Hello there! I was wondering how one can forward the raw XML events (open Event Viewer, double click an event, click Details, then XML View) from the Windows Event Log to a SIEM/log file using nxlog EE. Currently, if I don't specify any options, it ends up in a log format that isn't XML, and if I use Exec $Message = to_xml(); to_syslog_bsd(); then I get an XML that isn't formatted the same way as the Windows Event XML, which confuses the SIEM. Thank you! As an aside, this is what I want: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" /> <EventID Qualifiers="16384">7036</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2021-06-25T08:54:27.604250100Z" /> <EventRecordID>718</EventRecordID> <Correlation /> <Execution ProcessID="592" ThreadID="3300" /> <Channel>System</Channel> <Computer>Lab-NXServer</Computer> <Security /> </System> <EventData> <Data Name="param1">Client License Service (ClipSVC)</Data> <Data Name="param2">running</Data> <Binary>43006C00690070005300560043002F0034000000</Binary> </EventData> </Event>

Hi,We recently upgraded our NXlog agents to version 5*, and have noticed the following warning in the logs on some servers:2023-05-16 08:03:32 WARNING [CORE|main] not starting unused module logfile_IMAP42023-05-16 08:03:32 WARNING [CORE|main] not starting unused module logfile_POP3…We figured out that this happens when we have more then one _include.conf file on top of the main nxlog.conf file. It seems that it reads one of them, and then spews out this warning for all the modules/inputs in the other include.conf files. This is a new behavior. We use the following syntax at the bottom of the main nxlog.conf file:include  C:\\Program Files\\nxlog\\conf\\*_include.confIt used to work till the upgrade to version 5. Anyone else has this issue? 

Good Day, I installed nxlog to ready to ready my mssql errorlog file, and send it to graylog server, but for some reason the message is not coming complete,here is my confI omitted the rest because it just the default configuration file <Extension charconv>    Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32,UCS-2LE</Extension> <Extension gelf>   Module xm_gelf</Extension><Input mssql_errorlog>   Module      im_file   File        "D:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG"</Input><Output graylog_udp>   Module om_udp   Host 10.0.1.208   Port 12202   OutputType    GELF_UDP</Output><Route graylog_route_mssql_errorlog>   Path mssql_errorlog => graylog_udp_204</Route> This is the line in my ERRORLOG 2023-05-26 10:00:13.50 Logon       Login failed for user 'localnet\sqljobs'. Reason: Could not find a login matching the name provided. [CLIENT: <local machine>] And this is the message i get in graylog { "gl2_accounted_message_size": 242, "SourceModuleType": "im_file", "level": 6, "gl2_remote_ip": "10.0.1.239", "gl2_remote_port": 60459, "streams": [   "000000000000000000000001" ], "gl2_message_id": "01H1C5R90HW9F49TPRA9XXQ93E", "source": "sql-dev", "message": "2\u00000\u00002\u00003\u0000-\u00000\u00005\u0000-\u00002\u00006\u0000 \u00001\u00000\u0000:\u00000\u00000\u0000:\u00001\u00003\u0000.\u00005\u00000\u0000 \u0000L\u0000o\u0000g\u0000o\u0000n", "gl2_source_input": "646f94d504777573d7d0c945", "EventReceivedTime": "2023-05-26 10:00:13", "SourceModuleName": "mssql_errorlog", "gl2_source_node": "332a47fa-bf25-4d8f-8e25-ce6dedb6a67a", "_id": "a2c1f101-fbcd-11ed-87a7-00505687667c", "timestamp": "2023-05-26T14:00:13.000Z"}  And this is the result parsed by graylogmessage : 2023-05-26 10:00:13.50 LogonAny one has any idea what could be wrong? 

We're using nxlog-ce-3.1.2319 and have configuration files in the nxlog.d folder.  The windows event logs configuration looks like below.# Configuration for converting and sending Windows logs# directly to Devo## Compatible with NXLog 3.x## Place in C:\Program Files\nxlog\conf\nxlog.d\## Last modification: 2023-2-15## Output destination. Valid options are: ssl_devo local_devodefine DEVO_OUTPUT ssl_devo# Vars for local Devo relay communication#define OUTPUT_DEVO_RELAY_IP {REPLACE_WITH_RELAY_IP}define OUTPUT_DEVO_RELAY_PORT 13000# Vars for direct Devo communicationdefine OUTPUT_DESTINATION_ADDRESS redacted.logtrust.netdefine OUTPUT_DESTINATION_PORT 443define CHAIN %CERTDIR%\chain.crtdefine CERT %CERTDIR%\domain.crtdefine KEY %CERTDIR%\domain.keydefine KEYPASS *******define IIS_TAG web.iis.access-w3c.env.app.clon<Extension json>   Module      xm_json   DateFormat YYYY-MM-DD hh:mm:ss.sUTC   GenerateDateInUTC TRUE</Extension>######## Send to Devo Start ########<Output ssl_devo>   Module          om_ssl   Host            %OUTPUT_DESTINATION_ADDRESS%   Port            %OUTPUT_DESTINATION_PORT%   CAFile          %CHAIN%   CertFile        %CERT%   CertKeyFile     %KEY%   KeyPass         %KEYPASS%   AllowUntrusted  TRUE</Output># <Output local_devo>#    Module  om_tcp#    Host    %OUTPUT_DEVO_RELAY_IP%#    Port    %OUTPUT_DEVO_RELAY_PORT%#</Output>######## Send to Devo End ################ Windows Events Start ########<Input win_event_in>   Module      im_msvistalog <QueryXML>       <QueryList>           <Query Id="0">               <Select Path="Application">*</Select>               <Select Path="System">*</Select>               <Select Path="Security">*</Select>               <Select Path="Windows PowerShell">*</Select>           </Query>       </QueryList>   </QueryXML>   <Exec>       $Message = to_json();       $SourceName="box.win_nxlog."+lc($Channel);       delete($ProcessID);       to_syslog_bsd();   </Exec></Input><Route eventlog>   Path  win_event_in => %DEVO_OUTPUT%</Route>Do you have any ideas on how to prevent it from resending the same logs again?Thanks

Hi,We're trying to deploy NXLog to our Windows 10 and Windows 7 32-bit machines. Installation can't push through and the following error message shows up:“This installation package is not supported by this processor type. Contact your product vendor.”

The installation of the nxlog-windows_x64.msi fails on a Windows 2016 server, installing as Domain Administrator, and the error displayed was "Not enough permissions". In the log file, errors occur around line 39 with three consecutive errors : [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to install MSI package. [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package. [2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to configure per-machine MSI package The complete log file is below: [2294:25C8][2021-09-16T13:48:41]i001: Burn v3.11.2.4516, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Windows\Temp{3D88D7A8-546D-45A9-94E7-3F78B7E791B6}.cr\CyglassADAgent_CyGlassAgent.exe [2294:25C8][2021-09-16T13:48:41]i009: Command Line: '-burn.clean.room=C:\Users\administrator.STRATEJM\Downloads\CyglassADAgent_CyGlassAgent.exe -burn.filehandle.attached=524 -burn.filehandle.self=520' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\administrator.STRATEJM\Downloads\CyglassADAgent_CyGlassAgent.exe' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\administrator.STRATEJM\Downloads' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841.log' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleName' to value 'Cyglass Log Collection Agent' [2294:25C8][2021-09-16T13:48:41]i000: Setting string variable 'WixBundleManufacturer' to value 'CyGlass' [2294:2F8C][2021-09-16T13:48:42]i000: Setting numeric variable 'WixStdBALanguageId' to value 1033 [2294:2F8C][2021-09-16T13:48:42]i000: Setting version variable 'WixBundleFileVersion' to value '2.1.0.0' [2294:25C8][2021-09-16T13:48:42]i100: Detect begin, 2 packages [2294:25C8][2021-09-16T13:48:42]i101: Detected package: NXLog, state: Absent, cached: None [2294:25C8][2021-09-16T13:48:42]i101: Detected package: NXLogconf, state: Absent, cached: Complete [2294:25C8][2021-09-16T13:48:42]i199: Detect complete, result: 0x0 [2294:2F8C][2021-09-16T13:48:44]i000: Setting numeric variable 'EulaAcceptCheckbox' to value 1 [2294:25C8][2021-09-16T13:48:44]i200: Plan begin, 2 packages, action: Install [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleRollbackLog_NXLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_000_NXLog_rollback.log' [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleLog_NXLog' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_000_NXLog.log' [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleRollbackLog_NXLogconf' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_001_NXLogconf_rollback.log' [2294:25C8][2021-09-16T13:48:44]i000: Setting string variable 'WixBundleLog_NXLogconf' to value 'C:\Users\ADMINI~1.STR\AppData\Local\Temp\Cyglass_Log_Collection_Agent_20210916134841_001_NXLogconf.log' [2294:25C8][2021-09-16T13:48:44]i201: Planned package: NXLog, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register [2294:25C8][2021-09-16T13:48:44]i201: Planned package: NXLogconf, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: No, uncache: No, dependency: Register [2294:25C8][2021-09-16T13:48:44]i299: Plan complete, result: 0x0 [2294:25C8][2021-09-16T13:48:44]i300: Apply begin [2294:25C8][2021-09-16T13:48:44]i010: Launching elevated engine process. [2294:25C8][2021-09-16T13:48:44]i011: Launched elevated engine process. [2294:25C8][2021-09-16T13:48:44]i012: Connected to elevated engine. [27F4:2EBC][2021-09-16T13:48:44]i358: Pausing automatic updates. [27F4:2EBC][2021-09-16T13:48:44]i359: Paused automatic updates. [27F4:2EBC][2021-09-16T13:48:44]i360: Creating a system restore point. [27F4:2EBC][2021-09-16T13:48:44]i362: System restore disabled, system restore point not created. [27F4:2EBC][2021-09-16T13:48:44]i370: Session begin, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, options: 0x7, disable resume: No [27F4:2EBC][2021-09-16T13:48:44]i000: Caching bundle from: 'C:\Windows\Temp{FB49C0F4-C065-4621-9ED3-AE2008A17091}.be\cyglass-agent-x64.exe' to: 'C:\ProgramData\Package Cache{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}\cyglass-agent-x64.exe' [27F4:2EBC][2021-09-16T13:48:44]i320: Registering bundle dependency provider: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, version: 2.1.0.0 [27F4:2EBC][2021-09-16T13:48:44]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: Active, restart initiated: No, disable resume: No [27F4:34E8][2021-09-16T13:48:44]i305: Verified acquired payload: NXLog at path: C:\ProgramData\Package Cache.unverified\NXLog, moving to: C:\ProgramData\Package Cache{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735\nxlog-windows_x64.msi. [27F4:34E8][2021-09-16T13:48:44]i304: Verified existing payload: NXLogconf at path: C:\ProgramData\Package Cache{3E825850-75A4-4646-902D-9BCCB94CAEED}v1.0.0\nxlog-conf_x64.msi. [27F4:2EBC][2021-09-16T13:48:44]i323: Registering package dependency provider: {2A263730-5A99-4953-96EE-58D5AD4F9145}, version: 5.3.6735, package: NXLog [27F4:2EBC][2021-09-16T13:48:44]i301: Applying execute package: NXLog, action: Install, path: C:\ProgramData\Package Cache{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735\nxlog-windows_x64.msi, arguments: ' ALLUSERS="1" ARPSYSTEMCOMPONENT="1" MSIFASTINSTALL="7"' [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to install MSI package. [27F4:2EBC][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package. [2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to configure per-machine MSI package. [2294:25C8][2021-09-16T13:50:32]i319: Applied execute package: NXLog, result: 0x80070643, restart: None [2294:25C8][2021-09-16T13:50:32]e000: Error 0x80070643: Failed to execute MSI package. [27F4:2EBC][2021-09-16T13:50:32]i318: Skipped rollback of package: NXLog, action: Uninstall, already: Absent [2294:25C8][2021-09-16T13:50:32]i319: Applied rollback package: NXLog, result: 0x0, restart: None [27F4:2EBC][2021-09-16T13:50:32]i329: Removed package dependency provider: {2A263730-5A99-4953-96EE-58D5AD4F9145}, package: NXLog [27F4:2EBC][2021-09-16T13:50:32]i351: Removing cached package: NXLog, from path: C:\ProgramData\Package Cache{2A263730-5A99-4953-96EE-58D5AD4F9145}v5.3.6735 [27F4:2EBC][2021-09-16T13:50:32]i372: Session end, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: None, restart: None, disable resume: No [27F4:2EBC][2021-09-16T13:50:32]i330: Removed bundle dependency provider: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77} [27F4:2EBC][2021-09-16T13:50:32]i352: Removing cached bundle: {6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, from path: C:\ProgramData\Package Cache{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77} [27F4:2EBC][2021-09-16T13:50:32]i371: Updating session, registration key: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{6d503fdf-ecb1-46c8-bbdc-14b706fb9d77}, resume: None, restart initiated: No, disable resume: No [2294:25C8][2021-09-16T13:50:33]i399: Apply complete, result: 0x80070643, restart: None, ba requested restart: No

I've configured the NxLog for forwarding the security event logs from windows using the om_udp module and it is working as I can see those logs on the destination AWS EC2(rsyslog) instance. But when I tried to tweak the NxLog configuration for tcp forwarding using the om_tcp, it is throwing an error as shown below: "ERROR couldn't connect to tcp socket on <REDACTED>; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." Can someone assist here to overcome this error. FYI, both UDP and TCP reception rules are in place.

Hi,I am using NXLog with the Example 108. “File Rotation Based on Size” from the NXLog Community Edition Reference Manual.In rare cases i have the problem that rotate_to uses the wrong filename and overwrite some other logfile. In the example below “logid.log” to “Mod-002”.  See nxlog.logVersion:  nxlog-ce-3.1.2319nxlog.logZeile 3644025: 2023-03-14 10:28:02 INFO om_file successfully rotated file 'C:\Program Files\nxlog\data\10.87.243.24\logid.log' to 'C:\Program Files\nxlog\data\10.87.243.24\Mod-002.20230314102802.log'nxlog.conf## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start. define ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension exec> Module xm_exec </Extension> <Extension syslog> Module xm_syslog </Extension> <Extension fileop> Module xm_fileop </Extension> <Input udp> Module im_udp Host 10.87.243.20 Port 514 Exec parse_syslog(); Exec dir_make('%LOGDIR%' + $Hostname); </Input> <Output udpfile> Module om_file CreateDir TRUE File '%LOGDIR%' + $Hostname + '' + $SourceName + '.log' Exec if udpfile->file_size() > 5M { $newfile = '%LOGDIR%' + $Hostname + '' + $SourceName + '.' + strftime(now(), "%Y%m%d%H%M%S") + '.log'; udpfile->rotate_to($newfile); exec_async('%CONFDIR%\bzip2.exe', $newfile); } </Output> <Route udp> Path udp => udpfile </Route>Any ideas what's going wrong here?Thanks

HiI have noticed that my alerts are about 2 hours behind.  My SIEM rule retrohunts every 10 minutes.What is the default schedule for nxlog community edition? I think I need to input code similar to the below to make my rule retrohunts trigger in a more realtime way<Input in>   Module  im_tcp   Port    2345   <Schedule>       Every   1 sec       First   2010-12-17 00:19:06       Exec    log_info("scheduled execution at " + now());   </Schedule>   <Schedule>       When    1 */2 2-4 * *       Exec    log_info("scheduled execution at " + now());   </Schedule></Input>

Hi everyone, I have the following problem. 1 The problem:I trace the performance counters of several Windows clients. For that, CSV files are created and their inputs then are forwarded to our logging system. Each counter type (RAM, CPU, storage, etc) has its own CSV and therefore its own input in NXlog. While it works without any problems on nearly all clients, there is one Workstation where the im_file inputs are not forwardedBesides the im_file module we use the im_msvistalog module for Windows Event entries as well. And the Workstation does forward these events without any problems. It just has problems with the im_file inputs. Log file does not indicate any error and as I said: this configuration (with minor differences) already works flawlessly on the other systems. 2 The configuration:define ROOT C:\Program Files\nxlog define CERTDIR C:\Program Files\nxlog\keys define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _gelf> Module xm_gelf </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') &gt;= 5M)) \ file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; </Extension> define MonitoredEventIDsSecurity 4624, 4634, 4672 Collecting event log <Input in> Module im_msvistalog SavePos TRUE ReadFromLast TRUE <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> <Exec> if $EventID NOT IN (%MonitoredEventIDsSecurity%) drop(); </Exec> </Input> <Input trace_cpu> Module im_file File 'C:\tracing\trace_cpu.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_ram> Module im_file File 'C:\tracing\trace_ram.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_networkmain> Module im_file File 'C:\tracing\trace_networkmain.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_diskc> Module im_file File 'C:\tracing\trace_diskc.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_diskd> Module im_file File 'C:\tracing\trace_diskd.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Input trace_diske> Module im_file File 'C:\tracing\trace_diske.csv' SavePos TRUE ReadFromLast TRUE Exec $Message = $raw_event; </Input> <Output x> Module om_ssl Host %IP_Address% Port %Port% OutputType GELF_TCP CAFile %CERTDIR%\cafile.pem CertFile %CERTDIR%\certfile.pem CertKeyFile %CERTDIR%\certkeyfile.pem KeyPass %password% Exec to_syslog_snare(); </Output> #Connect input 'in' to output 'out' <Route 1> Path in, trace_cpu, trace_ram, trace_networkmain, trace_diskc, trace_diskd, trace_diske => x </Route> 3 The NXLog log:I think it's irrelevant because it only shows this entries:2023-05-09 09:13:13 WARNING stopping nxlog service 2023-05-09 09:13:13 WARNING nxlog-ce received a termination request signal, exiting... 2023-05-09 09:13:16 INFO connecting to %IP_Address%:%Port% 2023-05-09 09:13:16 INFO nxlog-ce-3.1.2319 started 2023-05-09 09:13:16 INFO successfully connected to %IP_Address%:%Port% 4 Environment info:The mentioned client runs Windows 10 Pro 22H2, currently installed NXLog Version is ce-3.1.2319 (but also tested it with ce-3.2.2329)5 Relevant details: Config works on other clients without problemsOnly im_file module not working, im_msvistalog entries are being forwardedUntil two weeks ago I used one central CSV file for all performance counters and this was forwarded correctly until the separation into individual inputsWhen deleting the “Exec $Message = $raw_event;” directive from an input, the respective messages get forwarded to logging system but are in a cryptic format and not useableThat would be it for now. Please feel free to ask if you need further information :)Thanks in advance!

I'm trying to to save syslog and saving logs with a specific hostname based on the IP address. I'm using a if statement and a vaiable to define the file path I want to use. unfortunately I'm getting the folloging error message: nxlog.conf:32; couldn't parse statement at line 36, character 9 in C:\Program Files\nxlog\conf\nxlog.conf; function 'create_var()' does not exist or takes different arguments. My conf file is below. Any hint?  define ROOT C:\Program Files\nxlog Moduledir %ROOT%\modules CacheDir C:\syslog Pidfile C:\syslog\nxlog.pid SpoolDir C:\syslog LogFile C:\syslog\nxlog.log <Extension exec> Module xm_exec </Extension> <Extension syslog> Module xm_syslog </Extension> <Input syslog514udp> Module im_udp Port 514 Host 0.0.0.0 </Input> <Input syslog514tcp> Module im_tcp Port 514 Host 0.0.0.0 </Input> <Output consolefile> Module om_file #defining log path based on hostname &lt;Exec&gt; if $MessageSourceAddress == "10.1.62.61" { create_var('logPath', 'MySBC/Syslog-'+ strftime(now(), '%Y-%m-%d-%H') + '.log') } else { create_var('logPath', $MessageSourceAddress+'/Syslog-'+ strftime(now(), '%Y-%m-%d-%H') + '.log') } &lt;/Exec&gt; File get_var('logPath') # Addiere Zeitstempel an den Event Exec $raw_event = now() + " " + $raw_event; &lt;Exec&gt; if consolefile-&gt;file_size() &gt;= 100M { $newfile = $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H-%M") + ".log"; consolefile-&gt;rotate_to($newfile); } &lt;/Exec&gt; CreateDir TRUE </Output> <Output cdrlogger> Module om_udp Host 127.0.0.1 Port 1514 </Output> <Route udp> Priority 1 Path syslog514udp => consolefile, cdrlogger </Route> <Route tcp> Priority 2 Path syslog514tcp => consolefile, cdrlogger </Route>

Hi, I have a bit of an unconventional setup where I collect windows logs on one server, I then send these logs to another nxlog server via om_tcp. With the outputType GELF_TCP. From this second nxlog server, I then forward the logs to a graylog server using om_udp and outputType GELF_UDP. But the problem is that graylog seems to receive one message for each row in the windows log full message. If I instead forward directly from nxlog to graylog without the second nxlog-server inbetween, they arrive in the correct format. But I really need the other setup to work. Is there something I need to consider when it comes to formatting when first forwarding the logs to a second nxlog-server and then to the graylog server from there? 

We have a folder structure like:/opt/tomcat-onesite/bin | /logs | /etc.... |-/tomcat-anothersite/bin | /logs | /etc.... |-/tomcat-somewhereelse/bin | /logs | /etc.... |-/tomcat-etc... |-/tomcat-logs/onesite -> /opt/tomcat-onesite/logs /anothersite -> /opt/tomcat-anothersite/logs /somewhereelse -> /opt/tomcat-somewhereelse/logs /etc ....All folders directly under /opt/tomcat-logs are symlinks to the corresponding logs folder under each tomcat instance. We wanted to define a File of /opt/tomcat-logs/*.logwith Recursive   TRUE but nxlog-ce doesnt pick up anything. We also tried /opt/tomcat-logs/*/*.log but it seems like nxlog-ce is unable to follow a * symlink or recurse through a symlink. I have no problems with /opt/tomcat-logs/onesite/*.log which works OK. Is this a bug? Is there a reason it does not follow implicit symlinks but does follow them if named?Note with further testing I have /opt/tomcat-*/logs/*.log working and this will do for now but I feel sure this is an error.

Hi,we've configured im_maculs and have noticed, that it does not handle expected ULS logs (which are seen with log stream command).We then configured im_exec module, to run log stream and have compared configurations head-to-head, the input with im_exec receives expected logs, while im_maculs does not.Here is configuration:<Input m_uls>Module im_maculs<Exec># Filterif ($subsystem == 'com.apple.launchservices' and $category == 'open'){$Hostname = hostname();} else{drop();}to_json();</Exec></Input> <Input m_logstream>Module im_execCommand /usr/bin/logArg streamArg --style=ndjsonArg --type=log<Exec>if $raw_event =~ /^{/{# Filterif ($subsystem == 'com.apple.launchservices' and $category == 'open'){$Hostname = hostname();} else{drop();}to_json();} else{# Fix ERROR [im_exec|m_logstream] failed to parse json string, lexical error: invalid char in json text.; Filtering the log data using "t; (right here) ------^; [Filtering the log data using "type == 1024"]# Since first log stream output line is not a json log entry, but informational messagedrop();}</Exec></Input>The m_logstream Input produces log message every time a graphical application is openned in macOS, while the m_uls - does not. 

Hello,I'm deploying nxlog-ce docker container in order to collect logs from several servers.My container is running and stores logs in files. I would like store logs in a postgresql database but the om_dbi module is missing in the container.How can I add this module?

Hi folks,Is NXLog CE compatible with Windows Server 2003?  I am getting “The installation is not supported by this processor type” error.  Works fine on other OS's.RegardsBen

Is anyone else having problems trying to download NXLog CE?  I select the file I want to download and click the “Download” button, and it just hangs. 

Hello, i used option AllowUntrusted TRUE with the ssl output module but i have still error ssl verification failedERROR SSL certificate verification failed: unable to get local issuer certificatethis option is not supposed to avoid this error ?https://docs.nxlog.co/ce/current/index.html#om_sslMy output conf:<Output ssl>    Module  om_ssl    Host    mysyslogserverPort 514AllowUntrusted TRUEOutputType  Syslog_TLSExec        to_syslog_ietf();CAFile      </Output>regardsGuillaume

hello.  I have nxlog working oh so well sending Windows Events to Graylog.  Works perfectly, couldnt be happier.I however wanted to start sending some logs that an application creates.  Seems to be configured properly to send.  I can see the in the message section of graylog the lines of the log and they come into graylog as they're created.  However the line gets cut off after 64 characters per each line.  How can I get the full line of the log?

Hi, we are using nxlog-ce-3.0.2272 on Linux (CentOS 7), after a server reboot nxlog is not started. The error message in nxlog logfile is: ERROR: couldn't open pidfile /run/nxlog/nxlog.pid. After the reboot of the server the directory /run/nxlog is missing, which seems to cause the error. The directory is created when nxlog-ce is installed on the server and nxlog is started OK. If I manually create the directory /run/nxlog and then start nxlog it also works. Is this a known error or have missed something ? BR Joakim