Hi
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
I configured it according to the above site. As a result, an unexpected service outage occurs. I want you to tell me the measures.
taiei created
When I use xm_perl with this code from /usr/libexec/nxlog/modules/extension/perl/event1.pl:
use Log::Nxlog;
use strict;
use warnings;
use feature 'say';
use JSON;
use utf8;
sub rec2msg {
    # The event handle is passed as the first argument by xm_perl;
    # without this declaration $event is undefined under 'use strict'.
    my ($event) = @_;
    my $msgsrcaddr = Log::Nxlog::get_field($event, 'MessageSourceAddress');
    if ( defined($msgsrcaddr) )
    {
        Log::Nxlog::set_field_string($event, 'MessageSourceCountry', "France");
    }
}
It gives me a strange error:
syntax error at /usr/libexec/nxlog/modules/extension/perl/event1.pl line 16, at EOF
However, there is no code at line 16 at all. What does that mean? It happens when I use any Perl code.
EZ created
DH created
kumdabur created
Hello, Windows events are processed in JSON, but some fields like "CommandLine", "TaskContent", "EventData" etc. arrive with XML escape characters, like &lt; is <, &gt; is >, &amp; is &, &quot; is ".
Is it possible to disable escaping globally? Or is the only option to solve the problem to use the unescape_xml function for every field, like:
$CommandLine = unescape_xml($CommandLine);
$TaskContent = unescape_xml($TaskContent);
RAZR created
Hi,
Can NXLog collect and emit metrics on Linux and Windows?
It looks like Windows can be achieved with im_winperfcount, but I haven't found metrics for Linux.
Does this exist in the Enterprise Edition?
Thanks!
casey1234 created
How do I fix abnormal output log file names, e.g. WAP01.tks.co.th-","Sec-Fetch-Mode".log, WAP01.tks.co.th-\r\n-.log, WAP01.tks.co.th-l+xml,application.log?
My NXLog configuration:
## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define ROOT_STRING C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
## Include fileop while debugging, also enable in the output module below
#<Extension fileop>
Module xm_fileop
#</Extension>
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
ReadFromLast TRUE
SavePos TRUE
Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Security">*</Select>
</Query>
</QueryList>
</Input>
<Output out>
Module om_tcp
Host 10.6.5.133
Port 514
Exec $Hostname = hostname_fqdn();
Exec $SyslogFacility = 2;
#Exec $SourceName = 'eventlogs';
#Exec to_syslog_bsd();
#Exec to_syslog_snare();
Exec to_syslog_ietf();
Exec $Message = to_json(); to_syslog_bsd();
</Output>
<Route 1>
Path in => out
</Route>
I want to:
Input <Select Path="Application"></Select> ---> output hostname.application.log
Input <Select Path="System"></Select> ---> output hostname.system.log
Input <Select Path="Security">*</Select> ---> output hostname.security.log
kunagorn.g created
I have a SaaS vendor that uses NXLog to send logs to customers and I would like them to send to an Azure Event Hub that has Kafka enabled so we don't need to use VPNs. I'm able to connect and produce messages to the topic with python and logstash but they seem to be having issues with NXLog.
This is the error they tell me they are getting: 2020-04-09 09:41:27 ERROR rdkafka: [thrd:sasl_ssl://servername.servicebus.windows.net:9093/boots]: sasl_ssl://servername.servicebus.windows.net:9093/bootstrap: SASL GSSAPI mechanism handshake failed: Local: Broker transport failure: broker's supported mechanisms: (n/a) (after 0ms in state DOWN)
Azure seems to have specific requirements/limitations, the configuration below works for logstash and it uses sasl_jaas_config to pass the authentication data:
output {
  kafka {
    codec => json
    topic_id => "kafkatopic"
    bootstrap_servers => "eventhubname.servicebus.windows.net:9093"
    client_id => "azshrelasea01p"
    compression_type => "none"
    sasl_jaas_config => "org.apache.kafka.common.security.plain.PlainLoginModule required username='$ConnectionString' password='Endpoint=<eventhubconnectionstring>';"
    sasl_mechanism => "PLAIN"
    security_protocol => "SASL_SSL"
    ssl_truststore_password => "password"
    ssl_truststore_location => "/elastic/trust.jks"
    ssl_truststore_type => "jks"
    batch_size => 250
    linger_ms => 6000
  }
}
Looking around the internet, it seems that librdkafka has some requirements that have to be met but I don't know how the nxlog config would look to implement these:
https://github.com/Azure/azure-event-hubs-for-kafka/issues/51
https://brokenco.de/2019/04/04/azure-eventhubs-rust.html
Does anyone have any experience with this, or could help me convert these logstash configs to an NXLog one? It looks like I need to use the Option directive and pass the settings there for librdkafka, but I don't have a lot of experience with NXLog.
Thanks!
sera123k created
I am trying to ship Windows logs to Graylog using Nxlog and when trying to apply my configuration, the Sidecar gives me the following error:
ERROR Couldn't open nxlog service; The specified service does not exist as an installed service.
Any idea what could be wrong? I followed the instructions here https://docs.graylog.org/en/3.2/pages/sidecar.html#nxlog-on-windows to set it up.
Thank you.
junior466 created
Hello,
I am having the problem that nothing is sent to the server and I don't know why. Here is my config:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
LogLevel INFO
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
define BASEDIR C:\MessageTracking
<Input in_exchange>
Module im_file
File '%BASEDIR%\MSGTRK*-*.LOG' # Exports all logs in Directory
SavePos TRUE
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
</Input>
<Output out_exchange>
Module om_udp
Host 10.2.1.22
Port 5141
Exec $SyslogFacilityValue = 2;
Exec $SourceName = 'exchange_msgtrk_log';
Exec to_syslog_bsd();
</Output>
<Route exchange>
Path in_exchange => out_exchange
</Route>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
EliWallic created
EZ created
wbollock created
I am configuring NXLog to send to an Elasticsearch server using om_elasticsearch, but it doesn't connect.
Here is the nxlog.conf file:
User root
Group system
Panic Soft
# default values:
PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
CacheDir /opt/nxlog/var/spool/nxlog
#ModuleDir /opt/nxlog/lib/nxlog/modules
ModuleDir /opt/nxlog/libexec/nxlog/modules
SpoolDir /opt/nxlog/var/spool/nxlog
define CERTDIR /opt/nxlog/var/lib/nxlog/cert
define CONFDIR /opt/nxlog/var/lib/nxlog
# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The MYLOGFILE
# define is also used to rotate the log file automatically (see the _fileop
# block).
define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log
<Extension _json>
Module xm_json
</Extension>
<Input file>
Module im_file
File '/<path/to/my/logfile/*log'
# Parse log here if needed
# $EventTime should be set here
</Input>
<Output out>
Module om_elasticsearch
URL http://linuxServer:9200/_bulk
FlushInterval 2
FlushLimit 100
# Create an index daily
Index strftime($EventTime, "nxlog-%Y%m%d")
# Use the following if you do not have $EventTime set
#Index strftime($EventReceivedTime, "nxlog-%Y%m%d")
</Output>
# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set LogFile below and
# disable the include line.
LogFile %MYLOGFILE%
#include %CONFDIR%/log4ensics.conf
<Extension _syslog>
Module xm_syslog
</Extension>
# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in log4ensics.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
<Exec>
if ( file_exists('%MYLOGFILE%') and
(file_size('%MYLOGFILE%') >= 5M) )
{
file_cycle('%MYLOGFILE%', 8);
}
</Exec>
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
</Schedule>
</Extension>
NXLog is starting, but it is waiting to connect to the Elasticsearch server and not proceeding further. Here is the log in nxlog.log. And I could not see an nxlog* index pattern in Kibana.
2020-03-31 09:37:44 WARNING already running as gid 0
2020-03-31 09:37:44 WARNING already running as uid 0
2020-03-31 09:37:44 WARNING no routes defined!
2020-03-31 09:37:44 WARNING default route added
2020-03-31 09:37:44 INFO nxlog-4.7.4715 started
2020-03-31 09:37:44 INFO om_elasticsearch_add_reconnect_event reconnecting in 0 seconds
2020-03-31 09:37:44 INFO connecting to linuxServer:9200
Any help on this is appreciated.
Thanks in advance
Santosh
santosh.p created
Hi,
Can NXLog be configured to automatically hide confidential information (PII) like credit card numbers, social security numbers, etc?
I thought you could maybe use a regex, but thought there might be a better way (like a module), since this is a pretty common thing to do.
Thanks in advance!!
casey1234 created
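As an added example, not part of the post above or of NXLog itself: a Python redaction routine of the kind a pre-processing step would apply before logs leave the host, masking card numbers only when they pass a Luhn check (to avoid clobbering order IDs and timestamps) and masking US-style SSNs. The log lines and field names are constructed for the example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match: "re.Match[str]") -> str:
    """Replace a Luhn-valid card number with stars, keeping the last four digits."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return raw              # not a plausible card number: leave untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Redact card numbers and SSNs from a single log line."""
    line = CARD_RE.sub(_mask_card, line)
    line = SSN_RE.sub("***-**-****", line)
    return line


if __name__ == "__main__":
    # Constructed sample lines; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    for sample in (
        "user=bob card=4111 1111 1111 1111 ssn=123-45-6789",
        "order=1234567890123 ts=2020-03-31 09:37:44",
    ):
        print(redact(sample))
```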
Please, could you advise how to skip (drop) a certain number of the next log lines after $raw_event matches (Exec if $raw_event =~ / .... / drop();)? Thanks!
mime created
I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with the MTU size. The default MTU is 1500 (i.e. 1472 bytes of actual payload), but there are many Windows events which are much larger than 1472 bytes. Those events with a length greater than 1472 bytes are getting truncated at 1472 and received partially on the syslog server. This is creating a problem for my SIEM to parse the logs.
Can anyone please help me in diagnosing and resolving this?
What I know about MTU is that if the packets are greater than 1472 bytes, fragmentation is used. I don't know how to enable this fragmentation setting in NXLog.
################
#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#=========== For Windows Event Log ===========
<Extension json>
Module xm_json
</Extension>
<Input MSEvtIN>
# For windows 2003 and earlier use the following:
#Module im_mseventlog
# For windows 2005 and later use the following:
Module im_msvistalog
Exec to_json();
</Input>
<Output MSEvtOUT>
Module om_udp
Host DNIF-Adapter-IP
Port 514
</Output>
<Route 1>
Path MSEvtIN => MSEvtOUT
</Route>
ashutosh created
Hello, I would like some simple help. I have a syslog server from which I need to send logs from a file that is in XML to another syslog server.
My configuration is as follows:
[...]
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_file
File '/var/log/alerts'
</Input>
<Output out>
Module om_udp
Host xx.xxx.x.x
Port 514
</Output>
<Route 1>
Path in => out
</Route>
Where "/var/log/alerts" contains the XML logs that I want to send.
Is there any additional configuration I should put in my conf, or is that all? Thanks
GustavoM created
Hi there,
We have a client that is looking to upgrade their NXLog to the Enterprise Edition. How do I contact a sales rep from NXLog to get a license quote for our client? We are based in Malaysia, by the way.
BilalSaiful created
hip_nxlog created
Pervon created