Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Config file to extract MS Exchange logs to syslog format over TCP
Hi there ,I am stranded with a problem of sending exchange server logs in syslog format over TCP. I performed a trial for fetching connect logs and using the csv module and send them over syslog format over TCP.Once I run the service , I dont get any output over TCP , nor any errors. I wanted to know what im doing wrong. Please help !(((PS I removed my destination IP and port )))define ROOT C:\Program Files\nxlog#define ROOT C:\Program Files (x86)\nxlogModuledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension syslog>   Module  xm_syslog</Extension><Extension _exec>   Module  xm_exec</Extension><Extension csv>   Module    xm_csv   Fields    date-time, connector-id, session-id, sequence-number, \             local-endpoint, remote-endpoint, event, data, context</Extension><Input in>Module im_fileFile "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG"       <Exec> csv->parse_csv(); to_syslog_ietf();</Exec></Input><Output out>   Module    om_tcp   Host      ####    Port      ####          Exec      to_syslog_bsd();</Output><Route 1>   Path      in => out</Route> 

loghero created
Replies: 4
View post »
last updated
Problem using im_odbc (SQLDescribeParam Invalid parameter number)
Hi I'm getting a problem were the im_odbc module connects successfully to the DB via odbc but then straight away disconnects and give the error INFO [im_odbc|sccm_alerts] im_odbc successfully connected to the databaseWARNING [im_odbc|sccm_alerts] im_odbc detected a disconnection, attempting to reconnect in 10 secondsERROR [im_odbc|sccm_alerts] SQLDescribeParam failed, 07009:2:0:[Microsoft][ODBC Driver 17 for SQL Server]Invalid parameter number (odbc error code: -1) This is running on windows server 2019 and using MS SQL server 2017 (64bit)I have tried the ODBC driver 13/17/18 and tried just basic SQL query's to retrieve a single table (of just a couple or rows and columns ) The current DSN again works with PowerShell fine I've tried making my own and using system ones All permutations work using all ODBC drivers and SQL query's with PowerShell no problem  <Extension _json> Module xm_json </Extension> <Input sccm_alerts> Module im_odbc ConnectionString DSN=test;Trusted_Connection=yes; SQL SELECT ID,TypeID,TypeInstanceID,Name,FeatureArea, ObjectWmiClass,Severity FROM V_SMS_Alert </Input> <Output outfile> Module om_file File 'C:\scripts\out.log' Exec to_json(); </Output> <Route sccm> Path sccm_alerts, sccm_alerts => outfile </Route>It was al installed as a “standard” SCCM install which is working fine  Many thanks for any help, please let me know if you needs any more information Kind regards  

Floss created
Replies: 2
View post »
last updated
NXLog Manager support for RHEL
Hi,Can check if the current NXLog Manager can support RHEL 8.8?And any roadmap to support RHEL9 in future? ThanksRegards, Billy

billychua created
Replies: 1
View post »
last updated
HTTP Headers in community edition?
I have a very small (Read - no budget) project that NXlog would be a perfect fit for. Parsing, reformatting, and moving logs from a third party app to our Splunk server. I have a config that is simple and would work perfectly - except I did not realize until today that the CE does not support HTTP headers. (I had been using the EE documentation apparently) I found this out via google search on this old thread:https://nxlog.co/community-forum/t/648-adding-custom-header-om-httpWhich was 4 years ago, and mentioned that HTTP header support is not in the CE yet. Are there any plans to add this? I seems like pretty basic HTTP functionality, even more so than HTTPS/SSL support (which must have been far more involved to implement). Without any idea on pricing at all on the EE (again, zero or close to it budget) and no “in between” edition, it seems like a shame that I cannot make this work with the CE.Any ideas? An alternate way to get logs into Splunk using the CE would also work for me. Any help greatly appreciated!

Jeffrey Brinkerhoff created
Replies: 1
View post »
last updated
RHEL7 CE Edition Missing All Modules
We have a Linux host we have installed nxlog-ce-3.2.2329_rhel7.x86_64.rpm with yum on. The install did not create the modules folder and it seems we have none of the required files. Is there a way that this all needs to be separately installed? Is it possible this nxlog-ce-3.2.2329_rhel7.x86_64.rpm package did not install fully?

agrecoUCM created
Replies: 1
View post »
last updated
NXLOG for windows server 2019
hi,First of all I would like to know if NXLOG compatible with Windows server 2019. I have trouble with the performance of nxlog on windows 2019 while on 2012 everything is fine.The logs do not go up instantly even though the configuration is the same and there is no issue with the network.Does anyone knows what the issue might be?Thank you for your answers.

אסף ל created
Replies: 1
View post »
last updated
Seeking Assistance with NXLog Agent Installation aws ec2 linux instance
Hi Experts,I am reaching out to seek assistance with the installation of the NXLog Agent on my AWS EC2 Linux instance. I have encountered some challenges during the installation process and would greatly appreciate your guidance and support.The AWS EC2 instance I am using is running Amazon Linux version 2023. Here are the details of my Linux distribution:- Name: Amazon Linux- Version: 2023- ID: amzn- ID_LIKE: fedora- Version_ID: 2023- PLATFORM_ID: platform:al2023- PRETTY_NAME: Amazon Linux 2023- ANSI_COLOR: 0;33- CPE_NAME: cpe:2.3:o:amazon:amazon_linux:2023- HOME_URL: [https://aws.amazon.com/linux/](https://aws.amazon.com/linux/)- BUG_REPORT_URL: [https://github.com/amazonlinux/amazon-linux-2023](https://github.com/amazonlinux/amazon-linux-2023)- SUPPORT_END: 2028-03-01I kindly request your assistance in determining the correct RPM package I should download for this particular distribution and version of Linux.https://nxlog.co/downloads/nxlog-ce#nxlog-community-editionis there any documentation or resources that I can refer to for guidance on the installation process.Appreciate any help. 

siuolkl created
Replies: 1
View post »
last updated
ERROR couldn't connect to tcp socket
Hi All,We would like to check what could be the cause when getting the below error message in nxlog.log when using port 514?ERROR couldn't connect to tcp socket on logs-01.loggly.com:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. INFO connecting to 192.168.1.1:514 INFO reconnecting in 2 secondsWe are from SolarWinds Loggly and helping a customer to identify the cause as to why they are getting the above error message. From our documentation, we already advised them in editing the configuration file as "Administrator", this means that you should actually open up text editor as Administrator, but the issue still persists. Reference: https://documentation.solarwinds.com/en/success_center/loggly/content/admin/troubleshooting-nxlog.htm#Check-Connection The customer is using a latest version of NXLog Community Edition (nxlog-ce-3.2.2329). Is this a bug?  

tariotics created
Replies: 1
View post »
last updated
File Deletion OnEOF
Is it possible to perform a file deletion on the end of the file in the community edition with something like the below configuration?<Input csv>     Module          im_file    ReadFromLast    True    SavePos         True    PollInterval    300    File        'file/location'    # Parse the CSV events     <Exec>             csv->parse_csv();     </Exec>      <OnEOF>         <Exec>             file_remove(file_name());         </Exec>         GraceTimeout  10     </OnEOF></Input>

bubbre01 created
Replies: 1
View post »
last updated
Problem sending new logs with im_file to remote SIEM
I have a setup with nxlog to collect audit log files that come to me daily. Each day the file name changes.I noticed that the incoming files are not sent to my remote SIEM, only the first one after restarting the NXLOG service.Below is my NXLOG configuration using the im_file and on_tcp modules.Would anyone have an idea how to resolve this? define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log LogLevel INFO ####################################################################### EXTENTIONS ####################################################################### <Extension _gelf> Module xm_gelf </Extension> <Extension _json> Module xm_json </Extension> <Input auditoria> Module im_file File "E:\Dataside\SIEM*.json" ReadFromLast False SavePos False </Input> <Output graylog> Module om_tcp Host 10.100.8.113 Port 5555 </Output> <Route auditoria-to-graylog> Path auditoria => graylog </Route>

lucasbittencourt created
Replies: 1
View post »
last updated
Systemd and open files limit
Would like to check where should i change the file for RHEL 8? I found the below link but doesn't work for rhel 8. Common issues :: NXLog Documentation This scenario requires edits to the service file or an override. To check NXLog system limits, use the following command:$ cat /proc/$(cat /opt/nxlog/var/run/nxlog/nxlog.pid)/limitsOn Systems not using /proc, check the system’s open file limit:$ sysctl kern.maxfilesTo adjust limits for nxlog, create /etc/systemd/system/nxlog.service.d/override.conf and add the following definition:[Service] LimitNOFILE=100000Update the service settings with:$ systemctl daemon-reload

billychua created
Replies: 1
View post »
last updated
Are the config files different between Community and Enterprise editions
I am trying to migrate our functional Enterprise config to Community on other devices.Thanks,Paul 

PaulBagnell created
Replies: 1
View post »
last updated
How to refer to fields with dash in name in Exec
Hi I'm working on a setup for collecting IIS logs and send them to Graylog. Here I stumbled into a problem with refering to fields with a dash in the field name. I would really like the fields to have prober w3c names in greylog, so I dont wanna remove those dashes. In the CSV module I have: <Extension w3c> Module xm_csv Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken, $X-Forwarded-For FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> And in my input def i have: <Input iis_dodpdownload> Module im_file .... Exec if $raw_event =~ /(^#)|((keepalive.html).*(\s-\s200\s0\s))/ \ { \ drop(); \ } \ else \ { \ w3c-&gt;parse_csv(); \ $EventTime = parsedate($date + &quot;T&quot; + $time + &quot;+00:00&quot;); \ $SourceName = &quot;IIS&quot;; \ $Message = $cs-method + &quot; &quot; + $cs-uri-stem + &quot; &quot; + $sc-status; \ } </Input> The line $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; results in a parser error. If I change field names to not contain dash character then it works. I also tried to surround with curly braces but it just returns a new parse error. How can i refer to those fields/vars or escape them? Hope someone knows:-) Best regards, Peter Meldgaard

mulgurul created
Replies: 3
View post »
last updated
Multiple log in Windows Events Log
Hi, I have a problem trying to send the raw event of Windows Server 2016. I have this configuration in nxlog.conf: Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _leef> Module xm_leef </Extension> <Extension xml> Module xm_xml </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension rewrite> Module xm_rewrite Keep EventXML </Extension> <Input argentina> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[band(Keywords,13510798882111488)]]</Select> </Query> </QueryList> </QueryXML> </Input> <Processor buffer1> Module pm_buffer MaxSize 102400 Type Mem </Processor> <Output qradar> Module om_tcp Host XXX.XXX.XXX.XXX:514 Exec $raw_event = $EventXML; Exec delete_all(); </Output> <Route r1> Path argentina => buffer1 => qradar </Route>but in our SIEM i see this output (every line is a diferent log):I used "tcpdump" to saw if every log are diferent packets but i saw that it's only one packet but it has a special character that separete the line (i thought) .Could someone help to solve this? maybe using “replace” or changing the encoding. Thanks

santiagonahuel.sarchetti@bbva.com created
Replies: 0
View post »
last updated
SQL Integration | NXLog configuration errors
Hello There,We're in the process of collecting SQL server logs and followed instructions in this link (Example 2)https://nxlog.co/documentation/nxlog-user-guide/mssql.htmlWe are having the following error message:ERROR if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 53, character 47 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 53, character 46 in c:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid ERROR if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 53, character 47 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 53, character 46 in c:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid ERROR last message repeated 2 timesWe're using the latest version of the community edition. Here is a snippet from the config file, including the lines numbers as reference to the error above. Let us know if you need further information. Many thanks.

Mary Joy Baquilar created
Replies: 4
View post »
last updated
Google Chronicle (om_chronicle) with multiple input and output error [HELP]
Anyone has encounter error before or have issue when doing multiple input and output for chronicle.If i list 1 chronicle setting and with the below configuration will have no error. define BASE_URL           https://abc.defgh.ijkhlmndefine ENDPOINT           unstructuredlogentriesdefine API_KEY            key=ABCdefghiJKLNMOP<Input listener1>       Module im_tcp       Host    1.1.1.1:10000</Input><Output to_chronicle_out>   Module                om_chronicle   URL                   %BASE_URL%%ENDPOINT%?%API_KEY%   HTTPSCAFile           \opt\cert.crt   LogType               WINEVTLOG   ChronicleBatchSize    1024</Output><Route route_chronicle>   Path listener1 => to_chronicle_out</Route> If i list 2 or more chronicle setting and i do encounter errordefine BASE_URL           https://abc.defgh.ijkhlmndefine ENDPOINT           unstructuredlogentriesdefine API_KEY            key=ABCdefghiJKLNMOP<Input listener1>       Module im_tcp       Host   1.1.1.1:10000</Input><Input listener2>       Module im_tcp       Host    1.1.1.1:10001</Input><Output to_chronicle_out>   Module                om_chronicle   URL                   %BASE_URL%%ENDPOINT%?%API_KEY%   HTTPSCAFile           \opt\cert.crt   LogType               WINEVTLOG   ChronicleBatchSize    1024</Output><Output to_chronicle_out1>   Module                om_chronicle   URL                   %BASE_URL%%ENDPOINT%?%API_KEY%   HTTPSCAFile           \opt\cert.crt   LogType               WINEVTLOG   ChronicleBatchSize    1024</Output><Route route_chronicle>   Path listener1 => to_chronicle_out</Route><Route route_chronicle1>   Path listener2 => to_chronicle_out1</Route>The error i'm getting is.  ERROR [CORE|main] can't initialize logger: already initialized  

billychua created
Replies: 4
View post »
last updated
nxlog manager push policy to nxlog agent
Hi, I have the following error. I'm using agent to manager using agent-ca.pem. I have encounter error when trying to push down the managed.conf file. Below is the error. Would like to check can i just do agent-ca.pem for manager and agent communication or i need to use mutual authentication in order to push down the managed.conf file?2023-06-28 17:37:08,547 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Reloading agent: Server1 2023-06-28 17:37:08,549 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent configuration exported: Server1 2023-06-28 17:37:08,551 ERROR 1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Failed to reconfigure agent: Server1 [Unable to perform requested lazy initialization [com.nxsec.log4ensics.data.model.certdb.Certificate.cer] - no session and settings disallow loading outside the Session] 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1 set to OFFLINE state 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1 removed from opened connections 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - Closing the socket for agent Server1: Unable to perform requested lazy initialization [com.nxsec.log4ensics.data.model.certdb.Certificate.cer] - no session and settings disallow loading outside the Session 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1's connection closed 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - Agent Server1 connection has been reset until execute 'putFile' 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent reconfigured: Server1 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1 connection has been reset until execute RestartServerTask 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent restarted: Server1 2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent reloaded: Server1 2023-06-28 17:37:08,568 INFO  1.1.1.17 unknown [c.n.l.s.a.s.n.MultiReactor] - Agent manager accepted agent connection Server1 from 1.1.1.48 2023-06-28 17:37:15,812 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - getServerInfo from agent server2 succeeded. 2023-06-28 17:37:15,812 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - getServerInfo from agent server3 succeeded. 2023-06-28 17:37:16,618 WARN  1.1.1.17 unknown [c.n.l.s.a.s.AgentSslVerifier] - Agent manager failed to accept agent connection from 1.1.1.25 [EOF during handshake with peer 1.1.1.205/Server1] 

billychua created
Replies: 2
View post »
last updated
Adding Source IP to Messages
I am receiving some logs from network devices that don't include the source IP or host in the log message. How do I add $MessageSourceAddress to the message so I can identify its source?I've tried Exec $raw_event = $raw_event +$MessageSourceAddress;But that does nothing. What is the correct syntax for this?

russeller created
Replies: 1
View post »
last updated
nxlog agent to nxlog-manager
I have encountered an issue that in nxlog agent i can connected to the nxlog manager. But in the nxlog manager i couldn't see any agent in the list. 

billychua created
Replies: 0
View post »
last updated
How to forward PowerShell_transcript files to SIEM as syslog?
Hello there, We are currently getting PowerShell transcript logs in one of our Windows WEF Collectors. Each log is been generated as a .txt file following the following naming convention: PowerShell_transcript.$deviceName.$RandownNumber.txt. For example this is how the folder looks like: G:/PowerShell_logs/ PowerShell_transcript.device1.qww.txt PowerShell_transcript.device2.fgd.txt PowerShell_transcript.device3.hjj.txt The issue I am having is that the content of each .txt file is arriving to the SIEM at one line at the time instead of arriving all the lines on the same event. This is the content of one of the PowerShell transcript file. Windows PowerShell transcript start Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\temp\reset-password_1.2.ps1' Process ID: 19236 PSVersion: 5.1.18362.1714 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.18362.1714 BuildVersion: 10.0.18362.1714 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 Windows PowerShell transcript end End time: 20210920120413 This is the "nxlog.conf" I am using: Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension syslog> Module xm_syslog </Extension> <Input in> Module im_file File "G:\PowerShell_logs\PowerShell_transcript*.txt" </Input> <Output out1> Module om_tcp Host SIEM-FDQN-domain.com Port 514 Exec to_syslog_bsd(); </Output> <Route 1> Path in => out1 </Route> #----------------------------------------------------------------------------------- END nxlog.conf------------------------------------------------------ The question is: How to configure the "nxlog.conf" so the entire content of each PowerShell_transcript.device1.qww.txt is been sent to the SIEM as one event and not multiples ones?

Antonio.Gonzalez2021 created
Replies: 2
View post »
last updated