Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

protecting passwords stored in nxlog config
How can I protect passwords that are stored in the nxlog config to access different systems? I am using the SQL connector with a local SQL account, and it requires the username and password to be input into the config.

EH_272573 created
Replies: 1
Modules for Citrix Access Gateway & Citrix NetScaler
Do we have NXLog modules to process Citrix Access Gateway & Citrix NetScaler logs?

BC_471242 created
Replies: 1
How to output Syslog Dell Firewall Logs to a local file directory
I am looking to output syslog logs from a Dell Firewall into a local directory on my Windows box and I am getting an error message as below:

===
2020-12-11 07:01:21 WARNING not starting unused module syslogs
2020-12-11 07:01:21 INFO nxlog-ce-2.10.2150 started
2020-12-11 07:01:21 ERROR failed to open tmp/output; The system cannot find the path specified.
=====

I do not understand where I can reference the "tmp/output" within "C:\Program Files (x86)\nxlog*" or how I can point the output file to another directory. This is a Windows box and I would like the files to be written to a folder path under the C directory. Can anyone help?

FN_379889 created
Replies: 2
Windows Event Forwarding
I would like to forward Windows Security Events into Azure's Log Analytics using NXLog instead of the Microsoft Monitoring Agent (MMA). Has anyone been able to do this? If so, would you care to share your config file setup?

slaterun1234 created
Replies: 1
Regex/Variable
Hi, I'm currently using nxlog to forward RADIUS messages via syslog to my firewall. However, it has recently started complaining that the packets are too big, and so fragmentation is occurring, which it doesn't like. The temporary fix was to force the packets to cut at 1450 bytes, and this is my current config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _xml>
    Module xm_xml
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input NPS>
    Module im_file
    File "C:\Windows\System32\LogFiles\IN*.log"
    InputType LineBased
    SavePos TRUE
    ReadFromLast TRUE
    <Exec>
        # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<Event>/ drop();
        # Filter to only events containing all required data (type, username and ip)
        if $raw_event !~ /(Type\sdata_type="0">)(\d{1,2})(<\/Acct)(.+)(Name\sdata_type="1">)([a-zA-Z0-9\$\._-]{3,15})(.*)(<\/User)(.+)(Address\sdata_type="3">)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(<\/Framed)/ drop ();
        # Truncates event to 1400 bytes due to MTU limits
        $raw_event = substr($raw_event, 0, 1450);
        # Reduces event string to just required data (type, username and ip)
        # Parse xml
        parse_xml();
    </Exec>
</Input>

<Output Firewall>
    Module om_udp
    # Put your Firewall Management interface IP address
    # Don't change port or protocol (should be UDP 514 or TCP 6514)
    Host 192.168.1.1
    Port 514
</Output>

<Output SyslogServer>
    # Put your Syslog Server IP address and port
    # Allows monitoring of messages being sent to firewall
    Module om_udp
    Host 192.168.1.10
    Port 514
</Output>

<Route 1>
    Path NPS => Firewall
</Route>

<Route 2>
    Path NPS => SyslogServer
</Route>

However, I'd prefer a neater solution, rather than just chopping the end off the packet. The only parts of the packet I'm interested in forwarding are:

Event Regex: <Acct-Status-Type\sdata_type="0">1</Acct-Status-Type>{1}
Username Regex: <User-Name\sdata_type="1">([a-zA-Z0-9\._-]+)</User-Name>
Address Regex: <Framed-IP-Address\sdata_type="3">([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})</Framed-IP-Address>

Is there a way to extract just those bits and pass them to the output? Apologies if it's obvious, but I don't really understand how nxlog works! Give me PowerShell and I'm happy.... Thanks, Stephen

SP_895311 created
Replies: 1
Send Username of windows event
Hi, I'm forwarding Windows events to a SIEM with nxlog. I'm trying to send the username of the logged-on user (the user of the event) to the SIEM, without success. Is it possible to send the username? Thank you

IB_956097 created
Replies: 1
Adiscon Loganalyzer compatibility
Hi All, I'm trying a solution to forward Windows event logs to a centralized server (Adiscon Loganalyzer; if you know a free alternative please help me). Is it possible to convert raw data or filter data in "messages" to set it in the respective fields? For example, in the SIEM (loganalyzer) I have two views (syslog and eventlog). The syslog view is all OK; the eventlog view has blank fields: Eventlog Type, Event Source, Event ID, Event User. Is it possible to filter the message and write it to the respective blank fields? I have this basic nxlog.conf configuration:

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
</Input>

<Output out>
    Module om_tcp
    Host 10.0.2.50
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route eventlog_to_out>
    Path eventlog => out
</Route>

OUTPUT (excuse me for the language):

È stato tentato un accesso utilizzando credenziali esplicite. Soggetto: #011ID sicurezza:#011#011S-1-5-21-2102024564-1642127871-3539904672-1001 #011Nome account:#011#011prova #011Dominio account:#011#011PCNAME #011ID accesso:#011#0110x1E125 #011GUID accesso:#011#011{00000000-0000-0000-0000-000000000000} Account di cui sono state utilizzate le credenziali: #011Nome account:#011#011admin #011Dominio account:#011#011PCNAME #011GUID accesso:#011#011{00000000-0000-0000-0000-000000000000} Server di destinazione: #011Nome server di destinazione:#011nasbackup #011Informazioni aggiuntive:#011nasbackup Informazioni sul processo: #011ID processo:#011#0110x4 #011Nome processo:#011#011 Informazioni di rete: #011Indirizzo di rete:#01110.0.2.128More Information #011Porta:#011#011#011445 Questo evento viene generato quando un processo tenta di far accedere un account specificando esplicitamente le credenziali dell'account. Generalmente si verifica in configurazioni di tipo batch, ad esempio attività pianificate, oppure quando si utilizza il comando RUNAS.#015

IB_956097 created
Replies: 1
How to collect more than one log per input module without using a wildcard
Hi! We have some logs that we would like NXLog to monitor. The logs are located in a folder where lots of other logs also reside. For that reason we don't wish to use a wildcard, because many of the logs are ones we don't care to monitor. How can we, in a single input module, monitor three files, say file1, file2, and file3? The information found here indicates that you can use multiple File directives, but when I tried it, it didn't work. Example:

<Input inLog>
    Module im_file
    File "/var/log/file1.log"
    File "/var/log/file2.log"
    File "/var/log/file3.log"
    <Exec>
        $logtime = strptime($raw_event, '%Y-%m-%d %H:%M:%S');
        $timestamp = strftime($logtime, '%s');
        $server = hostname_fqdn();
        if $raw_event =~ /\[INFO\]/ $log_type = 'INFO';
        if $raw_event =~ /\[WARNING\]/ $log_type = 'WARNING';
        if $raw_event =~ /\[ERROR\]/ $log_type = 'ERROR';
    </Exec>
</Input>

Do I need three different input modules or can I use just one? Thanks in advance!

casey1234 created
Replies: 1
where to find the generic nxlog-5.1.6303_rpm_x86_64.rpm
Hi guys, does anyone know where to find the nxlog-5.1.6303_rpm_x86_64.rpm? I am planning to install it on Oracle Linux 7, and the EPEL of Oracle Linux 7 does not have the rpm for nxlog. Any help is greatly appreciated. Tim

SA_572107 created
Replies: 1
Log Forwarding to CloudWatch
Hi, I have found a number of items on collecting logs from CloudWatch, but none on forwarding events to CloudWatch. I think we would need those App Keys we generate etc. Does anyone have any information on this or, better yet, a CloudWatch Forwarder Template? My thanks, MG

MG_649952 created
Replies: 1
For im_wseventing, the fields Task and Category seem to be messed up.
Take for example event 4624, with output as JSON to Kafka. There is a JSON field in im_msvistalog:

"Category":"Logon", ... "Task":12544,

Now, looking at an event 4624 collected via im_wseventing, the JSON looks like this:

"Task":"Logon"

Note: the field Category is missing! As "Task" contains the category, in reality the Task is missing here. Please fix that for the WEC collector. Best regards, Theo

TD_609646 created
Replies: 1
Missing parent/creator process id for event 4688 with im_wseventing
For event 4688 I can only extract the parent process id out of the message body, but there is no field in the JSON containing only the parent process id. In im_msvistalog this field is properly added to the JSON. Example in im_wseventing:

{
  "EventTime":"2020-11-23 00:25:57",
  "Hostname":"...",
  "Keywords":-9214364837600034816,
  "EventType":"AUDIT_SUCCESS",
  "SeverityValue":2,
  "Severity":"INFO",
  "EventID":4688,
  "SourceName":"Microsoft-Windows-Security-Auditing",
  "ProviderGuid":"{ANONYMIZED}",
  "Version":2,
  "Task":13312,
  "OpcodeValue":0,
  "RecordNumber":14699970,
  "ProcessID":4,
  "ThreadID":7924,
  "Channel":"Security",
  "Message":"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\ANON$\r\n\tAccount Domain:\t\ANON\r\n\tLogon ID:\t\tANON\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x114c\r\n\tNew Process Name:\tC:\\Windows\\System32\\cmd.exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0x1f8c\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
  "Category":"Process Creation",
  "Opcode":"Info",
  "SubjectUserSid":"ANON",
  "SubjectUserName":"ANON",
  "SubjectDomainName":"ANON",
  "SubjectLogonId":"ANON",
  "NewProcessId":"0x114c",
  "NewProcessName":"C:\\Windows\\System32\\cmd.exe",
  "TokenElevationType":"%%1936",
  "TargetUserSid":"S-1-0-0",
  "TargetUserName":"-",
  "TargetDomainName":"-",
  "TargetLogonId":"0x0",
  "EventReceivedTime":"2020-11-23 02:13:00",
  "SourceModuleName":"security_event_collect",
  "SourceModuleType":"im_msvistalog"
}

Please add the missing field. Best regards, Theo

TD_609646 created
Windows Server 2016 NXLOG service keeps on stopping every few days
When I check the Windows "Services", it is running, but the logs are not transferred. After restarting the service, it works fine for a few days. After a few days, the logs will not be transferred. I think that "★" is because the transfer destination server is temporarily offline. If I can't connect even once, can I connect after that?

2020-11-12 14:41:17 INFO nxlog-ce-2.10.2150 has started
★ 2020-11-12 14:41:17 Error 10.17.140.209 Failed to connect to udp socket: 514; An attempt was made to perform a socket operation on an unreachable host.
2020-11-20 09:56:06 Warning nxlog service outage
2020-11-20 09:56:06 Warning nxlog-ce received end request signal and ended
...
2020-11-20 09:56:08 INFO nxlog-ce-2.10.2150 has started

TI_825837 created
Replies: 1
Specify "Template Type" selection seems to be missing.
Hello everyone. I'm new to NXLog but I'm glad to be here and to learn. We have the Enterprise edition and I'm trying to work out how the template structure works. The user doc (135.3. Creating Templates) references the image below. However, when I try to create a template, I don't have the label or drop-down to select MASTER / SUB as a template type as shown in the screenshot.

(image: Missing Template Option)

Is there something in the config to turn that function on and off that I might be missing? For reference, we're using version 5.5.5398 of the NXLog Manager via Docker image.

RR_719059 created
Using PowerShell to fetch logs and emptying monitored directory at specified intervals
I'm looking at a slightly unusual application logging setup which has turned out quite challenging to handle with NXLog as is, and for that I've been experimenting with running PS scripts using NXLog. In principle, I'd like to know if it is possible to build the following scenario using the NXLog Enterprise agent. Running a PS script (using NXLog) to fetch log files at an interval from variable directories and put them into another (a copy of logs not older than 1 hour; the PS script would manage this, but needs to be invoked by the NXLog agent). Reading selected events from the fetched logs and dispatching them to another system (note, this is completed in another scenario already, so I know this would work). Deleting all logs from the import directory after they have been read. This could be managed with xm_fileop, I believe. I have been experimenting with running PS scripts, unsuccessfully so far, but I'm going through the docs and examples to understand how one would execute a (any) script using the NXLog agent. Any advice will be highly appreciated.

PT_537256 created
Replies: 2
Trying to parse Tomcat logs using nxlog, getting error
Hi team, can someone please help me with parsing the below Tomcat log (contains multiple lines)?

Tomcat log snippet:

19-Aug-2020 12:39:51.412 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.undeploy Undeploying context [/front]
19-Aug-2020 12:40:31.462 INFO [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [D:\Tomcat\webapps\front]
19-Aug-2020 12:40:32.813 SEVERE [Catalina-utility-2] org.apache.catalina.startup.HostConfig.deployDirectory Error deploying web application directory [D:\Tomcat\webapps\front]
java.lang.IllegalStateException: Error starting child
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1133)
at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1866)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

I am trying to use the same example (URL below) from the nxlog official guide, but it didn't help.
https://nxlog.co/documentation/nxlog-user-guide/apache-tomcat.html

Please see my conf file content below:

define REGEX /(?x)^(?<EventTime>\d{2}-\d{3}-\d{4}\ \d{2}:\d{2}:\d{2}).\d{3}\ (?<Severity>\S+)\ [(?<Class>\S+)]\ (?<Message>[\s\S]+)/

Module xm_multiline
HeaderLine %REGEX%

Module im_file
File 'D:\Tomcat\logs\catalina.*.log'
SavePos TRUE
InputType multiline
Exec if $raw_event =~ %REGEX% $EventTime = parsedate($EventTime); log_info($raw_event); log_info($Message);
Exec $Message = 'TOMCAT_Catalina ' + $raw_event ; $SyslogFacilityValue = 1; $SyslogSeverityValue=5;

And getting below errors:

2020-11-13 14:25:54 ERROR failed to compile regular expression '(?x)^(?<EventTime>\d{2}-\d{3}-\d{4}\ \d{2}:\d{2}:\d{2}).\d{3}\ (?<Severity>\S+)\ [(?<Class>\S+)]\ (?<Message>[\s\S]+)', error at position 136: unmatched parentheses
2020-11-13 14:25:54 ERROR invalid expression in 'HeaderLine' at C:\Program Files (x86)\nxlog\conf\custom\tomcatCatalina.conf:7
2020-11-13 14:25:54 ERROR Invalid InputType 'multiline' at C:\Program Files (x86)\nxlog\conf\custom\tomcatCatalina.conf:19
2020-11-13 14:25:54 ERROR module 'tomcat_catalina_log' has configuration errors, not adding to route '4' at C:\Program Files (x86)\nxlog\conf\custom\tomcatCatalina.conf:53
2020-11-13 14:25:54 ERROR route 4 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\custom\tomcatCatalina.conf:53

Please help. Thanks in advance!

LS_140907 created
Replies: 1
NXLOG CE 2.11 - Release date?
Hi, I posted a question in September regarding the release of nxlog for Debian buster: https://nxlog.co/question/6073/nxlog-community-edition-package-debian-buster Raf answered that the release would be available soon; it has been 2 months. Do you have any idea of the release date? Thanks in advance, Best regards. Paul

pboniface created
Replies: 1
Windows Events missing EventData
Hello, I'm using NXLog CE 2.10.2150 on a Win2016 server to collect "Forwarded Events" and send them to a syslog server, Snare formatted. However, some events only contain their System segment, missing their entire EventData.

Here's my configuration (EventData missing):

<Input eventlog>
    Module im_msvistalog
    Query <QueryList> <Query Id=""> <Select Path="ForwardedEvents">*</Select> </Query> </QueryList>
</Input>

<Output out>
    Module om_tcp
    Host ip_syslogs_server
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path eventlog => out
</Route>

Resulting in (tcpdump):

<14>Nov 11 10:50:37 server2.domain MSWinEventLog 1 Security 2189 Wed Nov 11 10:50:37 2020 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit server2.domain Kerberos Authentication Service N/A 998061427

Here's my configuration (EventData included):

<Input eventlog>
    Module im_msvistalog
    Query <QueryList> <Query Id=""> <Select Path="ForwardedEvents">*</Select> </Query> </QueryList>
    Exec $Message =~ s/(\t|\R)/ /g;
    Exec $Message = to_json();
</Input>

<Output out>
    Module om_tcp
    Host ip_syslogs_server
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path eventlog => out
</Route>

Resulting in (tcpdump):

<14>Nov 11 10:49:36 server1 MSWinEventLog 1 Security 1593 Wed Nov 11 10:49:36 2020 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit server1 Kerberos Authentication Service {"EventTime":"2020-11-11 10:49:36","Hostname":"server1","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4768,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328CXXX}","Version":0,"Task":14339,"OpcodeValue":0,"RecordNumber":953757340,"ProcessID":708,"ThreadID":11484,"Channel":"Security","ERROR_EVT_UNRESOLVED":true,"Category":"Kerberos Authentication Service","Opcode":"Info","TargetUserName":"User1","TargetDomainName":"domain","TargetSid":"S-1-5-21-3493186346-123456789-198542525-123456","ServiceName":"krbtgt","ServiceSid":"S-1-5-21-123456789-2449186506-123456525-502","TicketOptions":"0x40000000","Status":"0x0","TicketEncryptionType":"0x12","PreAuthType":"2","IpAddress":"10.xxx.xxx.xxx","IpPort":"33925","EventReceivedTime":"2020-11-11 10:49:38","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"} 953757340

As you can see, NXLog fills the EventData with "N/A" in my first example and with the JSON-encoded full EventData in my second example. The problem I have is that my parser on the syslog server does not expect JSON-encoded data. Any hints? Thx Johannes

Jens_CERT-BA created
Replies: 2
Cycling multiple files
Hello, I'm logging event logs from a custom C++ app to a server and am trying to set up file cycling for both the application event logs and the NXLog log file. When I add a second Output to my Route, I start to see the event logs showing up in the NXLog log file, which I wasn't expecting. I'm not sure how to approach this... should I be setting up a second path for the NXLog cycling? Here's what my config file is looking like:

# Keep 2 weeks of app log files
<Output app_log_cycle>
    Module om_file
    File 'C:/Users/Jeremy/Documents/myApp/myApp.log'
    <Schedule>
        When @daily
        <Exec>
            file_cycle(file_name(), 7);
            app_log_cycle->reopen();
        </Exec>
    </Schedule>
</Output>

# Keep 2 weeks of nxlog log files
<Output nxlog_log_cycle>
    Module om_file
    File 'C:/Program Files (x86)/nxlog/data/nxlog.log'
    <Schedule>
        When @daily
        <Exec>
            file_cycle(file_name(), 14);
            nxlog_log_cycle->reopen();
        </Exec>
    </Schedule>
</Output>

<Route 1>
    Path watchfile => syslogout, app_log_cycle, nxlog_log_cycle
</Route>

Thanks++ for any tips! Jeremy

JR_258437 created
Replies: 1
ERROR invalid keyword: CAThumbprint
Hey everyone! I'm attempting to use the om_ssl module on NXLog Community Edition, but checking the logs at "C:\Program Files (x86)\nxlog\data\nxlog" showed the following message:

"ERROR invalid keyword: CAThumbprint"

After not finding anything about the error above, I decided to use a combination of CAFile, CertFile, CertKeyFile and KeyPass on the Output configuration, which worked, but I'd rather use the CAThumbprint directive. What am I doing wrong? The Output tag from "C:\Program Files (x86)\nxlog\conf\nxlog.conf" looked like this:

<Output out>
    Module om_ssl
    CAThumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxx # numbers and letters, without spaces
    Host 10.0.0.10 # representative IP
    Port 1514
    Exec to_syslog_bsd();
</Output>

peggers created
Replies: 1