NXlog CE stops sending logs


I've been using the Community Edition of NXLog. I've read there is a bug related to the 256 Windows channel error. Has there been a fix, or does anybody have a workaround for this? The agent on some of my machines stops working after a couple days. Any advice would be appreciated.

Asked June 25, 2021 - 3:30pm

How to forward the raw XML for Windows logs

Hello there! I was wondering how one can forward the raw XML events (open Event Viewer, double click an event, click Details, then XML View) from the Windows Event Log to a SIEM/log file using nxlog EE.

Currently, if I don't specify any options, it ends up in a log format that isn't XML, and if I use

Exec $Message = to_xml(); to_syslog_bsd();

then I get an XML that isn't formatted the same way as the Windows Event XML, which confuses the SIEM.

Asked June 25, 2021 - 10:58am

No logs are collected from Fortinet units, but tcpdump on NXlog collector shows ingoing traffic coming from them

I have a setup using NXlog instances as collectors in a large number of security zones.

<Input in0>
    Module   im_tcp
    Host      XXX.XXX.XXX.XXX

but for some reason this does not capture logs coming in on port 514 from Fortinet units; all other logs (from Windows and Linux servers) are received and processed just fine.

tcpdump -nvvA host [Fortinet unit IP]

Asked June 22, 2021 - 12:28pm

NXLog EE Trial Limitations


We are testing the NXLog EE Trial version on Windows and want to know what its limitations are.

Will it expire after some time?

Are some modules not working?

How many days can we try it?

Is there a FAQ to further explain the Trial limitations? We did not find any.

Thank you.

Asked June 15, 2021 - 1:49pm

NX .conf - Drop Windows events based on hostname

Hello everyone

I have the following EXEC IF statement in my configuration file to drop events if the username fields are equal to the computer account name. As you know, Windows computer account names always end in $.

if $EventID == 4624 AND ($TargetUserName == 'DESKTOP-XY43$' OR $SubjectUserName == 'DESKTOP-XY43$') drop();

Asked June 13, 2021 - 5:00am