
ERROR remote ssl socket was reset? (SSL_ERROR_SSL with errno=9); End of file found
Hi, I am trying to use an SSL connection between client and server in "server-side authentication only" mode. I placed the certificates in the respective /conf folder of the NXLog server. These are the current configurations:

>>> CLIENT <<<

    <Output to_syslog_server>
        Module  om_ssl
        Host    10.1.1.1
        Port    516
        Exec    $Message = to_leef(); to_syslog_ietf();
    </Output>

>>> SERVER <<<

    <Input in_syslog_ssl>
        Module          im_ssl
        Host            0.0.0.0
        Port            516
        CAFile          %CERTDIR%/rootCA.pem
        CertFile        %CERTDIR%/central.crt
        CertKeyFile     %CERTDIR%/central.key
        KeyPass         password
        FlowControl     TRUE
        AllowUntrusted  TRUE
        <Exec>
            if $raw_event =~ /LEEF/ parse_leef();
            else parse_syslog();
        </Exec>
    </Input>

But it gives me this error:

    2019-09-06 17:43:26 ERROR remote ssl socket was reset? (SSL_ERROR_SSL with errno=9); End of file found

Do you have any ideas to solve this?
Thank you
Antonio

antoniosoc created
Replies: 2
Windows Event Log - Drop/Filter
All,
Hopefully an easy question. I am currently collecting Windows event logs on a dedicated forwarding server (using native WEF) in a dedicated event log (named "Forwarded Events"). I have NXLog installed on this server and logs are being sent properly to my SIEM. Currently I am having difficulties filtering events where the SubjectUserName field ends with the "$" symbol (logs are still reaching my SIEM). Below is a snippet of my configuration. I am running NXLog Enterprise version 6.2. Please advise.

    <Extension json>
        Module  xm_json
    </Extension>

    <Input windows_security_eventlog>
        Module        im_msvistalog
        ReadFromLast  True
        SavePos       True
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="ForwardedEvents">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        <Exec>
            ###################################################
            # Drop noisy machine object access (4662) events. #
            ###################################################
            if $EventID == 4662 AND ($SubjectUserName =~ /(.)$/) drop();
        </Exec>
    </Input>

jacob.omara@doubleline.com created
Replies: 0
Is it possible to use a variable in a regex?
Hello all,
In the code below, "CID.*" is the regex that I'm using, but in order to make the code generic I need to use a variable instead of the regex. Kindly let me know the fix for it or a way to go around it. Main issue: I need to run the "Suppressed" function for every different log separately, such that one log of every type is suppressed. Thanks!!

    <Processor dup_drop>
        Module  pm_evcorr
        <Suppressed>
            Condition  $raw_event =~ /CID.*/
            Interval   90
            Exec       $MSG = $raw_event;
        </Suppressed>
    </Processor>

Lala10040 created
Replies: 0
Running Powershell script on a schedule to retrieve and format Windows Event logs and send to logstash output
I have a PowerShell script that is retrieving events from Windows Event logs that are written by a certain application. It then parses the exception info from the Event_Data portion into separate fields and combines them into JSON (the exception info is written in one big block of text, but each line has fields that we want to separate out into distinct fields so that the data is easier to filter in Kibana). I have an im_exec input module in nxlog.conf that runs that script and a route to send that input to an om_tcp output for our logstash instance. This works fine when you restart the service; however, I'm having a problem getting this to pick up events after the initial restart. I've tried adding a schedule both to the input module and adding an xm_exec module to restart the input module on a scheduled basis. Anyone have any ideas on how to get this script to run repeatedly so that I can pick up and format new events? I've looked through the schedule documentation and tried some of the suggestions on other discussions that look a bit similar, but none seem to have worked so far. This is what I have in the conf file currently:

    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log
    LogLevel  INFO

    <Extension json>
        Module  xm_json
    </Extension>

    define LogFile %ROOT%\data\nxlog.log

    <Input input_logs_powershell>
        Module   im_exec
        Restart  true
        Command  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        Arg      "-ExecutionPolicy"
        Arg      "Bypass"
        Arg      "-NoProfile"
        # This specifies the path to the PowerShell script.
        Arg      "-File"
        Arg      "D:\Temp\events_parser.ps1"
        <Exec>
            # Parse JSON
            parse_json();
        </Exec>
    </Input>

    <Output logs_to_Kibana>
        Module  om_tcp
        Host    logstash_hostname
        Port    6710
        Exec    to_json();
    </Output>

    <Route input_logs_powershell>
        Path  input_logs_powershell => logs_to_Kibana
    </Route>

MCon30318 created
Replies: 0
NXLog CE failing to connect our SIEM sensor (syslog server)
Hello there,
I am experiencing the same reconnection issues on some VMs (Windows Server 2016 10.0.14393), but NXLog connects successfully to our SIEM syslog sensor over port 601 from other VMs. When I run the netstat command on the affected servers, I see an "ESTABLISHED" connection between the server and the sensor (syslog server). The Windows firewall is disabled on all our servers. From the syslog server, there's a trace of successful packet exchange between the servers and the sensor. But I cannot see the Windows events in our SIEM platform. I have updated NXLog CE to the latest version. Please help me resolve this issue.
Thank you,
Delvain

lordtsmc842 created
Replies: 0
NXLog reconnecting continuously in Windows Server 2016
Hi teams,
Hope you are doing well. I have some trouble implementing NXLog on Windows Server 2016. I have these logs in my nxlog.log file:

    2020-03-08 18:46:34 INFO reconnecting in 1 seconds
    2020-03-08 18:46:35 INFO connecting to 10.7.x.2:12201
    2020-03-08 18:46:35 INFO successfully connected to 10.7.x.2:12201
    2020-03-08 18:46:35 INFO reconnecting in 1 seconds
    2020-03-08 18:46:36 INFO connecting to 10.7.x.2:12201
    2020-03-08 18:46:36 INFO successfully connected to 10.7.x.2:12201
    2020-03-08 18:46:36 INFO reconnecting in 1 seconds
    2020-03-08 18:46:37 INFO connecting to 10.7.x.2:12201
    2020-03-08 18:46:37 INFO successfully connected to 10.7.x.2:12201
    2020-03-08 18:46:37 INFO reconnecting in 1 seconds
    2020-03-08 18:46:38 INFO connecting to 10.7.x.2:12201
    2020-03-08 18:46:38 INFO successfully connected to 10.7.x.2:12201
    2020-03-08 18:46:38 INFO reconnecting in 1 seconds
    2020-03-08 18:46:39 INFO connecting to 10.7.x.2:12201
    2020-03-08 18:46:39 INFO successfully connected to 10.7.x.2:12201
    2020-03-08 18:46:39 INFO reconnecting in 1 seconds
    2020-03-08 18:46:40 INFO connecting to 10.7.x.2:12201

Under my Graylog input, I have the following screen:

    Throughput / Metrics
    1 minute average rate: 13 msg/s
    Network IO: 308.0B 0B (total: 1.2MiB 0B)
    Active connections: 0 (4,228 total)
    Empty messages discarded: 0

We can see NXLog seems to send logs to Graylog, but as I am using a TCP connection I should see at least 1 active connection. This is not the case. Can you help me troubleshoot this issue please? I have checked the Windows firewall and the network firewall. There is no filtering between NXLog and my Graylog server for sure. Many thanks

ademuynck created
Replies: 2
Regarding PaloAlto Panorama (syslog) Logs
New Enterprise NXLog customer here... hopefully an easy question. Today I am ingesting syslog messages from my PaloAlto Panorama instance into a dedicated syslog (Ubuntu) server running syslog-ng. I am using syslog-ng to parse the incoming logs into 3 distinct log files (traffic, threat, and system). I am then using "logrotate" and "cron" to rotate, gzip, and retain the logs. I figure I have 2 options in terms of the log files themselves now that I am an NXLog customer.
Option 1: Keep things as-is (since it is working now) and just use "im_file".
Option 2: Use NXLog to do the same things I am doing with syslog-ng. Being new to NXLog, I am not sure how to best do this.
If I want to go with Option #2, does anyone have a working configuration they would be willing to share on how they parsed the incoming syslog messages from Palo Alto into those 3 distinct files (or came up with a better alternative)? Thank you.

jacob.omara@doubleline.com created
Replies: 0
Trouble with NXlog Enterprise and SQL ODBC audit file.
Hello NXLog world! I'm having some challenges pulling data from a SQL 2012 (running on W2K16) database using the im_odbc connector. This is my input:

    <Input MSSQL_IN>
        Module            im_odbc
        ConnectionString  Driver={ODBC Driver 17 for SQL Server}; Server=XXXXXXXX; Trusted_Connection=yes; DATABASE=XXXXX;
        PollInterval      5
        IdType            timestamp
        SQL SELECT event_time AS 'id', f.*, a.name AS action_name \
            FROM fn_get_audit_file('C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\XXXXX\Log\Audit-File.sqlaudit', default, default) AS f \
            INNER JOIN sys.dm_audit_actions AS a ON f.action_id = a.action_id \
            WHERE event_time > ?
        <Exec>
            delete($id);
            rename_field($event_time, $EventTime);
        </Exec>
    </Input>

The error I'm getting when starting NXLog is as follows:

    2019-10-16 13:51:03 INFO nxlog-4.4.4431 started
    2019-10-16 13:51:03 INFO im_odbc successfully connected to the database
    2019-10-16 13:51:03 ERROR SQLExecDirect failed, 42000:2:300:[Microsoft][ODBC Driver 17 for SQL Server][SQL Server]CONTROL SERVER permission was denied on object 'server', database 'master'.; 42000:3:297:[Microsoft][ODBC Driver 17 for SQL Server][SQL Server]The user does not have permission to perform this action. (odbc error code: -1)

I have tried to enable the permissions on the database (GRANT), but the CONTROL SERVER is throwing me off. I'm pretty sure it's a stupid thing I haven't thought about, but since I am very new to NXLog, and obviously not a SQL admin, I am defeated for now, so I'm hopeful someone can help me with some guidance so I can troubleshoot further. TIA and happy hump day! JC

jacas created
Replies: 5
Clarification on using NXLog community edition for Commercial purpose
I am considering using NXLog Community Edition for a commercial application and wanted to confirm if this is permissible under the NXLog Public License. Are there any restrictions or limitations I should be aware of when using the Community Edition in a commercial setting? Additionally, could you please highlight the major differences between the Community and Enterprise editions that could impact a commercial deployment? Thank you for your assistance!

krishna created
Replies: 0
Errors when obtaining logs from Office365.
Hello team.
We have followed the steps from this link: https://docs.nxlog.co/refman/v5.10/im/ms365.html#config-certkeyfile to obtain the logs from Office365. The following permissions have been applied:
However, I am encountering the following errors when trying to extract the information:

    2024-05-01 18:59:31 WARNING [im_ms365|microsoft_365] Retrying request Audit.Exchange, attempt 33 failed, error: {"error":{"code":"AF20055","message":"Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. StartTime:2024-05-01T22:48:58Z, EndTime:2024-05-01T21:21:47Z"}}. (Retrying in 200 seconds).
    2024-05-01 18:59:34 WARNING [im_ms365|microsoft_365] Retrying request HealthOverviewsWithServiceHealthIssues, attempt 33 failed, error: {"error":{"code":"UnknownError","message":"","innerError":{"date":"2024-05-01T22:59:34","request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847","client-request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847"}}}. (Retrying in 200 seconds).
    2024-05-01 18:59:36 WARNING [im_ms365|microsoft_365] Retrying request AuditEvents, attempt 33 failed, error: {"error":{"code":"Forbidden","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: e188947b-1412-4a09-9b64-548de1c1f6a6 - Url: https://fef.amsua0602.manage.microsoft.com/StatelessAuditingFEService/deviceManagement/auditEvents?api-version=5022-08-30&$filter=activityDateTime+ge+2024-04-01T21%3a21%3a47Z+and+activityDateTime+lt+2024-05-01T21%3a21%3a47Z&$top=50\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2024-05-01T22:59:36","request-id":"e188947b-1412-4a09-9b64-548de1c1f6a6","client-request-id":"e188947b-1412-4a09-9b64-548de1c1f6a
    2024-05-01 18:59:44 WARNING [im_ms365|microsoft_365] Retrying request SignIns, attempt 33 failed, error: {"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license","innerError":{"date":"2024-05-01T22:59:44","request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb","client-request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb"}}}. (Retrying in 200 seconds).
    2024-05-01 19:00:05 WARNING [im_ms365|microsoft_365] Retrying request ReportingWebService/MessageTrace, attempt 33 failed, error: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">; <html xmlns="http://www.w3.org/1999/xhtml">; <head>; <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>; <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>; <style type="text/css">; <!--; body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}; fieldset{padding:0 15px 10px 15px;} ; h1{font-size:2.4em;margin:0;color:#FFF;}; h2{font-size:1.7em;margin:0;color:#CC0000;} ; h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ; #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;; background-color:#555555;}; #content{margin:0 0 0 2%;position:relative;}; .content-container{background:#FFF;width:96%;margin-top:8px;padding:1

Could you help me understand these errors?

oscar.cerna@threatshieldsecurity.com created
Replies: 0
nxlog could not be stopped - error during installation
I uninstalled the community version and am trying to install the enterprise version. I am getting this error: "Service nxlog could not be stopped, verify that you have sufficient privileges to stop system services." I am a global admin. Please help

sa250367 created
Replies: 0
The MSI file seems to not be installing
Whenever I try to run the .msi to install the NXLog CE I get this error message. Am I doing something incorrectly or is the download file broken?

CyberIke created
Replies: 1
Possible to have 2 different <Output Out> outbound configurations for 2 different log collectors?
Hello all. I wanted to know if anyone has had any luck, or if it is possible, to add a second <Output Out> configuration to the current nxlog.conf. Currently I want to test a new log collector (Taegis) alongside our current collector (Masergy) so we have logs streaming concurrently to each collector. e.g.

    <Output out1>
        Module  om_tcp
        Host    192.168.1.100
        Port    514
    </Output>

    # Define the output to send logs to the second destination IP
    <Output out2>
        Module  om_tcp
        Host    192.168.1.101
        Port    514
    </Output>

Thank you.

smohammed@frgi.com created
Replies: 0
Are there any sample log files for NXLog Manager available to test?
Looking to test some ingest into a data lake to test searches and dashboards.

JW created
Replies: 0
DROP messages, if contains STRING SOMEWHERE
Hi,
I try to DROP all messages if they contain "/connection_status" or "/status" somewhere, but whatever I try, the filter won't match in NXLog, while it works in RegexTester.

Example log:

    Apr 25 11:15:11 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"status\".","context":{"route":"status","route_parameters":{"_route":"status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatus"},"request_uri":"https://hpp.example.com/status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:10.999734+00:00","extra":{}},"EventTime":"2024-04-25T11:15:11.000000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:11.001689+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}

or

    Apr 25 11:15:09 nomad-cde cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd: {"Hostname":"nomad-cde","ShortMessage":"172.16.0.40 - - [25/Apr/2024:09:15:09 +0000] \"GET /status HTTP/1.0\" 200 2 \"-\" \"-\" \"172.16.1.40\"","EventTime":"2024-04-25T11:15:09.479000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"c8b7c9357b1bc195f6d88d09e4c329627bfe165debc09cfe4bbfd556fdab966c","container_name":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","image_id":"sha256:be421273041ffa5d7b8be4963f91c0376d9829ba942b86341413c59105ae671c","image_name":"harbor.example.com/testing/iframes/test:3cb57629","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.524068+02:00","SourceModuleName":"container","SourceName":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","SyslogFacility":6}

or

    Apr 25 11:15:09 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"connection_status\".","context":{"route":"connection_status","route_parameters":{"_route":"connection_status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatusDB"},"request_uri":"https://web:4433/connection_status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:09.603963+00:00","extra":{}},"EventTime":"2024-04-25T11:15:09.605000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.634920+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}

In the end I tried the simplest one:

    if $raw_event =~ /.*status.*/ drop();

but it does not match. The config looks like this:

    <Output syslog-container-server>
        Module  om_udp
        Host    ${user.logserver}
        Port    514
        <Exec>
            if $raw_event =~ /.*status.*/ drop();
            $Hostname = "nomad-cde";
            $message =~ s/-p[^\s]+/-pXXX/;
            delete($SourceModuleType);
            delete($MessageSourceAddress);
            delete($version);
            delete($created);
            $SourceName = $container_name;
            $SyslogFacility = $SeverityValue;
            to_json();
            to_syslog_bsd();
        </Exec>
    </Output>

Can someone give me a hint where I have to look?

denny.fuchs@inatec.com created
Replies: 0
Upgrade to NXLOG Enterprise Edition 6.0
Good Morning All,
We would need to take advantage of the new features within NXLog 6.0 EE. Are there any instructions on how to perform the upgrade from 5.0 to 6.0? Or is this a revamp of the whole environment and re-deployment of the agents? I currently have 900 agents deployed and it would not make sense to re-deploy.

emerson.arcella@pediatrix.com created
Replies: 0
High time differences between event time and event received time
I'm currently using nxlog to collect windows event log and notice in the local log file there are time differences between event time and event received time. Event received time was about half an hour behind event time, any idea what would cause this to happen?

mig020 created
Replies: 0
Any best ways to filter out the heartbeat logs from Azure
I noticed that many Azure heartbeat logs are sent to the SIEM. If I want to configure the NXLog output, how do I filter them out so they are not sent to the SIEM? Thanks.

lauzeroo created
Replies: 2
nxlog-ce-3.2.2329.msi installer hashes/checksums
Hi,
I understand that the Community Edition .msi installers are not digitally signed and there are previous discussions on this. I hope I can get some answers on where I can get the hashes for nxlog-ce-3.2.2329.msi to verify the downloaded file. The following are the hash values I got for my downloaded file:

    MD5:  31862b5f58bbd07c82fc5b3b507a3fd1
    SHA1: 3b9ef0f6886d57601b9a072554cd78d7870f1866

Thank you very much.

techsupport created
Replies: 0
*SOLVED*: Input Gelf -> Output Syslog -> extract container_name from JSON and set $SourceName
Hello,
We are using Nomad, which sends logs in GELF format. We need to forward them to Rsyslog and also to Graylog. For Syslog I want to set $SourceName, which needs to be extracted from the JSON / GELF. The config looks like this:

    ...
    <Input container>
        Module      im_tcp
        ListenAddr  127.0.0.1:12202
        InputType   GELF_TCP
    </Input>
    ...
    <Output syslog-container-server>
        Module  om_udp
        Host    ${user.logserver}
        Port    514
        Exec    to_json();
        Exec    $message =~ s/-p[^\s]+/-pXXX/;
        Exec    to_syslog_bsd();
    </Output>
    ...
    <Route container-to-syslog>
        Path  container => syslog-container-buffer => syslog-container-server
    </Route>

And the log on the rsyslog:

    Apr 15 15:24:26 qh-a07-nomad-agent-03 {"version": "1.1","Hostname":"qh-a07-nomad-agent-03","ShortMessage":"[2024-04-15 13:24:26] app.DEBUG: Connected to redis...PONG [] []","EventTime":"2024-04-15T15:24:26.376000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"f1...","container_name":"iframes-c77e666c-fd39-f6f6-4d57-b416a4a7e28a","created":"2024-04-12T08:58:36.870730597Z","image_id":"sha256:2a26fed9c075899cfe86d74f8f44c2729be0f392a96d10c938795fe84036506d","image_name":"repos/production/iframes/production:68c00192","tag":"production","MessageSourceAddress":"127.0.0.1","EventReceivedTime":"2024-04-15T15:24:26.376703+02:00","SourceModuleName":"container","SourceModuleType":"im_tcp"}

How can I extract container_name and use it for $SourceName = 'my_application'; so that "my_application" is replaced with the content of "container_name"?
cu denny

denny.fuchs@inatec.com created
Replies: 1