Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

NXLog CE is not sending any data
Hello, I am having the problem that nothing is sent to the server and I don't know why. Here is my config:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
LogLevel INFO
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

define BASEDIR C:\MessageTracking

<Input in_exchange>
    Module im_file
    # Exports all logs in Directory
    File '%BASEDIR%\MSGTRK*-*.LOG'
    SavePos TRUE
    Exec if $raw_event =~ /HealthMailbox/ drop();
    Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
    Module om_udp
    Host 10.2.1.22
    Port 5141
    Exec $SyslogFacilityValue = 2;
    Exec $SourceName = 'exchange_msgtrk_log';
    Exec to_syslog_bsd();
</Output>

<Route exchange>
    Path in_exchange => out_exchange
</Route>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

EliWallic created
Replies: 2
How could I pass output of to_json() from nxlog.conf to perl file?
Hi, I have this type of input in nxlog.conf:

<Input udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    Exec parse_syslog(); to_json(); perl_call("process");
</Input>

My question is, how should I include the JSON output that I get from to_json() in my Perl code? Should I write it like this?

    my ( $event ) = @_;

Or is it only the output of parse_syslog_bsd() (as in the example for xm_perl, https://nxlog.co/documentation/nxlog-user-guide/xm_perl.html)? More generally, my question is how to include the JSON output that I get from to_json() in the Perl code of the xm_perl module.

EZ created
Replies: 1
QueryXML conditionally, based on what's installed on Windows server?
Hi all, how do I divide my NXLog configuration file into conditionals based on queries? I have an nxlog.conf that doesn't apply equally to all hosts, and NXLog fails if it has to query something that doesn't exist on a Windows server. I'd like to keep one nxlog.conf for all servers instead of having to maintain many confs for a variety of servers. In pseudocode:

if [ exists Microsoft-Windows-TerminalServices ] then
    <query id="3">
        <Select Path="Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational">*</Select>
    </query>

However, I'm having a hard time translating a lot of the "if statements" I see to NXLog query formats. Anyone have any resources or tips to guide me? Here's what I tried (obviously wrong, <Exec> cannot be in <QueryList>):

<Exec>
    if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational')
    <Query id="3">
        <Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select>
    </Query>
</Exec>

Also tried:

<Exec>
    if ($Channel == 'Microsoft-Windows-TerminalServices-SessionBroker/Operational') \
    <QueryXML> \
        <QueryList> \
            <Query id="3"> \
                <Select Path="Microsoft-Windows-TerminalServices-SessionBroker/Operational">*</Select> \
            </Query> \
        </QueryList> \
    </QueryXML>
</Exec>
</Input>

Thanks for your help.

wbollock created
Replies: 1
NXlog is not connecting to ElasticSearch server
I am configuring NXLog to send to an Elasticsearch server using om_elasticsearch, but it doesn't connect. Here is the nxlog.conf file:

User root
Group system
Panic Soft

# default values:
PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
CacheDir /opt/nxlog/var/spool/nxlog
ModuleDir /opt/nxlog/lib/nxlog/modules
ModuleDir /opt/nxlog/libexec/nxlog/modules
SpoolDir /opt/nxlog/var/spool/nxlog
define CERTDIR /opt/nxlog/var/lib/nxlog/cert
define CONFDIR /opt/nxlog/var/lib/nxlog

# Note that these two lines define constants only; the log file location is
# ultimately set by the LogFile directive (see below). The MYLOGFILE define is
# also used to rotate the log file automatically (see the _fileop block).
define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Input file>
    Module im_file
    File '/<path/to/my/logfile/*log'
    # Parse log here if needed
    # $EventTime should be set here
</Input>

<Output out>
    Module om_elasticsearch
    URL http://linuxServer:9200/_bulk
    FlushInterval 2
    FlushLimit 100
    # Create an index daily
    Index strftime($EventTime, "nxlog-%Y%m%d")
    # Use the following if you do not have $EventTime set
    #Index strftime($EventReceivedTime, "nxlog-%Y%m%d")
</Output>

# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This allows the log
# file location to be modified via NXLog Manager. If you are not using NXLog
# Manager, you can instead set LogFile below and disable the include line.
LogFile %MYLOGFILE%
#include %CONFDIR%/log4ensics.conf

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile is changed
# in log4ensics.conf via NXLog Manager, rotation of the new file should also be
# configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

NXLog is starting, but it is waiting to connect to the Elasticsearch server and not proceeding further. Here is the log in nxlog.log. And I could not see the nxlog* index pattern in Kibana.

2020-03-31 09:37:44 WARNING already running as gid 0
2020-03-31 09:37:44 WARNING already running as uid 0
2020-03-31 09:37:44 WARNING no routes defined!
2020-03-31 09:37:44 WARNING default route added
2020-03-31 09:37:44 INFO nxlog-4.7.4715 started
2020-03-31 09:37:44 INFO om_elasticsearch_add_reconnect_event reconnecting in 0 seconds
2020-03-31 09:37:44 INFO connecting to linuxServer:9200

Any help on this is appreciated. Thanks in advance, Santosh

santosh.p created
Replies: 1
Hiding/Masking Confidential Information in Logs
Hi, Can NXLog be configured to automatically hide confidential information (PII) like credit card numbers, social security numbers, etc? I thought you could maybe use Regex but thought there might be a better way (like a module) since this is a pretty common thing to do. Thanks in advance!!

casey1234 created
Replies: 1
Skipping certain number of lines after regex match
Please, could you advise how to skip (drop) a certain number of the next log lines after $raw_event matches (Exec if $raw_event =~ / .... / drop();)? Thanks!

mime created
Replies: 1
Receiving Incomplete Windows Events
Hi, I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with MTU size. The default MTU across is 1500 (i.e. 1472 bytes actual length), but there are many events in Windows which are much larger than 1472. Those events having length greater than 1472 bytes are getting truncated at 1472 and received partially on the syslog server. This is creating a problem for my SIEM to parse the logs. Can anyone please help me in diagnosing and resolving this? What I know about MTU is, if the packets are greater than 1472 bytes, MTU fragmentation is used. I don't know how to enable this fragmentation setting in NXLog.

################
#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
<Extension json>
    Module xm_json
</Extension>

<Input MSEvtIN>
    # For windows 2003 and earlier use the following:
    #Module im_mseventlog
    # For windows 2005 and later use the following:
    Module im_msvistalog
    Exec to_json();
</Input>

<Output MSEvtOUT>
    Module om_udp
    Host DNIF-Adapter-IP
    Port 514
</Output>

<Route 1>
    Path MSEvtIN => MSEvtOUT
</Route>

ashutosh created
Replies: 11
Send xml files from syslog to syslog
Hello, I would like some simple help. I have a syslog server from which I need to send logs from a file that is in XML to another syslog server. My configuration is as follows:

[...]
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_file
    File '/var/log/alerts'
</Input>

<Output out>
    Module om_udp
    Host xx.xxx.x.x
    Port 514
</Output>

<Route 1>
    Path in => out
</Route>

Where "/var/log/alerts" are the XML logs that I want to send. Is there any additional configuration I should put in my conf or is it just that? Thanks

GustavoM created
Replies: 1
How to contact the sales rep in my country
Hi there, we have one of our clients that is looking to upgrade their NXLog to the Enterprise Edition. How do I contact a sales rep from NXLog to get a license quote for our client? We are based in Malaysia, by the way.

BilalSaiful created
Replies: 1
Does the im_vistalog ResolveSID directive in NXLog EE also resolve Group SIDs?
I've noticed that the "GroupMembership" and "full_message" fields in Windows security logs for EventID 4627 contain unresolved group SIDs (at least they look like SIDs to me). Event 4627 is generated along with event 4624 (successful account logon) and shows the entire list of groups that the particular logged-on account belongs to. This shows a list of groups that the user is a member of in Windows Event Viewer, but it looks like the following in our output stream:

Group Membership:
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-123}
    %{S-1-1-0}
    ...
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234}
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2345}
    %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-3456}

I am running version 4.7.4715 64-bit Enterprise Edition (non-trial) and my config file has the input defined as:

<Input in>
    # For windows vista/2008 and above use:
    Module im_msvistalog
    ResolveSID TRUE
</Input>

The username seems to be resolving correctly (or at least the "TargetUserSid"/"TargetUserName" fields both show a valid username and not a SID), so I believe the "ResolveSID" option is working correctly for usernames. I would like to be able to read the group membership information in a human-readable format rather than SIDs. I thought that "ResolveSID TRUE" would convert all instances of SIDs into human-readable format. I'm a little confused on the implementation specifics because I see the documentation (https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html) only specifically mentions user names ("ResolveSID This optional boolean directive specifies that SID values should be resolved to user names in the ..."), so am I wrong in assuming that group membership SIDs would also be resolved since they are not user names?

My questions are:
1. Should the group SIDs be resolving into human-readable format when ResolveSID=true? Or is the expected behaviour that they remain as SIDs?
2. If this is expected behaviour, are there any plans for incorporating this feature in a later release of NXLog? Is there any way I can convert the group SIDs into human-readable format?
3. If this is not expected behaviour, how can I troubleshoot this further?

hip_nxlog created
Replies: 1
Collecting Event Viewer Logs (msvistalog), but oddly fails with error
I've amassed a number of EventIDs I think I want to monitor on my Win10 host. However, the error I'm receiving is:

.\nxlog.exe -v
INFO configuration OK

.\nxlog.exe -f
INFO nxlog-ce-2.10.2150 started
ERROR failed to subscribe to msvistalog events using bookmark: the specified query is invalid.
ERROR failed to subscribe to msvistalog events, the Query is invalid: This operator is unsupported by this implementaiton of the filter.; [error code: 15001]

The weird part is, when I remove multiple lines it works. However, when I test each line individually, it works. I assume there is a conflict between them (e.g. duplicate EventIDs). Below is the configuration and associated examples.

Complete but fails .conf:

#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension gelf>
    Module xm_gelf
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>
                    (EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or
                    (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or
                    ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                    ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11))) or
                    ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10))) or
                    ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or
                    ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
                    ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
                    ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or
                    (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or
                    (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or
                    (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or
                    (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or
                    (EventID=5030) or (EventID=5124) or
                    ((EventID=5140) and (ShareName!="\\*C$")) or
                    ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
                    (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or
                    (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or
                    (EventID=5376) or (EventID=5379)
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output graylog>
    Module om_udp
    Host 192.168.1.1
    Port 55555
    OutputType GELF_UDP
</Output>

<Route toGraylog>
    Path eventlog => graylog
</Route>

Cut out from above. Succeeds:

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>
                    (EventID=550) or (EventID=612) or (EventID=801) or (EventID=1102) or
                    (EventID=1104) or (EventID=1108) or (EventID=4608) or (EventID=4616) or
                    ((EventID=4624) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
                    ((EventID=4625) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10) or (LogonType=11)))
                    ((EventID=4634) and ((LogonType=2) or (LogonType=3) or (LogonType=4) or (LogonType=7) or (LogonType=8) or (LogonType=10)))
                    ((EventID=4648) and (TargetDomainName="domain.net")) or (EventID=4649) or
                    ((EventID=4688) and (SubjectUserSid="/^S-1-5-21")) or
                    ((EventID=4697) and ((ServiceName!="/^BluetoothUserService") and (ServiceName!="/^Vmware"))) or
                    ((EventID=4698) and (SubjectUserSid="/^S-1-5-21")) or (EventID=4699) or
                    (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or
                    (EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or
                    (EventID=4794) or (EventID=4897) or (EventID=4946) or (EventID=4948) or
                    (EventID=4950) or (EventID=4964) or (EventID=5024) or (EventID=5025) or
                    (EventID=5030) or (EventID=5124) or
                    ((EventID=5140) and (ShareName!="\\*C$")) or
                    ((EventID=5142) and ((ShareName!="\\*C$") or (ShareName!="\\*\ADMINISTRATOR$"))) or
                    (EventID=5148) or (EventID=5149) or (EventID=5154) or (EventID=5155) or
                    (EventID=5156) or (EventID=5157) or (EventID=5158) or (EventID=5159) or
                    (EventID=5376) or (EventID=5379)
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Fails:

(EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or
(EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or
(EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or
(EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or
(EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or
(EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)

Succeeds (removed bottom 5):

(EventID=4699) or (EventID=4704) or (EventID=4717) or (EventID=4719) or (EventID=4720) or
(EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or
(EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or
(EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or
(EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156)

Succeeds (added bottom 5 back and removed top 5):

(EventID=4726) or (EventID=4740) or (EventID=4765) or (EventID=4766) or (EventID=4794) or
(EventID=4897) or (EventID=4946) or (EventID=4948) or (EventID=4950) or (EventID=4964) or
(EventID=5024) or (EventID=5025) or (EventID=5030) or (EventID=5124) or (EventID=5148) or
(EventID=5149) or (EventID=5154) or (EventID=5155) or (EventID=5156) or (EventID=5157) or
(EventID=5158) or (EventID=5159) or (EventID=5376) or (EventID=5379)

Thank you!

Pervon created
Replies: 1
Query a Sybase Database with NXLog
I'm trying to query a local Sybase database using NXLog and then write the output to a file. So far I'm unable to connect to the database. NXLog is saying that there are no drivers present. I'm running this on CentOS 7. I'm not seeing any database drivers available. Do I need to download these drivers separately? What's the name of the correct driver for Sybase? Where would I find the correct file?

2020-03-09 12:02:18 INFO nxlog-ce-2.10.2150 started
2020-03-09 12:02:18 ERROR failed to open tmp/output;No such file or directory
2020-03-09 12:02:18 ERROR dbi_initialize failed, no drivers present?

Config below:

<Input dbi>
    Module im_dbi
    Driver Sybase
    Option host 127.0.0.1
    Option username ********
    Option password ********
    Option dbname ********
    SQL SELECT * from *******
</Input>

<Output file>
    Module om_file
    File "tmp/output.out"
</Output>

<Route dbi_to_file>
    Path dbi => file
</Route>

Any help would be appreciated. Thanks in advance!!

casey1234 created
Replies: 1
Invalid Argument
For some reason I realized NXLog wasn't sending logs to Graylog (after previously doing so flawlessly). I went to the NXLog log and found this just before it stopped responding:

2020-03-09 08:29:36 ERROR om_udp apr_socket_send failed; An invalid argument was supplied.

What does this mean? I can't find anything online, but I know the UDP arguments work because restarting NXLog works fine. However, Graylog received a message 20ms later from that machine (the last message that was sent before NXLog went offline). Any ideas?

ntubergen created
Replies: 1
NXLog not always sending logs
We are using a Graylog server in hopes to capture two things (logons and disk errors). NXLog is forwarding most logon attempts, but not all of them for some reason. NXLog is not forwarding any disk error logs. Here is my config:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

define LogonEventIds 4648

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%LogonEventIds%) drop();
    </Exec>
</Input>

define DiskEventIds 9, 11, 50, 51, 54, 55, 57, 129, 1066, 6008

<Input diskcheck>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%DiskEventIds%) drop();
    </Exec>
</Input>

<Output udpLogon>
    Module om_udp
    Host 10.0.0.220
    Port 1517
</Output>

<Output udpDisk>
    Module om_udp
    Host 10.0.0.220
    Port 1518
</Output>

<Route 1>
    Path eventlog => udpLogon
</Route>

<Route 2>
    Path diskcheck => udpDisk
</Route>

I don't know what the issue is. I am using tcpdump on the Graylog server and am not receiving anything on that port (1518) despite Event Viewer showing several logs with 129 and 55 EventIDs. Any help would be appreciated. Yes, the port is open.

ntubergen created
Replies: 1
To collect logs
Hi Team, I have installed the NXLog Community Edition (nxlog-ce-2.10.2150.msi) on our Windows server and I am trying to collect the firewall (ASA) logs on the Windows server through NXLog. I have used the following configuration but I am not receiving any logs. Can you help me on this?

<Extension json>
    Module xm_json
</Extension>

## Extension to format the message in syslog format
<Extension syslog>
    Module xm_syslog
</Extension>

########## INPUTS ###########
<Input in_syslog_tcp>
    Module im_tcp
    Host 0.0.0.0
    Port 1514
    Exec parse_syslog();
</Input>

############ OUTPUTS ##############
<Output file>
    Module om_file
    File "C:\test\asa.log"
    Exec to_syslog_ietf();
</Output>

<Route file>
    Path in_syslog_tcp => file
</Route>

Saravanakumar created
Replies: 1
How to write a Regular expressions for Traditional Chinese characters
Hi, I am trying to collect Windows DNS debug logs with NXLog xm_multiline. I referenced the link below: Parsing Detailed DNS Logs With Regular Expressions (https://nxlog.co/documentation/nxlog-user-guide/windows-dns-server.html#parsing-detailed). But the Windows DNS debug logs include Traditional Chinese characters, and it won't let me combine the multiline into one log. What is the correct "HEADER_REGEX" that I should use? A DNS debug log sample is (I believe the problem is 上午; by the way, 上午 = AM and 下午 = PM):

2020/3/6 上午 11:58:01 0E80 PACKET  000001D80FE9BD40 UDP Snd 10.0.35.101     a3f5 R Q [8081   DR  NOERROR] A      (5)e3998(1)d(10)akamaiedge(3)net(0)
UDP response info at 000001D80FE9BD40
  Socket = 724
  Remote addr 10.0.35.101, port 56423
  Time Query=283057, Queued=283057, Expire=283060
  Buf length = 0x0200 (512)
  Msg length = 0x0038 (56)
  Message:
    XID       0xa3f5
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    1
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(5)e3998(1)d(10)akamaiedge(3)net(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x0028, RR count = 0
    Name      "C00Ce3998(1)d(10)akamaiedge(3)net(0)"
      TYPE   A (1)
      CLASS  1
      TTL    20
      DLEN   4
      DATA   96.7.252.200
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

NXLog configuration sample is:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets BIG-5, utf-8, utf-16, utf-32, iso8859-2
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>

define EVENT_REGEX /(?x)(?<Date>\d+(?:/\d+){2})\s \
                   (?<Time>\d+(?::\d+){2})\s \
                   (?<ThreadId>\w+)\s+ \
                   (?<Context>\w+)\s+ \
                   (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ \
                   (?<Protocol>\w+)\s+ \
                   (?<SendReceiveIndicator>\w+)\s \
                   (?<RemoteIP>[[:xdigit:].:]+)\s+ \
                   (?<Xid>[[:xdigit:]]+)\s \
                   (?<QueryType>\s|R)\s \
                   (?<Opcode>[A-Z]|?)\s \
                   (?<QFlags>[(.?)])\s+ \
                   (?<QuestionType>\w+)\s+ \
                   (?<QuestionName>.)\s+ \
                   (?<LogInfo>.+)\s+.+=\s \
                   (?<Socket>\d+)\s+ \
                   Remote\s+ addr\s \
                   (?<RemoteAddr>.+),\sport\s \
                   (?<PortNum>\d+)\s+Time\sQuery= \
                   (?<TimeQuery>\d+),\sQueued= \
                   (?<Queued>\d+),\sExpire= \
                   (?<Expire>\d+)\s+.+( \
                   (?<BufLen>\d+))\s+.+( \
                   (?<MsgLen>\d+))\s+Message:\s+ \
                   (?<Message>(?s).*)/

define HEADER_REGEX /(?x)(?<Date>\d+(?:/\d+){2})\s \
                    (?<AMPM>\x{e4}\x{b8}\x{8a}\x{e5}\x{8d}\x{88})\s \
                    (?<Time>\d+(?::\d+){2})\s \
                    (?<ThreadId>\w+)\s+ \
                    (?<Context>\w+)\s+ \
                    (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ \
                    (?<Protocol>\w+)\s+ \
                    (?<SendReceiveIndicator>\w+)\s \
                    (?<RemoteIP>[[:xdigit:].:]+)\s+ \
                    (?<Xid>[[:xdigit:]]+)\s \
                    (?<QueryType>\s|R)\s \
                    (?<Opcode>[A-Z]|?)\s \
                    (?<QFlags>[(.?)])\s+ \
                    (?<QuestionType>\w+)\s+ \
                    (?<QuestionName>.)/

<Extension multiline>
    Module xm_multiline
    HeaderLine %HEADER_REGEX%
</Extension>

<Input windnsdetaillog>
    Module im_file
    File 'C:\dns.log'
    Exec convert_fields("BIG-5", "utf-8");
    InputType multiline
    Exec if $raw_event =~ /(\d+)/(\d+/\d+)\s(上午\s)(\d+:\d+:\d+\s)((.|\n))/ $raw_event = $2 + '/' + $1 + ' ' + $4 + 'AM ' + $5;
    Exec if $raw_event =~ /(\d+)/(\d+/\d+)\s(下午\s)(\d+:\d+:\d+\s)((.|\n))/ $raw_event = $2 + '/' + $1 + ' ' + $4 + 'PM ' + $5;
    <Exec>
        if $raw_event =~ %EVENT_REGEX%
        {
            $EventTime = parsedate($Date + " " + $Time + " " + $AMPM);
            delete($Date);
            delete($Time);
        }
    </Exec>
</Input>

<Input wineventin>
    Module im_msvistalog
</Input>

<Output windnsdetaillogout>
    Module om_tcp
    Host 192.168.11.3
    Port 12198
    OutputType GELF_TCP
</Output>

<Output wineventout>
    Module om_udp
    Host 192.168.11.3
    Port 12196
    OutputType GELF
</Output>

<Route 1>
    Path wineventin => wineventout
</Route>

<Route 2>
    Path windnsdetaillog => windnsdetaillogout
</Route>

kevinlin created
Replies: 3
Sharepoint Audit Logs via PowerShell script error
Hello NXLog community! I was hoping you can help me with the problem I've been dealing with. I'm trying to configure NXLog to collect SharePoint audit logs using a PowerShell script following the official documentation here: https://nxlog.co/documentation/nxlog-user-guide/sharepoint.html#sharepoint_audit

I have enabled SharePoint audit logging, configured the PowerShell script and the NXLog input, but when I'm trying to run it, it does not work. Can you please help me figure out what I'm doing wrong here? Here is what I'm getting in the log file:

2020-03-05 09:42:14 ERROR failed to parse json string, lexical error: invalid char in json text.; The local farm is not accessibl; (right here) ------^; [The local farm is not accessible. Cmdlets with FeatureDependencyId are not registered.]
2020-03-05 09:42:14 ERROR assignment failed at line 40, character 43 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 40, character 42 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
2020-03-05 09:42:14 ERROR failed to parse json string, lexical error: invalid char in json text.; C:\Audit\auditlog.ps1 : An unha; (right here) ------^; [C:\Audit\auditlog.ps1 : An unhandled exception occurred!]
2020-03-05 09:42:14 ERROR assignment failed at line 40, character 43 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 40, character 42 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
2020-03-05 09:42:14 ERROR failed to parse json string, lexical error: invalid char in json text.; + CategoryInfo : NotSp; (right here) ------^; [ + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep ]
2020-03-05 09:42:14 ERROR assignment failed at line 40, character 43 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 40, character 42 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
2020-03-05 09:42:14 ERROR failed to parse json string, lexical error: invalid string in json text.; tion; (right here) ------^; [ tion]
2020-03-05 09:42:14 ERROR assignment failed at line 40, character 43 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 40, character 42 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
2020-03-05 09:42:14 ERROR failed to parse json string, lexical error: invalid char in json text.; + FullyQualifiedErrorId : Micro; (right here) ------^; [ + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio ]
2020-03-05 09:42:14 ERROR assignment failed at line 40, character 43 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 40, character 42 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
2020-03-05 09:42:14 ERROR failed to parse json string, lexical error: invalid string in json text.; n,auditlog.ps1; (right here) ------^; [ n,auditlog.ps1]
2020-03-05 09:42:14 ERROR assignment failed at line 40, character 43 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 40, character 42 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
2020-03-05 09:42:14 ERROR failed to parse json string, parse error: premature EOF; ; (right here) ------^; [ ]
2020-03-05 09:42:14 ERROR assignment failed at line 40, character 43 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 40, character 42 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
2020-03-05 09:42:14 ERROR Module audit_powershell got EOF, process exited?

Here's my config file:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module xm_fileop
    <Schedule>
        When @daily
        Exec file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input audit_powershell>
    Module im_exec
    Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Arg "-ExecutionPolicy"
    Arg "Bypass"
    Arg "-NoProfile"
    Arg "-File"
    Arg "C:\Audit\auditlog.ps1"
    <Exec>
        parse_json();
        $EventTime = parsedate($EventTime);
    </Exec>
</Input>

<Output gelf>
    Module om_tcp
    Host 192.168.98.5
    Port 12208
    OutputType GELF_TCP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '3a5aa0c9-aba3-4384-8691-43ed7d1ebbab';
        $collector_node_id = 'Scooby';
    </Exec>
</Output>

<Route route-2>
    Path audit_powershell => gelf
</Route>

And the PowerShell script I've created:

# This script can be used with NXLog to fetch Audit logs via the SharePoint
# API. See the configurable options below. Based on:
# <http://shokochino-sharepointexperience.blogspot.ch/2013/05/create-auditing-reports-in-sharepoint.html>

#Requires -Version 3

# The timestamp is saved to this file for resuming.
$CacheFile = 'C:\Audit\nxlog_sharepoint_auditlog_position.txt'

# The database is queried at this interval in seconds.
$PollInterval = 10

# Allow this many seconds for new logs to be written to database.
$ReadDelay = 30

# Use this to enable debug logging (for testing outside of NXLog).
#$DebugPreference = 'Continue'

################################################################################

# If running 32-bit on a 64-bit system, run 64-bit PowerShell instead.
if ($env:PROCESSOR_ARCHITEW6432 -eq "AMD64") {
    Write-Debug "Running 64-bit PowerShell."
    &"$env:WINDIR\SysNative\WindowsPowerShell\v1.0\powershell.exe" `
        -NonInteractive -NoProfile -ExecutionPolicy Bypass `
        -File "$($myInvocation.InvocationName)" $args
    exit $LASTEXITCODE
}

Add-PSSnapin "Microsoft.SharePoint.Powershell" -ErrorAction Stop

# Return description for event
function Event-Description {
    param( $entry )
    switch ($entry.Event) {
        AuditMaskChange {"The audit flags are changed for the audited object."}
        ChildDelete {"A child of the audited object is deleted."}
        ChildMove {"A child of the audited object is moved."}
        CheckIn {"A document is checked in."}
        'Copy' {"The audited item is copied."}
        Delete {"The audited object is deleted."}
        EventsDeleted {"Some audit entries are deleted from SharePoint database."}
        'Move' {"The audited object is moved."}
        Search {"The audited object is searched."}
        SecGroupCreate {"A group is created for the site collection (this action " `
            + "also generates an Update event)."}
        SecGroupDelete {"A group on the site collection is deleted."}
        SecGroupMemberAdd {"A user is added to a group."}
        SecGroupMemberDelete {"A user is removed from a group."}
        SecRoleBindBreakInherit {"A subsite's inheritance of permission level " `
            + "definitions (that is, role definitions) is severed."}
        SecRoleBindInherit {"A subsite is set to inherit permission level " `
            + "definitions (that is, role definitions) from its parent."}
        SecRoleBindUpdate {"The permissions of a user or group for the audited " `
            + "object are changed."}
        SecRoleDefCreate {"A new permission level (a combination of permissions " `
            + "that are given to people holding a particular role for the site " `
            + "collection) is created."}
        SecRoleDefDelete {"A permission level (a combination of permissions that " `
            + "are given to people holding a particular role for the site " `
            + "collection) is deleted."}
        SecRoleDefModify {"A permission level (a combination of permissions that " `
            + "are given to people holding a particular role for the site " `
            + "collection) is modified."}
        Update {"An existing object is updated."}
        CheckOut {"A document is checked out."}
        View {"The object is viewed by a user."}
        ProfileChange {"Change in a profile that is associated with the object."}
        SchemaChange {"Change in the schema of the object."}
        Undelete {"Restoration of an object from the Recycle Bin."}
        Workflow {"Access of the object as part of a workflow."}
        FileFragmentWrite {"A File Fragment has been written for the file."}
        Custom {"Custom action or event."}
        default {"The event description could not be determined."}
    }
}

# Get audit data from $site in range $start to $end. Timestamps should use
# seconds precision only. A record with timestamp equal to $start time is
# included in output; a record with timestamp equal to $end time is not.
function Get-Audit-Data { param( $site, $start, $end ) Write-Debug "Getting audit log for $site.Url from $start to $end" $query = New-Object -TypeName Microsoft.SharePoint.SPAuditQuery($site) $query.setRangeStart($start.AddSeconds(-1)) $query.setRangeEnd($end) $coll = $site.Audit.GetEntries($query) $root = $site.RootWeb for ($i=0; $i -le ($coll.Count)-1 ; $i++) { # Get the entry item from the collection $entry = $coll.Item($i) # Find the current user name foreach($User in $root.SiteUsers) { if($entry.UserId -eq $User.Id) { $UserName = $User.UserLogin } } # Find the item name foreach($List in $root.Lists) { if($entry.ItemId -eq $List.Id) { $ItemName = $List.Title } } # Create hash table $record = @{ # AuditData table fields SiteID = $entry.SiteId; ItemID = $entry.ItemId; ItemType = $entry.ItemType; UserID = $entry.UserId; AppPrincipalID = $entry.AppPrincipalId; MachineName = $entry.MachineName; MachineIP = $entry.MachineIP; DocLocation = $entry.DocLocation; LocationType = $entry.LocationType; EventTime = ($entry.Occurred.ToString('o') + "Z"); Event = $entry.Event; EventName = $entry.EventName; EventSource = $entry.EventSource; SourceName = $entry.SourceName; EventData = $entry.EventData; # Additional fields ItemName = $ItemName; Message = Event-Description $entry; SiteURL = $site.Url; UserName = $UserName; } # Return record as JSON $record | ConvertTo-Json -Compress | Write-Output } } # Get position timestamp from cache file. On first run, create file using # current time. function Get-Position { param( $file ) Try { if (Test-Path $file) { $time = (Get-Date (Get-Content $file -First 1)) $time = $time.ToUniversalTime() $time = $time.AddTicks(-($time.Ticks % 10000000)) } else { $time = [System.DateTime]::UtcNow $time = $time.AddTicks(-($time.Ticks % 10000000)) Save-Position $file $time } return $time } Catch { Write-Error "Failed to read timestamp from position file." exit 1 } } # Save position timestamp to cache file. 
function Save-Position { param( $file, $time ) Try { Out-File -FilePath $file -InputObject $time.ToString('o') } Catch { Write-Error "Failed to write timestamp to position file." exit 1 } } # Main Try { $start = Get-Position $CacheFile Write-Debug "Got start time of $($start.ToString('o'))." $now = [System.DateTime]::UtcNow $now = $now.AddTicks(-($now.Ticks % 10000000)) Write-Debug "Got current time of $($now.ToString('o'))." $diff = ($now - $start).TotalSeconds # Check whether waiting is required to comply with $ReadDelay. if (($diff - $PollInterval) -lt $ReadDelay) { $wait = $ReadDelay - $diff + $PollInterval Write-Debug "Waiting $wait seconds to start collecting logs." Start-Sleep -Seconds $wait } # Repeatedly read from the audit log while($true) { Write-Debug "Using range start time of $($start.ToString('o'))." $now = [System.DateTime]::UtcNow $now = $now.AddTicks(-($now.Ticks % 10000000)) $end = $now.AddSeconds(-($ReadDelay)) Write-Debug "Using range end time of $($end.ToString('o'))." $sites = Get-SPSite -Limit All foreach($site in $sites) { Get-Audit-Data $site $start $end } Write-Debug "Saving position timestamp to cache file." Save-Position $CacheFile $end Write-Debug "Waiting $PollInterval seconds before reading again." Start-Sleep -Seconds $PollInterval $start = $end } } Catch { Write-Error "An unhandled exception occurred!" exit 1 }

mayflower-mike created
Replies: 1
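An added check for the failure pattern the nxlog.log above shows (example code, not from the post, NXLog or Graylog): the lines that fail in parse_json() are fragments of a PowerShell error record ("+ CategoryInfo", "+ FullyQualifiedErrorId", "...auditlog.ps1"), and each is followed by a parsedate() failure because $EventTime was never set. The Python below validates a collector's stdout line by line before treating it as an event and quarantines anything that is not a JSON object with a parseable EventTime; the record shape and function names are assumptions, and the sample lines are constructed.

```python
"""Validate a collector script's stdout line by line before it is handled as
JSON events, mirroring the im_exec -> parse_json() -> parsedate($EventTime)
chain in the post. Lines that are not a JSON object with a parseable EventTime
(e.g. PowerShell error-record text) are quarantined with a reason instead of
producing one parse error per line. Added example; record shape is assumed."""
import json
import re
from datetime import datetime, timezone

# The script emits EventTime as $entry.Occurred.ToString('o') + "Z", i.e. with
# seven fractional digits; strptime's %f accepts at most six, so trim them.
_EXTRA_FRACTION = re.compile(r"(\.\d{6})\d+")

def parse_event_time(value: str) -> datetime:
    """Parse the script's EventTime string into an aware UTC datetime."""
    trimmed = _EXTRA_FRACTION.sub(r"\1", value)
    naive = datetime.strptime(trimmed, "%Y-%m-%dT%H:%M:%S.%fZ")
    return naive.replace(tzinfo=timezone.utc)

def classify_line(line: str):
    """Return ("event", record) or ("diagnostic", reason) for one stdout line."""
    text = line.strip()
    if not text:
        return "diagnostic", "empty line"
    if not text.startswith("{"):
        return "diagnostic", "not a JSON object: " + text[:48]
    try:
        record = json.loads(text)
    except json.JSONDecodeError as exc:
        return "diagnostic", "invalid JSON: " + exc.msg
    if not isinstance(record, dict) or "EventTime" not in record:
        return "diagnostic", "JSON without an EventTime field"
    try:
        record["EventTime"] = parse_event_time(str(record["EventTime"]))
    except ValueError:
        return "diagnostic", "unparseable EventTime " + repr(record["EventTime"])
    return "event", record

def split_collector_output(lines):
    """Split raw stdout lines into (events, numbered diagnostics)."""
    events, diagnostics = [], []
    for number, line in enumerate(lines, start=1):
        kind, payload = classify_line(line)
        if kind == "event":
            events.append(payload)
        else:
            diagnostics.append(f"line {number}: {payload}")
    return events, diagnostics

# Constructed sample: one record in the shape the script emits, followed by the
# kind of PowerShell error-record fragments the post's nxlog.log shows.
SAMPLE_OUTPUT = [
    '{"Event":"View","EventTime":"2020-03-05T09:41:02.0000000Z",'
    '"UserName":"CONTOSO\\\\jdoe","SiteURL":"https://sharepoint.example"}',
    "Write-Error : An unhandled exception occurred!",
    "    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException",
    "    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,auditlog.ps1",
    "",
]

if __name__ == "__main__":
    found, problems = split_collector_output(SAMPLE_OUTPUT)
    print(f"{len(found)} event(s), {len(problems)} quarantined line(s)")
    for problem in problems:
        print(problem)
```

Running it against a real collector's output makes a script that has switched to emitting error text visible as one quarantine report rather than a run of parse errors in nxlog.log.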
im_odbc
Good evening! I have a problem with configuring the im_odbc module to connect to the Oracle database from unix. So... As I understood (maybe I'm wrong somewhere), this module doesn't work "out of the box", and for it to work correctly I need to set up the Oracle instant client, which provides me with a driver, odbc.ini and odbcinst.ini files. I also created a tnsnames.ora file. odbc.ini, odbcinst.ini and tnsnames.ora are configured correctly. I tried testing them with isql and it works fine. I tried configuring the ConnectionString parameter in the configuration file in different ways, but it did not work for me.

/etc/odbcinst.ini:

[libsqora.so.12.1]
Description = Oracle ODBC driver for Oracle 12c
Driver = /usr/lib/oracle/12.2/client64/lib/libsqora.so.12.1
Setup =
FileUsage =
CPTimeout =
CPReuse

/etc/odbc.ini:

[ODBC Data Sources]
OracleODBC = Oracle ODBC driver for Oracle 12c

[OracleODBC]
Application Attributes = T
Attributes = W
BatchAutocommitMode = IfAllSuccessful
BindAsFLOAT = F
CloseCursor = F
DisableDPM = F
DisableMTS = T
Driver = libsqora.so.12.1
DSN = OracleODBC
EXECSchemaOpt =
EXECSyntax = T
Failover = T
FailoverDelay = 10
FailoverRetryCount = 10
FetchBufferSize = 64000
ForceWCHAR = F
Lobs = T
Longs = T
MaxLargeData = 0
MetadataIdDefault = F
QueryTimeout = T
ResultSets = T
ServerName = DB.ETALON
SQLGetData extensions = F
Translation DLL =
Translation Option = 0
DisableRULEHint = T
UserID = XXXX
Password = XXXX
StatementCache=F
CacheBufferSize=20
UseOCIDescribeAny=F
SQLTranslateErrors=F
MaxTokenSize=8192
AggregateSQLType=FLOAT

tnsnames.ora:

DB.ETALON =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-etalon.example.com)(PORT = 1530))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = etalon)
    )
  )

I don't understand how to correctly set ConnectionString. Maybe someone has ODBC setup experience.

Stanislav created
Replies: 1
Importing csv file and converting to syslog and sending to log server
Hello all, I am having an issue reading in a csv file, converting it and sending it up to a log server. The first line/event in the csv gets parsed and converted correctly, but then the second line/event doesn't get parsed and is converted to the same line as the first event. I am trying to have it read in the csv file (being exported from SCCM for SCEP alerts), convert it to syslog and send it up to the log server. Please find all my configs below:

NXLog conf (not pasting the full config file):

########################################
# Application Configuration Includes   #
########################################
## Uncomment additional input modules below if desired.
## Additional configuration may be required for each application in its conf file.
# include %ROOT%\conf\ms_dhcpv4.conf ## Must add "MS_DHCPv4" as INPUT to route below.
# include %ROOT%\conf\ms_dhcpv6.conf ## Must add "MS_DHCPv6" as INPUT to route below.
# include %ROOT%\conf\ms_scep.conf ## Must add "ms_scep" as INPUT to route below.
include %ROOT%\conf\ms_scep_csv.conf ## Must add "ms_scep_csv" as INPUT to route below.
# include %ROOT%\conf\ms_dns.conf ## Must add "MS_DNS" as INPUT to route below.
# include %ROOT%\conf\ms_exchange15.conf ## Must add "MS_EXCH_MT" as INPUT to route below.
# include %ROOT%\conf\ms_netlogon.conf ## Must add "MS_NETLOGON" as INPUT to route below.
# include %ROOT%\conf\ms_iis.conf ## Must add "MS_IIS" or "MS_FTP" or "MS_SMTP" as INPUT to route below.

########################################
# Output Module Includes               #
########################################
## Uncomment additional OUTPUT modules below if desired.
## You MUST configure an IP or Hostname in each output conf file.
include %ROOT%\conf\output_tcp.conf ## Must add "tcp_sender1" as OUTPUT to route below
# include %ROOT%\conf\output_udp.conf ## Must add "udp_sender1" as OUTPUT to route below
# include %ROOT%\conf\output_encrypted.conf ## Must add "ssl_sender1" as OUTPUT to route below
include %ROOT%\conf\output_file.conf ## Must add "file_sender1" as OUTPUT to route below

########################################
# Default Route                        #
########################################
## Add additional INPUTS comma separated on LEFT of arrow symbol.
## Add additional OUTPUTS comma separated on RIGHT of arrow symbol.
<Route 1>
    #Primary route for log processing and forwarding.
    Path ms_scep_csv => file_sender1,tcp_sender1
</Route>

###############################################################################
###############################################################################
## DO NOT MODIFY BELOW CONFIGURATIONS UNLESS INSTRUCTED TO DO SO.

########################################
# Global Extensions                    #
########################################
## Do not modify extensions as they may be required by included configurations.
<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _syslog>
    Module xm_syslog
    # IETFTimestampInGMT TRUE
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

ms_scep_csv conf file:

###########################################################
# INPUT Microsoft System Center Endpoint Protection       #
###########################################################
## DO NOT MODIFY MODULE NAMES AS IT MAY BREAK TAP FUNCTIONALITY
<Extension csv>
    Module xm_csv
    Fields $Type, $RowID, $Name, $Description, $Timestamp, $SchemaVersion, $ObserverHost, $ObserverUser, $ObserverProductName, $ObserverProductVersion, $ObserverProtectionType, $ObserverProtectionVersion, $ObserverProtectionSignatureVersion, $ObserverDetection, $ObserverDetectionTime, $ActorHost, $ActorUser, $ActorProcess, $ActorResource, $ActionType, $TargetHost, $TargetUser, $TargetProcess, $TargetResource, $ClassificationID, $ClassificationType, $ClassificationSeverity, $ClassificationCategory, $RemediationType, $RemediationResult, $RemediationErrorCode, $RemediationPendingAction, $IsActiveMalware
    Delimiter ,
</Extension>

<Input ms_scep_csv>
    Module im_file
    File "C:\\Temp\\Desktop.csv"
    ReadFromLast TRUE
    SavePos TRUE
    CloseWhenIdle TRUE
    <Exec>
        csv->parse_csv();
        to_syslog_ietf();
    </Exec>
</Input>

Desktop.csv file:

"Type","RowID","Name","Description","Timestamp","SchemaVersion","ObserverHost","ObserverUser","ObserverProductName","ObserverProductversion","ObserverProtectionType","ObserverProtectionVersion","ObserverProtectionSignatureVersion","ObserverDetection","ObserverDetectionTime","ActorHost","ActorUser","ActorProcess","ActorResource","ActionType","TargetHost","TargetUser","TargetProcess","TargetResource","ClassificationID","ClassificationType","ClassificationSeverity","ClassificationCategory","RemediationType","RemediationResult","RemediationErrorCode","RemediationPendingAction","IsActiveMalware"
"SecurityIncident","08be9aba-1326-4ac8-81e1-ace5c4550c76","MalwareInfection","NotImplemented","3/3/2020","1.0","Testing","","SystemCenterEndpointProtection","4.10.209.0","AM","","","Realtime","3/3/2020","","","","","MalwareInfection","Testing","NT AUTHORITY\SYSTEM","System","file:_C:\Path\ofw2d3qz.iqf","2147626289","Trojan:Win32/Giframe.A","Severe","Trojan","NoAction","Testing","0","NoActionRequired","Testing 3/3 9:33am"
"SecurityIncident","08be9aba-1326-4ac8-81e1-ace5c4550c76","MalwareInfection","NotImplemented","3/3/2020","1.0","Testing","","SystemCenterEndpointProtection","4.10.209.0","AM","","","Realtime","3/3/2020","","","","","MalwareInfection","Testing","NT AUTHORITY\SYSTEM","System","file:_C:\Path\ofw2d3qz.iqf","2147626289","Trojan:Win32/Giframe.A","Severe","Trojan","NoAction","Testing","0","NoActionRequired","Testing 3/3 9:34am"
"SecurityIncident","08be9aba-1326-4ac8-81e1-ace5c4550c76","MalwareInfection","NotImplemented","3/3/2020","1.0","Testing","","SystemCenterEndpointProtection","4.10.209.0","AM","","","Realtime","3/3/2020","","","","","MalwareInfection","Testing","NT AUTHORITY\SYSTEM","System","file:_C:\Path\ofw2d3qz.iqf","2147626289","Trojan:Win32/Giframe.A","Severe","Trojan","NoAction","Testing","0","NoActionRequired","Testing 3/3 9:35am"
"SecurityIncident","08be9aba-1326-4ac8-81e1-ace5c4550c76","MalwareInfection","NotImplemented","3/3/2020","1.0","Testing","","SystemCenterEndpointProtection","4.10.209.0","AM","","","Realtime","3/3/2020","","","","","MalwareInfection","Testing","NT AUTHORITY\SYSTEM","System","file:_C:\Path\ofw2d3qz.iqf","2147626289","Trojan:Win32/Giframe.A","Severe","Trojan","NoAction","Testing","0","NoActionRequired","Testing 3/3 9:36am"

Testfile.log output:

<13>1 2020-03-03T10:19:28.428851-08:00 DESKTOP-TVVB676 - - - [NXLOG@14506 EventReceivedTime="2020-03-03 10:19:28" SourceModuleName="ms_scep_csv" SourceModuleType="im_file" Type="SecurityIncident" RowID="08be9aba-1326-4ac8-81e1-ace5c4550c76" Name="MalwareInfection" Description="NotImplemented" Timestamp="3/3/2020" SchemaVersion="1.0" ObserverHost="Testing" ObserverUser="" ObserverProductName="SystemCenterEndpointProtection" ObserverProductVersion="4.10.209.0" ObserverProtectionType="AM" ObserverProtectionVersion="" ObserverProtectionSignatureVersion="" ObserverDetection="Realtime" ObserverDetectionTime="3/3/2020" ActorHost="" ActorUser="" ActorProcess="" ActorResource="" ActionType="MalwareInfection" TargetHost="Testing" TargetUser="NT AUTHORITY\SYSTEM" TargetProcess="System" TargetResource="file:_C:\Path\ofw2d3qz.iqf" ClassificationID="2147626289" ClassificationType="Trojan:Win32/Giframe.A" ClassificationSeverity="Severe" ClassificationCategory="Trojan" RemediationType="NoAction" RemediationResult="Testing" RemediationErrorCode="0" RemediationPendingAction="NoActionRequired" IsActiveMalware="Testing 3/3 9:35am"] "SecurityIncident","08be9aba-1326-4ac8-81e1-ace5c4550c76","MalwareInfection","NotImplemented","3/3/2020","1.0","Testing","","SystemCenterEndpointProtection","4.10.209.0","AM","","","Realtime","3/3/2020","","","","","MalwareInfection","Testing","NT AUTHORITY\SYSTEM","System","file:_C:\Path\ofw2d3qz.iqf","2147626289","Trojan:Win32/Giframe.A","Severe","Trojan","NoAction","Testing","0","NoActionRequired","Testing 3/3 9:35am"

jbloe812 created
Replies: 1
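An added example (not from the post or NXLog) of what csv->parse_csv() followed by to_syslog_ietf() produces for rows like the ones above, written in Python so the field mapping can be checked outside NXLog: the field list plays the role of the xm_csv Fields directive, a row whose column count does not match it is rejected instead of being mapped onto the wrong names, and PARAM-VALUEs are escaped as RFC 5424 section 6.3.3 requires. The field subset, the sample rows and the hostname and timestamp defaults are constructed from the post's data.

```python
"""Render SCEP alert CSV rows as RFC 5424 (IETF syslog) messages with an
NXLOG@14506 structured-data element, mirroring csv->parse_csv() followed by
to_syslog_ietf(). Added example; field subset and rows are constructed."""
import csv

# Plays the role of the xm_csv Fields directive (a subset of the post's 33).
FIELDS = ["Type", "RowID", "Name", "Timestamp", "TargetUser", "TargetResource",
          "ClassificationType", "IsActiveMalware"]

# Constructed rows in the shape of the post's Desktop.csv (header omitted).
SAMPLE_CSV = [
    '"SecurityIncident","08be9aba-1326-4ac8-81e1-ace5c4550c76","MalwareInfection",'
    '"3/3/2020","NT AUTHORITY\\SYSTEM","file:_C:\\Path\\ofw2d3qz.iqf",'
    '"Trojan:Win32/Giframe.A","Testing 3/3 9:33am"',
    '"SecurityIncident","08be9aba-1326-4ac8-81e1-ace5c4550c76","MalwareInfection",'
    '"3/3/2020","NT AUTHORITY\\SYSTEM","file:_C:\\Path\\ofw2d3qz.iqf",'
    '"Trojan:Win32/Giframe.A","Testing 3/3 9:34am"',
]

def sd_escape(value: str) -> str:
    """RFC 5424 6.3.3: '"', backslash and ']' in a PARAM-VALUE get a backslash."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def parse_csv_line(line: str, fields=FIELDS) -> dict:
    """Map one quoted CSV row onto the declared field names, strictly."""
    row = next(csv.reader([line]))  # RFC 4180 quoting; backslash is literal
    if len(row) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(row)}: {line[:60]}")
    return dict(zip(fields, row))

def to_syslog_ietf(record: dict, raw_line: str, hostname: str,
                   timestamp: str, pri: int = 13) -> str:
    """<PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG; PRI 13 is user.notice,
    as in the post's output, and MSG is the original CSV line."""
    params = " ".join(f'{name}="{sd_escape(value)}"' for name, value in record.items())
    return f"<{pri}>1 {timestamp} {hostname} - - - [NXLOG@14506 {params}] {raw_line}"

def convert_lines(lines, fields=FIELDS, hostname="DESKTOP-TVVB676",
                  timestamp="2020-03-03T10:19:28.428851-08:00"):
    """Convert every CSV row; the hostname/timestamp defaults come from the post."""
    return [to_syslog_ietf(parse_csv_line(line, fields), line, hostname, timestamp)
            for line in lines]

if __name__ == "__main__":
    for message in convert_lines(SAMPLE_CSV):
        print(message)
```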
Log Rotation
Hi, I don't have a lot of skill with NXLog and I need help. I have an application which puts a log file (*.csv) in a directory every 10 min. The file in question must be sent to the SIEM server and also must be compressed. My question is how to compress the file once it has been sent to the SIEM server. Thanks for your help.

abdel created
Replies: 1