JP_128812 created
Hope someone can provide some pointers.
I have an application that uses a MySQL database and it is installed on Windows Server 2019. I just downloaded NXLog CE on the same Windows Server 2019. I am new to this, but the goal is to extract a table from MySQL and output it in JSON format so that I can ingest it into another platform. I would appreciate it if someone could point me in the right direction to make this work.
Thanks !
DC_475094 created
- I am using https://nxlog.co/system/files/products/files/348/nxlog-ce-2.10.2150.msi to download the nxlog file.
- I am using the configuration below:
# This is a sample configuration file. See the nxlog reference manual about the
# configuration options. It should be installed locally and is also available
# online at http://nxlog.org/docs/
# Please set the ROOT to the folder your nxlog was installed into,
# otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

<Input in>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                    <Select Path="Application">*</Select>\
                    <Select Path="Setup">*</Select>\
                    <Select Path="System">*</Select>\
                </Query>\
            </QueryList>
    # %aisiem% must be declared earlier with a define directive listing the Event IDs to keep
    <Exec>
        if ($EventID NOT IN (%aisiem%)) drop();
    </Exec>
</Input>

<Output out>
    # The module name must be followed only by a line break; the "om_udp .dll"
    # in the error log below shows a stray character after om_udp on this line.
    Module  om_udp
    Host    CCE_IP_ADDRESS
    Port    5154
    Exec    to_json();
</Output>

<Route 1>
    Path    in => out
</Route>
-
Getting this error:
2020-10-22 19:11:05 WARNING stopping nxlog service
2020-10-22 19:11:05 WARNING nxlog-ce received a termination request signal, exiting...
2020-10-22 19:11:16 ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\output\om_udp .dll, Invalid argument; Invalid argument
2020-10-22 19:11:16 ERROR module 'out' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:52
2020-10-22 19:11:16 ERROR route 1> is not functional without output modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:52
2020-10-22 19:11:16 WARNING no routes defined!
2020-10-22 19:11:16 WARNING not starting unused module in
2020-10-22 19:11:16 INFO nxlog-ce-2.10.2150 started
-
I am using Windows 10. Please suggest what I should change to configure this successfully.
PS_793095 created
Hello,
I'm trying to query some EventIDs with a specific SeverityValue in im_msvistalog; the config is something like this:
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*[System[(EventID=6005 or EventID=6008 or EventID=7036)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    if $SeverityValue NOT IN (2, 4) drop();
    Exec    $Message =~ s/(\t|\R)/ /g;
</Input>
I'm trying, as a test, to output to a file, but nothing is output.
Does anyone have a hint?
Thanks
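A complete test configuration for the question above, added here as an example and not taken from the post. It assumes the default CE install path and an output directory C:\nxlog-test (both assumptions). Two things it shows: the XPath needs the closing ']]' pair (the Select element in the posted query closes only one bracket, so the query is rejected), and im_msvistalog reads only events logged after nxlog starts unless ReadFromLast is FALSE, so on a quiet System channel the output file stays empty; ReadFromLast FALSE with SavePos FALSE replays the channel from the beginning for a one-off test.

```nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Test setting: read the whole channel instead of only new events and do not
    # remember the position, so each restart replays it. Remove both for production.
    ReadFromLast FALSE
    SavePos      FALSE
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*[System[(EventID=6005 or EventID=6008 or EventID=7036)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep INFO (2) and ERROR (4); 6005/7036 are INFO, 6008 is ERROR.
    Exec    if $SeverityValue NOT IN (2, 4) drop();
    # Flatten tabs and line breaks inside the message text.
    Exec    $Message =~ s/(\t|\R)/ /g;
</Input>

<Output test_file>
    Module    om_file
    # assumed path; CreateDir makes the directory if it is missing
    File      "C:\\nxlog-test\\eventlog.json"
    CreateDir TRUE
    Exec      to_json();
</Output>

<Route test>
    Path    eventlog => test_file
</Route>
```

Once events appear in the file, drop the ReadFromLast and SavePos lines and swap the om_file output for the real destination; the Input block stays the same.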
LP_577584 created
Hi everyone,
I'm getting this issue:
-
assignment failed at line 215, character 67 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted function 'strftime' failed at line 215, character 66 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. expression evaluation has been aborted got 'unknown' for first argument of function 'strftime(datetime, string)'.
-
if-else failed at line 208, character 277 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted procedure 'parse_csv' failed at line 208, character 129 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted Not enough fields in CSV input, expected 17, got 0 in input ''
Below is the line the error is referring to:
- Exec $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S, %z');
- }
Kindly help me fix this issue and tell me what is causing the error.
Thanks.
vishnus9330 created
Hi guys,
I need to forward some logs, but only for some users. This is my current configuration.
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>
<Extension _fileop> Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[(EventID=4720 or EventID=4634 or EventID=4625 or EventID=4624 or EventID=4726)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    $Message = 'EventID: ' + $EventID + ' Source: ' + $IpAddress + ' Username: ' + $TargetUserName;
</Input>

<Output tcp>
    Module  om_udp
    Host    xx.xxx.xx.xxx
    Port    xxx
    Exec    to_syslog_bsd();
</Output>

<Route eventlog_to_tcp>
    Path    eventlog => tcp
</Route>
Can you help me? Thank you.
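One way to restrict the forwarded events to a watch list of accounts, added here as an example and not the poster's configuration. The account names jdoe, asmith and svc-backup, the UDP destination and the install path are placeholders. It filters on $TargetUserName, which for 4624/4625/4634 is the account logging on or off and for 4720/4726 is the account being created or deleted ($SubjectUserName would select on the operator instead). The name is lower-cased before the comparison because IN is an exact string match while Windows account names are not case-sensitive, and $IpAddress is checked with defined() because events such as 4634 carry no IpAddress, which would otherwise leave $Message undefined.

```nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[(EventID=4720 or EventID=4634 or EventID=4625 or EventID=4624 or EventID=4726)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Keep only events whose target account is on the watch list (placeholder names).
    # Machine accounts (names ending in $) are dropped as noise for a per-user list.
    # The comparison uses the lower-cased name; IN compares strings exactly.
    <Exec>
        if not defined($TargetUserName) drop();
        if $TargetUserName =~ /\$$/ drop();
        $WatchedUser = lc($TargetUserName);
        if $WatchedUser NOT IN ('jdoe', 'asmith', 'svc-backup') drop();
        if not defined($IpAddress) $IpAddress = '-';
        $Message = 'EventID: ' + string($EventID) + ' Source: ' + $IpAddress + ' Username: ' + $TargetUserName;
    </Exec>
</Input>

<Output syslog_udp>
    Module  om_udp
    Host    10.0.0.10
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route eventlog_to_syslog>
    Path    eventlog => syslog_udp
</Route>
```

If the list is long or changes often, keep it in a define (define WATCHLIST 'jdoe', 'asmith') and write the condition as NOT IN (%WATCHLIST%), so only the define needs editing.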
Emanuele created
Hello,
After looking through the community forum I didn't really find the answer I was seeking.
I'm sending Windows logs to a syslog server and to Splunk.
I have an issue with parsing the Message part, as you can see: https://cdn.discordapp.com/attachments/700242491227635714/766300884971159562/unknown.png
This is my conf: https://cdn.discordapp.com/attachments/700242491227635714/766301478897451048/unknown.png https://cdn.discordapp.com/attachments/700242491227635714/766301597541335060/unknown.png
Maybe this is not the right way to do it; I have to send syslog because I then forward it to Elasticsearch and Splunk.
Thank you for your help :)
MB_318874 created
Hello. In the end I have to come to you because I can't find the way to do it and I'm going a bit crazy.
I have a record entry from a file. This file sends the data in a disorderly way and I have managed to assign it to variables.
Now the only thing I want is to create an output in a file, but in the order I need.
Example of a log entry:
user1 2020 barcelona 12 13:39 12 spaghetti
And I want an output like
Place: <variable of place> , Date: <variable of date> , Age: <variable of age>, to generate a line like this: Place : barcelona , Date : 2020 , Age : 12 ....
This is my config.
<Input LOG_IN>
    Module  im_file
    File    "C:\logs\u_ex*"
    SavePos TRUE
    <Exec>
        if $raw_event =~ /(.*?)\s"(.*?)"\s"(.*?)"\s(.*?)\s(.*?)\s(.*?)\s"(.*?)"\s"(.*?)"\s(.*?)\s(.*?)\s(.*?)\s"(.*?)"\s"(.*?)"\s(.*?)\s(.*?)\s"(.*?)"/
        {
            $a = $1;  $b = $2;  $c = $3;  $d = $4;
            $e = $5;  $f = $6;  $g = $7;  $h = $8;
            $i = $9;  $j = $10; $k = $11; $l = $12;
            $m = $13; $n = $14; $o = $15; $p = $16;
        }
    </Exec>
</Input>

<Output file>
    Module  om_file
    File    "C:\logs\output.log"
</Output>

<Route LOG_IN_to_file>
    Path    LOG_IN => file
</Route>
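An added example for the seven-field sample line above; it is not the poster's configuration, and it leaves aside the 16-field quoted layout of the posted regex. The file glob and output path follow the posted config (backslashes doubled because backslash is the escape character in double-quoted NXLog strings); the names given to the fields after Age (Time, Count, Item) are guesses for illustration. The reordered text is assigned to $raw_event, which is what om_file writes, and header lines starting with # as well as lines that do not match the pattern are dropped so the output file contains only reordered records.

```nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Input LOG_IN>
    Module  im_file
    File    "C:\\logs\\u_ex*"
    SavePos TRUE
    # Sample line, fields in file order:
    #   user1 2020 barcelona 12 13:39 12 spaghetti
    #   $1 user, $2 date, $3 place, $4 age, $5..$7 called Time, Count, Item (assumed names)
    <Exec>
        if $raw_event =~ /^#/ drop();
        if $raw_event =~ /^(\S+)\s+(\d{4})\s+(\S+)\s+(\d+)\s+(\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$/
        {
            $User  = $1;
            $Date  = $2;
            $Place = $3;
            $Age   = $4;
            $Time  = $5;
            $Count = $6;
            $Item  = $7;
            $raw_event = 'Place: ' + $Place + ' , Date: ' + $Date + ' , Age: ' + $Age + ' , User: ' + $User;
        }
        else drop();
    </Exec>
</Input>

<Output file>
    Module  om_file
    File    "C:\\logs\\output.log"
</Output>

<Route LOG_IN_to_file>
    Path    LOG_IN => file
</Route>
```

For the posted input line this writes "Place: barcelona , Date: 2020 , Age: 12 , User: user1". Adding or reordering output fields only touches the $raw_event assignment; the captures stay as they are.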
JM_782883 created
Hi. I'm new to both Graylog and NXLog. I am getting the following errors when trying to add inputs.
2020-10-14 11:48:27 WARNING stopping nxlog service
2020-10-14 11:48:27 WARNING nxlog-ce received a termination request signal, exiting...
2020-10-14 11:48:28 ERROR invalid keyword: Output at C:\Program Files (x86)\nxlog\conf\nxlog.conf:66
2020-10-14 11:48:28 ERROR module 'graylog' has configuration errors, not adding to route 'graylog_route' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:70
2020-10-14 11:48:28 ERROR route graylog_route is not functional without output modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:70
2020-10-14 11:48:28 WARNING no routes defined!
2020-10-14 11:48:28 WARNING not starting unused module win
2020-10-14 11:48:28 WARNING not starting unused module graylog
2020-10-14 11:48:28 INFO nxlog-ce-2.10.2150 started
I added the following lines to my config file
<Extension _gelf>
    Module  xm_gelf
</Extension>

<Input win>
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>
</Input>

<Output graylog>
    Module      om_udp
    Host        172.16.101.33
    Port        12201
    # "Output Type" with a space is not a directive; the error "invalid keyword: Output" points here
    OutputType  GELF
</Output>

<Route graylog_route>
    Path    win => graylog
</Route>
Any help is appreciated.
Hello, I have a question about Windows 2012 > NXLog CE > Graylog. My nxlog-ce version is 2.10.2150.
Question: I have a problem with nxlog-ce to Graylog. The logs are not going to Graylog, so I opened Windows Task Manager to look at the nxlog.exe PID and its network connection.
1. The nxlog source IP and destination is "IPv4 Loopback".
2. nxlog log: WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Microsoft-Windows-Workplace Join/Admin Microsoft-Windows-WPD-ClassInstaller/Operational Microsoft-Windows-WPD-CompositeClassDriver/Operational Microsoft-Windows-WPD-MTPClassDriver/Operational Microsoft-WS-Licensing/Admin Setup WitnessClientAdmin
my nxlog.conf
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _gelf>
    Module  xm_gelf
</Extension>

<Input in>
    Module  im_msvistalog
</Input>

<Output out>
    Module      om_udp
    # no address was given after Host in the post
    Host
    Port        10554
    OutputType  GELF
</Output>

<Route 1>
    Path    in => out
</Route>
So what can I do to solve the problem?
Please help me, thanks!
lokeliu created
Our setup: we have Windows Server 2019 servers that are forwarding some "Security" events to a single Windows Server 2019 event collector. On that single Windows Server 2019 event collector, we have installed NXLog, which is forwarding to Graylog.
Summary: servers --> event collector server (where NXLog is installed) --> Graylog server
All selected events are getting to the event collector, but only some are getting to Graylog. So the problem is somewhere on or after the event collector server.
Here is the complete NXLog config:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _gelf>
    Module  xm_gelf
    ShortMessageLength 500
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='ForwardedEvents'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module      om_tcp
    Host        graylog.local
    Port        12201
    OutputType  GELF_TCP
</Output>

<Route 1>
    Path    in => out
</Route>
Is anything obvious missing?
We have installed NXLog Community Edition on Red Hat Enterprise Linux 7.6. We included auth.conf but are not seeing any auth messages forwarded. I don't understand why rsyslog is required, since rsyslog is capable of forwarding events by itself. Please share configs and experiences getting security and auth messages to forward.
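An added example (not the poster's auth.conf) of collecting authentication messages on RHEL 7 without making nxlog take over syslog: rsyslog keeps writing the authpriv facility to /var/log/secure as it does by default, and nxlog tails that file. The collector host name and port are placeholders. The caveat this is built around is the usual cause of "no auth messages": /var/log/secure is root-owned with mode 0600, and nxlog runs as the unprivileged nxlog user, so without a read ACL (setfacl -m u:nxlog:r /var/log/secure) im_file opens nothing and logs a permission error in nxlog.log.

```nxlog
User    nxlog
Group   nxlog
LogFile /var/log/nxlog/nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input auth>
    Module  im_file
    # Written by rsyslog (authpriv.*); root:root 0600 by default, so the nxlog
    # user needs a read ACL on it, reapplied after each logrotate.
    File    "/var/log/secure"
    SavePos TRUE
    # Splits the BSD syslog line into $SyslogFacility, $Severity, $Hostname,
    # $SourceName (e.g. sshd), $ProcessID and $Message.
    Exec    parse_syslog_bsd();
</Input>

<Output collector>
    Module  om_tcp
    Host    collector.example.internal
    Port    1514
    Exec    to_json();
</Output>

<Route auth_to_collector>
    Path    auth => collector
</Route>
```

Rsyslog is not strictly required: nxlog can instead receive directly from the journal or from /dev/log with its own input modules, but then rsyslog must stop owning that socket. Reading the file is the least invasive option and keeps the local /var/log/secure audit trail intact.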
sschomer created
Hello!
I noticed that the value of the ProcessID field in a Sysmon event does not match the value of the ProcessId field which is nested in the Message field. Is this normal?
The sample Sysmon event from https://nxlog.co/documentation/nxlog-user-guide/sysmon.html is below:
{
"EventTime": "2015-04-27 15:23:46",
"Hostname": "WIN-OUNNPISDHIG",
"Keywords": -9223372036854776000,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 1,
"SourceName": "Microsoft-Windows-Sysmon",
"ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Version": 3,
"Task": 1,
"OpcodeValue": 0,
"RecordNumber": 2335906,
"ProcessID": 1680,
"ThreadID": 1728,
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "SYSTEM",
"AccountType": "Well Known Group",
"Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
"Opcode": "Info",
"UtcTime": "2015.04.27. 13:23",
"ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
"Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
"CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
"User": "WIN-OUNNPISDHIG\\Administrator",
"LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
"LogonId": "0x4edd5",
"TerminalSessionId": "2",
"IntegrityLevel": "High",
"HashType": "SHA1",
"Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
"ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
"ParentProcessId": "26544",
"ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
"ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
"EventReceivedTime": "2015-04-27 15:23:47",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog"
}
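The two numbers come from different parts of the event. The top-level ProcessID (1680 in the sample) is the Execution ProcessID from the event's System header, i.e. the PID of the process that wrote the event, which for this channel is the Sysmon service. The ProcessId inside the message (25848) is the EventData field describing the process that was created. In the sample JSON the EventData value is missing as its own key while ParentProcessId survives, which is what a name collision between the header field and the data field looks like. The configuration below is an added example, not from the page or the NXLog docs; it keeps the header PID under a clearer name and recovers the created process's PID from the message text. The install and output paths are assumptions.

```nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

<Input sysmon>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*[System[(EventID=1)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # $ProcessID is the header value: the PID of the writer (Sysmon). The PID of
    # the reported process is on the "ProcessId: <pid>" line of the message; the
    # \b keeps the pattern from matching inside "ParentProcessId:".
    <Exec>
        $LoggingProcessID = $ProcessID;
        if $Message =~ /\bProcessId: (\d+)/ $SysmonProcessId = integer($1);
    </Exec>
</Input>

<Output out>
    Module    om_file
    File      "C:\\nxlog-test\\sysmon.json"
    CreateDir TRUE
    Exec      to_json();
</Output>

<Route sysmon_to_file>
    Path    sysmon => out
</Route>
```

On the sample event this yields LoggingProcessID 1680 and SysmonProcessId 25848 side by side, so a detection that joins on the created process's PID (for example against event 3 network connections from the same process) no longer keys on the Sysmon service PID by mistake.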
Alexander created
Hi - pardon my ignorance
I would like to use the om_python module to run a Python script, s3_write.py, which outputs to an S3 bucket on AWS. I noticed the module wasn't included in the Community Edition, so I downloaded a trial of Enterprise and installed it, but im_python and om_python are not included with that either, nor can I find anywhere to download that module. How can I get hold of om_python please?
Kind regards
SD_119859 created
Installing NXLog on a Windows Server 2008 SP2 server. There is no C:\Program Files (x86) directory, only Program Files. The service won't start because it is unable to find the Program Files (x86) directory. Are there other steps that need to be done to get this to work?
BS_816201 created
Windows Server 2019
NXLOG-CE 2.10.21.50
I have difficulties transferring Windows 2016/2019 security logs to a syslog host.
I think that my nxlog.conf is not working right; sometimes I receive the logs and sometimes not.
Can you help me please?
###############
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input in_eventlog>
# For Windows 2008/Vista/7/8/2012/2012R2 and later use the following:
Module im_msvistalog
Query <QueryList> \
<Query Id="0"> \
<Select Path="Security">*[System[(EventID=1100)]]</Select> \
<Select Path="Security">*[System[(EventID=4768)]]</Select> \
<Select Path="Security">*[System[(EventID=4769)]]</Select> \
<Select Path="Security">*[System[(EventID=4771)]]</Select> \
<Select Path="Security">*[System[(EventID=4616)]]</Select> \
<Select Path="Security">*[System[(EventID=4625)]]</Select> \
<Select Path="Security">*[System[(EventID=4647)]]</Select> \
<Select Path="Security">*[System[(EventID=4648)]]</Select> \
<Select Path="Security">*[System[(EventID=4656)]]</Select> \
<Select Path="Security">*[System[(EventID=4719)]]</Select> \
<Select Path="Security">*[System[(EventID=4720)]]</Select> \
<Select Path="Security">*[System[(EventID=4722)]]</Select> \
<Select Path="Security">*[System[(EventID=4723)]]</Select> \
<Select Path="Security">*[System[(EventID=4724)]]</Select> \
<Select Path="Security">*[System[(EventID=4725)]]</Select> \
<Select Path="Security">*[System[(EventID=4726)]]</Select> \
<Select Path="Security">*[System[(EventID=4727)]]</Select> \
<Select Path="Security">*[System[(EventID=4728)]]</Select> \
<Select Path="Security">*[System[(EventID=4729)]]</Select> \
<Select Path="Security">*[System[(EventID=4730)]]</Select> \
<Select Path="Security">*[System[(EventID=4731)]]</Select> \
<Select Path="Security">*[System[(EventID=4732)]]</Select> \
<Select Path="Security">*[System[(EventID=4733)]]</Select> \
<Select Path="Security">*[System[(EventID=4734)]]</Select> \
<Select Path="Security">*[System[(EventID=4735)]]</Select> \
<Select Path="Security">*[System[(EventID=4737)]]</Select> \
<Select Path="Security">*[System[(EventID=4738)]]</Select> \
<Select Path="Security">*[System[(EventID=4739)]]</Select> \
<Select Path="Security">*[System[(EventID=4740)]]</Select> \
<Select Path="Security">*[System[(EventID=4741)]]</Select> \
<Select Path="Security">*[System[(EventID=4742)]]</Select> \
<Select Path="Security">*[System[(EventID=4743)]]</Select> \
<Select Path="Security">*[System[(EventID=4744)]]</Select> \
<Select Path="Security">*[System[(EventID=4745)]]</Select> \
<Select Path="Security">*[System[(EventID=4748)]]</Select> \
<Select Path="Security">*[System[(EventID=4749)]]</Select> \
<Select Path="Security">*[System[(EventID=4750)]]</Select> \
<Select Path="Security">*[System[(EventID=4753)]]</Select> \
<Select Path="Security">*[System[(EventID=4754)]]</Select> \
<Select Path="Security">*[System[(EventID=4755)]]</Select> \
<Select Path="Security">*[System[(EventID=4756)]]</Select> \
<Select Path="Security">*[System[(EventID=4758)]]</Select> \
<Select Path="Security">*[System[(EventID=4759)]]</Select> \
<Select Path="Security">*[System[(EventID=4760)]]</Select> \
<Select Path="Security">*[System[(EventID=4763)]]</Select> \
<Select Path="Security">*[System[(EventID=4764)]]</Select> \
<Select Path="Security">*[System[(EventID=4767)]]</Select> \
<Select Path="Security">*[System[(EventID=4778)]]</Select> \
<Select Path="Security">*[System[(EventID=4783)]]</Select> \
<Select Path="Security">*[System[(EventID=4800)]]</Select> \
<Select Path="Security">*[System[(EventID=4801)]]</Select> \
<Select Path="System">*[System[(EventID=7036)]]</Select> \
<Select Path="Application">*[System[(EventID=18454)]]</Select> \
<Select Path="Application">*[System[(EventID=18456)]]</Select> \
</Query> \
</QueryList>
Exec $Message=to_json();
# to_syslog_bsd();
# Exec $ModuleType = 'event_log';
# ReadFromLast TRUE
</Input>
<Output out_eventlog>
Module om_udp
Host xx.xx.xx.xx
#Port 514
Exec to_syslog_bsd();
</Output>
<Route eventlog>
Path in_eventlog => out_eventlog
</Route>
#####################################
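The output above sends each record over UDP, which gives no delivery guarantee: datagrams that are dropped on the way, or that the receiver cannot take fast enough, vanish silently, and Security events serialized with to_json() are large, so intermittent receipt is the expected symptom. The configuration below is an added example, not the poster's file; the syslog host and port are placeholders. It moves the same pipeline to om_tcp, where nxlog reconnects and buffers when the receiver is unavailable, and uses to_syslog_ietf() so the RFC 5424 header carries a full timestamp with year and timezone (to_syslog_bsd() works the same way if the receiver only speaks RFC 3164). The Select list is shortened for the example; the full list from the posted config goes in the same place, kept split over several Select elements, because the Windows event log rejects XPath queries with too many expressions in one selector.

```nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input in_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[(EventID=1100 or EventID=4624 or EventID=4625 or EventID=4648 or EventID=4720 or EventID=4726 or EventID=4740)]]</Select>
                <Select Path='System'>*[System[(EventID=7036)]]</Select>
                <Select Path='Application'>*[System[(EventID=18454 or EventID=18456)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # The whole event, including its parsed EventData fields, becomes the syslog MSG part.
    Exec    $Message = to_json();
</Input>

<Output out_syslog>
    Module  om_tcp
    Host    syslog.example.internal
    Port    1514
    Exec    to_syslog_ietf();
</Output>

<Route eventlog>
    Path    in_eventlog => out_syslog
</Route>
```

If the receiver accepts TLS, om_ssl with the same Exec line replaces om_tcp and keeps the Security log contents off the wire in clear text; the module must be built into the CE package installed, which nxlog.log reports at startup if it is not.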