Hi everybody,
I would like to centralize Sysmon events from endpoints using WEF and then forward the "Forwarded Events" from the collector server to Graylog. Can I do it using the Community Edition of NXLog? If yes,
- can I preserve the originating endpoint as the source?
- which format do I need to use (SYSLOG or GELF)?
Thanks
chauchard created
Hello, I parameterized the nxlog configuration file as seen in the examples for the logs of my Windows 2016 servers, but when I restart the services with it, I find this in the nxlog log files:
nxlog failed to start: Expected </Extension_gelf> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
nxlog failed to start: Expected </Extension_gelf> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
nxlog failed to start: Expected </Extension2> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
Do you have ideas to list the errors? thank you in advance
feujj created
Hello,
When using Sysmon and NXLog, nxlog.exe triggers alerts for suspicious file characteristics from the Sigma rule
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
The nxlog.exe binary (and others?) is missing property fields like product, file version, company and description.
Having those, along with a binary signature, would be great!
Thanks a lot for great work!
juju43 created
Hi,
My app runs on Windows and writes its log to the file a.log. When I run NXLog to watch this file (to send the log to the server), my app gets CFileException::sharingViolation trying to write to a.log. It does not always happen, but when the log is big it sometimes happens and my app cannot write to a.log.
Searching the internet, I found 'You should open the file with CFile::shareDenyNone' to avoid this problem. So my questions are:
- Does NXLog open the file with CFile::shareDenyNone?
- How can I avoid this problem?
Here's my nxlog.conf 's input configuration.
<Input watchfile>
    Module im_file
    File 'C:\Log\a.log'
    Exec $Message = $raw_event;
    Exec if file_name() =~ /.\(.)/ $SourceName = $1;
    SavePos TRUE
    Recursive TRUE
    CloseWhenIdle TRUE
</Input>
Any comment will be appreciated. Thanks
Harry
phg98 created
Hi Guys,
We are using NXLog Community to ship server logs to a lake. PowerShell logs are collected on the server but we want to exclude shipping them; after much googling I thought it would be as easy as adding this line to the conf:
Exec if ($SourceName == 'PowerShell (PowerShell)') drop();
This does not work. Can any NX experts out there advise?
Thanks, O.
Fit_gurl created
$message =~ /(?<timestamp>\d+/\d+.\d+ )/s; $ts=$timestamp; $ts2=$1;
$ts2 has the right info, $ts=""
version nxlog-ce-2.10.2150
dlang created
Hi all, It's possible (using the queries) to ONLY receive logs related to all windows administrators and not related to all users? Thanks.
sec created
Hi All,
Every once in a while nxlog on some Windows servers enters the stopped state after this error:
62501: 2019-10-21 04:32:54 ERROR EvtNext failed with error 1717: The interface is unknown.
Does anybody know what might be causing this? All I could find is that this may have been a bug that was resolved in newer versions. We are using v 4.0.3735
Thanks, Jarka
jvhr created
I am reading Windows DNS logs, and at the start of each file Windows adds a block of header text. Note that Windows will do this in the middle of a multiline log message. Ideally what I want is that when the file is opened, im_file will throw away the header and then pass the rest of the file to xm_multiline, so that xm_multiline never knows it was there. As a work-around I could add a bunch of filters to match each known bad line and throw it out, but that's a pretty inefficient way to do things. This would be something similar to OnEOF but happening at the start of the file instead.
an example is:
DNS Server log file creation at 11/6/2019 6:19:22 PM
Log file wrap at 11/6/2019 6:19:22 PM

Message logging key (for packets - other items use a subset of these fields):

  Field #  Information                      Values
  -------  -----------                      ------
     1     Date
     2     Time
     3     Thread ID
     4     Context
     5     Internal packet identifier
     6     UDP/TCP indicator
     7     Send/Receive indicator
     8     Remote IP
     9     Xid (hex)
    10     Query/Response                   R = Response
                                            blank = Query
    11     Opcode                           Q = Standard Query
                                            N = Notify
                                            U = Update
                                            ? = Unknown
    12     [ Flags (hex)
    13     Flags (char codes)               A = Authoritative Answer
                                            T = Truncated Response
                                            D = Recursion Desired
                                            R = Recursion Available
    14     ResponseCode ]
    15     Question Type
    16     Question Name
normal log data, potentially starting in the middle of a log
dlang created
Hi. How can I write an SQL statement to a variable? For example:
define variable $sql_statement = SELECT some_func()
and in module om_dbi use this variable like:
Module om_dbi
SQL $sql_statement
Driver pgsql
Bohdan.Lisovskyi created
I am parsing DNS logs (windows debug logs) where there may be multiple answers to one query (cname plus IP, or multiple cnames, or multiple IPs) but I want to normalize the output so that each output line contains one and only one answer (with the rest of the output being the same)
so if I start with
source 1.1.1.1 query type A query foo.com answer cname bar.com answer A 2.2.2.2
how can I get my output to be:
source 1.1.1.1 query type A query foo.com answer cname bar.com
source 1.1.1.1 query type A query foo.com answer A 2.2.2.2
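Both DNS-log questions above (dropping the header block Windows writes at file creation or wrap, and fanning one multi-answer record out to one line per answer) can be handled by a small pre-processor placed in front of the multiline parser. This is an added Python example, not code from either post or from NXLog; the header terminator (the `16 Question Name` line taken from the quoted header), the simplified `source ... query ... answer ...` record layout from the question, and the sample file are constructed assumptions.

```python
import re

# Constructed sample (abridged header): the block Windows writes at file
# creation / wrap, a record carrying two answers, and a second header that
# appears mid-file, as the first question describes.
SAMPLE = """DNS Server log file creation at 11/6/2019 6:19:22 PM
Log file wrap at 11/6/2019 6:19:22 PM

Message logging key (for packets - other items use a subset of these fields):
  Field #  Information         Values
  -------  -----------         ------
     1     Date
    16     Question Name

11/6/2019 6:19:23 PM source 1.1.1.1 query type A query foo.com answer cname bar.com answer A 2.2.2.2
DNS Server log file creation at 11/6/2019 6:19:24 PM
    16     Question Name
11/6/2019 6:19:24 PM source 1.1.1.2 query type A query baz.com answer A 3.3.3.3
"""

HEADER_START = "DNS Server log file creation at "
HEADER_END = re.compile(r"^\s*16\s+Question Name\s*$")   # last line of the field key
RECORD_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")

def strip_headers(lines):
    """Drop every header block (file start or mid-file) before multiline parsing.
    A header runs from its 'DNS Server log file creation' line to the end of
    the field key; a timestamped record line also ends it, should the key be
    absent, so continuation lines of an interrupted record are kept."""
    in_header = True                    # a file always opens with a header
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith(HEADER_START):
            in_header = True
        if in_header:
            if HEADER_END.match(line):
                in_header = False       # swallow the terminator line too
                continue
            if not RECORD_START.match(line):
                continue
            in_header = False
        yield line

def split_answers(record):
    """One output record per 'answer <type> <value>' clause, rest repeated."""
    head, *answers = re.split(r"\s+answer\s+", record)
    return [f"{head} answer {a}" for a in answers] or [record]

def normalize(text):
    return [r for line in strip_headers(text.splitlines())
            if line.strip() for r in split_answers(line)]
```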
dlang created
Hi There,
Using the CE edition on a Server 2012 R2 collector. I see in the logs the following: ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\output\Module om_udp.dll, The specified module could not be found.
The config file %ROOT% has the correct path as far as I can see. I've reinstalled and once I start/restart services then this message appears.
NXLog Ver: 2.10.2102
Any help appreciated!
Fravocado created
I have a Graylog NXLog configuration that contains a multiline input. I'm trying to figure out what the best regex would be for the HeaderLine to delimit each message as a group for each instance of a username that appears in the log.
This is the desired output:
Message 1 should contain:
Username : <Username1>
Index : <Index>
Assigned IP : <IP1>
Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:15:34 UTC Fri Nov 1 2019
Message 2 should contain:
Username : <Username2>
Index : <Index>
Assigned IP : <IP1>
Public IP : <IP2>
Group Policy : <GroupPolicy>
Login Time : 15:16:12 UTC Fri Nov 1 2019
Instead, this is what happens:
Message 1: Username
Message 2: Index
Message 3: Assigned IP
Message 4: Public IP
So on and so forth. Looking for advice on what should be put in the HeaderLine so the logs are delimited and can be read properly. Thanks in advance!
ajtjavier created
Dear All, I have been using this product for months and it works fine; every Windows PC (Win 7 and Win 10) sends information to a central Linux syslog server. Now it doesn't work because I've changed network settings. All of my Windows computers use 802.1x authentication, so networking comes up only after user login.
Maybe NXLog starts before user login and tries to connect to the syslog server, sending some messages; since it can't reach the syslog server it stays in running status and doesn't send any other information.
Any ideas? Thanks a lot for your help! Best Regards, Willy
willy70 created
nwalters created
Here are the error messages:
2019-10-30 11:38:17 INFO nxlog-ce-2.10.2150 started
2019-10-30 11:38:22 WARNING stopping nxlog service
2019-10-30 11:38:22 WARNING nxlog-ce received a termination request signal, exiting...
Conf file:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module im_msvistalog
    ReadFromLast TRUE
    # For windows 2003 and earlier use the following:
    # Module im_mseventlog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Application">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Security">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output Graylog>
    Module om_udp
    Host secret
    Port secret
    OutputType GELF_UDP
</Output>

<Route 1>
    Path in => Graylog
</Route>
mpark916 created
There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Can you help me understand why the configuration does not work?
<Extension Testlist>
    Module xm_filelist
    File "c:\logs\List\Testlist.txt"
    CheckInterval 600
</Extension>

<Input in_ForwardedEvents>
    Module im_msvistalog
    ReadFromLast False
    SavePos True
    ResolveSID False
    PollInterval 5
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4624)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Processor proc_list>
    Module pm_transformer
    <Exec>
        if Testlist->contains($TargetUserName, TRUE) $rule = "rule1";
    </Exec>
</Processor>

<Output out_file_raw>
    Module om_file
    CreateDir TRUE
    File 'c:\logs\test.log'
    Exec to_json();
</Output>

<Route rout_file>
    Path in_ForwardedEvents => proc_list => out_file_raw
</Route>
Give an example configuration using the xm_filelist module.
lichtsinnig created
Good day everyone!
I am starting to use NXLog CE in my environment and have a few Windows devices not reporting to my Observium server. I have the same .conf deployed across all Windows devices. I am attempting to pattern-hunt what could be different, but being enterprise devices they are not configured much differently. I have a local debug file running and I am seeing events being written on all devices.
I know this is not much detail but I would appreciate any suggestions of places to look.
Thank you in advance,
Scott
sconnary32 created
Hi, my system creates a binary log file whenever some error happens, so I would like to send the binary log file to a server (also running NXLog) when the file is created. The binary log file is created with a specific extension (for example *.binlog) and I want to send the file to the server with the same filename. Can I do this with NXLog?
Thanks.
Harry
phg98 created