Info about trial EE Edition and OnEOf function
p.brasca created
I'm doing some tests with an EE trial version for a software selection; in particular, I have to verify the possibility of deleting the input file after sending it to syslog.
Does the EE trial version have all the features of the paid version?
My configuration file is this:
define ROOT C:\Program Files\nxlog
#ModuleDir %ROOT%\modules
#CacheDir %ROOT%\data
#SpoolDir %ROOT%\data
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log
LogFile %MYLOGFILE%
<Input in>
    Module im_file
    File 'c:\temp\test_fileMW.txt'
    SavePos True
    ReadFromLast True
    <Oneof>
        Exec file_remove(file_name());
    </Oneof>
</Input>
<Output out>
    Module om_udp
    Host 10.1.15.42
    Port 514
</Output>
<Route Path>
    Path in => out
</Route>
Starting the daemon, I get these error messages:
2020-03-03 09:06:16 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:21; couldn't parse statement at line 21, character 38 in C:\Program Files\nxlog\conf\nxlog.conf; procedure 'file_remove()' does not exist or takes different arguments
2020-03-03 09:06:16 WARNING no functional input modules!
2020-03-03 09:06:16 ERROR module 'in' has configuration errors, not adding to route 'Path' at C:\Program Files\nxlog\conf\nxlog.conf:33
2020-03-03 09:06:16 ERROR route Path is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:33
2020-03-03 09:06:16 WARNING not starting unused module out
2020-03-03 09:06:16 WARNING not starting unused module in
2020-03-03 09:06:16 INFO nxlog-4.6.4692-trial started
Thanks for the support.
Paolo
nxlog-4.6.4640 self stops
hatula created
Hello!
I updated my nxlog server to 4.6.4640, and today I saw an error in the log file that was new to me:
2020-03-02 18:03:01 WARNING nxlog received a termination request signal, exiting...
2020-03-02 18:03:11 ERROR failed to stop module in, module is busy
2020-03-02 18:03:16 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:16 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:16 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:17 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:17 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:04:09 ERROR timed out waiting for threads to exit
2020-03-02 18:04:19 ERROR failed to shutdown module in, module is busy
And nxlog server was down until I restarted it.
This situation is repeated several times per hour.
Please help. Thanks a lot!
NXlog CE
aauvinet created
Hi,
I have an issue with my configuration.
I try to send EventIDs to syslog with NXLog.
But I am French and the logs have accents...
And NXLog replaces them with "Ç" or other characters.
For example, é --> Ç
Example:
02-20-2020 16:17:25 User.Info 10.28.201.50 1 2020-02-20T16:17:24.248999+01:00 PC-MGMT-INFRA-HDV Microsoft-Windows-Security-Auditing 532 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4726" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="13824" OpcodeValue="0" RecordNumber="435937" ActivityID="{40052197-E800-0000-1A22-054000E8D501}" ThreadID="488" Channel="Security" Category="User Account Management" Opcode="Informations" TargetUserName="TEST-LOG" TargetDomainName="PC-MGMT-INFRA-H" TargetSid="S-1-5-21-398120947-1394256007-3495492944-1004" SubjectUserSid="S-1-5-21-398120947-1394256007-3495492944-500" SubjectUserName="Administrateur" SubjectDomainName="PC-MGMT-INFRA-H" SubjectLogonId="0x689a9" PrivilegeList="-" EventReceivedTime="2020-02-20 16:17:25" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] Un compte dƒ?Tutilisateur a ǸtǸ supprimǸ. Sujet¶ÿ: ID de sǸcuritǸ¶ÿ: S-1-5-21-398120947-1394256007-3495492944-500 Nom du compte¶ÿ: Administrateur Domaine du compte¶ÿ: PC-MGMT-INFRA-H ID dƒ?Touverture de session¶ÿ: 0x689A9 Compte cible¶ÿ: ID de sǸcuritǸ¶ÿ: S-1-5-21-398120947-1394256007-3495492944-1004 Nom du compte¶ÿ: TEST-LOG Domaine du compte¶ÿ: PC-MGMT-INFRA-H Informations supplǸmentaires¶ÿ: PrivilÇùges -
Can you help me?
Write data/logs to file using source HOSTNAME
dproscino created
Hello:
I have been working on setting up an intermediary SYSLOG Server to receive syslog events from various network devices as part of my Splunk deployment.
Please NOTE: This is a WINDOWS 2019 Server environment.
I am a newbie to NXLog. I have been able to get a base configuration working to receive data on port 514. I can successfully write to a file, but the only option that seems to work is to write to a file using the source IP address, whereas I want to write to a file using the source hostname.
I am using the Community Edition and do not have access to use xm_resolver.
How can I receive syslog data and write that data to file using source HOSTNAME?
I have been researching and trying now for close to a month with no success. Any information / guidance would be greatly appreciated.
Thank you for your time.
Regards,
--Diane Proscino
Windows Client Authentication - Certs in Windows Certificate Store
chrisad2 created
We have a requirement to send Windows Event logs over an encrypted channel with client authentication.
The issue is, the certificates in our infrastructure are stored in the Computer Certificates store with private keys that are marked as non-exportable.
I'm looking for a way to either:
a) Somehow use NXLog to utilize the client certificate from within the store (ideal but I don't think NXLog is written to handle this)
b) Find a scalable method for hundreds of servers to copy the key pair to NXLog-friendly PEM format from within the certificate store. There are ways to do this, but since the key is not marked as exportable it takes a lot of work to export that I don't think can be efficiently automated.
Does anyone have any ideas on this? Our current implementation is sending input from the Event Log to a Syslog server.
Thanks!
PatternDB not working as expected. Config errors?
jaredtully created
Hi there,
I'm having a little trouble trying to filter events with patterndb.xml.
I'm sending logs to our SIEM, but despite the corresponding event IDs being missing from patterndb, they are still getting pushed.
I think my configuration setup is overruling the patterndb config.
Can you please review?
Thanks for your time.
#
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#
# Version: 0.1.0
# Last modification: 2019-07-03
#
define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS x.x..x.xx
define OUTPUT_DESTINATION_PORT 12346789
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>
<Output out>
Module om_udp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec $EventTime = integer($EventTime) / 1000000;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
Exec $Message = to_json(); to_syslog_bsd();
</Output>
<Route 1>
Path eventlog, internal => out
</Route>
############################################################################
#### NXLOG WITH PATTERNDB #####
#### Uncomment the following lines for Windows Events filtered #####
############################################################################
<Input internal_Pattern>
Module im_internal
</Input>
<Input eventlog_Pattern>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>
<Processor match_events>
Module pm_pattern
PatternFile %ROOT%\conf\patterndb.xml
</Processor>
<Output out_Pattern>
Module om_udp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec $EventTime = integer($EventTime) / 1000000;
Exec if not defined $PatternID or not defined $Message { drop(); }
Exec $Message = to_json(); to_syslog_bsd();
</Output>
<Route route_Pattern>
Path eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>
############################################################################
##### /NXLOG WITH PATTERNDB #####
############################################################################
SQL_Fetch not getting the info in the DB
YvanG created
Hi,
This is my sql_fetch command:
$Retval = sql_fetch("SELECT ServerName, Transmission FROM dbo.SrvAuth WHERE ServerName = ?", $MachineCourt);
This command does find the right record based on ServerName, but it always sets the second field, $Transmission, to FALSE.
Here is the MS SQL table definition:
Column Name    Data Type    Allow Nulls
ServerName     varchar(50)  Unchecked
Transmission   bit          Unchecked
Depending on which record is fetched, the DB contains about one third TRUE and two thirds FALSE for the Transmission field.
Question:
Why do I always fetch FALSE for the Transmission field?
Thanks
OM_Out formats JSON Properly but OM_HTTP give error and doesn't format the JSON correctly.
casey1234 created
When NXLog formats the Event Log with om_out, it formats the JSON correctly:
define Format { \
    if defined($EventTime) $timestamp = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); \
    else $timestamp = strftime($EventReceivedTime, '%Y-%m-%dT%H:%M:%SZ'); \
    rename_field("service_id", "_service_id"); \
    rename_field("timestamp", "_timestamp"); \
    rename_field("log_type", "_log_type"); \
    $body = $raw_event; \
    $attributes = to_json(); \
    if defined($tag) $raw_event = "{" + '"timestamp"' + ':"' + $_timestamp + '",' + '"service_id"' + ':"' + $_service_id + '",' + '"tag"' + ':"' + $tag + '",' + '"log_type"' + ':"' + $_log_type + '",' + '"attributes"' + ':' + $attributes + '}'; \
    else $raw_event = "{" + '"timestamp"' + ':"' + $_timestamp + '",' + '"service_id"' + ':"' + $_service_id + '",' + '"log_type"' + ':"' + $_log_type + '",' + '"attributes"' + ':' + $attributes + '}'; \
}
This is executed in the <Exec> block, which formats it as JSON.
When om_http is called the same way as om_out, an error is logged as an oversized string.
At first the JSON looks normal, but as the output goes on you get an excessively long string.
Packet capture from Wireshark showing the end of the REST POST request.
POST / HTTP/1.1
User-Agent: nxlog-ce
Content-Length: 621554
Beginning:
{"timestamp":"2020-02-17T14:19:33Z","service_id":"id","tag":"security","log_type":"ea2_test","attributes":{"EventTime":"2020-02-17 14:19:33","Hostname":"hostname","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4663,"SourceName":"Microsoft-Windows-Security-Auditing",
End:
Accesses:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\t\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\tWRITE_DAC\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\r\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\t\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\t\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\t\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\t\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\r\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\tAccess Mask:\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\t\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\t0x40000\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"}\\\\\\\\\\\\\\\"}\\\\\\\"}\\\"}\"}"}}
Why is it not working when you use the om_http module, but works with the om_out module?
Suggestions?
Thanks in advance!
EDIT: It looks like NXLog-CE broke itself. I was able to fix this by deleting everything in the nxlog/data folder and then reinstalled the agent. Now, using the exact same config files it appears to be working.
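The tail of the captured payload above, with its runs of 31, 15, 7, 3 and 1 backslashes before successive closing quotes, is the shape produced when a serialized event is embedded as a string inside its own serialization, repeatedly. As an added illustration (not code from the post or from NXLog), this simulates the Format define's `$body = $raw_event; $attributes = to_json();` step being applied to its own output: the backslash runs double on every pass, six passes give runs of 32, and the `unwrap` helper peels the layers back off.

```python
import json
import re

# Constructed Windows Security event; the Message carries the tabs and CRLF that
# appear as \t and \r\n in the captured payload.
EVENT = {
    "EventID": 4663,
    "Message": "Accesses:\t\tWRITE_DAC\r\n\t\t\t\tAccess Mask:\t\t0x40000",
}

def format_once(event, raw_event):
    """One pass of the Format define: $body = $raw_event, $attributes = to_json(),
    then $raw_event is rebuilt around $attributes (fixed header fields constructed)."""
    attributes = dict(event)
    attributes["body"] = raw_event          # previous $raw_event, embedded verbatim
    return ('{"timestamp":"2020-02-17T14:19:33Z","service_id":"id",'
            '"log_type":"ea2_test","attributes":' + json.dumps(attributes) + '}')

def format_passes(event, passes):
    """Feed each pass's result back in as $raw_event; the first pass starts from
    the plain Message text, as a single correct pass would."""
    raw_event = event["Message"]
    for _ in range(passes):
        raw_event = format_once(event, raw_event)
    return raw_event

def longest_backslash_run(payload):
    """Length of the longest run of consecutive backslashes in the payload."""
    return max((len(m.group(0)) for m in re.finditer(r"\\+", payload)), default=0)

def nesting_depth(payload):
    """Depth implied by the longest run: a tab escaped n levels deep is written
    with 2**(n-1) backslashes, so the depth is the bit length of the run."""
    run = longest_backslash_run(payload)
    return run.bit_length() if run else 0

def unwrap(payload):
    """Peel the nested layers off again: returns (levels, innermost Message)."""
    levels = 0
    while True:
        try:
            outer = json.loads(payload)
        except ValueError:
            return levels, payload          # not JSON any more: the original text
        levels += 1
        payload = outer["attributes"]["body"]
```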
Regex doesn't match
cmiscloni created
Hi all,
Sorry to come with another new question about this, but I don't understand why the regex doesn't match the Message:
regexp /(?x)^\s?[(\d+):(\d+):(\d+)] (.+?) [Classification: (.+?)] [Priority: (\d+)] {(.+?)} (\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(:(\d{1,5}))?\R?/ doesn't match subject string '[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.1:8080 -> 192.168.0.2:53590'
If I compare that on Online regex site (PCRE), it works.
Thanks
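The subject string from the post, parsed with a version of the pattern in which the square brackets, braces, dots and separating spaces are escaped: in `(?x)` mode unescaped spaces are ignored, and an unescaped `[...]` is a character class in PCRE and Python alike, so `[(\d+):(\d+):(\d+)]` matches one character rather than the literal `[129:20:1]`. Added example in Python's `re`, not code from the post or from NXLog; the field names are my own.

```python
import re

# Constructed copy of the subject string quoted in the post (Snort "fast" alert format).
SAMPLE = ("[129:20:1] TCP session without 3-way handshake "
          "[Classification: Potentially Bad Traffic] [Priority: 2] "
          "{TCP} 192.168.0.1:8080 -> 192.168.0.2:53590")

# Same structure as the post's pattern, with [ ] { } . and the spaces escaped so
# they are matched literally (verbose mode ignores unescaped whitespace).
SNORT_ALERT_RE = re.compile(r"""(?x)
    ^\s?\[(\d+):(\d+):(\d+)\]\ (.+?)\ \[Classification:\ (.+?)\]
    \ \[Priority:\ (\d+)\]\ \{(.+?)\}
    \ (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(\d{1,5}))?
    \ ->\ (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::(\d{1,5}))?\s*$
""")

FIELDS = ("gid", "sid", "rev", "msg", "classification", "priority",
          "proto", "src_ip", "src_port", "dst_ip", "dst_port")

def parse_snort_alert(line):
    """Return a dict of the captured fields, or None when the line does not match.
    Ports are None for protocols logged without them (e.g. ICMP)."""
    m = SNORT_ALERT_RE.match(line)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))

def unescaped_brackets_are_a_class():
    r"""Why the post's pattern fails: as a character class, [(\d+):(\d+):(\d+)]
    fully matches the single character "1" but never the text "[129:20:1]"."""
    cls = re.compile(r"[(\d+):(\d+):(\d+)]")
    return cls.fullmatch("1") is not None and cls.fullmatch("[129:20:1]") is None
```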
Logfile with new events without CRLF or similar
platypus4u created
Hi
I have to set up log forwarding to a syslog server. I managed to get everything working except one thing.
The newest event at the end of the logfile has no CR, CRLF, LF or anything similar. When an event occurs, it is processed only when the next event occurs...
How can I make NXLog read and process up to the end of the file (EOF) when the file has changed?
So far I use the im_file module.
Thank you for your help
Daniel
Field matching based on lookup table
cmiscloni created
Hi all,
Does NXLog Enterprise have the ability to query a table in order to convert some fields?
For example, for EventID 4624 on Windows, replace the LogonType ID with a more readable string:
"2": "Interactive",
"3": "Network",
"4": "Batch",
"5": "Service",
"7": "Unlock",
"8": "NetworkCleartext",
"9": "NewCredentials",
"10": "RemoteInteractive",
"11": "CachedInteractive",
PostgreSQL: select different column instead of ID for Bookmark
seckindemir created
Hello,
I have installed NXLog Community Edition to collect table data from a PostgreSQL database, but the table doesn't contain an ID column. As I understand it, NXLog requires this field for bookmarking, but we don't have it. I'm looking for a workaround to solve the issue. I can see a workaround at the following link, where the ID can be configured with select statements, but the article isn't about PostgreSQL. Could someone please help me with PostgreSQL?
https://nxlog.co/documentation/nxlog-user-guide/mssql.html
The second question: can we define a specific column (such as eventime) as the ID (bookmark) with the following sample data?
2020-02-11 15:00:00.0000
2020-02-11 15:00:01.0001
2020-02-11 15:00:02.0002
2020-02-11 15:00:03.0000
Thanks in Advance!
Best Regards
SD
PatternDB errors for Windows 2003
jaredtully created
Hi there, a little bit of a novice here. Hope you don't mind pointing me in the right direction.
I’m having some difficulty getting the configuration for using patternDB on Windows 2003 servers to work; the configuration works for Windows 2008+.
The logs I have are as follows:
2020-02-05 13:48:32 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:40
2020-02-05 13:48:32 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:76
2020-02-05 13:48:32 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:57
2020-02-05 13:48:32 ERROR module 'eventlog_Pattern' has configuration errors, not adding to route 'route_Pattern' at C:\Program Files\nxlog\conf\nxlog.conf:94
2020-02-05 13:48:32 WARNING not starting unused module eventlog
2020-02-05 13:48:32 WARNING not starting unused module eventlog_Pattern
2020-02-05 13:48:32 INFO nxlog-ce-2.10.2150 started
The section of conf is:
############################################################################
#### NXLOG WITH PATTERNDB #####
#### Uncomment the following lines for Windows Events filtered #####
############################################################################
<Input internal_Pattern>
Module im_internal
</Input>
<Input eventlog_Pattern>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>
<Processor match_events>
Module pm_pattern
PatternFile %ROOT%\conf\patterndb.xml
</Processor>
<Output out_Pattern>
Module om_udp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec $EventTime = integer($EventTime) / 1000000;
Exec if not defined $PatternID or not defined $Message { drop(); }
Exec $Message = to_json(); to_syslog_bsd();
</Output>
<Route route_Pattern>
Path eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>
############################################################################
##### /NXLOG WITH PATTERNDB #####
############################################################################
Thanks for reading. Please let me know if any more information needs to be included.
What are the limitations to the generic RHEL RPM
casey1234 created
Hi all,
According to the documentation found here, the generic RPM doesn't have all available modules, as opposed to the version-specific RPM:
The generic RPM above contains all the libraries (such as libpcre and libexpat)
that are needed by NXLog, the only dependency is libc.
However, some modules are not available (im_checkpoint, for example).
The advantage of the generic RPM is that it can be installed on most RPM-based Linux distributions.
Is there documentation for what modules are not available?
Are there any issues for deploying this version that I should know about up front?
Thanks!!
how can we rename nxlog package?
elango1 created
How can we rename the nxlog package? When we place both RPMs into the Spacewalk channel, they are updated as “nxlog-ce-2.10.2150-1.x86_64.rpm”, so it's creating a duplicate. I hope renaming the RPM will help us. Any help on this will be appreciated.
nxlog-ce-2.10.2150-1_rhel6.x86_64.rpm
nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm
Thanks!
Ela
API for NXLog Manager Certificates
ryangumba created
Our project is planning to reissue certificates for a large number of agents.
Do we have an API for the certificates, so we'll be able to reissue them on these agents at the same time without doing it manually (one by one)?
Determine NXLog Agent Health Status
casey1234 created
Hi,
We are planning to deploy NXLog to thousands of endpoints and need to know when an agent is no longer sending data regularly.
Is there an established method for determining NXLog is working normally at scale?
Thanks!
Help me understand why regexp captured fields are not being forwarded.
mrkey148 created
Hello, I resisted posting here for a while but am finally at a loss to explain what I'm observing. I'm trying to send nginx access logs to graylog, and am mostly using code adapted from the nxlog ce user guide but I haven't been able to get the fields to successfully capture and arrive in graylog.
The nginx server in question logs two sorts of traffic:
x.x.x.x - - [04/Feb/2020:03:23:22 +0000] "GET /" 400 271 "-" "-" "-" - These are status checks from a load balancer which I'm wanting to drop.
x.x.x.x - <username> [04/Feb/2020:03:23:01 +0000] "POST /rest/api/endpoint HTTP/1.1" 201 508 "-" "okhttp/3.3.0" "-" - This is legitimate traffic to the application behind nginx which I want to parse and capture.
I have the following input defined in my config file.
<Input nginx_access>
Module im_file
File '/var/log/nginx/access.log'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck False
<Exec>
if $raw_event =~ /(?x)^(\S+)\ \S+\ (\S+)\ \[([^\]]+)\]\ \"(\S+)\ (.+)\ HTTP\/\d\.\d\"\ (\S+)\ (\S+)\ \"([^\"]+)\"\ \"([^\"]+)\"\ \"\S+\"$/
{
$Hostname = $1;
if $2 != '-' $AccountName = $2;
$EventTime = parsedate($3);
$HTTPMethod = $4;
$HTTPURL = $5;
$HTTPResponseStatus = $6;
if $7 != '-' $FileSize = $7;
if $8 != '-' $HTTPReferer = $8;
if $9 != '-' $HTTPUserAgent = $9;
delete($Message);
}
else drop();
</Exec>
</Input>
If I remove the else drop(); then this config forwards only the load balancer lines that I don't want, which indicates to me that the lines I do want are matching my regexp. But as shown, this configuration forwards nothing.
I also don't think anything is wrong with my outputs or routes since just straight piping this all to graylog in the message field works fine.
If anyone can help me understand what is going on here that would be much appreciated.
Thanks
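A Python mirror of the Exec block above (added example, not code from the post or from NXLog), run over constructed copies of the two line shapes with `x.x.x.x` and `<username>` replaced by a TEST-NET address and a made-up user. The regexp is used unchanged, so the run shows on its own that the pattern rejects the load-balancer line and captures the application line; the field names and the `'-'` handling follow the Exec block.

```python
import re
from datetime import datetime

# Constructed copies of the two line shapes described in the post.
LB_CHECK = ('203.0.113.7 - - [04/Feb/2020:03:23:22 +0000] '
            '"GET /" 400 271 "-" "-" "-"')
APP_REQUEST = ('203.0.113.7 - alice [04/Feb/2020:03:23:01 +0000] '
               '"POST /rest/api/endpoint HTTP/1.1" 201 508 "-" "okhttp/3.3.0" "-"')

# The regexp from the Exec block, unchanged: Python's re accepts the same (?x)
# verbose syntax with escaped spaces.
ACCESS_RE = re.compile(
    r'(?x)^(\S+)\ \S+\ (\S+)\ \[([^\]]+)\]\ \"(\S+)\ (.+)\ HTTP\/\d\.\d\"'
    r'\ (\S+)\ (\S+)\ \"([^\"]+)\"\ \"([^\"]+)\"\ \"\S+\"$')

def route_event(raw_event):
    """Mirror the Exec logic: ("drop", None) for lines the regexp rejects,
    otherwise ("forward", fields) using the Exec block's field names."""
    m = ACCESS_RE.match(raw_event)
    if m is None:
        return "drop", None
    fields = {
        "Hostname": m.group(1),
        # parsedate() stand-in for the "%d/%b/%Y:%H:%M:%S %z" access-log timestamp
        "EventTime": datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z"),
        "HTTPMethod": m.group(4),
        "HTTPURL": m.group(5),
        "HTTPResponseStatus": m.group(6),
    }
    # '-' means "absent" in the access log, so those fields are left unset,
    # exactly like the `if $N != '-'` guards in the Exec block.
    optional = (("AccountName", m.group(2)), ("FileSize", m.group(7)),
                ("HTTPReferer", m.group(8)), ("HTTPUserAgent", m.group(9)))
    for name, value in optional:
        if value != "-":
            fields[name] = value
    return "forward", fields
```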
NXLog GPG Key
Nofox created
Hey y'all.
Does anyone know where to find the GPG key used to sign the NXLog Enterprise Edition (trial) RPM packages?
Key ID 9354d2051da9e40e, or just 1da9e40e for short.
If someone at NXLog reads this, maybe this page would be a good site to link it from, if it's not immediately available in the download package.
I figured if I post this question here, maybe someone else will find it useful in the future. (Wisdom of the Ancients, and all that)
Thanks :)
Error 26: unsupported certificate purpose
jstock created
I am currently running into an issue receiving syslog over ssl/tls. I cannot figure it out for the life of me!
Version:
CE-2.10.2150
Error:
INFO SSL connection accepted from IP_ADDRESS:PORT
ERROR SSL certificate verification failed: unsupported certificate purpose (err: 26)
WARNING SSL connection closed from IP_ADDRESS:PORT
Config:
<Input in>
Module im_ssl
Host 0.0.0.0
Port 516
AllowUntrusted TRUE
CAFile %CERTDIR%%CA-PEM%
CertFile %CERTDIR%%CRT%
CertKeyFile %CERTDIR%%KEY%
KeyPass %PASSWORD%
</Input>