Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

End process when EOF Reached

Hello - new to nxlog. Trying to end nxlog process when EOF reached on input file. Any help appreciated.

Thanks, Andrew


adurance created
Replies: 1
Setup Route module based on log Source

Hello,

I am fairly new to NXLog and we are trying to understand if it's possible to route/forward logs based on the Source when only one input module for 514 traffic is defined. I understand that the Host directive in the Input module is actually related to the host itself where NXLog is installed. Would adding some kind of Exec instructions in there help? Perhaps using a processor in the route module? Since this is a new deployment, we'd like to set it up by following best practices from the get-go. I appreciate your help.


mflati created
Replies: 1
Error Executing "View Log" in NXLog Manager

Hi all,

I have an issue when viewing agent internal logs with "View Log" in NXLog Manager.

When I click on the View Log button, an error message pops up as follows:

  1. Error Executing the requested operation: Could not parse XML; nested exception is org.xml.sax.SAXParseException; lineNumber:x, columnNumber:x; Character reference "&#.

  2. Error Executing the requested operation: Could not parse XML; nested exception is org.xml.sax.SAXParseException; lineNumber:x, columnNumber:x; The element type "SOAP-ENV:Envelope" must be terminated by matching end-tag"</SOAP-ENV:Envelope>"

Does anyone know what those two errors are about, and how we should fix them? Where can we view / find the SOAP-ENV:Envelope or the mentioned character from NXLog Manager?

Thanks.


md22 created
Replies: 1
Single Line Log File on Network Share

Good Morning All,

I was hoping to get some direction with a log file we want to parse. We have a directory containing log files on a network share. A new log file is created every day. The issue with these logs is that there are no newlines or carriage returns; it is one gigantic line. New events are just added at the end of the string. I am familiar with NXLog to the point of inputs / outputs / routes but I am not sure exactly what my next step is here. I have some regex that, when run manually, will break the log down into individual lines, but I am not sure how to implement that in NXLog in a way that it will read the log file, split the entirety of it into individual lines and then export those lines without seeing a bunch of duplication. Or in what blocks to implement which step.

Some broad stroke guidance (or details) would be appreciated.


ian.lee created
Replies: 1
Windows Event Logs

Hi Guys,

I have a problem: I must send the Event Log to the Linux log collector. The problem is that when the log collector receives the log, the format is much too long; I want to receive a log like this.

Example Linux log: " Jun 19 16:23:01 MSI su: pam_unix(su:session): session opened for user ema by (uid=0) "

Can I receive the log in this format?

Thank you.


Emanuele created
Replies: 1
Windows Application and Security logs are not sending to RSA Netwitness

Hi Team,

We are using NXLog to send logs to RSA (SIEM), but a few of the security logs are not being sent to RSA. Below are the event IDs we are not receiving: event IDs starting with 4860-4890. Below is the configuration which we are using in RSA.

Can you please check below configuration and let me know if anything needs to be changed to receive the windows security and application logs.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nslog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'></Select>
                <Select Path='Security'></Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_tcp
    Host hostname(hided)
    Port 514
    Exec to_syslog_snare();$raw_event = replace($raw_event, "\t", ',');
</Output>

<Route 1>
    Path in => out
</Route>


vigneshmoorthy created
Replies: 6
NXLOG CE - recursing over backlog

Trialing the NXLOG CE version, I forward logs for MS Windows Eventlog. Now I found just over 200 events are logged while there are over 50 000. Is there a way to configure nxlog so it consumes the logs older than today?


commandline-be created
Replies: 2
What is the name of the ETW provider that SQL Server extended events are using?

We are using nxLog for sending all kinds of logging information to a Graylog. This is working for both the SQL Server error log and SQL audit logs but also for other non-SQL Server logs. We were initially looking into using SQL audit for getting the application name of the user connection, but we are running SQL Server 2016 and it is only available starting with SQL Server 2017. Instead we have tried to use extended events for the logging.

The basic ideas are working, and when opening the extended events file in SSMS we can see the requested information. The problem is that the extended event files are binaries and we can't use the same type of nxLog configuration as for the error log or SQL audit logs. Instead we have been trying to use **etw_classic_sync_target** and Event Tracing for Windows (**ETW**). We are using the nxLog module **im_etw** for collecting the ETW information.

I have verified the nxLog configuration (nxLog -v) and basically the configuration seems to be working and some events are sent forward. The problem is that it is not the events from our extended event session! The reason most likely is that we are not using the correct **ETW provider**. I have not been able to find any information on what provider SQL Server and extended events are using. I have tried the most obvious ones, e.g. sqlserver, but none seems to be the correct one.

Does anyone know the name of the ETW provider that the extended event etw_classic_sync_target is using? Or does someone see some other reason why this is not working? We have set up the nxLog module like this:

Module im_etw
Provider sqlserver

PeterAkerlund created
Replies: 1
NXLog Manager will not load GUI

I am having problems with the nxlog manager. The application takes forever to load the login page and when it does load once it finally logs in it just hangs and will not load any of the dashboards. When checking the systemctl status I have seen a couple different errors.

Exception in thread "agentServerTaskExecutor-145" java.lang.OutOfMemoryError: Java heap space

Jun 09, 2020 8:55:23 AM org.apache.jasper.compiler.JDTJavaCompiler setSourceVM WARNING: Unknown source VM 1.7 ignored.

: ERROR: 'XML document structures must start and end within the same entity.' Jun 09, 2020 9:51:11 AM com.sun.xml.internal.messaging.saaj.soap.EnvelopeFactory createEnvelope SEVERE: SAAJ0511: Unable to create envelope from given source

service.sh[1395]: 2020-06-09 10:55:39.820:WARN:oejh.HttpParser:qtp1329552164-8630: BadMessage: 400 Illegal character for HttpChannelOverHttp@76b3d195{r=0,a=IDLE,uri=-}

Exception in thread "C3P0PooledConnectionPoolManager[identityToken->31989haa16jlcxi18f6us8|6366ebe0]-HelperThread-#1" java.lang.OutOfMemoryError: Java heap space


anthonyweller created
Replies: 1
NXLog Manager - Reporting/Notification on Agent Status Capability

Hello,

Is there a way for us to export the list of online, offline, error, or untrusted agents from NXLog Manager? Is NXLog Manager able to send out notifications of offline/error agents?

Thanks


md22 created
Replies: 1
ERROR ### ASSERTION FAILED at line 879 in module.c/resume_senders(): "curr->type == NX_MODULE_TYPE_INPUT" ###
Setup NXLog to send IIS logs to Syslog. Using the following modules: xm_syslog, xm_csv, im_file, om_tcp.

My config file is the following:

Panic Soft
#NoFreeOnExit TRUE

define ROOT e:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

Module xm_syslog

Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

Module xm_exec

Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
         (file_size('%LOGFILE%') >= 5M)) \
         file_cycle('%LOGFILE%', 8);
# Rotate our log file every week on Sunday at midnight
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);

Module xm_csv
Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
       s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
       sc-status, sc-substatus, sc-win32-status, time-taken
FieldTypes string, string, string, string, string, string, integer, \
           string, string, string, string, integer, integer, integer, \
           integer
Delimiter ' '
EscapeChar '"'
QuoteChar '"'
EscapeControl FALSE
UndefValue -

Module im_file
File 'L:\Logs\W3SVC1\u_ex*.log'
if $raw_event =~ /^#/ drop();
else
{
    w3c_parser->parse_csv();
    $EventTime = parsedate($date + "T" + $time + ".000Z");
}

Module om_tcp
Host REDACTED
Port 514
Exec to_syslog_ietf();

Module om_file
File 'E:\Program Files (x86)\nxlog\test.log'
CreateDir

Path iis_w3c => w3c_parser => out

When I start NXLog I keep getting the following error:

> ERROR ### ASSERTION FAILED at line 879 in module.c/resume_senders(): "curr->type == NX_MODULE_TYPE_INPUT" ###

Also, I can see the NXLog client is opening a TCP connection with the syslog destination but doesn't actually send any data in the transaction. (Packet trace shows SYN-SYN/ACK-ACK then immediately FIN from the client.)

I tried testing with "om-file" to see if it would at least write to a local file; this failed as well (same error in the log), so something tells me I have an error in the input module IM_FILE, but I can't figure out what the error is. I took the config example from the user guide (https://nxlog.co/documentation/nxlog-user-guide/iis.html). Any help appreciated!

bmalenfant created
Replies: 3
Custom MSI

Help with Custom MSI

  • I want to replace the nxlog.conf with our own
  • Start service nxlog as part of the installation

13.nayan.patel created
Replies: 1
Creating alerts to determine if a data source is no longer sending logs

Hello,

I am collecting from many different types of log sources and many of those are syslog streams where an agent is not installed on the data source. For instance, our firewalls send logs over syslog to our nxlog agent for collection. I want to set up an alert that would fire if any of these sources stops sending logs. I read over the documentation at "26.5. Detecting a Dead Agent or Log Source", which would only fire an alert if that input module receives no logs in an hour, correct? I would like to have the input module I use to collect syslog detect if any device out of many stops sending in that single feed. For instance, the firewalls all have a device name that appears in the log message, so I would like to use $raw_event and a grep statement to pull out the device name, count how many events it has sent, and alert if it is less than 1 in 30 minutes. For instance, let's say I have several devices with device names that start with "exam1-" and can end with any number of letters after that but end with a closing quote. Currently I filter these messages to send to different outputs like this.

if not ($raw_event =~ /devname="exam1-[^"]+"/) drop();

I would like to have the input module use the same filter message to count the events for each of these devices individually. Not exactly sure how this could be completed and could use some help. Thank you.


anthonyweller created
Replies: 1
Log Rotation Help
Hi, I'm currently outputting my desired log into a specific folder. I'm attempting to rotate the output file by size. Are there any limitations if I'm not under an enterprise license? Anyway, this is the error I'm getting:

ERROR failed to determine file size of 'APPLOGFILE': The system cannot find the file specified.

This is my config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

define APPLOGFILE'/Program Files/Nxlog/Parsed_syslog/my_parsed.log'

Module xm_fileop

Module xm_exec

Module xm_syslog

Module xm_charconv
AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2

Module xm_json

Module xm_multiline
HeaderLine /[\d\t .:]+ [1A-Za-z-]+ [MXZa-z-]+ [\d.\/-]+ [\d:]+ CEST \|/

#5140 udp listenner
Module im_udp
Host 0.0.0.0
Port 5140

#writes input to a file
Module om_file
File '/Nxlog/Raw_syslog/'+ strftime(now(),'_%Y_%m_%d') + '_my_raw.log'

Module im_file
SavePos True
ReadFromLast True
File '/Nxlog/Raw_syslog/'+ strftime(now(),'_%Y_%m_%d') + '_my_raw.log'
InputType multiline_header
$type = 'my Log';
$SourceModuleName = 'NxLog';
$SourceModuleType = 'my Log Source';
$Message = $raw_event;
if not (($raw_event =~ /TEST REGEX/)) drop();

Module pm_norepeat
CheckFields Hostname, Message, SourceName

#output of the transformation
Module om_file
File 'D:/Program Files/Nxlog/Parsed_syslog/my_parsed.log'
Exec $raw_event = to_json();
Every 30 sec
if(file_size('APPLOGFILE') >= 100M)
{
    file_cycle('APPLOGFILE',500);
    my_json_out->reopen();
}

#1st route
Path udp_my_listenner => my_raw_to_file

#2nd route
Path raw_udp_file => norepeat => my_json_out

* What am I doing wrong? Can anyone suggest a better config? This is my first time configuring log rotation via nxlog.
* What I would like to achieve as an output is that every x seconds, if the file exceeds 100MB, it's rotated and a new file is created.

jd01 created
Replies: 5
EVP_CIPHER_CTX_init results in libcrypto not found

Dear,

Attempting to compile nxlog-ce on Arch Linux, I hit a snag.

./configure results in:

checking for openssl/evp.h... yes
checking for EVP_CIPHER_CTX_init in -lcrypto... no
configure: error: libcrypto not found

-- the configure: error is generated on

#define HAVE_LIBCRYPTO 1
_ACEOF

LIBS="-lcrypto $LIBS"

else
as_fn_error $? "libcrypto not found" "$LINENO" 5
fi

I doubt I want to modify ./configure to skip this. What can I do to fix this?

The lib is installed:

/usr/lib/libressl/libcrypto.so
/usr/lib/libressl/libcrypto.so.46
/usr/lib/libressl/libcrypto.so.46.0.1
/usr/lib/libressl/pkgconfig/libcrypto.pc
/usr/lib/libcryptopp.so
/usr/lib/libcryptopp.so.8
/usr/lib/libcryptopp.so.8.2.0
/usr/lib/libcrypto.so
/usr/lib/libcrypto.so.1.1

Br,

Joris


commandline-be created
Replies: 7
Performance Nxlog

Hello, I'm using nxlog to send logs from an AD to a syslog server, this is my nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_udp
    Host xxxxx
    Port xxx
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>

However, the volume of logs generated is very large and nxlog is not able to send everything, causing some packages to be lost. I noticed this with Wireshark at the source and saw that the packages don't even leave the server. Is there anything I can do to increase your performance? Be it in nxlog.conf, or clear some cache. Thank you.


GustavoM created
Replies: 1
Nxlog debug

Hi, I want to get the debug log with NXLog. Please tell me how to set it.


taiei created
Replies: 1
Extra Space in Windows Event Log
Hi, I am using NXLog to fetch events from a Windows server to a SIEM. But in some events, it is adding an extra "white space" before the timestamp. Due to the extra white space, the SIEM fails to parse the log. Here are some samples.

Log with extra white space; please look after "EventTime": it has an extra space before the timestamp:

`2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime": "2020-05-20 14:10:59","Hostname":"Monsoon.LTDIC.com","Keywords":-`

A standard log which gets parsed:

`2020-05-20T14:10:39.984056+05:30 10.7.24.101 {"EventTime":"2017-09-05 10:11:10","Hostname":"`

Below is my conf file:

#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
Module xm_json

# For windows 2003 and earlier use the following:
#Module im_mseventlog
# For windows 2005 and later use the following:
Module im_msvistalog
Exec to_json();

Module om_udp
Host DNIF-Adapter-IP
Port 514

Path MSEvtIN => MSEvtOUT

ashutosh created
Replies: 7
My example nxlog.conf file for all windows services we monitor.

On our Graylog server we have GELF over TCP enabled. I use the following as a prototype Windows Server config file, with all relevant log paths defined for various services. We then just erase the lines we don't want. I don't think I've seen a sample template, so this would have been useful when I was first building. Important to note: we didn't find any useful logs in the event log for SharePoint, SCCM, SQL Server, IIS, or Dynamics CRM; they log separately:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                    (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

<Input inWindowsAudit>
    Module im_msvistalog
    ReadFromLast True
    Query <QueryList>\
        <Query Id="0">\
# Delete Unwanted Rows
# Standard Server Logs
            <Select Path="Security">*</Select>\
            <Select Path="System">*[System/Level=4]</Select>\
            <Select Path="Application">*[Application/Level=2]</Select>\
            <Select Path="Setup">*[System/Level=3]</Select>\
# Hardware Logs
            <Select Path="HardwareEvents">*</Select>\
# Key Management
            <Select Path="Key Management Service">*</Select>\
# Windows Powershell
            <Select Path="Windows PowerShell">*</Select>\
# Internet Explorer
            <Select Path="Internet Explorer">*</Select>\
# Active Directory
            <Select Path="Active Directory Web Services">*</Select>\
            <Select Path="DFS Replication">*</Select>\
            <Select Path="Directory Service">*</Select>\
            <Select Path="DNS Server">*</Select>\
            <Select Path="File Replication Service">*</Select>\
# Server Manager
            <Select Path="Microsoft-ServerManagementExperience">*</Select>\
# Exchange Logs
            <Select Path="EWS Monitoring Events">*</Select>\
            <Select Path="MSExchange Management">*</Select>\
# VAMT
            <Select Path="Volume Activation Management Tool">*</Select>\
# Lync/Skype
            <Select Path="Lync Server">*</Select>\
# Blank Template
            <Select Path="">*</Select>\
        </Query>\
    </QueryList>
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    Exec $CustomerID = 'my_customer';
    Exec $LogType = 'Windows Audit';
</Input>

<Output outGraylog>
    Module om_tcp
    Host ## GRAYLOG SERVER IP ##
    Port 12201
    OutputType GELF_TCP
</Output>

<Route 1>
    Path inWindowsAudit => outGraylog
</Route>


surfrock66 created
Replies: 1
xm_multiline issue
Hi all :) (I'm new to nxlog)

I'm currently facing issues handling logs which are being sent to nxlog via syslog *line by line*. Basically, after looking at the documentation I found out that possibly xm_multiline can help me out.

**Raw log example:**

2020.05.20 15:22:37:481 CEST | Info | HTTP Body text part 1
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 3
2020.05.20 15:22:37:502 CEST |Debug | HTTP Body text part 4
2020.05.20 15:22:37:502 CEST | Info | HTTP

**I'm using the following headerline /^\d\d\d\d.\d\d.\d\d\s+\d\d:\d\d:\d\d:\d\d\d/ to capture the event into one.**

Module xm_charconv
AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2

Module xm_json

Module xm_multiline
HeaderLine /^\d\d\d\d.\d\d.\d\d\s+\d\d:\d\d:\d\d:\d\d\d/

Module im_udp
Host 0.0.0.0
Port 5140
InputType multiline_header
Exec $type = 'mylog';
Exec $Message = $raw_event;

Module om_udp
Host 1.1.1.1
Port 514
Exec $raw_event = to_json();

Path log_udp=> log_out

Transforming the log into json.

**The expected output would be:**

Event no. 1
2020.05.20 15:22:37:481 CEST | Info | HTTP Body text part 1

Event no. 2
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 2.

etc.

**The issue end result:**

Event no. 1
2020.05.20 15:22:37:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:37:502 CEST | Info | HTTP Body text part 2

Event no. 2
2020.05.20 15:22:38:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:38:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2

Event no. 3
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:39:502 CEST | Info | HTTP Body text part 2
2020.05.20 15:22:39:481 CEST | Info | HTTP Body text part
2020.05.20 15:22:38:502 CEST | Info | HTTP Body text part 2

The successive timestamp headerline is ignored and the logs are grouped by the second (see above) :(

Am I doing anything wrong? Do you guys have any suggestions on how to tackle this type of logs?

jd01 created
Replies: 2