I have a log file with about 2000 lines. When I try to send it through HTTP POST, only half of the data is received. It starts from the middle line: from the lines updated in the last 4 hours, which are the 1000+ rows. How do I set up/configure nxlog so it will start from the first line (the whole file)? Please help me... Below is my nxlog config:
<Extension multiline>
    Module          xm_multiline
    FixedLineCount  32
</Extension>

<Extension multiline_action>
    Module          xm_multiline
    FixedLineCount  32
</Extension>

<Input filein>
    Module          im_file
    #Wincor
    File            "C:\\DataSend\\" + "data_1.log"
    InputType       multiline
    SavePos         TRUE
    ReadFromLast    TRUE
    CloseWhenIdle   TRUE
    PollInterval    300
</Input>

<Output http>
    Module          om_http
    URL             http://localhost/log-monitor/public/index.php/receive-log
    #HTTPSAllowUntrusted TRUE
</Output>

<Route filein_to_http>
    Path            filein => http
</Route>
Thank you in advance
dinarhsb created
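As an added illustration (not part of the original post), the same im_file input is shown with the directive that produces the "starts from the middle" behaviour, beside the setting that reads the whole file. The file path is the poster's own; the output and route blocks are unchanged and omitted here.

```nxlog
# Added example, not from the original post.

# Before: ReadFromLast TRUE makes im_file begin at the END of the file the first
# time it is opened, so every line already present in data_1.log is skipped and
# only lines appended afterwards are sent.
<Input filein_skips_existing>
    Module          im_file
    File            "C:\\DataSend\\data_1.log"
    InputType       multiline
    SavePos         TRUE
    ReadFromLast    TRUE
</Input>

# After: ReadFromLast FALSE starts at the first line, so the whole file is sent.
# Caveat: with SavePos TRUE, a position saved by an earlier run takes priority
# over ReadFromLast, so the file would still resume mid-way. To force one full
# re-read, stop nxlog and delete the saved position cache (the configcache.dat
# file in CacheDir; assumed location), or set SavePos FALSE for one run.
<Input filein>
    Module          im_file
    File            "C:\\DataSend\\data_1.log"
    InputType       multiline
    SavePos         TRUE
    ReadFromLast    FALSE
    CloseWhenIdle   TRUE
    PollInterval    300
</Input>
```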
Anbers created
h5Azc created
Hi, I am trying to post events from my log files to gelf_tcp (Graylog). My log records are in flat JSON format. I can push logs to GELF, however with a few issues; I would appreciate it if you can help.
Issue 1: My log record has a field called "level". When the record is sent to Graylog, the level does not match the one that I have in the log file. I do parse_json() first, and I also tried to explicitly set the value of level based on the NXLog documentation https://nxlog.co/documentation/nxlog-user-guide/xm_gelf.html There is also something wrong with the documentation. It says GELF understands the field "SeverityLevel", but in the example on the same page it is using "SyslogSeverityLevel". I tried to explicitly set both fields from the $level field, but nothing changes in Graylog.
Issue 2: I have a timestamp field in my log record which is in ISO 8601 format. I could not find an easy way to parse it; the parsedate() function does not help there. I end up extracting the date and time parts from my field and then sending them to parsedate($1 + " " + $2). If you know a better way, please let me know.
Thanks
Kev
ksaffarian created
Hello to All!
I have an issue using the nxlog agent community edition. My output part of the config file looks like this:
    Module          om_udp
    Host            graylog.domain.local
    Port            12201
    OutputType      GELF
As a failover mechanism I use the DNS record for graylog.domain.local. When the primary Graylog node is unreachable, the DNS record is updated to the secondary node.
For some log sources, the OS is picking up the change almost immediately (there is no cache enabled), but the agent doesn't deliver logs to the secondary node until the nxlog service is restarted.
Couple of questions:
- Does the nxlog service keep any DNS cache?
- If yes, is there any way to bypass it?
- Any advice on how to fix the issue?
Many thanks in advance
tato created
Hi,
I want to log from my nxlog.conf to my LogFile.
Example:
nxlog.conf:
    include additonal/*.conf
additonal/module.conf:
    Log DEBUG "module.conf included"
How can I do this?
framold created
Dear team, I am currently using the nxLog agent for Windows (community edition) to forward logs to a CentOS server. I was looking for documentation on how to build the nxLog agent for the Windows platform but could not find any. I hope that build documentation, with some insight on how to prepare the development environment, will bring more people to the project, since many of us would love to add some features to personalize it for personal use rather than opening issues with feature requests.
I am a Linux user with some C development background, so I hope to get some support on how to create a development environment to build the Windows agent. My goal would be to add support for the latest OpenSSL version.
Thanks
paagalladka created
Hi,
Here's my case:
I'm trying to create a Syslog server configuration based on CentOS. The server must:
-- Receive logs from TCP
-- Store logs on an NFS volume automatically mounted by fstab on server startup
---- In case the NFS volume fails, create a buffer on the local disk.
Here's my configuration:
<Extension _syslog>
    Module          xm_syslog
</Extension>

<Extension _xm_file>
    Module          xm_fileop
</Extension>

<Input in>
    Module          im_tcp
    Host            0.0.0.0
    Port            39458
    <Exec>
        $SERVER = hostname();
        parse_syslog_ietf();
        $DATE = strftime($EventTime, "%Y%m%d");
    </Exec>
</Input>

<Processor buffer>
    Module          pm_buffer
    maxSize         204800
    Type            Disk
    Directory       %LOGDIR%
    WarnLimit       190000
</Processor>

<Processor blocker>
    Module          pm_blocker
    <Exec>
        $CHEMIN = "/var/partage/" + $SERVER;
        $test = dir_exists($CHEMIN);
        if $test == TRUE
        {
            blocker->block(FALSE);
        }
        else
            blocker->block(TRUE);
    </Exec>
</Processor>

<Output out>
    Module          om_file
    File            "/var/partage/" + $SERVER + "/" + $Hostname + "/" + $DATE + "_" + $Hostname + ".log"
    CreateDir       TRUE
    Exec            to_syslog_ietf();
</Output>

<Route tcp_to_file>
    Path            in => buffer => blocker => out
</Route>
My problem:
- When the NFS volume is down, pm_blocker writes "can't check condition "dir_exists(<Path>)": input/output error"
- When I try without pm_blocker, om_file fails with the same error and no buffer is created....
Questions:
- What is the best solution to implement a disk buffer system for the om_file module?
- How can I catch NFS volume exceptions?
Thanks in advance, best regards, Julien
julienBourdon created
My application starts generating logs at 5am and runs every 15 minutes.
I have observed that it essentially skips the first X lines and syncs things only after the X lines starting at 5:15, and then works fine throughout the day.
There is nothing in the logs at 5am.
I have tried routing it to another om_file on the same machine, and that works OK.
Can you please help me fix it?
Here is the config:
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _fileop>
Module xm_fileop
</Extension>
########################################
# Input #
########################################
<Input in-my-important-app>
Module im_file
File "/var/log/tomcat/my-important-app-*.log"
ReadFromLast True
SavePos True
Exec $Filename = "myApp/" +file_basename(file_name());
Exec $Hostname = hostname_fqdn();
</Input>
########################################
# Output #
########################################
# Output to destination
<Output out-destination>
Module om_tcp
Host [destination host]
Port [destination port]
OutputType Binary
</Output>
########################################
# Routes #
########################################
<Route to_destination>
Path in-my-important-app => out-destination
</Route>
javid90khan created
giveen created
Hello,
I am collecting syslog from many different firewalls, and I want to extract only a single field from these messages and output it to a file separate from the output file I am currently writing. Basically, I want to match the field devname=, extract it, and output the results into a list. Is there a way to avoid duplication? I have firewall1, firewall2, firewall3, etc., and they are in the devname= field, so the log file has devname="firewall1", devname="firewall2", devname="firewall3", etc. I am wondering how I can look for all these names and create a list of them. Thank you.
anthonyweller created
I have tried multiple ways to get the wildcard includes to work but just can't get it to work in CE. If I put the full path in, then it works.
    define ROOT C:\Program Files (x86)\nxlog
    define PLUGIN %ROOT%\additional
works:
    include C:\Program Files (x86)\nxlog\additional\nxlog_exchange.conf
doesn't work:
    include additional\*.conf
    include additional/*.conf
    include %PLUGIN%\*.conf
    include %PLUGIN%/*.conf
jdixon created
Hi,
My working nxlog.conf relies on Query directives aimed at explicitly named channels together with the im_msvistalog module.
<Input blu_eventlog_iis>
    Module          im_msvistalog
    Query           <QueryList>\
                      <Query Id="0">\
                        <Select Path="Microsoft-IIS-Configuration/Administrative">*</Select>\
                        <Select Path="Microsoft-IIS-Configuration/Operational">*</Select>\
                        <Select Path="Microsoft-IIS-Logging/Logs">*</Select>\
                      </Query>\
                    </QueryList>
    # Filter noise from IIS schema issues
    Exec            if ($Message =~ /Unable to find schema/) drop();
    # Workaround for local time so as to standardize to absolute microseconds since epoch
    Exec            $EventTime = integer($EventTime);
    # JSON is required because some Windows logs contain new-line characters.
    Exec            $Message = to_json();
</Input>

<Output blu_out_eventlog_iis>
    Module          om_tcp
    Host            %SIEM%
    Port            %PORT%
    Exec            to_syslog_bsd();
</Output>

<Route route_eventlog_iis>
    Path            blu_eventlog_iis => blu_out_eventlog_iis
</Route>
I hoped to clean up some 15007 errors in the nxlog.log file, as included below:
2020-07-06 14:42:55 ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
I suspect the 15007 errors are being generated because IIS isn't set up. In other words, the named IIS channels are queried but not found.
Is it possible to add an If/Else statement as part of those Query directives? Looking over the NXLog CE manual, I only see If/Else statements used with Exec. Any guidance would be greatly appreciated!
behr created
Hi all,
I must send the event logs (only event IDs 4626 and 4625) to the Linux log collector. Can you help me with the configuration?
Thank you.
Emanuele created
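An added configuration example (not from the original post or from NXLog's own material) that collects only the two event IDs named in the post from the Security channel with im_msvistalog and forwards them as IETF syslog over TCP; the collector host and port are placeholders for the poster's Linux collector.

```nxlog
# Added example, not from the original post.
<Extension _syslog>
    Module          xm_syslog
</Extension>

<Input security_logon_events>
    Module          im_msvistalog
    # Standard Windows event-log XPath filter: only EventID 4625 and 4626
    # from the Security channel are subscribed to, so nothing else is
    # read or forwarded. Backslashes continue the Query across lines.
    Query           <QueryList>\
                      <Query Id="0">\
                        <Select Path="Security">*[System[(EventID=4625 or EventID=4626)]]</Select>\
                      </Query>\
                    </QueryList>
</Input>

<Output linux_collector>
    Module          om_tcp
    # Placeholders: replace with the Linux collector's address and listening port.
    Host            collector.example.invalid
    Port            1514
    # Convert each event to RFC 5424 syslog before it leaves the host.
    Exec            to_syslog_ietf();
</Output>

<Route security_to_linux>
    Path            security_logon_events => linux_collector
</Route>
```

The Linux side needs a matching TCP syslog listener (for example an nxlog im_tcp input with parse_syslog_ietf(), or rsyslog/syslog-ng) on the chosen port.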
I'm very new to NXLog and have no clue how to fix this. I was setting up an nxlog.conf file on one of our servers and we keep getting this error. It starts with the 'not enough fields' error, but then after a few lines it says 'Too many fields'. There are 21 fields in the W3C fields, but I'm not sure why it seems like it's adding Fields as an input? I added an additional string in the FieldTypes and also combined date-time instead of 'date, time', but it didn't work. Is there a way to fix this in the conf file? Or should I be looking in IIS?
Log:
expected 20, got 6 in input '#Software: Microsoft Internet Information Services 8.5'
expected 20, got 2 in input '#Version: 1.0'
expected 20, got 3 in input '#Date: 2020-06-30 08:35:19'
Too many fields in CSV input, expected 20, got 21 in input '#Fields: date time c-ip c-port cs-username s-sitename s-computername cs-host s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus sc-bytes cs-bytes time-taken x-session x-fullpath x-debug'
Conf:
<Extension w3c_ftp>
    Module          xm_csv
    Fields          date, time, c-ip, cs-username, s-sitename, s-computername, s-ip, cs-method, cs-uri-stem, sc-status, sc-win32-status, sc-bytes, cs-bytes, time-taken, s-port, cs-host, sc-substatus, x-session, x-fullpath, x-debug, c-port
    FieldTypes      string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter       ' '
</Extension>
TIA!
GW2Dave created
m.ferrara created
Hi,
I want nxlog to send all Windows logs to syslog plus Microsoft-Windows-Windows Defender/Operational; however, as "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" doesn't seem to include "Microsoft-Windows-Windows Defender", it doesn't read that config in at start and doesn't send those Windows Defender logs.
How can I get nxlog to send everything it does now, plus the Microsoft-Windows-Windows Defender logs, without having to define everything? The only way I can see to do this is with two im_msvistalog definitions, i.e.
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module          xm_syslog
</Extension>

<Input eventlog>
    Module          im_msvistalog
</Input>

<Input eventlog_defender>
    Module          im_msvistalog
    Query           <QueryList>\
                      <Query Id="0">\
                        <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>\
                      </Query>\
                    </QueryList>
</Input>

<Processor eventlog_transformer>
    Module          pm_transformer
    Exec            $Hostname = hostname();
    OutputFormat    syslog_rfc3164
</Processor>

<Output syslogout>
    Module          om_ssl
    [removed, but it's to Papertrail]
</Output>

<Route 1>
    Path            eventlog => eventlog_transformer => syslogout
</Route>

<Route 2>
    Path            eventlog_defender => eventlog_transformer => syslogout
</Route>
That seems to work, except there are three problems compared to when I only have Microsoft-Windows-Windows Defender going and the other blocks deleted:
- The Windows Defender logging is a little inconsistent; testing with an EICAR test virus doesn't always appear, probably a 50% chance it appears in the syslog (all events appear in the Windows log)
- The severity and source are copied from the previous log line (usually info rather than warn severity, and not Microsoft-Windows-Windows Defender); maybe a threading issue?
- Each row of text is on its own line rather than all in a single message, which is what happens when it's the only logging to send
Is there a better way to do 'everything' plus Microsoft-Windows-Windows Defender?
Adam312312 created
I am trying to reduce the size of the messages sent from my Windows event logs to Graylog, and I cannot for the life of me figure out how to tell it to drop certain fields.
The only thing I can figure out is that I'm supposed to use delete(), but how to use it and where to place it in my config is very frustrating.
giveen created
jd01 created
NXLog_user12345 created