log Directories Path:
Get-Website domain1.org | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" }
Get-Website domain2.net | % { Join-Path ($_.logFile.Directory -replace '%SystemDrive%', $env:SystemDrive) "W3SVC$($_.id)" }
If we can do this with an alternative method, it is not necessary to do it with PowerShell. Do you have any suggestions?
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
# Watch your IIS log files
<Input domain1.org>
Module im_file
File 'C:\Inetpub\vhosts\domain1.org\logs\iis\W3SVC8\u_ex*.log'
SavePos TRUE
Recursive TRUE
Exec $Message = $raw_event;
</Input>
# Watch your IIS log files
<Input domain2.net>
Module im_file
File 'C:\Inetpub\vhosts\domain2.net\logs\iis\W3SVC9\u_ex*.log'
SavePos TRUE
Recursive TRUE
Exec $Message = $raw_event;
</Input>
# Watch your IIS log files
<Input domain3.com>
Module im_file
File 'C:\Inetpub\vhosts\domain3.com\logs\iis\W3SVC10\u_ex*.log'
SavePos TRUE
Recursive TRUE
Exec $Message = $raw_event;
</Input>
# Watch your IIS log files
<Input domain4.ru>
Module im_file
File 'C:\Inetpub\vhosts\domain4.ru\logs\iis\W3SVC11\u_ex*.log'
SavePos TRUE
Recursive TRUE
Exec $Message = $raw_event;
</Input>
# Watch your IIS log files
<Input domain5.de>
Module im_file
File 'C:\Inetpub\vhosts\domain5.de\logs\iis\W3SVC12\u_ex*.log'
SavePos TRUE
Recursive TRUE
Exec $Message = $raw_event;
</Input>
# Watch your IIS log files
<Input domain6.nl>
Module im_file
File 'C:\Inetpub\vhosts\domain6.nl\logs\iis\W3SVC13\u_ex*.log'
SavePos TRUE
Recursive TRUE
Exec $Message = $raw_event;
</Input>
<Output out>
Module om_udp
Host 8.8.4.4
Port 514
Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();
# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
<Route 1>
Path internal, domain1.org, domain2.net, domain3.com, domain4.ru, domain5.de, domain6.nl => out
</Route>
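An added example, not part of the original post, showing the alternative the poster asked about: one im_file block for every vhost instead of a generated block per site. It relies on two NXLog CE im_file behaviours, stated here as the assumptions the example depends on: a wildcard is only honoured in the file-name part of `File` (which is why a "*" in place of the site directory matched nothing), and `Recursive TRUE` applies that file-name pattern in every subdirectory below the given path; im_file also exposes the path of the file an event came from in `$FileName`, which the example uses to recover the site name. The vhost root and the `out` output are taken from the post; the `iis_all_sites` module name and the `$SiteName` field are assumed names.

```nxlog
# Added example (not the poster's config): a single input that covers every site under
# C:\Inetpub\vhosts, so no per-domain block has to be generated when sites are added.
<Input iis_all_sites>
    Module im_file
    # Wildcard only in the file name; Recursive TRUE makes it match in every subdirectory,
    # e.g. C:\Inetpub\vhosts\domain1.org\logs\iis\W3SVC8\u_ex210119.log
    File 'C:\Inetpub\vhosts\u_ex*.log'
    Recursive TRUE
    SavePos TRUE
    # IIS writes W3C "#Fields:"/"#Date:" header lines at the top of each file; skip them.
    Exec if $raw_event =~ /^#/ drop();
    # Recover the site from the first path component after \vhosts\ (assumed field $SiteName),
    # so the SIEM can still tell the domains apart now that they share one input.
    Exec if $FileName =~ /\\vhosts\\([^\\]+)\\/ $SiteName = $1;
    # Directories the poster excluded in PowerShell can be excluded here the same way.
    Exec if defined($SiteName) and $SiteName =~ /^(\.skel|default|forwarding|Servers|sitebuilder|webmail)$/ drop();
    Exec $Message = $raw_event;
</Input>

<Route 1>
    Path internal, iis_all_sites => out
</Route>
```

Because `$SiteName` is a field on the event, the existing `to_json()` in the `out` block emits it alongside `message`, so the receiver keeps the per-domain attribution the six separate inputs provided through their module names.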
om_udpspoof inside docker container
rp25818 created
I have a question regarding running nxlog with the om_udpspoof module inside of a docker container. It appears that I should be able to do this, but in practice it does not work. I have tried the following:
Using --add-cap=net_raw on the container
Using --privileged flag on the container
Using the Capabilities "cap_net_raw=+ep" in the NXLOG configuration
I keep getting the following error from the nxlog process inside the container.
nxlog_1 | 2021-01-19 19:14:02 ERROR [om_udpspoof|graylog] couldn't create raw socket;Operation not permitted
Has anyone been able to get the om_udpspoof module to work inside of a docker container?
NXLog MS SQL logs
fcolzani created
Hi there, I have a query. I've got Windows servers with MS SQL installed and the NXLog 32-bit agent installed. Unfortunately no SQL logs are seen on our SIEM solution (AlienVault), and it seems the issue is because we should use the 64-bit agent (available for the Enterprise Edition only). Has anyone experienced the same? Any tips? Any help would be appreciated.
Many thanks!
Elasticsearch Module on NXLog
aurox3d_fc created
Hi,
Regarding the Elasticsearch module:
Currently, I am using NXLog Manager and the NXLog agent, and I want to send the logs to Elasticsearch. Where should I put the Elasticsearch username and password in the NXLog config file?
Thanks
How to convert field that contains data in hex format to String
MG_655287 created
Hi,
I want to convert one of the fields in an audit message from hex to a string for better readability. Could you please let me know if there is any function available for this?
Thanks,
Mahantesh
File Integrity Monitoring at NXLOG
aurox3d_fc created
Hi,
Regarding the File Integrity Monitoring module:
Is it possible to detect the user who performs the changes? Currently, there is no detail of who made the changes in the NXLog logs.
What is the recommended scan-interval to be set? Will it affect the performance of the system?
Thank You
NXLog is logging the domain name instead of the hostname
NP_278933 created
I have three different sites and configured NXLog to push logs to Graylog. Below is my config. On one server the hostname is captured by NXLog, but on another server with the same NXLog config and the same IIS config the domain name is captured instead of the hostname. Both servers have the same OS, Windows Server 2012 R2.
Any help would be greatly appreciated here.
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
#######################################################################
#### EXTENSIONS #####
#######################################################################
<Extension _gelf>
Module xm_gelf
</Extension>
<Extension _json>
Module xm_json
</Extension>
#######################################################################
#### IIS NXLOG ######
#######################################################################
<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken, $x-forwarded-for
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input pr-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC3\u_ex*"
SavePos TRUE
# Skip the W3C header lines, otherwise parse the fields and emit JSON
Exec if $raw_event =~ /^#/ drop();
else
{
w3c->parse_csv();
$EventTime = parsedate($date + " " + $time + "Z");
$SourceName = "PR-IIS";
$raw_event = to_json();
}
</Input>
<Input pp1-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC1\u_ex*"
SavePos TRUE
# Skip the W3C header lines, otherwise parse the fields and emit JSON
Exec if $raw_event =~ /^#/ drop();
else
{
w3c->parse_csv();
$EventTime = parsedate($date + " " + $time + "Z");
$SourceName = "PP1-IIS";
$raw_event = to_json();
}
</Input>
<Input pp2-iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC2\u_ex*"
SavePos TRUE
# Skip the W3C header lines, otherwise parse the fields and emit JSON
Exec if $raw_event =~ /^#/ drop();
else
{
w3c->parse_csv();
$EventTime = parsedate($date + " " + $time + "Z");
$SourceName = "PP2-IIS";
$raw_event = to_json();
}
</Input>
<Output graylog>
Module om_udp
Host x.x.x.x
Port xxxx
OutputType GELF
Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
</Output>
# Route names must be unique; one route can carry all three inputs
<Route iis-to-graylog>
Path pr-iis, pp1-iis, pp2-iis => graylog
</Route>
#######################################################################
#### /IIS NXLOG #####
#######################################################################
Suspect overlapping field names
IB_227778 created
Hi Everybody,
I'm trying to forward osquery logs stored in the Windows event log. That part seems to work, except that the "Message" field inside EventData isn't included. However, the "Location" field inside EventData is. I'm thinking that since the name of the location field is just "Location", the message field should be "Message". It looks like the Message field exists and just contains generic text instead of the data. I'm wondering if the two names (Message and EventData.Message) are in conflict. Is that a possibility? Is there a way to read EventData fields as "EventData.FieldName" instead of just "FieldName"?
A snippet of the to_json() output:
"AccountType":"User","Message":"Information","Location":"<empty>:0"
A snippet from the Event Viewer XML view:
<EventData>
<Data Name="Message">{"name":"disk_info","hostIdentifier":"XXXXXXXXX","calendarTime":"Fri Jan 15 15:16:57 2021 UTC","
Thanks
Problem installing nxlog-ce-2.10.2150.msi on a domain controller on Windows Server 2012 R2
MS_094464 created
Hello,
I have a problem installing nxlog-ce-2.10.2150.msi on a domain controller on Windows Server 2012 R2. When I try to install the program, I get the error "Installation directory must be a local hard drive". But I chose the local path "C:\Program Files (x86)\nxlog". I tried to change the path to other local paths, C:\ and C:\user_name. I get the same error every time. Does anyone know what I can do about this error?
NXLog CE crashes very often
JW_666731 created
Hello
NXLog CE 2.10.2150 is installed on two Windows Server 2019 Standard (version 1809) machines.
But every X minutes the service crashes and causes PRODUCTION issues.
Here is the Event Viewer report (translated from French):
Log name: Application
Source: Application Error
Date: 15/01/2021 09:46:15
Event ID: 1000
Task category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: XXX
Description:
Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x5beed9da
Faulting module name: msvcrt.dll, version: 7.0.17763.475, time stamp: 0xba51b082
Exception code: 0xc0000005
Fault offset: 0x0008a1dc
Faulting process ID: 0x39bc
Faulting application start time: 0x01d6eb18ce58bc81
Faulting application path: C:\Program Files (x86)\nxlog\nxlog.exe
Faulting module path: C:\Windows\System32\msvcrt.dll
Report ID: 1108635a-e7f7-4e3b-8aee-76a841ef2ea9
Faulting package full name:
Faulting package-relative application ID:
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-01-15T08:46:15.538549700Z" />
<EventRecordID>1632347</EventRecordID>
<Channel>Application</Channel>
<Computer>XXX</Computer>
<Security />
</System>
<EventData>
<Data>nxlog.exe</Data>
<Data>0.0.0.0</Data>
<Data>5beed9da</Data>
<Data>msvcrt.dll</Data>
<Data>7.0.17763.475</Data>
<Data>ba51b082</Data>
<Data>c0000005</Data>
<Data>0008a1dc</Data>
<Data>39bc</Data>
<Data>01d6eb18ce58bc81</Data>
<Data>C:\Program Files (x86)\nxlog\nxlog.exe</Data>
<Data>C:\Windows\System32\msvcrt.dll</Data>
<Data>1108635a-e7f7-4e3b-8aee-76a841ef2ea9</Data>
<Data>
</Data>
<Data>
</Data>
</EventData>
</Event>
How can I solve the issue?
SSL Encryption
aurox3d_fc created
Hi support,
We are trying to send logs from a server with the NXLog agent installed to a SIEM, with SSL/TLS (encrypted traffic).
Would it be possible to only use ONE certificate for each agent?
For NXLog manager and the agents is it possible to use only ONE CA for One agent?
Install File Available for Ubuntu 20.04?
TC_025725 created
I do not see an install file for Ubuntu 20.04. Will one be made available when NXLog 2.11 is released?
Thanks in advance.
TonyC
Anyone using NXLog to send Windows Events to Azure's Log Analytics?
slaterun1234 created
Is anyone using NXLog to send Windows Events to Azure's Log Analytics, replacing Microsoft's OMS/MMA agent?
The MS MMA agent is very limited in its outbound filtering, so NXLog is being considered.
If someone has been successful doing this, an example of the config file would be awesome.
Thanks.
Limiting amount of logs received daily
JC_570223 created
Hello,
I configured my conf file (Community Edition) with a query for certain event IDs. The output works; however, is there a way to prevent every event from creating its own log file? For instance, create one large file for the date instead of having 200k+ log files daily.
How to get access Support Portal and to download newly licensed products
nharrison created
I have just purchased the Enterprise Edition NXLog software as well as BH support.
Can someone advise how I can get the products added to my subscription, as well as access to the software downloads and the support portal?
Alternatively, if a vendor support contact can contact me directly that would be great.
Thanks
Can we avoid to_syslog_ietf to include all fields in forwarded message
Whok1996 created
Hello everyone,
I'm new to NXLog and I'm trying to understand how event creation and forwarding work.
I have a question about the parse_json() function, or maybe the to_syslog_ietf() function, I'm not sure.
Is it possible to use parse_json($Message) and then to_syslog_ietf() to forward $Message without all the fields obtained with parse_json being included in the forwarded syslog event?
Here are more explanations:
I receive a syslog event and use parse_syslog_ietf().
I get $Message, which is JSON formatted, so I use parse_json($Message).
As I want to forward a specific field (let's say MsgToForward), I define $Message = $MsgToForward.
Then I use to_syslog_ietf() to forward it through syslog.
In the forwarded event everything is OK, except that all the fields in the JSON (the original $Message field) are included in the forwarded message.
But I don't understand why, because if I put a log_info($raw_event) after the parse_syslog_ietf() and after the parse_json(), $raw_event has not changed.
So is it the to_syslog_ietf() function which includes all the fields available? Can we avoid that?
For instance the original event is:
2020-12-29 03:05:19 INFO <7>1 2020-12-29T03:05:19.692869 admin-PC send-logs 3556 send-logs.exe - {"user":"NT AUTHORITY\\SYSTEM","name":"main","programSource":"send-logs","msgToForward":"Send-logs started"};
Then the forwarded message:
2020-12-29 03:05:19 INFO <7>1 2020-12-29T03:05:19.692869 admin-PC send-logs 3556 send-logs.exe [NXLOG@14506 MessageSourceAddress="127.0.0.1" EventReceivedTime="2020-12-29 03:05:19" SourceModuleName="inSyslog" SourceModuleType="im_udp" user="NT AUTHORITY\\SYSTEM" name="main" programSource="send-logs" msgToForward="Send-logs started"] Send-logs started
We can see that the fields available in the JSON in the first event (user, name, programSource and msgToForward) are added to the second event. But they are useless here, so I'm trying to get this result:
2020-12-29 03:05:19 INFO <7>1 2020-12-29T03:05:19.692869 admin-PC send-logs 3556 send-logs.exe [NXLOG@14506 MessageSourceAddress="127.0.0.1" EventReceivedTime="2020-12-29 03:05:19" SourceModuleName="inSyslog" SourceModuleType="im_udp"] Send-logs started
Is there a way to stop parse_json() or to_syslog_ietf() from adding these fields? (The number of fields and their names are not always the same.)
Or should I just not use parse_json() and use a regexp instead to get the value of MsgToForward?
My configuration, if needed:
<Input inSyslog>
Module im_udp
Host 127.0.0.1
Port 514
</Input>
<Output outSyslog2>
Module om_udp
Host 127.0.0.1
Port 1514
Exec parse_syslog_ietf(); parse_json($Message); $Message = $MsgToForward; to_syslog_ietf();
</Output>
<Route Syslog>
Path inSyslog => outSyslog2
</Route>
Any help is welcomed. Thank you :)
Whok.
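An added example, not from the original post, of the regexp route the poster considered. The behaviour it works around is visible in the post's own output: to_syslog_ietf() serialises every field present on the event as an SD-PARAM under `[NXLOG@14506 ...]`, and parse_json() creates one field per JSON member. Extracting the one member with a regex means the other members (whatever they are called, and however many there are) never become fields, so only the bookkeeping fields the poster wanted to keep remain in the structured-data block. The input, output, ports and the `msgToForward` member name are taken from the post.

```nxlog
<Input inSyslog>
    Module im_udp
    Host 127.0.0.1
    Port 514
</Input>

<Output outSyslog2>
    Module om_udp
    Host 127.0.0.1
    Port 1514
    # Added example (not the poster's config).
    # Restore the RFC 5424 header fields (hostname, app-name, procid, msgid) so they are re-emitted.
    Exec parse_syslog_ietf();
    # Take the single JSON member we want straight out of $Message instead of calling parse_json():
    # the regex copes with escaped quotes/backslashes inside the value (e.g. "NT AUTHORITY\\SYSTEM")
    # and with the trailing ";" the original event carries. Members that are not captured never
    # become NXLog fields, so to_syslog_ietf() cannot add them as SD-PARAMs.
    Exec if $Message =~ /"msgToForward"\s*:\s*"((?:[^"\\]|\\.)*)"/ $Message = $1;
    Exec to_syslog_ietf();
</Output>

<Route Syslog>
    Path inSyslog => outSyslog2
</Route>
```

If parse_json() is still preferred (for instance to validate the payload), the alternative is to delete the unwanted fields explicitly with delete($user); delete($name); and so on before to_syslog_ietf(), but that only works when the member names are known in advance, which the poster says they are not.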
NXLOG Use Case
bturnbough created
Hi Everyone,
I'm evaluating various log centralization / log analysis tools for our enterprise. I've been looking into Graylog for some time and have gotten to the point where I'm comfortable with it. I just started to look into NXLog and I'm wondering which offering to choose.
From what I can see, NXLog is more capable than Graylog as far as log collection goes.
Can someone help me understand this better? I see a lot of setups using BOTH, and I'm not really sure I want to use two systems; we're not all that complex here to warrant that kind of setup.
Thank you!!!
Brad