Hello, I have a problem with installing nxlog-ce-2.10.2150.msi on a domain controller on Windows Server 2012R2. When I try to install the program, I get the error "Installation directory must be a local hard driver". But I chose the local path "C:\Program Files (x86)\nxlog". I tried to change the path to other local paths, C:\ and C:\user_name. I always get the same error. Does someone know what I can do about this error?
MS_094464 created
Hello
NxLog CE 2.10.2150 is installed on two Windows Server 2019 Standard (version 1809) servers. But every X minutes, the service crashes and causes PRODUCTION issues. Here is the Event Viewer report:
Nom du journal :Application
Source : Application Error
Date : 15/01/2021 09:46:15
ID de l’événement :1000
Catégorie de la tâche :(100)
Niveau : Erreur
Mots clés : Classique
Utilisateur : N/A
Ordinateur : XXX
Description :
Nom de l’application défaillante nxlog.exe, version : 0.0.0.0, horodatage : 0x5beed9da
Nom du module défaillant : msvcrt.dll, version : 7.0.17763.475, horodatage : 0xba51b082
Code d’exception : 0xc0000005
Décalage d’erreur : 0x0008a1dc
ID du processus défaillant : 0x39bc
Heure de début de l’application défaillante : 0x01d6eb18ce58bc81
Chemin d’accès de l’application défaillante : C:\Program Files (x86)\nxlog\nxlog.exe
Chemin d’accès du module défaillant: C:\Windows\System32\msvcrt.dll
ID de rapport : 1108635a-e7f7-4e3b-8aee-76a841ef2ea9
Nom complet du package défaillant :
ID de l’application relative au package défaillant :
XML de l’événement :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-01-15T08:46:15.538549700Z" />
<EventRecordID>1632347</EventRecordID>
<Channel>Application</Channel>
<Computer>XXX</Computer>
<Security />
</System>
<EventData>
<Data>nxlog.exe</Data>
<Data>0.0.0.0</Data>
<Data>5beed9da</Data>
<Data>msvcrt.dll</Data>
<Data>7.0.17763.475</Data>
<Data>ba51b082</Data>
<Data>c0000005</Data>
<Data>0008a1dc</Data>
<Data>39bc</Data>
<Data>01d6eb18ce58bc81</Data>
<Data>C:\Program Files (x86)\nxlog\nxlog.exe</Data>
<Data>C:\Windows\System32\msvcrt.dll</Data>
<Data>1108635a-e7f7-4e3b-8aee-76a841ef2ea9</Data>
<Data> </Data>
<Data> </Data>
</EventData>
</Event>
How can I solve the issue?
JW_666731 created
Hi support,
-
We are trying to send logs from a server with the NXLog agent installed to a SIEM, with SSL/TLS (encrypted traffic). Would it be possible to only use ONE certificate for each agent?
-
For NXLog manager and the agents is it possible to use only ONE CA for One agent?
aurox3d_fc created
I do not see an install file for Ubuntu 20.04. Will one be made available when NXLog 2.11 is released?
Thanks in advance.
TonyC
TC_025725 created
Is anyone using NXLog to send Windows Events to Azure's Log Analytics, replacing Microsoft's OMS\MMA agent? The MS MMA agent is very limited in its outbound filtering, so NXLog is being considered. If someone has been successful doing this, an example of the config file would be awesome. Thanks.
slaterun1234 created
Hello,
I configured my conf file (comm. edition) with a query for certain event IDs. The output works; however, is there a way to prevent every event from creating its own log file? For instance, create 1 large file for the date vs. having 200k+ logfiles daily.
JC_570223 created
I have just purchased the Enterprise Edition NX Log software as well as BH Support.
Can someone advise how I can get the products added to my subscription as well as access to the software downloads and support portal? Alternatively, if a vendor support contact can contact me directly that would be great.
Thanks
nharrison created
Whok1996 created
Hi everyone,
I'm evaluating various log centralization / log analysis tools for our enterprise. I've been looking into Graylog for some time and have gotten to the point where I'm comfortable in it. I just started to look into NXLog and I'm wondering which offering to choose.
From what I can see, NXLog is more capable than Graylog as far as log collection goes.
Can someone help me understand this better? I see a lot of setups using BOTH, and I'm not really sure I want to use two systems --- we're not all that complex here to warrant that kind of setup.
Thank you!!!
Brad
bturnbough created
How can I protect passwords that are stored in the nxlog config to access different systems? I am using the SQL connector with a local SQL account and it requires the username and password to be input into the config.
EH_272573 created
Do we have NXLog modules to process Citrix Access Gateway & Citrix NetScaler logs?
BC_471242 created
===
2020-12-11 07:01:21 WARNING not starting unused module syslogs
2020-12-11 07:01:21 INFO nxlog-ce-2.10.2150 started
2020-12-11 07:01:21 ERROR failed to open tmp/output; The system cannot find the path specified.
=====
I do not understand where I can reference the "tmp/output" within "C:\Program Files (x86)\nxlog\*" or how I can point the output file to another directory.
This is a Windows box and I would like the files to be written to a folder path under the C directory.
Can anyone help?
FN_379889 created
I would like to forward Windows Security Events into Azure's Log Analytics using NXLog instead of the Microsoft Monitoring Agent (MMA). Has anyone been able to do this? If so, would you care to share your config file setup?
slaterun1234 created
Hi,
I'm currently using nxlog to forward RADIUS messages via syslog to my firewall. However, it has recently started complaining that the packets are too big, and so fragmentation is occurring which it doesn't like.
The temporary fix was to force the packets to cut at 1450 bytes, and this is my current config:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _xml>
Module xm_xml
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop> Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input NPS>
Module im_file
File "C:\Windows\System32\LogFiles\IN*.log"
InputType LineBased
SavePos TRUE
ReadFromLast TRUE
<Exec>
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<Event>/ drop();
# Filter to only events containing all required data (type, username and ip)
if $raw_event !~ /(Type\sdata_type="0">)(\d{1,2})(<\/Acct)(.+)(Name\sdata_type="1">)([a-zA-Z0-9\$\._-]{3,15})(.*)(<\/User)(.+)(Address\sdata_type="3">)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(<\/Framed)/ drop ();
# Truncates event to 1450 bytes due to MTU limits
$raw_event = substr($raw_event, 0, 1450);
# Reduces event string to just required data (type, username and ip)
# Parse xml
parse_xml();
</Exec>
</Input>
<Output Firewall>
Module om_udp
# Put your Firewall Management interface IP address
# Don't change port or protocol (should be UDP 514 or TCP 6514)
Host 192.168.1.1
Port 514
</Output>
<Output SyslogServer>
# Put your Syslog Server IP address and port
# Allows monitoring of messages being sent to firewall
Module om_udp
Host 192.168.1.10
Port 514
</Output>
<Route 1>
Path NPS => Firewall
</Route>
<Route 2>
Path NPS => SyslogServer
</Route>
However, I'd prefer a neater solution, rather than just chopping the end off the packet. The only parts of the packet I'm interested in forwarding are:
Event Regex: <Acct-Status-Type\sdata_type="0">1</Acct-Status-Type>{1}
Username Regex: <User-Name\sdata_type="1">([a-zA-Z0-9\._-]+)</User-Name>
Address Regex: <Framed-IP-Address\sdata_type="3">([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})</Framed-IP-Address>
Is there a way to extract just those bits and parse that to the output?
Apologies if it's obvious, but I don't really understand how nxlog works! Give me powershell and I'm happy....
Thanks, Stephen
SP_895311 created
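As an added example, not part of Stephen's post or of NXLog's own documentation, the NPS input block below extracts the three values the post asks about with regex capture groups and rebuilds $raw_event from them, so the datagram sent to the firewall is a short one-line record instead of a truncated XML event. The field names $UserName and $FramedIP, the "NPS acct-start user=... ip=..." message layout, and the decision to keep only Acct-Status-Type 1 (as the post's own event regex specifies) are assumptions made for this example; the global section and the SyslogServer output from the post are left unchanged and are not repeated here.

```nxlog
# Added example (not from the original post): regex-capture only the
# values of interest and rebuild $raw_event from them, replacing the
# substr() truncation. $UserName, $FramedIP and the output layout are
# assumptions chosen for this example.
<Input NPS>
    Module       im_file
    File         "C:\Windows\System32\LogFiles\IN*.log"
    InputType    LineBased
    SavePos      TRUE
    ReadFromLast TRUE
    <Exec>
        # Discard anything that is not an XML event
        if $raw_event !~ /^<Event>/ drop();

        # Keep only accounting events of type 1, as the post's event regex requires
        if $raw_event !~ /<Acct-Status-Type\sdata_type="0">1<\/Acct-Status-Type>/ drop();

        # Capture the user name into $UserName, or drop the event if there is none
        if $raw_event =~ /<User-Name\sdata_type="1">([a-zA-Z0-9\$\._-]+)<\/User-Name>/
        {
            $UserName = $1;
        }
        else
        {
            drop();
        }

        # Capture the framed IP address into $FramedIP, or drop the event if there is none
        if $raw_event =~ /<Framed-IP-Address\sdata_type="3">([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})<\/Framed-IP-Address>/
        {
            $FramedIP = $1;
        }
        else
        {
            drop();
        }

        # Rebuild the event from the captured values only; om_udp sends
        # $raw_event, so the datagram is now a few dozen bytes long
        $raw_event = "NPS acct-start user=" + $UserName + " ip=" + $FramedIP;
    </Exec>
</Input>

<Output Firewall>
    Module  om_udp
    # Firewall management interface address, as in the post
    Host    192.168.1.1
    Port    514
</Output>

<Route 1>
    Path    NPS => Firewall
</Route>
```

Because the rebuilt $raw_event carries no syslog header, a receiver that insists on RFC 3164 framing may need `Exec to_syslog_bsd();` added to the output block (with the xm_syslog extension loaded); the post's firewall accepted the bare UDP payload, so that line is left out here. Dropping events that lack a user name or address keeps the two captures from being stale values of an earlier event.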
Hi,
I'm forwarding Windows events to a SIEM with nxlog. I'm trying to send the username of the logged-on user (the user of the event) to the SIEM, without success. Is it possible to send the username?
Thank you
IB_956097 created
Hi All,
I'm trying a solution to forward Windows event logs to a centralized server (Adiscon LogAnalyzer; if you know a free alternative please help me).
Is it possible to convert raw data or filter the data in "messages" to set it in the respective fields?
For example, in the SIEM (LogAnalyzer), I have two views (syslog and eventlog). The syslog view is all OK.
eventlog view has blank field :
Eventlog Type Event Source Event ID Event User
Is it possible to filter the message and write it to the respective blank fields?
I have this basic nxlog.conf configuration:
<Extension _syslog>
Module xm_syslog
</Extension>
<Input eventlog>
Module im_msvistalog
</Input>
<Output out>
Module om_tcp
Host 10.0.2.50
Port 514
Exec to_syslog_bsd();
</Output>
<Route eventlog_to_out>
Path eventlog => out
</Route>
OUTPUT (excuse me for the language): È stato tentato un accesso utilizzando credenziali esplicite. Soggetto: #011ID sicurezza:#011#011S-1-5-21-2102024564-1642127871-3539904672-1001 #011Nome account:#011#011prova #011Dominio account:#011#011PCNAME #011ID accesso:#011#0110x1E125 #011GUID accesso:#011#011{00000000-0000-0000-0000-000000000000} Account di cui sono state utilizzate le credenziali: #011Nome account:#011#011admin #011Dominio account:#011#011PCNAME #011GUID accesso:#011#011{00000000-0000-0000-0000-000000000000} Server di destinazione: #011Nome server di destinazione:#011nasbackup #011Informazioni aggiuntive:#011nasbackup Informazioni sul processo: #011ID processo:#011#0110x4 #011Nome processo:#011#011 Informazioni di rete: #011Indirizzo di rete:#01110.0.2.128More Information #011Porta:#011#011#011445 Questo evento viene generato quando un processo tenta di far accedere un account specificando esplicitamente le credenziali dell'account. Generalmente si verifica in configurazioni di tipo batch, ad esempio attività pianificate, oppure quando si utilizza il comando RUNAS.#015
IB_956097 created
casey1234 created
Hi guys,
Does anyone know where to find nxlog-5.1.6303_rpm_x86_64.rpm? I am planning to install it on Oracle Linux 7, and the EPEL of Oracle Linux 7 does not have the RPM for nxlog.
Any help is greatly appreciated.
Tim
SA_572107 created
Hi,
I have found a number of items on collecting logs from CloudWatch, but none on forwarding events to CloudWatch. I think we would need those app keys we generate, etc.
Does anyone have any information on this or, better yet, a CloudWatch forwarder template?
My thanks, MG
MG_649952 created
Take for example event 4624, with output as JSON to Kafka. There is a JSON field in im_msvistalog:
"Category":"Logon",
...
"Task":12544,
Now, looking at an event 4624 collected via im_wseventing, the JSON looks like this:
"Task":"Logon"
Note: the field Category is missing! As "Task" contains the category, in reality the Task is missing here.
Please fix that for the WEC collector.
Best regards Theo
TD_609646 created