casey1234 created
For some reason I realized NXlog wasn't sending logs to graylog (after previously doing so flawlessly)
I went to the NXlog log and found this just before it stopped responding:
2020-03-09 08:29:36 ERROR om_udp apr_socket_send failed; An invalid argument was supplied.
What does this mean? I can't find anything online, but I know the UDP arguments work because restarting nxlog works fine.
However, Graylog received a message 20ms later from that machine (the last message that was sent before nxlog went offline).
Any ideas?
ntubergen created
We are using a graylog server in hopes to capture 2 things (Logons and Disk Errors). NXlog is forwarding most logon attempts, but not all of them for some reason. NXlog is not forwarding any Disk error logs.
Here is my config:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

define LogonEventIds 4648

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%LogonEventIds%) drop();
    </Exec>
</Input>

define DiskEventIds 9, 11, 50, 51, 54, 55, 57, 129, 1066, 6008

<Input diskcheck>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%DiskEventIds%) drop();
    </Exec>
</Input>

<Output udpLogon>
    Module om_udp
    Host 10.0.0.220
    Port 1517
</Output>

<Output udpDisk>
    Module om_udp
    Host 10.0.0.220
    Port 1518
</Output>

<Route 1>
    Path eventlog => udpLogon
</Route>

<Route 2>
    Path diskcheck => udpDisk
</Route>
I don't know what the issue is. I am using tcpdump on the graylog server and am not receiving anything on that port (1518) despite event viewer showing several logs with 129 and 55 EventIDs.
Any help would be appreciated. Yes, the port is open.
ntubergen created
I have installed the NXlog community edition (nxlog-ce-2.10.2150.msi) on our Windows server and I am trying to collect the Firewall (ASA) logs on the Windows server through NXlog.
I have used the following configuration but I am not receiving any logs. Can you help me with this?
<Extension json>
Module xm_json
</Extension>
##Extension to format the message in syslog format
<Extension syslog>
Module xm_syslog
</Extension>
########## INPUTS ###########
<Input in_syslog_tcp>
Module im_tcp
Host 0.0.0.0
Port 1514
Exec parse_syslog();
</Input>
############ OUTPUTS ##############
<Output file>
Module om_file
File "C:\\test\\asa.log"
Exec to_syslog_ietf();
</Output>
<Route file>
Path in_syslog_tcp => file
</Route>
Saravanakumar created
Hi,
I am trying to collect Windows DNS debug logs with Nxlog xm_multiline. I referenced the link below: Parsing Detailed DNS Logs With Regular Expressions (https://nxlog.co/documentation/nxlog-user-guide/windows-dns-server.html#parsing-detailed)
But the Windows DNS debug logs include Traditional Chinese characters, which won't let me combine the multiline entry into one log. What is the correct "HEADER_REGEX" that I should use?
DNS debug log sample (I believe the problem is 上午; by the way, 上午 = AM and 下午 = PM):
2020/3/6 上午 11:58:01 0E80 PACKET 000001D80FE9BD40 UDP Snd 10.0.35.101 a3f5 R Q [8081 DR NOERROR] A (5)e3998(1)d(10)akamaiedge(3)net(0)
UDP response info at 000001D80FE9BD40
Socket = 724
Remote addr 10.0.35.101, port 56423
Time Query=283057, Queued=283057, Expire=283060
Buf length = 0x0200 (512)
Msg length = 0x0038 (56)
Message:
XID 0xa3f5
Flags 0x8180
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 1
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 1
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(5)e3998(1)d(10)akamaiedge(3)net(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
Offset = 0x0028, RR count = 0
Name "C00Ce3998(1)d(10)akamaiedge(3)net(0)"
TYPE A (1)
CLASS 1
TTL 20
DLEN 4
DATA 96.7.252.200
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
Nxlog configuration sample is:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets BIG-5, utf-8, utf-16, utf-32, iso8859-2
</Extension>

<Extension gelf>
    Module xm_gelf
</Extension>
define EVENT_REGEX /(?x)(?<Date>\d+(?:/\d+){2})\s
(?<Time>\d+(?::\d+){2})\s
(?<ThreadId>\w+)\s+
(?<Context>\w+)\s+
(?<InternalPacketIdentifier>[[:xdigit:]]+)\s+
(?<Protocol>\w+)\s+
(?<SendReceiveIndicator>\w+)\s
(?<RemoteIP>[[:xdigit:].:]+)\s+
(?<Xid>[[:xdigit:]]+)\s
(?<QueryType>\s|R)\s
(?<Opcode>[A-Z]|?)\s
(?<QFlags>[(.?)])\s+
(?<QuestionType>\w+)\s+
(?<QuestionName>.)\s+
(?<LogInfo>.+)\s+.+=\s
(?<Socket>\d+)\s+ Remote\s+ addr\s
(?<RemoteAddr>.+),\sport\s
(?<PortNum>\d+)\s+Time\sQuery=
(?<TimeQuery>\d+),\sQueued=
(?<Queued>\d+),\sExpire=
(?<Expire>\d+)\s+.+(
(?<BufLen>\d+))\s+.+(
(?<MsgLen>\d+))\s+Message:\s+
(?<Message>(?s).*)/
define HEADER_REGEX /(?x)(?<Date>\d+(?:/\d+){2})\s
(?<AMPM>\x{e4}\x{b8}\x{8a}\x{e5}\x{8d}\x{88})\s
(?<Time>\d+(?::\d+){2})\s
(?<ThreadId>\w+)\s+
(?<Context>\w+)\s+
(?<InternalPacketIdentifier>[[:xdigit:]]+)\s+
(?<Protocol>\w+)\s+
(?<SendReceiveIndicator>\w+)\s
(?<RemoteIP>[[:xdigit:].:]+)\s+
(?<Xid>[[:xdigit:]]+)\s
(?<QueryType>\s|R)\s
(?<Opcode>[A-Z]|?)\s
(?<QFlags>[(.?)])\s+
(?<QuestionType>\w+)\s+
(?<QuestionName>.)/
<Extension multiline>
    Module xm_multiline
    HeaderLine %HEADER_REGEX%
</Extension>

<Input windnsdetaillog>
    Module im_file
    File 'C:\dns.log'
    Exec convert_fields("BIG-5", "utf-8");
    InputType multiline
    Exec if $raw_event =~ /(\d+)/(\d+/\d+)\s(上午\s)(\d+:\d+:\d+\s)((.|\n))/ $raw_event = $2 + '/' + $1 + ' ' + $4 + 'AM ' + $5;
    Exec if $raw_event =~ /(\d+)/(\d+/\d+)\s(下午\s)(\d+:\d+:\d+\s)((.|\n))/ $raw_event = $2 + '/' + $1 + ' ' + $4 + 'PM ' + $5;
    <Exec>
        if $raw_event =~ %EVENT_REGEX%
        {
            $EventTime = parsedate($Date + " " + $Time + " " + $AMPM);
            delete($Date);
            delete($Time);
        }
    </Exec>
</Input>

<Input wineventin>
    Module im_msvistalog
</Input>

<Output windnsdetaillogout>
    Module om_tcp
    Host 192.168.11.3
    Port 12198
    OutputType GELF_TCP
</Output>

<Output wineventout>
    Module om_udp
    Host 192.168.11.3
    Port 12196
    OutputType GELF
</Output>

<Route 1>
    Path wineventin => wineventout
</Route>

<Route 2>
    Path windnsdetaillog => windnsdetaillogout
</Route>
kevinlin created
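As an added example (not the poster's configuration or NXLog's own code), the Python below parses a constructed sample in the same layout as the Windows DNS debug log above: the header pattern accepts both 上午 and 下午 as a Unicode alternation so that every query starts a new record, and the marker is folded into a 24-hour timestamp. The regex and field names are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of a Windows DNS debug log: two records,
# one stamped 上午 (AM) and one 下午 (PM). It is not the poster's actual file.
SAMPLE = """\
2020/3/6 上午 11:58:01 0E80 PACKET  000001D80FE9BD40 UDP Snd 10.0.35.101    a3f5 R Q [8081   DR  NOERROR] A      (5)e3998(1)d(10)akamaiedge(3)net(0)
UDP response info at 000001D80FE9BD40
  Socket = 724
  Remote addr 10.0.35.101, port 56423
  Time Query=283057, Queued=283057, Expire=283060
  Buf length = 0x0200 (512)
  Msg length = 0x0038 (56)
  Message:
2020/3/6 下午 01:02:03 0E80 PACKET  000001D80FE9BD40 UDP Rcv 10.0.35.101    b1c2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
UDP question info at 000001D80FE9BD40
  Socket = 724
"""

# Header line of one record. The AM/PM token is matched as a Unicode
# alternation (上午|下午) rather than one fixed byte sequence, so a record
# boundary is recognised in both halves of the day.
HEADER = re.compile(
    r"^(?P<date>\d+/\d+/\d+)\s(?P<ampm>上午|下午)\s(?P<time>\d+:\d+:\d+)\s"
    r"(?P<thread>\w+)\s(?P<context>\w+)\s+(?P<packet>[0-9A-Fa-f]+)\s"
    r"(?P<proto>\w+)\s(?P<direction>Snd|Rcv)\s(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9a-f]+)\s+(?P<response>R?)\s+(?P<opcode>\S)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\w+)\s+(?P<qname>\S+)"
)

def to_iso_time(date, ampm, time):
    """Fold the Chinese AM/PM marker into a 24-hour ISO 8601 timestamp."""
    meridiem = "AM" if ampm == "上午" else "PM"
    stamp = datetime.strptime(f"{date} {time} {meridiem}", "%Y/%m/%d %I:%M:%S %p")
    return stamp.isoformat()

def parse_dns_debug_log(text):
    """Group each header line with its indented detail lines into one record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["event_time"] = to_iso_time(rec.pop("date"), rec.pop("ampm"), rec.pop("time"))
            rec["response"] = rec["response"] == "R"  # "R" marks a response, blank a query
            rec["detail"] = []
            records.append(rec)
        elif records:  # continuation line: belongs to the most recent header
            records[-1]["detail"].append(line.strip())
    return records
```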
mayflower-mike created
Good evening!
I have a problem with configuring the im_odbc module to connect to an Oracle database from Unix.
So...
As I understood (maybe I'm wrong somewhere), this module doesn't work "out of the box", and for it to work correctly I need to set up the Oracle Instant Client, which provides me with a driver and the odbc.ini and odbcinst.ini files. I also created a tnsnames.ora file. odbc.ini, odbcinst.ini and tnsnames.ora are configured correctly; I tested them with isql and it works fine.
I tried configuring the ConnectionString parameter in the configuration file in different ways, but it did not work for me.
/etc/odbcinst.ini:
[libsqora.so.12.1]
Description = Oracle ODBC driver for Oracle 12c
Driver = /usr/lib/oracle/12.2/client64/lib/libsqora.so.12.1
Setup =
FileUsage =
CPTimeout =
CPReuse
/etc/odbc.ini:
[ODBC Data Sources]
OracleODBC = Oracle ODBC driver for Oracle 12c

[OracleODBC]
Application Attributes = T
Attributes = W
BatchAutocommitMode = IfAllSuccessful
BindAsFLOAT = F
CloseCursor = F
DisableDPM = F
DisableMTS = T
Driver = libsqora.so.12.1
DSN = OracleODBC
EXECSchemaOpt =
EXECSyntax = T
Failover = T
FailoverDelay = 10
FailoverRetryCount = 10
FetchBufferSize = 64000
ForceWCHAR = F
Lobs = T
Longs = T
MaxLargeData = 0
MetadataIdDefault = F
QueryTimeout = T
ResultSets = T
ServerName = DB.ETALON
SQLGetData extensions = F
Translation DLL =
Translation Option = 0
DisableRULEHint = T
UserID = XXXX
Password = XXXX
StatementCache=F
CacheBufferSize=20
UseOCIDescribeAny=F
SQLTranslateErrors=F
MaxTokenSize=8192
AggregateSQLType=FLOAT
tnsnames.ora:
DB.ETALON =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-etalon.example.com)(PORT = 1530))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = etalon)
    )
  )
I don't understand how to correctly set ConnectionString. Maybe someone has ODBC setup experience.
Stanislav created
jbloe812 created
Hi, I don't have a lot of skill in NXLog and I need help. I have an application which puts a log file (*.csv) in a directory every 10 min. The file in question must be sent to the SIEM server and also must be compressed. My question is how to compress the file once it has been sent to the SIEM server.
Thanks for your help.
abdel created
I'm doing some tests with an EE trial version for a software selection; in particular I have to verify the possibility of deleting the input file after sending it to a syslog. Does the EE trial version have all the features of the paid version? My configuration file is this:
define ROOT C:\Program Files\nxlog

#ModuleDir %ROOT%\modules
#CacheDir %ROOT%\data
#SpoolDir %ROOT%\data

define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log
LogFile %MYLOGFILE%

<Input in>
    Module im_file
    File 'c:\temp\test_fileMW.txt'
    SavePos True
    ReadFromLast True
    <Oneof>
        Exec file_remove(file_name());
    </Oneof>
</Input>

<Output out>
    Module om_udp
    Host 10.1.15.42
    Port 514
</Output>

<Route Path>
    Path in => out
</Route>
Starting the daemon I get this error message:
2020-03-03 09:06:16 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:21; couldn't parse statement at line 21, character 38 in C:\Program Files\nxlog\conf\nxlog.conf; procedure 'file_remove()' does not exist or takes different arguments
2020-03-03 09:06:16 WARNING no functional input modules!
2020-03-03 09:06:16 ERROR module 'in' has configuration errors, not adding to route 'Path' at C:\Program Files\nxlog\conf\nxlog.conf:33
2020-03-03 09:06:16 ERROR route Path is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:33
2020-03-03 09:06:16 WARNING not starting unused module out
2020-03-03 09:06:16 WARNING not starting unused module in
2020-03-03 09:06:16 INFO nxlog-4.6.4692-trial started
Thanks for the support. Paolo
p.brasca created
Hello!
I updated my nxlog server to 4.6.4640, and today during the day I saw an error in the log file that was new to me:
2020-03-02 18:03:01 WARNING nxlog received a termination request signal, exiting...
2020-03-02 18:03:11 ERROR failed to stop module in, module is busy
2020-03-02 18:03:16 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:16 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:16 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:17 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:03:17 ERROR Another instance is already running (pid 5075);Resource temporarily unavailable
2020-03-02 18:04:09 ERROR timed out waiting for threads to exit
2020-03-02 18:04:19 ERROR failed to shutdown module in, module is busy
And nxlog server was down until I restarted it. This situation is repeated several times per hour.
Please help. Thanks a lot!
hatula created
Hi,
I have an issue with my configuration. I try to send EventIDs to syslog with NXlog. But I am French and the logs have accents.... And NXlog replaces them with "Ç" or other characters. For example é --> Ç
Example:
02-20-2020 16:17:25 User.Info 10.28.201.50 1 2020-02-20T16:17:24.248999+01:00 PC-MGMT-INFRA-HDV Microsoft-Windows-Security-Auditing 532 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4726" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="13824" OpcodeValue="0" RecordNumber="435937" ActivityID="{40052197-E800-0000-1A22-054000E8D501}" ThreadID="488" Channel="Security" Category="User Account Management" Opcode="Informations" TargetUserName="TEST-LOG" TargetDomainName="PC-MGMT-INFRA-H" TargetSid="S-1-5-21-398120947-1394256007-3495492944-1004" SubjectUserSid="S-1-5-21-398120947-1394256007-3495492944-500" SubjectUserName="Administrateur" SubjectDomainName="PC-MGMT-INFRA-H" SubjectLogonId="0x689a9" PrivilegeList="-" EventReceivedTime="2020-02-20 16:17:25" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] Un compte dƒ?Tutilisateur a ǸtǸ supprimǸ. Sujet¶ÿ: ID de sǸcuritǸ¶ÿ: S-1-5-21-398120947-1394256007-3495492944-500 Nom du compte¶ÿ: Administrateur Domaine du compte¶ÿ: PC-MGMT-INFRA-H ID dƒ?Touverture de session¶ÿ: 0x689A9 Compte cible¶ÿ: ID de sǸcuritǸ¶ÿ: S-1-5-21-398120947-1394256007-3495492944-1004 Nom du compte¶ÿ: TEST-LOG Domaine du compte¶ÿ: PC-MGMT-INFRA-H Informations supplǸmentaires¶ÿ: PrivilÇùges -
Can you help me?
aauvinet created
Hello:
I have been working on setting up an intermediary SYSLOG Server to receive syslog events from various network devices as part of my Splunk deployment.
Please NOTE: This a WINDOWS 2019 Server environment.
I am a newbie to NXLog. I have been able to get a base configuration working to receive data on port 514. I can successfully write to a file, but the only option that seems to work is to write to a file using the source IP address, and I want to write to a file using the source hostname.
I am using the Community Edition and do not have access to use xm_resolver.
How can I receive syslog data and write that data to file using source HOSTNAME?
I have been researching and trying now for close to a month with no success. Any information / guidance would be greatly appreciated.
Thank you for your time. Regards, --Diane Proscino
dproscino created
We have a requirement to send Windows Event logs over an encrypted channel with client authentication.
The issue is, the certificates in our infrastructure are stored in the Computer Certificates store with private keys that are marked as non-exportable.
I'm looking for a way to either:
a) Somehow use NXLog to utilize the client certificate from within the store (ideal, but I don't think NXLog is written to handle this)
b) Find a scalable method for hundreds of servers to copy the key pair to NXLog-friendly PEM format from within the certificate store. There are ways to do this, but since the key is not marked as exportable it takes a lot of work to export that I don't think can be efficiently automated.
Does anyone have any ideas on this? Our current implementation is sending input from the Event Log to a Syslog server.
Thanks!
chrisad2 created
jaredtully created
Hi, this is my sql_fetch command:
$Retval = sql_fetch("SELECT ServerName, Transmission FROM dbo.SrvAuth WHERE ServerName = ?", $MachineCourt);
This command does find the right record based on ServerName, but it is always setting the second field, $Transmission, to the value FALSE.
Here is the MS SQL table definition:
Column Name  | Data Type   | Allow Nulls
ServerName   | varchar(50) | Unchecked
Transmission | bit         | Unchecked
Depending on the record that is fetched, the DB contains about a third TRUE and two thirds FALSE for the Transmission field.
Question: Why do I always fetch FALSE for the Transmission field?
Thanks
YvanG created
casey1234 created
Hi all,
Sorry to come with another new question about that, but I don't understand why the regex didn't match the Message:
regexp /(?x)^\s?[(\d+):(\d+):(\d+)] (.+?) [Classification: (.+?)] [Priority: (\d+)] {(.+?)} (\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(:(\d{1,5}))? -> (\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(:(\d{1,5}))?\R?/ doesn't match subject string '[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.1:8080 -> 192.168.0.2:53590'
If I compare that on Online regex site (PCRE), it works.
Thanks
cmiscloni created
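An added example, not part of the post or of NXLog: in PCRE an unescaped "[" opens a character class and an unescaped "." matches any character, so a pattern for the alert line above needs the literal brackets and dots escaped. The Python below applies such a pattern to the posted line plus two constructed ones; the field names and the two extra lines are assumptions.

```python
import re

# Alert lines in Snort "fast" format. The first is the line from the post;
# the other two are constructed to exercise a port-less ICMP pair and
# CRLF / LF line endings.
ALERTS = [
    "[129:20:1] TCP session without 3-way handshake [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.0.1:8080 -> 192.168.0.2:53590",
    "[1:1000001:1] Constructed test rule [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9\n",
    "[1:1000002:2] Constructed test rule two [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:5353 -> 224.0.0.251:5353\r\n",
]

# Literal "[", "]", "{", "}" and "." are escaped so they match themselves;
# the ":port" suffix is optional and any trailing line ending is absorbed.
ALERT_RE = re.compile(
    r"^\s?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s(?P<msg>.+?)\s"
    r"\[Classification:\s(?P<classification>.+?)\]\s\[Priority:\s(?P<priority>\d+)\]\s"
    r"\{(?P<proto>\w+)\}\s"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d{1,5}))?\s->\s"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d{1,5}))?\s*$"
)

INT_FIELDS = ("gid", "sid", "rev", "priority", "src_port", "dst_port")

def parse_alert(line):
    """Return the alert's fields as a dict, or None when the line is not an alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:  # numeric fields become ints; absent ports stay None
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_alerts(lines):
    """Parse a batch, keeping unparsable lines as None so they can be counted."""
    return [parse_alert(line) for line in lines]
```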
Hi, I have to set up log forwarding to a syslog server. I managed to get everything working except one thing.
The newest event at the end of the logfile has no CR, CRLF, LF or something similar. When an event occurs, it is processed when the next event occurs...
How can I make NXLog read and process to the end of the file (EOF) in case the file has changed? So far I use the im_file module.
Thank you for your help, Daniel
platypus4u created
Hi all,
Does Nxlog Enterprise have the possibility to request a table in order to convert some fields?
Like EventID 4624 on Windows, replacing the LogonType ID with a more readable string:
"2": "Interactive",
"3": "Network",
"4": "Batch",
"5": "Service",
"7": "Unlock",
"8": "NetworkCleartext",
"9": "NewCredentials",
"10": "RemoteInteractive",
"11": "CachedInteractive",
cmiscloni created