Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Windows Eventlog string filter
TI_825837 created
OS: Windows Server 2016
NXLog: CE-2.10.2150
I want to filter the Windows event log by message string ("Test_Message").
It doesn't work. Please tell me what's wrong.
[nxlog.conf]
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets shift_jis, utf-8
</Extension>

###################################
# define input
###################################
define SystemError 10016, 10028, 36882

<Input in_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>

    <Exec>
        # string literals must use straight quotes, not typographic ones
        if ($EventID IN (%SystemError%) and
            ($Data == 'Test_Message')
           ) drop();
    </Exec>
    Exec convert_fields("shift_jis", "utf-8");
</Input>

###################################
# define output
###################################
<Output out_eventlog>
    Module om_udp
    Host **********
    Port 514
</Output>

###################################
# Route monitor
###################################
<Route route>
    Path in_eventlog => out_eventlog
</Route>
[Windows Eventlog] (XML)
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="EventLog" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-09-09T01:41:53.762804400Z" />
    <EventRecordID>16834</EventRecordID>
    <Channel>System</Channel>
    <Computer>sv-otebk.ads.nttdata.co.jp</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Test_Message</Data>
  </EventData>
</Event>
TI_825837 created
Official NXLog conf mistake? MS AD Security Events don't match Channel
RC_170741 created
Hi ,
I'm not sure if this is an NXLog conf mistake, or if I misunderstood it. The official NXLog conf file:
https://nxlog.co/documentation/nxlog-user-guide/ad-domain-controller.html
The event IDs included in the conf file seem to be found in Domain Controller -> Event Viewer -> Windows Logs -> Security.
But in the conf file below, NXLog is trying to look for these events in "Directory Service", with [System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService']]].
I did a test and it seems that in "Directory Service" there are almost 0 events of those listed in "HighEventIds", "MediumEventIds" and "LowEventIds".
Can someone tell me if this is a mistake in the official NXLog conf file, or if I'm misunderstanding the conf file configuration?
Thanks
define HighEventIds 4618, 4649, 4719, 4765, 4766, 4794, 4897, 4964, 5124, 1102

# a define that spans several lines needs a trailing backslash on each continued line
define MediumEventIds 4621, 4675, 4692, 4693, 4706, 4713, 4714, 4715, 4716, 4724, \
                      4727, 4735, 4737, 4739, 4754, 4755, 4764, 4764, 4780, 4816, \
                      4865, 4866, 4867, 4868, 4870, 4882, 4885, 4890, 4892, 4896, \
                      4906, 4907, 4908, 4912, 4960, 4961, 4962, 4963, 4965, 4976, \
                      4977, 4978, 4983, 4984, 5027, 5028, 5029, 5030, 5035, 5037, \
                      5038, 5120, 5121, 5122, 5123, 5376, 5377, 5453, 5480, 5483, \
                      5484, 5485, 6145, 6273, 6274, 6275, 6276, 6277, 6278, 6279, \
                      6280, 24586, 24592, 24593, 24594

define LowEventIds 4608, 4609, 4610, 4611, 4612, 4614, 4615, 4616, 4624, 4625, \
                   4634, 4647, 4648, 4656, 4657, 4658, 4660, 4661, 4662, 4663, \
                   4672, 4673, 4674, 4688, 4689, 4690, 4691, 4696, 4697, 4698, \
                   4699, 4700, 4701, 4702, 4704, 4705, 4707, 4717, 4718, 4720, \
                   4722, 4723, 4725, 4726, 4728, 4729, 4730, 4731, 4732, 4733, \
                   4734, 4738, 4740, 4741, 4742, 4743, 4744, 4745, 4746, 4747, \
                   4748, 4749, 4750, 4751, 4752, 4753, 4756, 4757, 4758, 4759, \
                   4760, 4761, 4762, 4767, 4768, 4769, 4770, 4771, 4772, 4774, \
                   4775, 4776, 4778, 4779, 4781, 4783, 4785, 4786, 4787, 4788, \
                   4789, 4790, 4869, 4871, 4872, 4873, 4874, 4875, 4876, 4877, \
                   4878, 4879, 4880, 4881, 4883, 4884, 4886, 4887, 4888, 4889, \
                   4891, 4893, 4894, 4895, 4898, 5136, 5137

<Input events>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Directory Service">
                <Select Path="Directory Service">*[System[Provider[
                    @Name='Microsoft-Windows-ActiveDirectory_DomainService']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID NOT IN (%HighEventIds%)) and
           ($EventID NOT IN (%MediumEventIds%)) and
           ($EventID NOT IN (%LowEventIds%)) drop();
    </Exec>
</Input>
RC_170741 created
How do I implement this desired log retention?
mburgess created
New to nxlog and have it deployed on several test systems.
I have multiple log files under C:\Program Files\nxlog\data which combined are more than 27GB of data:
nxlog.log.1
nxlog.log.2
nxlog.log.3
and so on...
Are these the logs generated by the om_file module? How do I rotate them? I've read the documentation, but am a little confused.
I've outlined the criteria that I'm wanting to implement for log retention - any help is much appreciated.
Desired Retention Criteria
Each log file is 100mb in size
No more than 5 log files
Anything beyond that is deleted
mburgess created
Nxlog Community Edition package for Debian Buster
pboniface created
Hi all,
I'm looking for a Debian Buster package for nxlog-ce but I've noticed that it's not available on the download page.
Is there a reason? Can I expect a future release soon?
Thank you very much for your assistance.
Paul.
pboniface created
Access event ID with NXLog Enterprise remotely
FF_968534 created
Hi all
I'd like to know if I could access the Windows logs of a Windows Server 2003 without installing an agent locally. I'd like to use only one NXLog on a central server (Linux CentOS 7) and access different servers agentless.
Is it possible?
I see that one option is
using the im_wmi input module, which can pull event log data remotely over the WMI protocol.
Do you have a sample in order to implement this option?
Thank you
Franco
FF_968534 created
NXLog to read multiple CSV files and send them to SIEM
sunilj777 created
We have a requirement to read CSV files from one folder, which are auto-generated by the application with a new file name at a scheduled time, e.g. every 1 hour or 4 hours.
Following are the fields of first CSV file
Example File Name: Tue Aug 25 20-21-49 2020_SessionHistory.CSV
SessionID,User ID,Scan Time,Total Files Scanned,Total Files Processed,Total Files Skipped,Total Files Allowed,Total Files Blocked,Device ID,Device Type,Device Manufacturer,Device Model,Device Serial Number
56749F51A4-53CC-4CCF-B606-42334680F890,"Labuser1","08/28/2020 08:24:35",2,2,0,2,0,"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000010112115155&0","USB Device","(Standard disk drives)","SanDisk Cruzer Blade USB Device","4C530000010112115155"
56749F51A4-53CC-4CCF-B606-42334680F890,"Labuser2","08/28/2020 09:24:35",2,2,0,2,0,"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000010112115155&0","USB Device","(Standard disk drives)","SanDisk Cruzer Blade USB Device","4C530000010112115155"
56749F51A4-53CC-4CCF-B606-42334680F890,"Labuser3","08/28/2020 09:24:35",2,2,0,2,0,"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000010112115155&0","USB Device","(Standard disk drives)","SanDisk Cruzer Blade USB Device","4C530000010112115155"
Following are the fields of 2nd CSV file
SessionID,File Name,SHA-256,Scan Result,Scan Result Description
50167E52-0380-4191-9DFC-8E1454948C50,E:\eicarcom2.zip,E1105070BA828007508566E28A2B8D4C65D192E9EAF3B7868382B7CAE747B397,0, Threat Detected
50167E52-0380-4191-9DFC-8E1454948C51,E:\eicarcom3.zip,E1105070BA828007508566E28A2B8D4C65D192E9EAF3B7868382B7CAE747B397,0, Threat Detected
50167E52-0380-4191-9DFC-8E1454948C51,E:\eicarcom4.zip,E1105070BA828007508566E28A2B8D4C65D192E9EAF3B7868382B7CAE747B397,0, Threat Detected
I am looking for an NXLog config to read both CSV files and send them to the SIEM as multiple lines, i.e. the headings should show only once per CSV file like the ones above. In my case the headings are showing for each line. Ex:
SessionID,File Name,SHA-256,Scan Result,Scan Result Description
50167E52-0380-4191-9DFC-8E1454948C51,E:\eicarcom3.zip,E1105070BA828007508566E28A2B8D4C65D192E9EAF3B7868382B7CAE747B397,0, Threat Detected
SessionID,File Name,SHA-256,Scan Result,Scan Result Description
50167E52-0380-4191-9DFC-8E1454948C51,E:\eicarcom3.zip,E1105070BA828007508566E28A2B8D4C65D192E9EAF3B7868382B7CAE747B397,0, Threat Detected
Also, in cases where the application generates the reports every 1 hour but the data is empty (only the headings), I want to ignore such files which have only headings and no data.
# Here is my nxlog config
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension csv>
    Module xm_csv
    # field names cannot contain spaces; the sample files above are comma-delimited
    Fields $SessionID, $FileName, $SHA-256, $ScanResult, $ScanResultDescription
    FieldTypes string, string, string, string, string
    Delimiter ,
    EscapeControl TRUE
</Extension>

<Input in1>
    Module im_file
    File 'C:\Program Files (x86)\ExportedLogs\*.csv'
    Exec csv->parse_csv();
</Input>

<Output out>
    Module om_udp
    Host xx.xx.xx.xx
    Port 514
</Output>

<Route r>
    Path in1 => out
</Route>
Regards
Sunil
sunilj777 created
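An added stand-alone Python model of the ingestion the post asks for (this is not NXLog code and not part of the post): it consumes the header line of each report once, emits one JSON record per data row with the originating file name attached, collapses the spaced column names to NXLog-style field names, and returns nothing for a header-only report. The sample files are constructed from the rows quoted above, using the comma delimiter they actually have; `SourceFile` is an assumed attribute name.

```python
"""Added example (not from the post): read the two report CSV layouts, emit one
JSON record per data row with the header consumed once, skip header-only files."""
import csv
import io
import json

# Constructed sample files modelled on the two layouts in the post.
SESSION_CSV = (
    "SessionID,User ID,Scan Time,Total Files Scanned,Total Files Processed,"
    "Total Files Skipped,Total Files Allowed,Total Files Blocked,Device ID,"
    "Device Type,Device Manufacturer,Device Model,Device Serial Number\n"
    '56749F51A4-53CC-4CCF-B606-42334680F890,"Labuser1","08/28/2020 08:24:35",'
    '2,2,0,2,0,"USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\\4C530000010112115155&0",'
    '"USB Device","(Standard disk drives)","SanDisk Cruzer Blade USB Device","4C530000010112115155"\n'
)
FILE_CSV = (
    "SessionID,File Name,SHA-256,Scan Result,Scan Result Description\n"
    "50167E52-0380-4191-9DFC-8E1454948C50,E:\\eicarcom2.zip,"
    "E1105070BA828007508566E28A2B8D4C65D192E9EAF3B7868382B7CAE747B397,0, Threat Detected\n"
    "\n"  # a blank trailing line, which must not become a record
)
HEADER_ONLY_CSV = "SessionID,File Name,SHA-256,Scan Result,Scan Result Description\n"


def field_name(header):
    """Collapse 'Scan Result Description' -> 'ScanResultDescription';
    NXLog field names cannot contain spaces."""
    return "".join(header.split())


def parse_report(text, source_name):
    """Return one dict per data row; the header row is consumed exactly once
    and a header-only (or empty) report yields no records."""
    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:
        return []
    names = [field_name(h) for h in header]
    records = []
    for row in reader:
        if not any(cell.strip() for cell in row):
            continue  # blank line
        rec = {"SourceFile": source_name}  # assumed attribute name
        rec.update({n: v.strip() for n, v in zip(names, row)})
        records.append(rec)
    return records


def to_json_lines(text, source_name):
    """One JSON document per data row, ready to ship as a line-based stream."""
    return [json.dumps(r, sort_keys=True) for r in parse_report(text, source_name)]


if __name__ == "__main__":
    for name, text in (("session.csv", SESSION_CSV), ("files.csv", FILE_CSV),
                       ("empty.csv", HEADER_ONLY_CSV)):
        for line in to_json_lines(text, name):
            print(line)
```

Each emitted line carries the column names as JSON keys, so the receiving SIEM sees the heading information once per record without a separate heading line, and a report that contains only its heading produces no output at all.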
Attempting to debug om_http over ssl -- getting 400 Bad Request
MB_244413 created
While we have been using NXLog for years, we have always just had it forward logs to third party for evaluation. Now we are trying to forward some Windows Application Log events to a Slack channel.
We can target the correct Windows Server Application events based on an EventID and output them to a text file using NXLog. But when we are trying to use om_http to Slack we are getting an error: 400 Bad Request.
Previously we were getting errors around certs that they could not be evaluated, but we now have the certificates in a directory and a directive in our output for om_http and that error seems to have gone away.
We have tried a simple Exec $message = "Hello" at the end of our input stanza just to simplify (and eliminate any special characters) what we might be sending to Slack.
Slack is expecting a JSON format.
In our output om_http stanza, we specify:
Exec to_json();
ContentType application/json
nxlog.log just continuously shows this:
2020-08-27 21:06:42 ERROR HTTP response status is not OK: 400 Bad Request
2020-08-27 21:06:51 INFO reconnecting in 0 seconds
2020-08-27 21:06:51 ERROR http response timeout from server
2020-08-27 21:06:51 INFO connecting to hooks.slack.com:443
2020-08-27 21:06:52 ERROR HTTP response status is not OK: 400 Bad Request
2020-08-27 21:07:01 INFO reconnecting in 0 seconds
2020-08-27 21:07:01 ERROR http response timeout from server
2020-08-27 21:07:01 INFO connecting to hooks.slack.com:443
2020-08-27 21:07:02 ERROR HTTP response status is not OK: 400 Bad Request
I started to go down the path of Wireshark to do some packet captures. All the traffic is encrypted, and I was hoping to capture the keys using a Windows environment variable (SSLKEYLOGFILE) on the NXLog host but that was to no avail.
Anyone can tell me what I might be missing? I'm afraid I may have a fundamental misunderstanding, or just not seeing the obvious.
MB_244413 created
ODBC Oracle setup
SM_778470 created
Has anyone managed to set up ODBC for Oracle? Please help, I am running NXLog on Red Hat 7.
SM_778470 created
Windows Server DNS analytical collection
BD_656683 created
Hello
I'm testing your NXLog EE in order to collect DNS Analytics from Windows Server 2012.
I got error message below :
2020-08-24 18:32:51 ERROR [im_msvistalog|ms_vistalog_filtered_dns] failed to seek to saved position in file 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl' (error:50): This request is not supported.
2020-08-24 18:34:53 ERROR [im_msvistalog|ms_vistalog_filtered_dns] failed to seek to saved position in file 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl' (error:50): This request is not supported.
2020-08-24 18:36:54 ERROR [im_msvistalog|ms_vistalog_filtered_dns] failed to seek to saved position in file 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl' (error:50): This request is not supported.
2020-08-24 18:38:55 ERROR [im_msvistalog|ms_vistalog_filtered_dns] failed to seek to saved position in file 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl' (error:50): This request is not supported.
2020-08-24 18:40:55 ERROR [im_msvistalog|ms_vistalog_filtered_dns] failed to seek to saved position in file 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl' (error:50): This request is not supported.
2020-08-24 18:42:56 ERROR [im_msvistalog|ms_vistalog_filtered_dns] failed to seek to saved position in file 'C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl' (error:50): This request is not supported.
This is the configuration applied :
<Input ms_vistalog_filtered_dns>
    Module im_msvistalog
    File C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl
    PollInterval 60
    # a multi-line statement belongs in an <Exec> block
    <Exec>
        if ($QNAME == 'americas1.notify.windows.com.akadns.net.') OR
           ($QNAME == 'cy2.vortex.data.microsoft.com.akadns.net.') OR
           ($QNAME == 'dm3p.wns.notify.windows.com.akadns.net.') OR
           ($QNAME == 'geo.vortex.data.microsoft.com.akadns.net.') OR
           ($QNAME == 'v10-win.vortex.data.microsoft.com.akadns.net.') OR
           ($QNAME == 'v10-win.vortex.data.microsoft.com.akadns.NET.') OR
           ($QNAME == 'v10.vortex-win.data.microsoft.com.') OR
           ($QNAME == 'wns.notify.windows.com.akadns.net.') OR
           ($QNAME == 'wns.notify.windows.com.akadns.NET.') OR
           ($QNAME == 'client.wns.windows.com.') OR
           ($QTYPE == '15')
            drop();
    </Exec>
</Input>
BD_656683 created
Syslog in small files
JA_808690 created
Hi
I've been running NXLog Community Edition for years with this configuration:
########################################
<Extension exec>
    Module xm_exec
</Extension>
<Extension syslog>
    Module xm_syslog
</Extension>
<Input syslog514udp>
    Module im_udp
    Port 514
    Host 0.0.0.0
</Input>
<Input syslog514tcp>
    Module im_tcp
    Port 514
    Host 0.0.0.0
</Input>
<Output consolefile>
    Module om_file
    File $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
    # Prepend a timestamp to the event
    Exec $raw_event = now() + " " + $raw_event;
    CreateDir TRUE
</Output>
<Output cdrfile>
    Module om_file
    File $MessageSourceAddress+"/CDR/CDR-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
    Exec if $raw_event =~ /<142>|<141>[S=\d+]\s|(.) / {
        $raw_event = $1 ;
    }
    else
        drop();
    CreateDir TRUE
</Output>
<Output cdrlogger>
    Module om_udp
    Host 127.0.0.1
    Port 1514
    Exec if $raw_event =~ /<142>|<141>[S=\d+]\s|(.) / {
        $raw_event = $1 ;
    }
    else
        drop();
</Output>
<Route udp>
    Priority 1
    Path syslog514udp => consolefile, cdrfile, cdrlogger
</Route>
<Route tcp>
    Priority 2
    Path syslog514tcp => consolefile, cdrfile, cdrlogger
</Route>
###############################################
With this configuration I receive one log file per hour. Now I have a system which generates a 400MB file, which is too large for my syslog viewer. Is there a way to get multiple files per hour? Let's say four 100MB files per hour.
I've tried to extend my configuration with:
<Exec>
    if file->file_size() > 100M
    {
        $newfile = "tmp/output_" + $Hostname + "_" +
                   strftime(now(), "%Y%m%d%H%M%S");
        file->rotate_to($newfile);
        exec_async("/bin/bzip2", $newfile);
    }
</Exec>
But I get the following error:
couldn't parse statement at line 24, character 28 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; module file not found
Line 24 is the if statement. All required modules are in the module folder.
Does somebody have a hint?
JA_808690 created
Timestamps sent out by NXLog are wrong
CM_035570 created
I'm getting in syslog info from network devices. It looks like this:
id=scsonicwall sn=18B169F5XXXX time="2020-08-24 19:32:49" fw=64.20.130.54 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" srcMac=00:01:5c:71:c6:46 src=173.188.249.226:58706:X1 srcZone=Untrusted natSrc=173.188.249.226:58706 dstMac=00:50:56:80:66:a6 dst=10.10.12.5:443:X0 dstZone=Trusted natDst=X.x.x.x:443 proto=tcp/https sent=920 rcvd=3262 spkt=10 rpkt=6 cdur=666 rule="14 (WAN->LAN)" app=11 n=2617279 fw_action="NA" dpi=0
When NXLog is relaying this out to Loggly, it's boogering up the timestamps:
<134>1 2020-12-31T19:00:00.000000-05:00 10.10.12.1 - - - [XXXXXX@41058 tag="windows"] {"MessageSourceAddress":"10.10.12.1","EventReceivedTime":"2020-08-24 20:05:06","SourceModuleName":"udp","SourceModuleType":"im_udp","SyslogFacilityValue":16,"SyslogFacility":"LOCAL0","SyslogSeverityValue":6,"SyslogSeverity":"INFO","SeverityValue":2,"Severity":"INFO","Hostname":"10.10.12.1","EventTime":"2020-12-31 19:00:00","Message":"id=scsonicwall sn=18B169F52958 time="2020-08-24 20:05:06" fw=X.X.X.X pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=206.74.83.165:61555:X1 natSrc=206.74.83.165:61555 dst=10.10.12.5:443:X0 natDst=X.X.X.X:443 proto=tcp/https sent=52 app=11 n=131486 fw_action="NA" dpi=0"}
Note that the "time" field internal to the message is correct, but the EventTime and the timestamp at the beginning of the message are completely wrong.
My config is below. What do I need to do to fix this?
# This is a sample NXLog configuration file created by Loggly. June 2013
# See the nxlog reference manual about the configuration options.
# It should be installed locally and is also available
# online at https://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
# Please set the ROOT to the folder your nxlog was installed into,
# otherwise it will not start.
#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
<Extension fileop>
    Module xm_fileop
</Extension>
<Extension json>
    Module xm_json
</Extension>
<Extension syslog>
    Module xm_syslog
</Extension>
<Input internal>
    Module im_internal
    Exec $Message = to_json();
</Input>

# Windows Event Log
#<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
#Module im_msvistalog
#Uncomment im_mseventlog for Windows XP/2000/2003
#Module im_mseventlog
#Exec $Message = to_json();
#</Input>

<Processor buffer>
    Module pm_buffer
    # 100Mb disk buffer
    MaxSize 102400
    Type disk
</Processor>
<Input udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    Exec parse_syslog_ietf();
    Exec $Message = to_json();
</Input>
<Output out>
    Module om_tcp
    Host logs-01.loggly.com
    Port 514
    Exec to_syslog_ietf(); $raw_event =~ s/\[NXLOG.*?\]/\[XXXXXXXXXXXX@41058 tag="windows"\]/g;
</Output>
<Route 1>
    Path udp, internal => buffer => out
</Route>
CM_035570 created
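An added stand-alone Python model (this is not NXLog code and not part of the post) of the parsing these SonicWall records need: the PRI is split into facility and severity, the key=value body is parsed with quoted values kept intact, and the event time is taken from the device's own `time="..."` field inside the message instead of from whatever a syslog header parser produced. The datagram is constructed from the line quoted in the post; the `SyslogFacilityValue`, `SyslogSeverityValue`, `Message` and `EventTime` names mirror the fields shown in the post's output, and everything else is an assumption.

```python
"""Added example (not from the post): parse a syslog datagram whose body is
SonicWall key=value text and derive the event time from the embedded time field."""
import re
from datetime import datetime

# Constructed datagram modelled on the line in the post (PRI 134 = local0.info).
SAMPLE = ('<134>id=scsonicwall sn=18B169F5XXXX time="2020-08-24 19:32:49" '
          'fw=64.20.130.54 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" '
          'src=173.188.249.226:58706:X1 dst=10.10.12.5:443:X0 proto=tcp/https '
          'rule="14 (WAN->LAN)" fw_action="NA" dpi=0')

PRI_RE = re.compile(r'^<(\d{1,3})>')
# key=value where the value is either a double-quoted string (with \" escapes)
# or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_pri(line):
    """Split the <PRI> prefix into (facility, severity, body).
    Returns (None, None, line) when there is no PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri >> 3, pri & 7, line[m.end():]


def parse_kv(body):
    """Parse key=value pairs; quoted values keep their inner spaces."""
    fields = {}
    for key, raw in KV_RE.findall(body):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def parse_sonicwall(line):
    """Build an event record; EventTime comes from the device's time field."""
    facility, severity, body = parse_pri(line)
    fields = parse_kv(body)
    event = {"SyslogFacilityValue": facility,
             "SyslogSeverityValue": severity,
             "Message": body,
             **fields}
    if "time" in fields:
        # The firewall stamps its own clock inside the message; prefer it.
        event["EventTime"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return event


if __name__ == "__main__":
    ev = parse_sonicwall(SAMPLE)
    print(ev["EventTime"], ev["msg"], ev["src"], "->", ev["dst"])
```

The header parser only ever sees `<134>` followed directly by `id=...`, so there is no header timestamp to trust; the device's `time` value is the only clock in the datagram, and the record's `EventTime` is set from it (in the device's local time, which the model does not convert).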
Module om_tcp - TCP idle connection question
CraigH created
<Output out>
Module om_tcp
Host 10.xx.xx.10
Port 10514
Exec to_json();
</Output>
<Route 1>
Path eventlog,dnslog => out
</Route>
Hi There,
When using the "om_tcp" output module, is there a TCP timeout related to this? Or does NXLog open a connection and let it sit idle until data is sent?
Many thanks
Craig
CraigH created
Working NXLog configuration to send network device syslog info to Loggly?
CM_035570 created
Trying to set up NXLog to send syslog info from network devices to Loggly. I can see that it's sending the data and then relaying it to Loggly, but it is NOT manipulating the headers for the inputs received via UDP 514. It does send the Windows information (which I don't even want). I can see the information going out unchanged using Wireshark.
Below is what I've got set up, and I would appreciate any assistance (or maybe a WORKING configuration sample) to straighten this out.
<Input udp>
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>
<Output out>
Module om_tcp
Host logs-01.loggly.com
Port 514
Exec to_syslog_ietf();
Exec $raw_event =~ s/([.*])//g; $raw_event = replace($raw_event, '{', '[XXXXXXXXXXXXXXXXXXXXXXXX@41058 tag="windows"] {', 1);
#Use the following line for debugging (uncomment the fileop extension above as well)
Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
</Output>
<Route 1>
Path udp, internal, eventlog => buffer => out
Path udp, internal, eventlog => out
</Route>
CM_035570 created
Delay event processing
LukeOrins created
Hi everyone! I'm trying to delay an event's processing for a second, i.e. if an event has a description I'll delay the output for a period. I found the sleep method in the documentation, but it's not working as intended. Below is how my input is configured:
<Input input_file>
    Module im_file
    File "%LOGPATH%"
    ReadFromLast TRUE
    Recursive FALSE
    <Exec>
        if ($raw_event =~ /UPDATE/)
        {
            parse_json();
        }
        else if ($raw_event =~ /DELETE/)
        {
            sleep(2000); # wait 2 seconds before processing this event
            parse_json();
        }
    </Exec>
</Input>
Is it possible to delay/wait for a few seconds before processing an event?
Thank you in advance!
LukeOrins created
Enterprise version
SM_778470 created
Good day, I need help buying the Enterprise version. I've sent multiple emails but I still haven't had assistance.
SM_778470 created
nxlog on XP machine
ssingam created
Hi
I am trying to install nxlog on XP machine but I couldn't troubleshoot the error. Following is the error I am seeing on XP machine:
2020-08-20 15:54:06 WARNING nxlog-ce received a termination request signal, exiting...
2020-08-20 15:54:10 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:37
2020-08-20 15:54:10 ERROR module 'in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:52
2020-08-20 15:54:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:52
2020-08-20 15:54:10 WARNING no routes defined!
2020-08-20 15:54:10 WARNING not starting unused module in
2020-08-20 15:54:10 WARNING not starting unused module out
2020-08-20 15:54:10 INFO nxlog-ce-2.10.2150 started
ssingam created
Can't get NXLog to find files with spaces and commas in the name on Windows
jasongordon1 created
I can't seem to get my im_file input to find my files. They are on a network mount that is mapped to the Z drive.
This is the actual file:
Z:\WebCom\DDIWebCm Log Thursday, August 20, 2020.txt
I have tried to point the input directly to it and even tried wildcards. For example:
File "Z:\WebCom\DDIWebCm*.txt"
Yields
2020-08-20 13:50:29 ERROR failed to open directory: Z:\WebCom: The system cannot find the path specified.
Any ideas for me? Thanks in advance
jasongordon1 created
Read network shared log from nxlog
RV_843257 created
Hi
Requirement: Reading logs of multiple servers from a single server
Is there any way to read a network shared log file like "\\RemoteServer\Remotelog.log" using nxlog?
I tried using the im_file module but did not succeed; kindly let me know whether it is possible or not.
BR,
Ravi
RV_843257 created
Get the im_file path
Arunakalla created
How can I get the file path from im_file and pass it as a variable in the Output? As you can see I am using Recursive TRUE, and I want to know which file, from which directory, the current message came from.
<Input tst>
    Module im_file
    File "/home/*.log"
    Recursive TRUE
</Input>
<Output tst_testfile>
    Module om_file
    File "/home/user/nxlogtest"
    <Exec>
        $tst_filepath = ??;
        $Message = $raw_event; to_json();
    </Exec>
</Output>
<Route tst_out>
    # route must reference the module names defined above
    Path tst => tst_testfile
</Route>
Arunakalla created
xm_kvp not working as expected
seroal22 created
Hi all,
I want to send these text log files to a syslog service. Now I'm stuck with xm_kvp, because it manipulates the data in a way I don't expect. The data looks as follows:
"srv1","IAS",08/01/2020,10:33:39,1,"123\xyz","123\xyz","dc-aa-94-96-52-70:WLAN-XYZ","f8-aa-4e-24-bc-7c",,,"wlc01","1.1.1.1",13,0,"1.1.1.1","wlc01",,,19,,,2,5,"wlan-xyz-01",0,"311 1 4.4.4.4 03/25/2020 14:12:43 689",,,,,,,,,"5e8427b3/f8:aa:4e:24:bc:7c/133777",,,,,,,,,13,6,,,,"49",,,,,,,,,,,"Wireless-hj",1,,,,
So there are comma-separated values, without field names. I want to create KVP values and send them to syslog via UDP. Let's focus on the formatted data.
So this is my code:
#####################
<Extension csv1>
Module xm_csv
Fields $ComputerName, $ServiceName, $Record-Date, $Record-Time, $Packet-Type, $User-Name, $Fully-Qualified-Distinguished-Name, $Called-Station-ID, $Calling-Station-ID, $Callback-Number, $Framed-IP-Address, $NAS-Identifier, $NAS-IP-Address, $NAS-Port, $Client-Vendor, $Client-IP-Address, $Client-Friendly-Name, $Event-Timestamp, $Port-Limit, $NAS-Port-Type, $Connect-Info, $Framed-Protocol, $Service-Type, $Authentication-Type, $Policy-Name, $Reason-Code, $Class, $Session-Timeout, $Idle-Timeout, $Termination-Action, $EAP-Friendly-Name, $Acct-Status-Type, $Acct-Delay-Time, $Acct-Input-Octets, $Acct-Output-Octets, $Acct-Session-Id, $Acct-Authentic, $Acct-Session-Time, $Acct-Input-Packets, $Acct-Output-Packets, $Acct-Terminate-Cause, $Acct-Multi-Ssn-ID, $Acct-Link-Count, $Acct-Interim-Interval, $Tunnel-Type, $Tunnel-Medium-Type, $Tunnel-Client-Endpt, $Tunnel-Server-Endpt, $Acct-Tunnel-Conn, $Tunnel-Pvt-Group-ID, $Tunnel-Assignment-ID, $Tunnel-Preference, $MS-Acct-Auth-Type, $MS-Acct-EAP-Type, $MS-RAS-Version, $MS-RAS-Vendor, $MS-CHAP-Error, $MS-CHAP-Domain, $MS-MPPE-Encryption-Types, $MS-MPPE-Encryption-Policy, $Proxy-Policy-Name, $Provider-Type, $Provider-Name, $Remote-Server-Address, $MS-RAS-Client-Name, $MS-RAS-Client-Version
#EscapeControl FALSE
Delimiter ,
</Extension>
<Extension csv2>
Module xm_csv
Fields $ComputerName, $Record-Date, $Record-Time, $Packet-Type, $User-Name, $Fully-Qualified-Distinguished-Name, $Called-Station-ID, $Calling-Station-ID, $Framed-IP-Address, $NAS-Identifier, $NAS-IP-Address, $NAS-Port, $Client-IP-Address, $Client-Friendly-Name, $Framed-Protocol, $Service-Type, $Authentication-Type, $Policy-Name, $Reason-Code, $Tunnel-Type, $Tunnel-Medium-Type, $Tunnel-Pvt-Group-ID
Delimiter ;
#EscapeControl False
EscapeChar \n
</Extension>
<Extension kvp1>
Module xm_kvp
#Delimiter ''
#ValueQuoteChar "
QuoteMethod All
#KVDelimiter =
EscapeChar \n
KVPDelimiter ;
IncludeHiddenFields False
</Extension>
<Extension kvp2>
Module xm_kvp
KVPDelimiter ;
</Extension>
<Input in>
Module im_file
File "d:\nxlog\IN2004.log"
InputType LineBased
PollInterval 1
ReadFromLast FALSE
SavePos FALSE
<Exec>
csv1->parse_csv();
if not defined $number $number = 0;
csv2->to_csv();
kvp1->to_kvp();
delete($EventReceivedTime);
delete($SourceModuleName);
delete($SourceModuleType);
</Exec>
</Input>
#####################
Up to csv2->to_csv(); it works fine and the output is as expected. Values are now semicolon-separated and surrounded by quotation marks "". This is what I want.
But now, when kvp1->to_kvp(); is also active, quotes are removed from all values except values with spaces in them. I do not want to change the quotes surrounding the values.
The result looks like this:
EventReceivedTime=2020-08-19 17:53:39;SourceModuleName=in;SourceModuleType=im_file;ComputerName=srv1;ServiceName=IAS;Record-Date=08/01/2020;Record-Time=10:33:39;Packet-Type=1;User-Name=123\xyz;Fully-Qualified-Distinguished-Name=123\xyz;Called-Station-ID=dc-aa-94-96-52-70:WLAN-XYZ;Calling-Station-ID=f8-aa-4e-24-bc-7c;NAS-Identifier=wlc01;NAS-IP-Address=1.1.1.1;NAS-Port=13;Client-Vendor=0;Client-IP-Address=1.1.1.1;Client-Friendly-Name=wlc01;NAS-Port-Type=19;Service-Type=2;Authentication-Type=5;Policy-Name=wlan-xyz-01;Reason-Code=0;Class='311 1 4.4.4.4 03/25/2020 14:12:43 689';Acct-Session-Id=5e8427b3/f8:aa:4e:24:bc:7c/133777;Tunnel-Type=13;Tunnel-Medium-Type=6;Tunnel-Pvt-Group-ID=49;Proxy-Policy-Name=Wireless-hj;Provider-Type=1;number=0;
So does somebody know why the quotes are being removed in general, but only kept for values with spaces in them?
Additionally, I would like to remove these fields: "EventReceivedTime=2020-08-19 17:53:39;SourceModuleName=in;SourceModuleType=im_file;"
by using
delete($EventReceivedTime);
delete($SourceModuleName);
delete($SourceModuleType);
but it is also not working.
Any ideas?
Thanks!
seroal22 created
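An added stand-alone Python model (this is not NXLog code and not part of the post) of a key=value serializer with three quoting policies, to make the behaviour the post describes visible: under a quote-only-when-needed policy the quotes around plain values disappear and only values containing a space, the pair delimiter, a quote or `=` keep them, while a quote-everything policy keeps them all; it also leaves the three bookkeeping fields out of the output. The record is constructed from the first columns of the line quoted above; the policy names `All`, `Delimiter` and `None` are assumptions modelled on the directive values in the post, not xm_kvp's implementation.

```python
"""Added example (not from the post): a key=value serializer with three quoting
policies, showing when the quotes around values survive."""
import csv
import io

# Constructed record: the first columns of the NPS/IAS line in the post.
FIELDS = ["ComputerName", "ServiceName", "Record-Date", "User-Name", "Class"]
LINE = '"srv1","IAS",08/01/2020,"123\\xyz","311 1 4.4.4.4 03/25/2020 14:12:43 689"'
# Bookkeeping fields the post wants kept out of the output.
HIDDEN = {"EventReceivedTime", "SourceModuleName", "SourceModuleType"}


def parse_record(line, names):
    """Parse one CSV line into an insertion-ordered field -> value mapping.
    The CSV quotes are consumed here; the value itself carries none."""
    row = next(csv.reader(io.StringIO(line)))
    return dict(zip(names, row))


def quote(value, esc="\\", quote_char='"'):
    """Wrap a value in quotes, escaping the escape char and embedded quotes."""
    escaped = value.replace(esc, esc + esc).replace(quote_char, esc + quote_char)
    return quote_char + escaped + quote_char


def needs_quotes(value, method, kv_delim):
    """Assumed policies: 'All' always quotes, 'None' never does, and
    'Delimiter' quotes only values a reader could otherwise misparse."""
    if method == "All":
        return True
    if method == "None":
        return False
    return any(c in value for c in (kv_delim, " ", '"', "="))


def to_kvp(record, method="Delimiter", kv_delim=";", include_hidden=False):
    """Serialize the record as key=value pairs joined by kv_delim."""
    pairs = []
    for key, value in record.items():
        if not include_hidden and key in HIDDEN:
            continue
        rendered = quote(value) if needs_quotes(value, method, kv_delim) else value
        pairs.append(f"{key}={rendered}")
    return kv_delim.join(pairs) + kv_delim


if __name__ == "__main__":
    rec = parse_record(LINE, FIELDS)
    rec["EventReceivedTime"] = "2020-08-19 17:53:39"  # constructed bookkeeping field
    for method in ("Delimiter", "All", "None"):
        print(method, "->", to_kvp(rec, method))
```

The point the output makes is that the quotes seen after the CSV stage are CSV syntax, not part of the values; a downstream key=value writer decides afresh whether to quote, so only a quote-everything policy reproduces them on every value.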