Hi,I am getting the following error when using the AllowIP Directive in Enterprise Edition 6.2:2024-04-02 15:17:42 ERROR [im_udp|SynologySyslog] invalid keyword: AllowIP at C:\Program Files\nxlog\conf\nxlog.conf:45The config snippit containing this is:<Input SynologySyslog> module im_udp ListenAddr 0.0.0.0:514 AllowIP 10.0.0.106 <Exec> parse_syslog_ietf(); </Exec> </Input><Input SynologySyslog>module  im_udpListenAddr 0.0.0.0:514AllowIP 10.0.0.106<Exec> parse_syslog_ietf();</Exec></Input>Any help would be greatly appreciated!! 

I spun up a brand-new Linux instance in AWS. I downloaded the RHEL9 CE package and got it onto that instance. I installed it as:yum -y localinstall nxlog-ce-3.2.2329_rhel9.x86_64.rpmThe problems:Nothing gets installed to /opt/nxlog; NXLog gets installed instead to /etc/nxlogThere aren't any modules downloaded/installedWhat am I missing?

Hello, Does anyone know how to install nxlog on a Windows 32-bit system? Windows Server 2003

Hi:I am new to nxlog but I do haves sending windows events into graylog via nxlogs so I know some basics.I am know trying to parse csv exchange logs.I am running the community version.I realize I have no output or routing statements yet.The log does not complain about the module xm_csv being found but does complain about module csv_parser not being found.I used this as starting point: https://docs.nxlog.co/integrate/exchange.html using the community section for reference.If someone could offer any hints I would be most grateful.--mikejVersion: nxlog-ce-3.2.2329LOGFILE:C:\Program Files\nxlog\data>type nxlog.log2024-03-25 15:15:51 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf:21; couldn't parse statement at line 25, character 27 in C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf; module csv_parser not found2024-03-25 15:15:51 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf:34; couldn't parse statement at line 38, character 26 in C:\Program Files\nxlog\conf\nxlog.d\\protocol.conf; module csv_parser not found2024-03-25 15:15:51 WARNING not starting unused module smtp_receive2024-03-25 15:15:51 WARNING not starting unused module smtp_send2024-03-25 15:15:51 INFO nxlog-ce-3.2.2329 startedCONFIG FILE: protocol.conf - in nxlog.ddefine BASEDIR C:\Program Files\Microsoft\Exchange Server\V15#Software: Microsoft Exchange Server#Version: 15.0.0.0#Log-type: SMTP Receive Protocol Log#Date: 2024-03-25T19:00:26.686Z#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context## MJ number of fields matches count<Extension csv>       Module    xm_csv       Fields    date-time, connector-id, session-id, sequence-number, \                 local-endpoint, remote-endpoint, event, data, context</Extension><Input smtp_receive>Module    im_file   File      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\RECV*.LOG'<Exec> if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop(); else {  csv_parser->parse_csv();  $EventTime = parsedate(${date-time}); }</Exec></Input><Input smtp_send>Module    im_fileFile      '%BASEDIR%\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\SEND*.LOG'<Exec>   if $raw_event =~ /^(\xEF\xBB\xBF)?(date-time,|#)/ drop();else{ csv_parser->parse_csv(); $EventTime = parsedate(${date-time});}</Exec></Input>

Hi team, Our current .conf file has only one output module and sending logs to only one destination. Can we send the logs to 2 different destination parallelly(Specifically we need to send to Accenture MSS) Regards, Anjani CM

Hello,I am getting the following error message with the SSL configured using om_ssl . Has anyone encountered this issue in the past? The config works without SSL but I want to make SSL to work.Please note that some information has been modified to avoid sensitive information exposure.2024-03-20 00:26:21 INFO connecting to destination_host:### 2024-03-20 00:26:21 INFO successfully connected to destination_host:### 2024-03-20 00:26:21 INFO reconnecting in 1 seconds 2024-03-20 00:26:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)This is my nxlog agent config code snippet:... <Output out_to_destination> Module om_ssl Host %OUTPUT_DESTINATION_HOST% Port %OUTPUT_DESTINATION_PORT% Exec $Message = to_json(); to_syslog_bsd(); CAFile %CERTDIR%\CA.pem CertFile %CERTDIR%\client-cert.pem CertKeyFile %CERTDIR%\client-key.pem AllowUntrusted TRUE </Output> ...Is there anyway to bypass verification? Is this issue on the nxlog agent side?

Been searching the internet to see if anyone has asked this before.Are there any plans for NXlog to support DTLS for secure low overhead forwarding?

Hi All, I am trying to test and evaluate the NXlog for collect the dns analytical log(ETL) and forward it to splunk directly. now I am using the community version of NXlog and get below error: 2024-03-14 10:35:31 ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_etw.dll, The specified module could not be found.  ; The specified module could not be found.  2024-03-14 10:35:31 ERROR invalid keyword: HTTPHeader at C:\Program Files\nxlog\conf\nxlog.conf:902024-03-14 10:35:31 ERROR module 'out_to_splunk' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:942024-03-14 10:35:31 ERROR route 1 is not functional without output modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:942024-03-14 10:35:31 WARNING no routes defined!Could someone please help to point the error/misconfiguration from the below NXlog.conf? thanks.  nxlog.confPanic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension><Extension _charconv>   Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec>   Module      xm_exec</Extension><Extension _fileop>   Module      xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       Exec    if (file_exists('%LOGFILE%') and \                  (file_size('%LOGFILE%') >= 5M)) \                   file_cycle('%LOGFILE%', 8);   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);   </Schedule></Extension># Snare compatible example configuration# Collecting event log# <Input in>#     Module      im_msvistalog# </Input># # Converting events to Snare format and sending them out over TCP syslog# <Output out>#     Module      om_tcp#     Host        192.168.1.1#     Port        514#     Exec        to_syslog_snare();# </Output># # Connect input 'in' to output 'out'# <Route 1>#     Path        in => out# </Route><Input in_dns>   Module      im_etw   Provider    Microsoft-Windows-DNSServer</Input><Input dns_analytical_log>   Module      im_msvistalog   Query       <QueryList>\                   <Query Id="0">\                       <Select Path="Microsoft-Windows-DNS-Server/Analytical">*</Select>\                   </Query>\               </QueryList></Input> <Output out_to_splunk>   Module      om_http   URL         http://192.168.1.85:8088/services/collector   ContentType application/json   Exec        to_json();   HTTPHeader  Authorization: 6aad1862-c232-4613-a248-bc58f0885ea8</Output><Route 1>   Path        dns_analytical_log => out_to_splunk</Route>

I find instructions for installing the Enterprise edition. I'm trying to install the Community edition. I can't find the tar file, only the rpm file.I cannot resolve all the missing dependencies:libc.so.6, libcrypt.so.2, libcrypto.so.3, libssl.so.3, libsystemd.so.0 I cannot convince my management to pay for the Enterprise edition without first demonstrating the Community edition. Since the documentation for the Community edition is so poor, I will not advocate paying to only find that the documentation for the Enterprise edition is no better. How do I install the needed dependencies?

Hello all, I have a bit of a problem and was hoping someone can put in their two cents. I have recently set up NXLogs to start sending DHCP logs to a second server for one of our security applications. However, there is no record of the logs being received by it (or any traffic to suggest that the logs are leaving the DHCP server). We are successfully receiving logs for the first Security Server, just not the second (most recent addition). I have ran a Netstat -a command from the DHCP server and it shows there is an active connection going to the correct IP range and port. We have looked at the firewall and found that there are no packets being dropped by it either, and also no records that traffic is going from our DHCP server to our second Security Server. So all in all, I'm at a bit of a loss for how to troubleshoot this and was wondering if anyone had any ideas? PSB for a copy of our .conf file, just in case anyone spots a glaring error (I have redacted IP ranges, ports, etc…) Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine WINDHCP_OUTPUT_DESTINATION_ADDRESS x.x.x.xdefine WINDHCP_OUTPUT_DESTINATION_ADDRESS2 x.x.x.xdefine WINDHCP_OUTPUT_DESTINATION_PORT xxxxdefine WINDHCP_OUTPUT_DESTINATION_PORT2 xxxModuledir   %ROOT%\modulesCacheDir    %ROOT%\dataPidfile     %ROOT%\data\nxlog.pidSpoolDir    %ROOT%\dataLogFile     %ROOT%\data\nxlog.log<Extension _json>   Module  xm_json</Extension><Input dhcp_server_eventlog>  Module      im_msvistalog  <QueryXML>       <QueryList>           <Query Id="0" Path="System">               <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-DHCP-Server']]]</Select>           </Query>           <Query Id="0">               <Select Path="DhcpAdminEvents">*</Select>               <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>               <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>           </Query>      </QueryList>   </QueryXML>   Exec        $EventTime = integer($EventTime) / 1000;   Exec        $EventReceivedTime = integer($EventReceivedTime) /     1000;   Exec        to_json();</Input><Input audit_logs_csv>   Module      im_file   File        "c:\DHCP\-*.log"   SavePos     TRUE   InputType   LineBased   Exec        $Message = $raw_event;</Input><Output SecurityServer1>   Module      om_udp   Host        %WINDHCP_OUTPUT_DESTINATION_ADDRESS%   Port        %WINDHCP_OUTPUT_DESTINATION_PORT%</Output><Output SecurityServer2>   Module      om_udp   Host        %WINDHCP_OUTPUT_DESTINATION_ADDRESS2%   Port        %WINDHCP_OUTPUT_DESTINATION_PORT2%</Output><Route 1r>   Path     dhcp_server_eventlog,audit_logs_csv => SecurityServer1</Route><Route 2>   Path     dhcp_server_eventlog,audit_logs_csv => SecurityServer2</Route> Thanks in advance for the help. 

Hi So im a brand new user to NXLog,  and NXlog are refusing to offer me any support unless i pay for it, which i feel is a little unfair given i have literraly just purchased 8 Enterprise Editon licenses . However i have got a config file which im working with. So far i have two problems 1 - The resulting log file is empty2 - I am receiving the following errors2024-03-05 14:31:28 ERROR [im_maculs|uls] Could not get proc_info, skipping log @ 486802024-03-05 14:31:28 WARNING [im_maculs|uls] Avoided padding for log ending @ 0xBE39  I am not sure on the best course of action here, or wether i need to upload the actual config file, if anybody can offer any help or guidnace at all it would be greatly appreciated. More than happy to prove more info if it helps Thanks

Sorry if this has been asked before, but I couldn't find anything related.I'm after NXLOG version CE 2.9.1716 for Windows however only Ubuntu & Debian is available from the download section. Does anybody know how I can obtain the Windows file?

HiI have configured compression and encryption for locally stored logs, and it seems to be working fine. However, when I run the command c:\program files\nxlog\nxlog-processor.exe -c d:\data\decrypted.conf, I encounter an error while attempting to decrypt the currently active file. The error message reads: 'error [im_file:enc_in] Crypto SSL error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length.' Despite this error, the file is decrypted successfully, and we are able to read the log file clearly. Could you please advise on the meaning of this error? I have not encountered any errors for older encrypted files. Thank youOur current config is as follows:nxlog.confPanic Softdefine INSTALLDIR D:\Program Files\nxlog#ModuleDir %INSTALLDIR%\modules#CacheDir  %INSTALLDIR%\data#SpoolDir  %INSTALLDIR%\datadefine CERTDIR %INSTALLDIR%\certdefine CONFDIR %INSTALLDIR%\conf\nxlog.d# Note that these two lines define constants only; the log file location# is ultimately set by the `LogFile` directive (see below). The# `MYLOGFILE` define is also used to rotate the log file automatically# (see the `_fileop` block).define LOGDIR D:\Program Files\nxlog\datadefine MYLOGFILE %LOGDIR%/nxlog.log# If you are not using NXLog Manager, disable the `include` line# and enable LogLevel and LogFile.#include %CONFDIR%\*.confLogLevel    INFOLogFile     %MYLOGFILE%<Extension xml>   Module      xm_xml</Extension><Extension exec>   Module      xm_exec</Extension><Extension _syslog>Module xm_syslog</Extension><Extension zlib>   Module      xm_zlib</Extension><Extension crypto>   Module       xm_cryptoPasswordFile "d:\\Program Files\\nxlog\\conf\\nxlogkeyfile.pem"</Extension><Extension fileop>   Module      xm_fileop</Extension># Input from remote relay<Input nxlog_relay> Module   im_ssl ListenAddr 0.0.0.0:8514 CAFile  %CERTDIR%/root.pem CertFile %CERTDIR%/xxx..pem CertkeyFile %CERTDIR%/xxx..pem RequireCert FALSE Exec  $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname;</Input># This Section contains the configuration to receive logs forwarded by  Servers<Input servers_ssl> Module      im_ssl ListenAddr 0.0.0.0:7514 CAFile  %CERTDIR%/root.pem CertFile %CERTDIR%/xxx..pem CertkeyFile %CERTDIR%/xxx..pem RequireCert FALSE Exec  $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname; </Input><Output log_local_encrypted>Module   om_fileFile     "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log"CreateDir trueExec  to_syslog_ietf();OutputType zlib.compress, crypto.aes_encrypt</Output><Output log_remote_encrypted>   Module   om_fileFile     "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log.gz.enc"CreateDir trueExec  to_syslog_ietf();OutputType zlib.compress, crypto.aes_encrypt</Output># Path to forward logs to locally<Route Windows_Network_To_Locally>       Path    servers_ssl, network_tcp_ssl => log_local_encrypted</Route># Path to forward logs to locally<Route Remote_Windows_Network_To_Locally>       Path    nxlog_relay => log_remote_encrypted</Route># This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`# is changed in managed.conf via NXLog Manager, rotation of the new# file should also be configured there.<Extension _fileop>   Module  xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       <Exec>           if ( file_exists('%MYLOGFILE%') and                (file_size('%MYLOGFILE%') >= 5M) )           {                file_cycle('%MYLOGFILE%', 8);           }       </Exec>   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);   </Schedule></Extension>Regards, Billy

Hello everyone,I'm trying to solve a problem that seems simple.I would like to log Windows events on two different log servers. I would like to send all relevant logs to a Graylog but without the MSSQL logs. These are filtered and sent to another Graylog.Filtering by “MSSQL-ONLY” works fine, but dropping MSSQL events does not work. I get all logs including MSSQL an the "logs" output.Any idea? Windows Server 2022, nxlog-ce-3.2.2329.msi define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension gelf> Module xm_gelf </Extension> <Input eventlog> Module im_msvistalog Query <QueryList> <Query Id="0"> <Select Path="Application"></Select> <Select Path="System"></Select> <Select Path="Security"></Select> <Select Path="Microsoft-Windows-Windows Defender/Operational"></Select> </Query> </QueryList> <Exec> if ($SourceName = "SQLSERVER") drop(); </Exec> </Input> <Input sqllog> Module im_msvistalog Query <QueryList> <Query Id="0"> <Select Path="Application">*[System[Provider[@Name='MSSQLSERVER']]]</Select> </Query> </QueryList> </Input> <Output logs> Module om_tcp Host graylog01.something.com Port 12202 OutputType GELF_TCP Exec $Hostname = 'XYZ.somthing.com'; </Output> <Output sqllogs> Module om_tcp Host graylog02.something.com Port 12202 OutputType GELF_TCP Exec $Hostname = 'XYZ.somthing.com'; </Output> <Route eventlog_to_udp> Path eventlog => logs </Route> <Route sqllog_to_udp> Path sqllog => sqllogs </Route> 

I would like to know how to use the wildcard if the logs name file contains a date. # Monitor application log files<Input watchfile> Module im_file File 'C:\\Application\\log\\240220N.Log' Exec $Message = $raw_event; Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1; SavePos TRUE Recursive TRUE</Input>Thank you

We have configured  NXLog to monitor DHCP server logs and  sends it to two different destinations using TCP:what is the correct way of routing the output to two diffrent distnations..<Output out1>   Module      om_tcp   Host        destination1   Port       XXX  </Output><Output out2>   Module      om_tcp   Host        destination2   Port        XXXX   </Output><Route route1>   Path        input1 => out1   Path        input2 => out2</Route>

I am experiencing a problem with the NXLog Graylog sidecarwhere large CSV messages are being truncated when sent to Graylog via im_file and xm_gelf. The issue occurs regardless of whether I use UDP or TCP transport. Specifically, when a single field (FullFormattedMessage) exceeds approximately 11,000 bytes, the message gets truncated to 64 characters in Graylog's interface causing the entire large field to be omitted. This truncation appears to be due to the $ShortMessage field, which has a character limit.Additionally, when the message is truncated, the $EventTime field, which is derived from a CSV column using parsedate(), does not parse correctly. It seems that when the message reaches its size limit, the $row_event is sent without executing any further processing. My current NXLog configuration is as follows:define INSTALLDIR /etc/nxlog define CERTDIR %INSTALLDIR%/cert define CONFDIR %INSTALLDIR%/nxlog.d define LOGDIR /var/log/nxlog define MYLOGFILE %LOGDIR%/nxlogCSVtest.log LogLevel INFO LogFile %MYLOGFILE% <Extension csv> Module xm_csv Fields IpAddress,UserAgent,Key,CreatedTime,UserName,FullFormattedMessage </Extension> <Extension gelf> Module xm_gelf </Extension> <Input file> Module im_file File '/home/user/test/logs_to_send.csv' <Exec> csv->parse_csv(); if ($UserName =~ /USER_A/) drop(); if (not defined($CreatedTime) or $CreatedTime=='' ) drop(); $EventTime = parsedate($CreatedTime); $CreatedTime = undef; # These fields are needed for Graylog $gl2_source_collector = '${sidecar.nodeId}'; $collector_node_id = '${sidecar.nodeName}'; &lt;/Exec&gt; </Input> <Output graylog_udp> Module om_udp Host 127.0.0.1 Port 5555 OutputType GELF_UDP </Output> <Route 1> Path file => graylog_udp </Route> The log file indicates an "Invalid CSV input" error for each row that is giving me the problem, but only displays the first 960 characters of the CSV rows in question.2024-02-13 16:59:08 ERROR Invalid CSV input: <the first 960 characters of the csv row> I am running NXLog CE on Ubuntu 22.04 with the Graylog sidecar, using package version nxlog-ce_3.2.2329_ubuntu22_amd64.On the data that desn't get the error it's working great, I know i'm hitting some limitation but i would like to know witch one and how can i change it.

Hi,  I can send the log to 1 Server only.  How do I send the same log to 2 server for just in case 1 got wipe out by ransomwareThis is the configuration that work for #1 Server.  My #2 Server has different IP.   What is the proper way to do this? <Extension _gelf>   Module      xm_gelf</Extension># Snare compatible example configuration# Collecting event log<Input in>    Module      im_msvistalog</Input># Sends Eevent in GELF format to Graylog Servers<Output out>    Module      om_udp    Host        10.10.12.68    Port        12201    OutputType  GELF</Output># # Connect input 'in' to output 'out'<Route 1>    Path        in => out</Route>

When sending data to InsightIDR, you have to specify a unique port for each data source.  For example, on an AD DC, you need a unique port for security event logs, DNS logs, and DHCP logs.  As it currently appears, I would need a template or individual configuration on each system. To optimize/simplify this, is it possible to use FIELDS and PATTERNS in templates?  e.g. DC1_SecLog=<port 1000>, DC1_DNS=<port 1001>.  In the template reference a FIELD/PATTERN based on the agent info like hostname and/or tags?  Just looking for a way to minimize the number of templates I have to manage.

Learning how to build out templates and I see in the documentation, that you there should be an option for “MASTER” or “SUB” template types as described here:  https://docs.nxlog.co/manager/current/templates/index.htmlHowever, my new server (5.7.5935) does not have that option when creating a template.  Is there something that needs to be enabled or some set of actions before that becomes visible?