
Windows Application and Security logs are not sending to RSA Netwitness
Hi Team, we are using NXLog to send logs to RSA (SIEM), but a few of the security logs are not being sent to RSA. Below are the event IDs we are not receiving: event IDs starting with 4860-4890. Below is the configuration which we are using for RSA. Can you please check the configuration below and let me know if anything needs to be changed to receive the Windows security and application logs?

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nslog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'></Select>
                <Select Path='Security'></Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_tcp
    Host hostname(hided)
    Port 514
    Exec to_syslog_snare(); $raw_event = replace($raw_event, "\t", ',');
</Output>

<Route 1>
    Path in => out
</Route>

vigneshmoorthy created
Replies: 6
NXLOG CE - recursing over backlog
Trialing the NXLog CE version, I forward logs for the MS Windows Eventlog. Now I found just over 200 events are logged while there are over 50 000. Is there a way to configure nxlog so it consumes the logs older than today?

commandline-be created
Replies: 2
What are the names of the ETW providers that SQL Server extended events are using?
We are using nxLog for sending all kinds of logging information to a Graylog. This is working for both the SQL Server error log and SQL audit logs, but also for other non-SQL Server logs. We were initially looking into using SQL audit for getting the application name of the user connection, but we are running SQL Server 2016 and it is only available starting with SQL Server 2017. Instead we have tried to use extended events for the logging. The basic ideas are working, and when opening the extended events file in SSMS we can see the requested information. The problem is that the extended event files are binaries and we can't use the same type of nxLog configuration as for the error log or SQL audit logs. Instead we have been trying to use etw_classic_sync_target and Event Tracing for Windows (ETW). We are using the nxLog module im_etw for collecting the ETW information. I have verified the nxLog configuration (nxLog -v) and basically the configuration seems to be working and some events are sent forward. The problem is that it is not the events from our extended event session! The reason most likely is that we are not using the correct ETW provider. I have not been able to find any information on what provider SQL Server and extended events are using. I have tried the most obvious ones, e.g. sqlserver, but none seems to be the correct one. Does anyone know the name of the ETW provider that the extended event etw_classic_sync_target is using? OR does someone see some other reason why this is not working? We have set up the nxLog module like this:

<Input xe_etw>
    Module im_etw
    Provider sqlserver
</Input>

PeterAkerlund created
Replies: 1
NXLog Manager will not load GUI
I am having problems with the nxlog manager. The application takes forever to load the login page, and when it does load, once it finally logs in it just hangs and will not load any of the dashboards. When checking the systemctl status I have seen a couple of different errors.

Exception in thread "agentServerTaskExecutor-145" java.lang.OutOfMemoryError: Java heap space
Jun 09, 2020 8:55:23 AM org.apache.jasper.compiler.JDTJavaCompiler setSourceVM
WARNING: Unknown source VM 1.7 ignored.
: ERROR: 'XML document structures must start and end within the same entity.'
Jun 09, 2020 9:51:11 AM com.sun.xml.internal.messaging.saaj.soap.EnvelopeFactory createEnvelope
SEVERE: SAAJ0511: Unable to create envelope from given source
service.sh[1395]: 2020-06-09 10:55:39.820:WARN:oejh.HttpParser:qtp1329552164-8630: BadMessage: 400 Illegal character for HttpChannelOverHttp@76b3d195{r=0,a=IDLE,uri=-}
Exception in thread "C3P0PooledConnectionPoolManager[identityToken->31989haa16jlcxi18f6us8|6366ebe0]-HelperThread-#1" java.lang.OutOfMemoryError: Java heap space

anthonyweller created
Replies: 1
NXLog Manager - Reporting/Notification on Agent Status Capability
Hello, is there a way for us to export the list of online, offline, error, or untrusted agents from NXLog Manager? Is NXLog Manager able to send out notifications of offline/error agents? Thanks

md22 created
Replies: 1
ERROR ### ASSERTION FAILED at line 879 in module.c/resume_senders(): "curr->type == NX_MODULE_TYPE_INPUT" ###
Setup NXLog to send IIS logs to Syslog. Using the following modules: xm_syslog, xm_csv, im_file, om_tcp. My config file is the following:

Panic Soft
#NoFreeOnExit TRUE

define ROOT e:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension w3c_parser>
    Module xm_csv
    Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
           s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
           sc-status, sc-substatus, sc-win32-status, time-taken
    FieldTypes string, string, string, string, string, string, integer, \
               string, string, string, string, integer, integer, integer, \
               integer
    Delimiter ' '
    EscapeChar '"'
    QuoteChar '"'
    EscapeControl FALSE
    UndefValue -
</Extension>

<Input iis_w3c>
    Module im_file
    File 'L:\Logs\W3SVC1\u_ex*.log'
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            w3c_parser->parse_csv();
            $EventTime = parsedate($date + "T" + $time + ".000Z");
        }
    </Exec>
</Input>

<Output out>
    Module om_tcp
    Host REDACTED
    Port 514
    Exec to_syslog_ietf();
</Output>

<Output test>
    Module om_file
    File 'E:\Program Files (x86)\nxlog\test.log'
    CreateDir
</Output>

<Route w3c>
    Path iis_w3c => w3c_parser => out
</Route>

When I start NXLog I keep getting the following error:

ERROR ### ASSERTION FAILED at line 879 in module.c/resume_senders(): "curr->type == NX_MODULE_TYPE_INPUT" ###

Also, I can see the NXLog client is opening a TCP connection with the syslog destination but doesn't actually send any data in the transaction. (Packet trace shows SYN-SYN/ACK-ACK then immediately FIN from the client.) I tried testing with "om_file" to see if it would at least write to a local file; this failed as well (same error in the log), so something tells me I have an error in the input module im_file but I can't figure out what the error is. I took the config example from the user guide (https://nxlog.co/documentation/nxlog-user-guide/iis.html). Any help appreciated!

bmalenfant created
Replies: 3
Custom MSI
Help with Custom MSI: I want to replace the nxlog.conf with our own and start the nxlog service as part of the installation.

13.nayan.patel created
Replies: 1
Creating alerts to determine if a data source is no longer sending logs
Hello, I am collecting from many different types of log sources, and many of those are syslog streams where an agent is not installed on the data source. For instance, our firewalls send logs over syslog to our nxlog agent for collection. I want to set up an alert that would fire if any of these sources stops sending logs. I read over the documentation at "26.5. Detecting a Dead Agent or Log Source", which would only fire an alert if that input module receives no logs in an hour, correct? I would like to have the input module I use to collect syslog detect if any device out of many stops sending in that single feed. For instance, the firewalls all have a device name that appears in the log message, so I would like to use $raw_event and a grep statement to pull out the device name, count how many events it has sent, and alert if it is less than 1 in 30 minutes. For instance, let's say I have several devices with device names that start with "exam1-" and can end with any number of letters after that but end with a closing quote. Currently I filter these messages to send to different outputs like this:

if not ($raw_event =~ /devname="exam1-[^"]+"/) drop();

I would like to have the input module use the same filter to count the events for each of these devices individually. Not exactly sure how this could be completed and could use some help. Thank you.

anthonyweller created
Replies: 1
Log Rotation Help
Hi, I'm currently outputting my desired log into a specific folder. I'm attempting to rotate the output file by size. Are there any limitations if I'm not under an enterprise license? Anyway, this is the error I'm getting:

ERROR failed to determine file size of 'APPLOGFILE': The system cannot find the file specified.

This is my config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

define APPLOGFILE'/Program Files/Nxlog/Parsed_syslog/my_parsed.log'

<Extension _fileop>
    Module xm_fileop
</Extension>

<Extension exec>
    Module xm_exec
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension multiline_header>
    Module xm_multiline
    HeaderLine /[\d\t .:]+ [1A-Za-z-]+ [MXZa-z-]+ [\d.\/-]+ [\d:]+ CEST \|/
</Extension>

#5140 udp listenner
<Input udp_my_listenner>
    Module im_udp
    Host 0.0.0.0
    Port 5140
</Input>

#writes input to a file
<Output my_raw_to_file>
    Module om_file
    File '/Nxlog/Raw_syslog/'+ strftime(now(),'_%Y_%m_%d') + '_my_raw.log'
</Output>

<Input raw_udp_file>
    Module im_file
    SavePos True
    ReadFromLast True
    File '/Nxlog/Raw_syslog/'+ strftime(now(),'_%Y_%m_%d') + '_my_raw.log'
    InputType multiline_header
    <Exec>
        $type = 'my Log';
        $SourceModuleName = 'NxLog';
        $SourceModuleType = 'my Log Source';
        $Message = $raw_event;
        if not (($raw_event =~ /TEST REGEX/)) drop();
    </Exec>
</Input>

<Processor norepeat>
    Module pm_norepeat
    CheckFields Hostname, Message, SourceName
</Processor>

#output of the transformation
<Output my_json_out>
    Module om_file
    File 'D:/Program Files/Nxlog/Parsed_syslog/my_parsed.log'
    Exec $raw_event = to_json();
    <Schedule>
        Every 30 sec
        <Exec>
            if(file_size('APPLOGFILE') >= 100M)
            {
                file_cycle('APPLOGFILE',500);
                my_json_out->reopen();
            }
        </Exec>
    </Schedule>
</Output>

#1st route
<Route udp_to_file>
    Path udp_my_listenner => my_raw_to_file
</Route>

#2nd route
<Route udp_file_to_json_file>
    Path raw_udp_file => norepeat => my_json_out
</Route>

What am I doing wrong? Can anyone suggest a better config? This is my first time configuring log rotation via nxlog. What I would like to achieve as an output is that every x seconds, if the file exceeds 100MB, it's rotated and a new file is created.

jd01 created
Replies: 5
EVP_CIPHER_CTX_init results in libcrypto not found
Dear, attempting to compile nxlog-ce on Arch Linux I hit a snag. ./configure results in:

checking for openssl/evp.h... yes
checking for EVP_CIPHER_CTX_init in -lcrypto... no
configure: error: libcrypto not found

The configure: error is generated on:

#define HAVE_LIBCRYPTO 1
_ACEOF

  LIBS="-lcrypto $LIBS"

else
  as_fn_error $? "libcrypto not found" "$LINENO" 5
fi

I doubt I want to modify ./configure to skip this. What can I do to fix this? The lib is installed:

/usr/lib/libressl/libcrypto.so
/usr/lib/libressl/libcrypto.so.46
/usr/lib/libressl/libcrypto.so.46.0.1
/usr/lib/libressl/pkgconfig/libcrypto.pc
/usr/lib/libcryptopp.so
/usr/lib/libcryptopp.so.8
/usr/lib/libcryptopp.so.8.2.0
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.1.1

Br, Joris

commandline-be created
Replies: 7
Performance Nxlog
Hello, I'm using nxlog to send logs from an AD to a syslog server. This is my nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_udp
    Host xxxxx
    Port xxx
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>

However, the volume of log generated is very large and nxlog is not able to send everything, causing some packets to be lost. I noticed this with Wireshark at the source and saw that the packets don't even leave the server. Is there anything I can do to increase its performance? Be it in nxlog.conf, or clearing some cache. Thank you.

GustavoM created
Replies: 1
Nxlog debug
Hi, I want to get the debug log with Nxlog. Please tell me how to set it.

taiei created
Replies: 1
Extra Space in Windows Event Log
Hi, I am using NXLog to fetch events from a Windows server to a SIEM. But in some events, it is adding an extra "white space" before the timestamp. Due to the extra white space, the SIEM fails to parse the log. Here are some samples.

Log with extra white space; please look after "EventTime": it has an extra space before the time stamp:

2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime": "2020-05-20 14:10:59","Hostname":"Monsoon.LTDIC.com","Keywords":-

A standard log which gets parsed:

2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime":"2017-09-05 10:11:10","Hostname":"

Below is my conf file:

#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
<Extension json>
    Module xm_json
</Extension>

<Input MSEvtIN>
    # For windows 2003 and earlier use the following:
    #Module im_mseventlog
    # For windows 2005 and later use the following:
    Module im_msvistalog
    Exec to_json();
</Input>

<Output MSEvtOUT>
    Module om_udp
    Host DNIF-Adapter-IP
    Port 514
</Output>

<Route 1>
    Path MSEvtIN => MSEvtOUT
</Route>

ashutosh created
Replies: 7
My example nxlog.conf file for all windows services we monitor.
On our Graylog server we have GELF over TCP enabled. I use the following as a prototype Windows Server config file, with all relevant log paths defined for various services. We then just erase the lines we don't want. I don't think I've seen a sample template, so this would have been useful when I was first building. Important to note: we didn't find any useful logs in the event log for SharePoint, SCCM, SQL Server, IIS, or Dynamics CRM; they log separately.

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Input inWindowsAudit>
    Module im_msvistalog
    ReadFromLast True
    Query <QueryList>
          <Query Id="0">\
          Delete Unwanted Rows
          Standard Server Logs
          <Select Path="Security">*</Select>\
          <Select Path="System">*[System/Level=4]</Select>\
          <Select Path="Application">*[Application/Level=2]</Select>\
          <Select Path="Setup">*[System/Level=3]</Select>\
          Hardware Logs
          <Select Path="HardwareEvents">*</Select>\
          Key Management
          <Select Path="Key Management Service">*</Select>\
          Windows Powershell
          <Select Path="Windows PowerShell">*</Select>\
          Internet Explorer
          <Select Path="Internet Explorer">*</Select>\
          Active Directory
          <Select Path="Active Directory Web Services">*</Select>\
          <Select Path="DFS Replication">*</Select>\
          <Select Path="Directory Service">*</Select>\
          <Select Path="DNS Server">*</Select>\
          <Select Path="File Replication Service">*</Select>\
          Server Manager
          <Select Path="Microsoft-ServerManagementExperience">*</Select>\
          Exchange Logs
          <Select Path="EWS Monitoring Events">*</Select>\
          <Select Path="MSExchange Management">*</Select>\
          VAMT
          <Select Path="Volume Activation Management Tool">*</Select>\
          Lync/Skype
          <Select Path="Lync Server">*</Select>\
          Blank Template
          <Select Path="">*</Select>\
          </Query>\
          </QueryList>
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    Exec $CustomerID = 'my_customer';
    Exec $LogType = 'Windows Audit';
</Input>

<Output outGraylog>
    Module om_tcp
    Host ## GRAYLOG SERVER IP ##
    Port 12201
    OutputType GELF_TCP
</Output>

<Route 1>
    Path inWindowsAudit => outGraylog
</Route>

surfrock66 created
Replies: 1
xm_multiline issue
Hi all :) (I'm new to nxlog.) I'm currently facing issues handling logs which are being sent to nxlog via syslog line by line. Basically, after looking at the documentation I found out that xm_multiline can possibly help me out.

Raw log example:

2020.05.20 15:22:37:481 CEST | Info | HTTP Body text part 1
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 3
2020.05.20 15:22:37:502 CEST |Debug | HTTP Body text part 4
2020.05.20 15:22:37:502 CEST | Info | HTTP

I'm using the following headerline /^\d\d\d\d.\d\d.\d\d\s+\d\d:\d\d:\d\d:\d\d\d/ to capture the event into one.

<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension multiline_header>
    Module xm_multiline
    HeaderLine /^\d\d\d\d.\d\d.\d\d\s+\d\d:\d\d:\d\d:\d\d\d/
</Extension>

<Input log_udp>
    Module im_udp
    Host 0.0.0.0
    Port 5140
    InputType multiline_header
    Exec $type = 'mylog';
    Exec $Message = $raw_event;
</Input>

<Output log_out>
    Module om_udp
    Host 1.1.1.1
    Port 514
    Exec $raw_event = to_json();
</Output>

<Route forward_xsp>
    Path log_udp => log_out
</Route>

Transforming the log into JSON, the expected output would be:

Event no. 1
2020.05.20 15:22:37:481 CEST | Info | HTTP Body text part 1

Event no. 2
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 2

etc.

The issue end result:

Event no. 1
2020.05.20 15:22:37:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 2

Event no. 2
2020.05.20 15:22:38:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:38:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2

Event no. 3
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2

The successive timestamp headerline is ignored and the logs are grouped by the second (see above) :( Am I doing anything wrong? Do you guys have any suggestions on how to tackle this type of logs?

jd01 created
Replies: 2
Log rotation with xm_fileop
Hello, I have nxlog installed on a server where we collect multiple logging streams. nxlog writes those logs to a flat file that is tailed and sent out to our other solutions. This system was not built for log retention, so I need nxlog to clear these log files every hour or potentially based on file size. I set up the xm_fileop module on them, defined each log file path and set up the rotation as pasted below; however, the logs grow and are not being cleared. Please take a look and let me know where I may have gone wrong. Thank you.

define OUTPUTFILE0 /opt/nxlog/data/fortifirewall/forti.log
define OUTPUTFILE1 /opt/nxlog/data/ciscovpn/ciscovpn.log
define OUTPUTFILE2 /opt/nxlog/data/cylance/cylance.log
define OUTPUTFILE3 /opt/nxlog/data/gpcvpcflow/gpcvpcflow.log
define OUTPUTFILE4 /opt/nxlog/data/infobloxdhcp/infobloxdhcp.log
define OUTPUTFILE5 /opt/nxlog/data/juniperips/juniperips.log
define OUTPUTFILE6 /opt/nxlog/data/pulsevpn/pulsevpn.log
define OUTPUTFILE7 /opt/nxlog/data/tanium/tanium.log
define OUTPUTFILE8 /opt/nxlog/data/windhcp/windhcp.log
define OUTPUTFILE9 /opt/nxlog/data/windns/windns.log
define OUTPUTFILE10 /opt/nxlog/data/winevents/winevents.log

<Extension fileop>
    Module xm_fileop

    # Truncate the file every hour
    <Schedule>
        Every 1 hour
        Exec file_truncate('%OUTPUTFILE0%');
        Exec file_truncate('%OUTPUTFILE1%');
        Exec file_truncate('%OUTPUTFILE2%');
        Exec file_truncate('%OUTPUTFILE3%');
        Exec file_truncate('%OUTPUTFILE4%');
        Exec file_truncate('%OUTPUTFILE5%');
        Exec file_truncate('%OUTPUTFILE6%');
        Exec file_truncate('%OUTPUTFILE7%');
        Exec file_truncate('%OUTPUTFILE8%');
        Exec file_truncate('%OUTPUTFILE9%');
        Exec file_truncate('%OUTPUTFILE10%');
    </Schedule>
</Extension>

anthonyweller created
Replies: 3
How to check own logs in the Nxlog-Manager dashboard on the Linux platform.
Hi, I installed nxlog and nxlog-manager for testing my own logs in the dashboard. I am new to nxlog and am not able to check this in the dashboard. Could you please tell me how to check logs in the dashboard? I didn't find any options in the dashboard menu. Thanks in advance.

sureshnakkina created
Replies: 3
ERROR SSL error, failed to load ca cert from '/opt/nxlog/var/lib/nxlog/cert/agent-ca.pem',
Hi, I just installed nxlog. When I started it I saw the below error in nxlog. How do I create this file and all? Can you please help me on this?

ERROR SSL error, failed to load ca cert from '/opt/nxlog/var/lib/nxlog/cert/agent-ca.pem', reason: No such file or directory, no such file, system lib

Thanks in advance.

sureshnakkina created
Replies: 3
Cannot communicate with database server.
Hi, can anyone please help on this issue I am facing? I'm new to nxlog and things. I am getting the error "Cannot communicate with database server." in the nxlog-manager dashboard page. This is my nxlog.conf file; please correct me if there are mistakes.

User nxlog
Group nxlog

Panic Soft

# default values:
PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
CacheDir /opt/nxlog/var/spool/nxlog
ModuleDir /opt/nxlog/lib/nxlog/modules
SpoolDir /opt/nxlog/var/spool/nxlog

define CERTDIR /opt/nxlog/var/lib/nxlog/cert
define CONFDIR /opt/nxlog/var/lib/nxlog

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The MYLOGFILE
# define is also used to rotate the log file automatically (see the
# _fileop block).
define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This allows
# the log file location to be modified via NXLog Manager. If you are not
# using NXLog Manager, you can instead set LogFile below and disable the
# include line.
#LogFile %MYLOGFILE%
include %CONFDIR%/log4ensics.conf

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module xm_json
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is
# changed in log4ensics.conf via NXLog Manager, rotation of the new file
# should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input in_file>
    Module im_file
    File '/opt/nxlog/var/log/testing.txt'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Exec $Message = $raw_event;
</Input>

<Output out_tcp>
    Module om_tcp
    Host 192.168.x.x
    Port 9090
</Output>

<Route synot>
    Path in_file => out_tcp
</Route>

sureshnakkina created
Replies: 1
Unable to send logs to GrayLog - Multiple Route
Hi Folks, I have the following nxlog.conf which works fine.

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module xm_fileop
    <Schedule>
        When @daily
        Exec file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Processor process-buffer>
    Module pm_buffer
    Type Mem
    MaxSize 16384
</Processor>

<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Extension multiline>
    Module xm_multiline
    HeaderLine /^\d+\/\d\d\/\d\d\d\d+\s\d+:\d\d:\d\d+\s+[A-Z]+/
</Extension>

<Input filein>
    Module im_file
    File 'C:\DNSLogs\DNSIN.log'
    # SavePos TRUE
    ReadFromLast FALSE
    InputType multiline
</Input>

<Output fileout>
    Module om_file
    File 'C:\DNSLogs\DNSOUT.log'
    #Exec $raw_event = "-------------------------------------\n" + $raw_event;
</Output>

<Route parse_multiline>
    Path filein => process-buffer => fileout
</Route>

Now, I am trying to send the data to our log collector GrayLog and added an output and route:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module xm_fileop
    <Schedule>
        When @daily
        Exec file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Processor process-buffer>
    Module pm_buffer
    Type Mem
    MaxSize 16384
</Processor>

<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Extension multiline>
    Module xm_multiline
    HeaderLine /^\d+\/\d\d\/\d\d\d\d+\s\d+:\d\d:\d\d+\s+[A-Z]+/
</Extension>

<Input filein>
    Module im_file
    File 'C:\DNSLogs\MGTDCP03_DN.log'
    # SavePos TRUE
    ReadFromLast FALSE
    InputType multiline
</Input>

<Output fileout>
    Module om_file
    File 'C:\DNSLogs\MGTDCP03_DNSOUT-2.log'
    #Exec $raw_event = "-------------------------------------\n" + $raw_event;
</Output>

<Route parse_multiline>
    Path filein => process-buffer => fileout
</Route>

<Output gelf>
    Module om_tcp
    Host 172.17.1.87
    Port 5044
    OutputType GELF_TCP
    <Exec>
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
    </Exec>
</Output>

<Route to_graylog>
    Path filein => process-buffer => gelf
</Route>

However, I start getting error messages in nxlog.log. I have tried some troubleshooting steps, but so far I am not able to get around the problem. I'd appreciate it if you can help me resolve this issue.

2020-05-15 05:43:17 WARNING stopping nxlog service
2020-05-15 05:43:17 WARNING nxlog-ce received a termination request signal, exiting...
2020-05-15 05:43:18 INFO nxlog-ce-2.10.2150 started
nxlog failed to start: Couldn't parse Exec block at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:58 couldn't parse statement at line 59, character 67 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf invalid character: ' ' (0xd)
2020-05-15 05:44:17 ERROR Couldn't parse Exec block at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:58; couldn't parse statement at line 59, character 67 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf; invalid character: ';' (0xd)
2020-05-15 05:44:17 WARNING stopping nxlog service
2020-05-15 05:44:17 WARNING nxlog-ce received a termination request signal, exiting...
2020-05-15 05:44:18 ERROR Couldn't parse Exec block at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:58; couldn't parse statement at line 59, character 67 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf; invalid character: ';' (0xd)
2020-05-15 05:44:18 ERROR cannot add processor module 'process-buffer' to route 'to_graylog' because it is already added to route 'parse_multiline', you should define another instance at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:65
2020-05-15 05:44:18 ERROR module 'gelf' has configuration errors, not adding to route 'to_graylog' at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:65
2020-05-15 05:44:18 ERROR route to_graylog is not functional without output modules, ignored at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:65
2020-05-15 05:44:18 WARNING not starting unused module gelf
2020-05-15 05:44:18 INFO nxlog-ce-2.10.2150 started

navdeepsingh83 created
Replies: 1