HiWe are not receiving the Windows security logs via the nxlog agent. We noticed that nxlog.log successfully connected the destination IP, and port.2023-04-12 08:18:57 INFO [CORE|main] nxlog-5.7.7898 (68bb24e7e@REL_v5.7) started on Windows2023-04-12 08:18:57 INFO [om_udp|syslogout] connecting to 10.129.5.20:5212023-04-12 08:18:57 INFO [om_udp|syslogout] successfully connected to 10.129.5.20:521Nxlog. conf file configuration## Please set the ROOT to the folder your nxlog was installed into,## otherwise it will not start.define ROOT C:\Program Files (x86)\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\confdefine LOGDIR %ROOT%\datadefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data<Extension syslog>Module xm_syslog</Extension><Input eventlog>Module im_msvistalog# ReadFromLast True<QueryXML><QueryList><Query Id="0"><Select Path="ForwardedEvents">*</Select></Query></QueryList></QueryXML></Input><Processor eventlog_transformer>Module pm_transformer# OutputFormat syslog_rfc5424</Processor><Processor buffer>Module pm_buffer# 100 MB disk bufferMaxSize 102400Type disk</Processor>########################OUTPUTS##########################<Output syslogout>Module om_udpHost 10.129.5.20:521########################PUTS EVENT IN IETF FORMAT############Exec to_syslog_snare();</Output><Route 1>Path eventlog => eventlog_transformer => syslogout</Route>Note: We are using the nxlog agent version 5.7.7898 and security events are available in Forwarded events

I used a configuration right out of the documentation. This error is logged at startup. I have to remove all fields referenced in curly braces ${}2023-03-31 13:45:13 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:60; couldn't parse statement at line 62, character 13 in C:\Program Files\nxlog\conf\nxlog.conf; invalid character: '$' (0x24) Config:      # Convert integer type fields      if (${Framed-MTU})                    ${Framed-MTU} = integer(${Framed-MTU}); 

Hi,I had this situation whereby when I unplugged the cable of the outgoing interface of the nxlog server, the logs went into the cache folder. When I connected back to the interface, the new logs continues to flow to the external logger,  but the cached logs remain inside the cache folder and do not forward out to the external logger.below is my configuration.  Looking forward to any help, please. thank youUser rootGroup rootPanic Soft##modify change# default values:# PidFile   /opt/nxlog/var/run/nxlog/nxlog.pid# CacheDir  /opt/nxlog/var/spool/nxlog# ModuleDir /opt/nxlog/lib/nxlog/modules# SpoolDir /opt/nxlog/var/spool/nxlogCacheDir /data/nxlogcachedefine CERTDIR /opt/nxlog/var/lib/nxlog/certdefine CONFDIR /opt/nxlog/var/lib/nxlog# Note that these two lines define constants only; the log file location# is ultimately set by the `LogFile` directive (see below). The# `MYLOGFILE` define is also used to rotate the log file automatically# (see the `_fileop` block).define LOGDIR /opt/nxlog/var/log/nxlogdefine MYLOGFILE %LOGDIR%/nxlog.log# By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This# allows the log file location to be modified via NXLog Manager. If you# are not using NXLog Manager, you can instead set `LogFile` below and# disable the `include` line.LogFile %MYLOGFILE%#include %CONFDIR%/log4ensics.conf<Extension _syslog>   Module  xm_syslog</Extension><Extension exec>        Module  xm_exec</Extension><Extension _leef>Module xm_leef</Extension><Output Egress_To_xxx>       Module om_tcp       Port    1524       Host    xxx.xxx.xxx.xxx</Output># Set port and Ip Address to listen to traffic<Input External_Ingress>       Module im_tcp       Port    1524       Host    0.0.0.0</Input><Output External_Log_Locally>       Module om_file       File    '/data/store/External/External_logs.txt'#Set log rotation to run daily and keep 90 days worth of logs               <Schedule>               when    @daily               <Exec>                       # Create year/month directories if necessary                                               dir_make('/data/store/External/' + strftime(now() - 86400, '%Y-%m'));                                               # Rotate current file into the correct directory                                               rotate_to('/data/store/External/' + strftime(now() - 86400, '%Y-%m/External_logs_%Y-%m-%d.txt'));                                               #Remove files older than 90 days                                               exec_async("/usr/bin/find", "/data/store/External", "-mtime", "+90", "-type", "f", "-delete");                                                              </Exec>       </Schedule></Output><Processor External_To_xxx_Buffer>       Module  pm_buffer       Type    Disk       #130MiB buffer       MaxSize 130000000       WarnLimit       100000000</Processor><Route External_To_xxx_Path>       Path    External_Ingress => External_To_xxx_Buffer => Egress_To_xxx</Route><Route External_To_Local>       Path    External_Ingress => External_Log_Locally</Route><Input Internal_Ingress>       Module im_tcp       Port    2524       Host    0.0.0.0       <Exec>           # edit syslog header for xxxx           if $raw_event =~ /\d\d:\d\d:\d\d\s+(xxxx)\s+/           {               $Hostname = $1;               to_syslog_bsd();           }       </Exec></Input><Output Internal_Log_Locally>        Module om_file        File   '/data/store/Internal/Internal_logs.txt'                #Set log rotation to run daily and keep 90 days worth of logs       <Schedule>               when    @daily               <Exec>                       # Create year/month directories if necessary                       dir_make('/data/store/Internal/' + strftime(now() - 86400, '%Y-%m'));                       # Rotate current file into the correct directory                       rotate_to('/data/store/Internal/' + strftime(now() - 86400, '%Y-%m/Internal_logs_%Y-%m-%d.txt'));                       #Remove files older than 90 days                       exec_async("/usr/bin/find", "/data/store/Internal", "-mtime", "+90", "-type", "f", "-delete");               </Exec>       </Schedule></Output><Processor Internal_To_xxx_Buffer>        Module pm_buffer        Type   Disk        #130MiB buffer        MaxSize        130000000        WarnLimit      100000000</Processor><Route Internal_To_xxx_Path>       Path    Internal_Ingress => Internal_To_xxx_Buffer => Egress_To_xxx</Route><Route Internal_To_Local>       Path    Internal_Ingress => Internal_Log_Locally</Route><Input xxx_UDP_Ingress>       Module im_udp       Port   514       Host   0.0.0.0<Exec> # edit syslog header for xxx else if $MessageSourceAddress == 'xx.xxx.x.x' {  $Hostname = 'xxx';  to_syslog_bsd(); } # edit syslog header for xxx else if $MessageSourceAddress == 'xx.xxx.xx.xx' {  $Hostname = 'xxx';  to_syslog_bsd(); }              # edit syslog header for xxx               else if $MessageSourceAddress == 'xx.xx.xx'               {                       $Hostname = 'xxx';                       to_syslog_bsd();               }</Exec></Input><Output xxx_UDP_Log_Locally>        Module om_file        File   '/data/store/UDP/xxx_UDP_logs.txt'                #Set log rotation to run daily and keep 90 days worth of logs               <Schedule>               when    @daily               <Exec>                       # Create year/month directories if necessary                                               dir_make('/data/store/UDP/' + strftime(now() - 86400, '%Y-%m'));                                               # Rotate current file into the correct directory                                               rotate_to('/data/store/UDP/' + strftime(now() - 86400, '%Y-%m/xxxx_UDP_logs_%Y-%m-%d.txt'));                                               #Remove files older than 90 days                                               exec_async("/usr/bin/find", "/data/store/UDP", "-mtime", "+90", "-type", "f", "-delete");               </Exec>       </Schedule></Output><Processor xxx_UDP_To_xxx_Buffer>        Module pm_buffer        Type   Disk        #130MiB buffer        MaxSize        130000000        WarnLimit      100000000</Processor><Route xxx_UDP_To_xxx_Path>       Path    xxx_UDP_Ingress => xxx_UDP_To_xxx_Buffer => Egress_To_xxx</Route><Route xxx_UDP_To_Local>       Path    xxx_UDP_Ingress => xxx_UDP_Log_Locally</Route><Input audit_log>       Module im_file       File    '/var/log/secure'       <Exec>               to_syslog_bsd();       </Exec></Input><Processor xxx_Audit_To_xxx_Buffer>        Module pm_buffer        Type   Disk        #130MiB buffer        MaxSize        130000000        WarnLimit      100000000</Processor><Route xx_Audit_To_xx_Path>       Path    audit_log => xxx_Audit_To_xxx_Buffer => Egress_To_xxx</Route><Input audit_log_2>       Module im_file       File    '/var/log/audit/audit.log'       <Exec>               to_syslog_bsd();       </Exec></Input><Processor xxx_Audit_2_To_xxx_Buffer>        Module pm_buffer        Type   Disk        #130MiB buffer        MaxSize        130000000        WarnLimit      100000000</Processor><Route xxx_Audit2_To_xxxx_Path>       Path    audit_log_2 => xxxx_Audit_2_To_xxxx_Buffer => Egress_To_xxxx</Route># This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`# is changed in log4ensics.conf via NXLog Manager, rotation of the new# file should also be configured there.<Extension _fileop>   Module  xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       <Exec>           if ( file_exists('%MYLOGFILE%') and                (file_size('%MYLOGFILE%') >= 5M) )           {                file_cycle('%MYLOGFILE%', 8);           }       </Exec>   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);   </Schedule></Extension>

nxlog-ce-3.1.2319 add custom conf to ` /etc/nxlog/nxlog.d`; systemctl restart nxlog;systemctl status nxlog;got message: how to enable the im_dbi module ?the config looks like:config file: `/etc/nxlog/nxlog.d/icslog.conf`: <Input dbi> Module im_dbi Driver mysql Option host 127.0.0.1 Option username root Option password pp Option dbname logs SQL SELECT * FROM ics_alarm_log </Input> <Output file> Module om_file File '/tmp/ics_alarm_log.csv' </Output>

Hello,I am trying to send my custom application Windows logs to GrayLog.  I am using GELF TCP.    Our event text is getting cut off.   It looks like our custom events write all of the data to the section GrayLog calls “short message”    I did see the article that said there is a 64 character limit and we did change that with  Exec   $short_message = $raw_message;  in the output section.  This did increase the number of characters shown but there are still plenty more characters getting cut off.  We have NXlog writing to a local file right now so were able to verify that it is NXlog that is cutting off the data.  Is there a way to fix this?   Here is my conf file:Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension><Extension _charconv>   Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec>   Module      xm_exec</Extension><Extension _gelf>   Module      xm_gelf   ShortMessageLength 1024   UseNullDelimiter false</Extension><Extension _fileop>   Module      xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       Exec    if (file_exists('%LOGFILE%') and \                  (file_size('%LOGFILE%') >= 5M)) \                   file_cycle('%LOGFILE%', 8);   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);   </Schedule></Extension><Input in>   Module      im_msvistalog</Input><Output file>      Module om_file      File 'c:/temp/nxlog.txt'</Output><Output out>   Module      om_tcp   Host       xxxxxxxxxxxxxxxxx   Port        5555   OutPutType  GELF_TCP   Exec        $short_message = $raw_message;</Output><Route 1>  Path        in => file</Route>This is what the event data shows:  [The description for EventID 0 from source xxxxxxx cannot be found:  The parameter is incorrect,   ]   There are several more lines after this that are just not coming over.   I am very inexperienced with this software.  Thank you for your help.  

I have the following config forwarding all events to siemPanic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5define WINDNS_OUTPUT_DESTINATION_PORT 10518define CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datadefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _json>     Module      xm_json </Extension> <Input windows_security_eventlog>     Module  im_msvistalog     <QueryXML>         <QueryList>             <Query Id="0">                 <Select Path="Application">*</Select>                 <Select Path="System">*</Select>                 <Select Path="Security">*</Select>   <Select Path="ForwardedEvents">*</Select>             </Query>         </QueryList>     </QueryXML>     ReadFromLast  False     SavePos  False </Input><Output out_siem_windevents>     Module      om_udp     Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%     Port        %WINDNS_OUTPUT_DESTINATION_PORT%     Exec        $EventTime = integer($EventTime) / 1000;     Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;     Exec        to_json(); </Output> <Route r2>     Path    windows_security_eventlog => out_siem_windevents </Route> I need to push sysmon events to a seperate feed within Siem, would the below be an aceptable config to use?  Not sure if the route statements need route r3 or if they can all exist within route r2 define ROOT     C:\Program Files\nxlogdefine WINDNS_OUTPUT_DESTINATION_ADDRESS 1.1.1.5define WINDNS_OUTPUT_DESTINATION_PORT 10518define CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datadefine WINDNS_OUTPUT_DESTINATION_ADDRESS2 1.1.1.5define WINDNS_OUTPUT_DESTINATION_PORT2 10519define LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _json>    Module      xm_json</Extension><Input windows_security_eventlog>    Module  im_msvistalog    <QueryXML>        <QueryList>            <Query Id="0">                <Select Path="Application">*</Select>                <Select Path="System">*</Select>                <Select Path="Security">*</Select>  <Select Path="ForwardedEvents">*</Select>            </Query>        </QueryList>    </QueryXML>    ReadFromLast  False    SavePos  False</Input><Output out_siem_windevents>    Module      om_udp    Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS%    Port        %WINDNS_OUTPUT_DESTINATION_PORT%    Exec        $EventTime = integer($EventTime) / 1000;    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;    Exec        to_json();</Output><Output out_siem_windevents2>    Module      om_udp    Host        %WINDNS_OUTPUT_DESTINATION_ADDRESS2%    Port        %WINDNS_OUTPUT_DESTINATION_PORT2%    Exec        $EventTime = integer($EventTime) / 1000;    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;    Exec        to_json();</Output><Route r2>    Path    windows_security_eventlog => out_siem_windevents Path    windows_security_eventlog => out_siem_windevents2</Route>

Running nxlog-ce-3.1.2319 on Windows.2023-01-19 08:12:46 ERROR Failed to load module from C:\xxxxx\nxlog\modules\extension\xm_python.dll, The specified module could not be found.  ; The specified module could not be found.The NXLog Python DLL is on disk so I am wondering if this is complaining because I don't have the nxlog Python module  (which I don't see in pip).I looked around for some setup instructions but I don't see any extra setup steps required for Python (aside from writing the script).Config:<Extension python>   Module      xm_python   PythonCode  "C:\xxx\NXLogDev\modules\convert_to_splunk_hec.py"</Extension> PythonCodeimport nxlogdef get_splunk_hec_format(event):   nxlog.log_warning('in get_splunk_hec_format()')   for field in event.field_names():       nxlog.log_debug('Received field:' + field) 

Hello, I have a problem with a nxlog collector for a SIEM Graylog. On the Graylog page the nxlog appears to be Failing. But on the collector the service looks like running : root@:/var/run/nxlog# systemctl status nxlog ● nxlog.service - LSB: logging daemon Loaded: loaded (/etc/init.d/nxlog; generated; vendor preset: enabled) Active: active (running) since Tue 2021-12-21 15:33:07 CET; 1 day 19h ago Docs: man:systemd-sysv-generator(8) Process: 26310 ExecStop=/etc/init.d/nxlog stop (code=exited, status=0/SUCCESS) Process: 26314 ExecStart=/etc/init.d/nxlog start (code=exited, status=0/SUCCESS) CGroup: /system.slice/nxlog.service └─26320 /usr/bin/nxlog When I look into the internal logs for troubleshooting I have this : root@:/var/run/nxlog# tail /var/log/nxlog/nxlog.log 2021-12-23 10:17:32 INFO configuration OK 2021-12-23 10:17:32 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable 2021-12-23 10:17:33 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable 2021-12-23 10:17:34 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable 2021-12-23 10:17:35 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable 2021-12-23 11:17:32 INFO configuration OK 2021-12-23 11:17:32 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable 2021-12-23 11:17:33 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable 2021-12-23 11:17:34 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable 2021-12-23 11:17:35 ERROR Another instance is already running (pid 26320);Resource temporarily unavailable root@:/var/run/nxlog# cat /var/run/nxlog/nxlog.pid 26320 root@BDXSVLG01:/var/run/nxlog# ps -aux |grep nxlog root 4008 0.0 0.0 12776 980 pts/6 D+ 11:21 0:00 grep --color=auto nxlog nxlog 26320 0.0 0.0 275248 224 ? Ssl déc.21 1:03 /usr/bin/nxlog The service that is already running is the one with the right pid so I don't get where my problem comes from. Thank you in advance for your help. BR, Paul

Why do I always receive the message "WARNING nxlog-ce received a termination request signal, exiting..." and I don't receive any message using GELF UDP in Graylog input, unless I use Raw/Plaintext UDP? Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data include %CONFDIR%\\*.conf define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data # define IISLOG "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*.log" ####################################################################### #### EXTENTIONS ##### ####################################################################### <Extension _gelf> Module xm_gelf </Extension> <Extension _json> Module xm_json </Extension> <Extension fileop> Module xm_fileop </Extension> ####################################################################### #### IIS NXLOG ###### ####################################################################### <Extension w3c> Module xm_csv Fields $date, $time, $s_ip FieldTypes string, string, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Input iis> Module im_file File "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex*.log" SavePos TRUE Exec if $raw_event =~/^#/ drop();\ else\ {\ w3c->parse_csv();\ $EventTime = parsedate($date + " " + $time);\ $EventTime = parsedate($date + " " + $time + "Z");\ $SourceName = "IIS";\ $raw_event = to_json();\ } </Input> <Output graylog> Module om_udp Host 192.168.3.250 Port 1322 OutputType GELF Exec $Hostname = hostname_fqdn(); Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event; #Use the following line for debugging (uncomment the fileop extension above as well) # exec file_write("C:\\Program Files\\nxlog\\data\\nxlog_output.log", $raw_event); </Output> <Route iis-to-graylog> Path iis => graylog </Route>

I am having issues where when I try to parse a big file ~1500 lines the regexp doesn't find any lines that match and then eventually “gives up”. There is no ERROR log in the nxlog.log saying that it essentially stopped but it never writes anything to my output file. In the input file I have 6 lines that match my parser though.<Exec> if $raw_event =~ /srv_name="([^"]+).+?user_auth_entr="([^"]+)/ { $event_type = 'VPN_SESSION_IP_ASSIGNED'; $version = 'v1'; $time = 'test'; $account = $2; $account_domain = 'null'; $assigned_ip = 'null'; $source_ip = 'null'; $authentication_result = 'FAILURE'; $authentication_target = $1; } </Exec>I was confused at first and thought there was an issue with my statement but it checks out.  When I specifically grabbed only those 6 log lines that would match and ran the service against ONLY those logs, everything parsed and worked just fine giving my the 6 new log lines in my output file.So this leads me to believe that the only reason it didn't work the first time is because the first time it actually matches those log lines is the 112th line. So my assumption is that it tries to process the incoming log lines against my regex and after so many not matching it just stops. Can anyone confirm if this is accurate and if so, how can I increase the threshold and/or remove this dependency?

Hello everyone,We should log on Windows server some IIS and SQL Server logs via agent in Community Edition. Through documentation I have examples that produce as results logs in csv and/or json format.Could you give me a hand in transforming the logs from json and/or csv format to key-value (kvp)Thank you very much for the support.

I am trying to parse some logs coming in and trying to figure out the proper way to build the nxlog.conf when specifying what to do depending on the conditions met in the parser. I have a working conf file that can read all the logs from a file and parse them into one set of conditions but how do I add multiple IF statements in a single Exec block?<Input NetMotion> Module im_file File "C:\Testing-logs\NetMotion.txt" <Exec> if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/ { if $4 = 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED'; { $version = 'v1'; $time = $3; $account = $1; $assigned_ip = $6; $source_ip = $2; $authentication_result = 'SUCCESS'; $authentication_target = $5; } if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION'; { $version = 'v1'; $time = $2; $account = $1; } } </Exec> </Input>The above code works in the fact that it doesn't give me any errors in the NXLog log file however the actual log lines are mixed up. If the events match 'VPN_SESSION_IP_ASSIGNED'  then it all works just fine. This gives me the order of event_type, version, time, account, assigned_ip, source_ip, authentication_result, authentication_target which is exactly what I need. However for the lines where it doesn't match, it messes up the order and puts version first, and then tacks on the event_type = 'VPN_SESSION_IP_TERMINATION' at the end.How do I get it so that when the $event_type = 'VPN_SESSION_IP_TERMINATION' the log format only shows the fields I want e.g. event_type, version, time, account. I tried a different method where I put the second if statement directly after the first and it worked to keep the order but I still don't know how to drop the unnecessary fields from the termination events.<Input NetMotion> Module im_file File "C:\Testing-logs\NetMotion.txt" <Exec> if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/ { if $4 = 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED'; if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION'; $version = 'v1'; $time = $3; $account = $1; $assigned_ip = $6; $source_ip = $2; $authentication_result = 'SUCCESS'; $authentication_target = $5; } </Exec> </Input>Would I do an additional if statement after that to basically say, if $event_type == 'VPN_SESSION_IP_TERMINATION' { delete($assigned_ip); delete($source_ip); delete($authentication_result); delete($authentication_target); }Any and all help is appreciated!

Hi all, Anybody here already using NXLog on Windows 2022? I seems to work pretty fine but I just figure that certain events just are not caught, for instance, EventID 4625, for Login failures. Despite I can see lots of occurrences on Event Viewer, they are not sent to my log server.

Hello community. I'm trying to download nxlog for Debian 7 (wheezy) and I'n getting error “Couldn't download something went wrong….”No problem with downloads for upper versions of Debian. Any help ?  

Hello,I created a new EC2 instance using Amazon Linxu AMI 2 and downloaded the Community edition of Nxlog Redhat 7 version and run into dependency error when I run yum install The version of python3 on the server is 3.7.16Anyone else run into the same issue found a way forward?yum install nxlog-ce-3.1.2319_rhel7.x86_64.rpmLoaded plugins: extras_suggestions, langpacks, priorities, update-motdExamining nxlog-ce-3.1.2319_rhel7.x86_64.rpm: nxlog-ce-3.1.2319-1.x86_64Marking nxlog-ce-3.1.2319_rhel7.x86_64.rpm to be installedResolving Dependencies--> Running transaction check---> Package nxlog-ce.x86_64 0:3.1.2319-1 will be installed--> Processing Dependency: apr >= 1.2 for package: nxlog-ce-3.1.2319-1.x86_64--> Processing Dependency: libdbi >= 0.8.1 for package: nxlog-ce-3.1.2319-1.x86_64--> Processing Dependency: libapr-1.so.0()(64bit) for package: nxlog-ce-3.1.2319-1.x86_64--> Processing Dependency: libdbi.so.0()(64bit) for package: nxlog-ce-3.1.2319-1.x86_64--> Processing Dependency: libpython3.6m.so.1.0()(64bit) for package: nxlog-ce-3.1.2319-1.x86_64--> Running transaction check---> Package apr.x86_64 0:1.7.2-1.amzn2 will be installed---> Package libdbi.x86_64 0:0.8.4-6.amzn2.0.2 will be installed---> Package nxlog-ce.x86_64 0:3.1.2319-1 will be installed--> Processing Dependency: libpython3.6m.so.1.0()(64bit) for package: nxlog-ce-3.1.2319-1.x86_64--> Finished Dependency ResolutionError: Package: nxlog-ce-3.1.2319-1.x86_64 (/nxlog-ce-3.1.2319_rhel7.x86_64)          Requires: libpython3.6m.so.1.0()(64bit)You could try using --skip-broken to work around the problemYou could try running: rpm -Va --nofiles --nodigest

Example documentation reads  <Select Path='Application'>*</Select> <Select Path='Security'>*[System/Level&lt;4]</Select> <Select Path='System'>*</Select> I have <Select Path="ForwardedEvents">*</Select> can I specify the config as <Select Path="ForwardedEvents">*[System/Level&lt;4]</Select>to pick up all log files as some are not forwarding

I have Windows server subscribing to a windows log event forwarder.  I have noticed that some events that appear within the forwarded event log are not ingested by NX Log and forwarded to the SIEM platform.  eg  event id 1102 and 22both events are forwarded from the source servers to the windows forwarded where nx log is running so windows upload is fine, just nxlog sending on to SIEM 

After applying the most recent Windows Patch, NXlog 2.10.2150 crashed on Windows 2022. Upgrades the nxlog agent to version 3.1.2319, however the problem continuesThe nxlog process became suspended in task manager, and the agent kept crashing.

Hi, I'm trying to send logs from a client (Ubuntu 20.04.4 LTS) to server (Ubuntu 22.04 LTS).nxlog -v from the server throws an error: ERROR Failed to load module from /usr/lib/nxlog/modules/output/out_file.so, /usr/lib/nxlog/modules/output/out_file.so: cannot open shared object file: No such file or directory;DSO load failed Can someone please help me identify the problem?Thanks. Below is the conf file for client, which has no errors:define ROOT /etc/nxlog Group nxlog Moduledir /usr/lib/nxlog/modules CacheDir %ROOT%/data SpoolDir %ROOT%/data Pidfile /tmp/nxlog.pid include /etc/nxlog/nxlog.d/*.conf LogFile /var/log/nxlog/nxlog.log LogLevel INFO <Extension _syslog> Module xm_syslog </Extension> <Input in1> Module im_file File "/var/log/auth.log" SavePos TRUE ReadFromLast TRUE </Input> <Input in2> Module im_file File "/var/log/syslog" SavePos TRUE ReadFromLast TRUE </Input> <Output out1> Module om_ssl Host 10.XXX.XXX.XXX Port 6514 </Output> <Output out2> Module om_ssl Host 10.XXX.XXX.XXX Port 6514 </Output> <Route file_to_ssl> Path in1 => out1 Path in2 => out2 </Route>Below is the conf file for server showing the above mentioned error: define ROOT /etc/nxlog Group nxlog Moduledir /usr/lib/nxlog/modules CacheDir %ROOT%/data SpoolDir %ROOT%/data Pidfile /tmp/nxlog.pid include /etc/nxlog/nxlog.d/*.conf LogFile /var/log/nxlog/nxlog.log LogLevel INFO <Extension _syslog> Module xm_syslog </Extension> <Input in1> Module im_ssl Host 10.XXX.XXX.XXX Port 6514 </Input> <Input in2> Module im_ssl Host 10.XXX.XXX.XXX Port 6514 </Input> <Output out1> Module out_file File "/var/log/nxremotelogs/"$Hostname".log" SavePos TRUE ReadFromLast TRUE </Output> <Output out2> Module out_file File "/var/log/nxremotelogs/"$Hostname".log" SavePos TRUE ReadFromLast TRUE </Output> <Route 1> Path in1 => out1 </Route> <Route tcproute> Path in2 => out2 </Route>

Hi All,We have purchased 100 NXLog Enterprise Edition Annual Licenses (node based). Can anybody let us know how we update the license when we install the NXLog Enterprise Edition to a windows server?Regards,Valuepoint Team