Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Nxlog CE vs EE

Hi everybody,

I would like to centralize sysmon events from endpoints using WEF and then forward "forwarded events" from collector server to graylog. Can i do it using Community edition of Nxlog ? If yes,

  • can i concerve originated enpoint source ?
  • which format does i need to use (SYSLOG or GELF) ?

Thanks


chauchard created
Replies: 2
View post »
last updated
Windows logs can'

Hello, I parameterized as seen in the examples the nxlog configuration file for the logs of my Windows 2016 servers, but when I restart the services with them. In the nxlog files I find this:

nxlog failed to start: Expected </Extension_gelf> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48

nxlog failed to start: Expected </Extension_gelf> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48

nxlog failed to start: Expected </Extension2> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48

Do you have ideas to list the errors? thank you in advance


feujj created
Replies: 3
View post »
last updated
Nxlog windows binaries properties/metadata

Hello,

When using sysmon and nxlog, nxlog.exe is triggering alerts for suspicious file characteristics from sigma
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml

nxlog.exe binary (others?) have missing properties fields like product, fileversion, company, description.

Having those along binary signature would be great!

Thanks a lot for great work!


juju43 created
Replies: 1
View post »
last updated
My app gets CFileException::sharingViolation when nxlog is running

Hi,

My app runs on Windows and it writes log to the file a.log. When I run NXLog to watch this file (to send log to the server), My app gets CFileException::sharingViolation trying to write log to a.log file. It does not happen always, but when the log is big sometimes it happens and my app can not write log to a.log file.

Searching the internet, I found 'You should open the file with CFile::shareDenyNone' to avoid this problem. So my questions is :

  1. Is NXLog opens the file with ' CFile::shareDenyNone'?
  2. How can I avoid this problem?

Here's my nxlog.conf 's input configuration.

<Input watchfile> Module im_file File 'C:\Log\a.log' Exec $Message = $raw_event; Exec if file_name() =~ /.\(.)/ $SourceName = $1; SavePos TRUE Recursive TRUE CloseWhenIdle TRUE </Input>

Any comment will be appreciated. Thanks

Harry


phg98 created
Replies: 1
View post »
last updated
Powershell application logs exclusion

Hi Guy's,

We are using nxlog community to ship server logs to a lake, powershell logs are collected on the server but we want to exclude shipping them, after much googling i thought it would be as easy as adding this line to the conf:

Exec if ($SourceName == 'PowerShell (PowerShell)' drop();

This does not work, can any experts in NX out there advise?

Thanks, O.


Fit_gurl created
Replies: 1
View post »
last updated
named capture not working

$message =~ /(?<timestamp>\d+/\d+.\d+ )/s; $ts=$timestamp; $ts2=$1;

$ts2 has the right info, $ts=""

version nxlog-ce-2.10.2150


dlang created
Replies: 1
View post »
last updated
Administrators related logs

Hi all, It's possible (using the queries) to ONLY receive logs related to all windows administrators and not related to all users? Thanks.


sec created
Replies: 1
View post »
last updated
NxLog ERROR EvtNext failed with error 1717: The interface is unknown.

Hi All,

every once in a while nxlog on some win servers enteres stopped state after this error:

62501: 2019-10-21 04:32:54 ERROR EvtNext failed with error 1717: The interface is unknown.

Does anybody know what might be causing this? All I could find is that this may have been a bug that was resolved in newer versions though. We are using v 4.0.3735

Thanks, Jarka


jvhr created
Replies: 1
View post »
last updated
in imfile, can you filter a multiline comment from the start of the file?

I am reading windows dns logs, and at the start of each file, windows adds text at the beginning of each file. Note that windows will do this in the middle of a multiline log message. Ideally what I want is that when the file is opened, im_file will throw away the header and then pass the rest of the file to xm_multiline so that xm_multiline never knows that this was there. As a work-around I could add a bunch of filters to match each known bad line and throw it out, but that's a pretty inefficient way to do things, This would be something similar to onEOF but happen at the start of the file instead.

an example is:

DNS Server log file creation at 11/6/2019 6:19:22 PM Log file wrap at 11/6/2019 6:19:22 PM

Message logging key (for packets - other items use a subset of these fields): Field # Information Values ------- ----------- ------ 1 Date 2 Time 3 Thread ID 4 Context 5 Internal packet identifier 6 UDP/TCP indicator 7 Send/Receive indicator 8 Remote IP 9 Xid (hex) 10 Query/Response R = Response blank = Query 11 Opcode Q = Standard Query N = Notify U = Update ? = Unknown 12 [ Flags (hex) 13 Flags (char codes) A = Authoritative Answer T = Truncated Response D = Recursion Desired R = Recursion Available 14 ResponseCode ] 15 Question Type 16 Question Name

normal log data, potentially starting in the middle of a log


dlang created
Replies: 1
View post »
last updated
SQL om_dbi

Hi. How can I write SQL statement to the variable. For example: define variable $sql_statement = SELECT some_func() and in module om_dbi use this variable like Module om_dbi SQL $sql_statement Driver pgsql


Bohdan.Lisovskyi created
Replies: 1
View post »
last updated
how can I turn one log event into multiple messages

I am parsing DNS logs (windows debug logs) where there may be multiple answers to one query (cname plus IP, or multiple cnames, or multiple IPs) but I want to normalize the output so that each output line contains one and only one answer (with the rest of the output being the same)

so if I start with

source 1.1.1.1 query type A query foo.com answer cname bar.com answer A 2.2.2.2

how can I get my output to be:

source 1.1.1.1 query type A query foo.com answer cname bar.com source 1.1.1.1 query type A query foo.com answer A 2.2.2.2


dlang created
Replies: 1
View post »
last updated
om_udp Module not loading

Hi There,

Using the CE edition on a Server 2012 R2 collector. I see in the logs the following: ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\output\Module om_udp.dll, The specified module could not be found.

The config file %ROOT% has the correct path as far as I can see. I've reinstalled and once I start/restart services then this message appears.

NXLog Ver: 2.10.2102

Any help appreciated!


Fravocado created
Replies: 1
View post »
last updated
Multiline input, HeaderLine: Delimit each message at each instance of Username

I have a Graylog NXLog configuration that contains a multiline input. I'm trying to figure out what the best regex would be for the HeaderLine to delimit each message as a group for each instance of a username that appears in the log.

This is the desired output:

Message 1 should contain: Username : <Username1> Index : <Index> Assigned IP : <IP1> Public IP : <IP2> Group Policy : <GroupPolicy> Login Time : 15:15:34 UTC Fri Nov 1 2019

Message 2 should contain: Username : <Username2> Index : <Index> Assigned IP : <IP1> Public IP : <IP2> Group Policy : <GroupPolicy> Login Time : 15:16:12 UTC Fri Nov 1 2019

Instead, this is what happens:

Message 1: Username Message 2: Index Message 3: Assigned IP Message 4: Public IP

So on and so forth. Looking for advice on what should be put in the HeaderLine so the logs are delimited and can be read properly. Thanks in advance!


ajtjavier created
Replies: 3
View post »
last updated
failed with network authentication ....

Dear All, I'm using this product for a months and it works fine, every windows PC (Win 7 and Win10) sent informations to central linux syslog server. Now it doesn't work because I've changed network settings. All of my Windows computers have got 802.1x authentication so the networking goes up after user login.

Maybe NXlog starts before user login and try to connect syslog server sending some messages, so it doesn't reach syslog remain in running status and don't send any other informations.

Any ideas ? Thanks a lot for you help ! Best Regards Willy


willy70 created
Replies: 5
View post »
last updated
Windows 2012r2 (and possibly others) NXLog parsing issue?
Hello, We are using NXLog extensively and just recently started seeing some parsing issues, so far specifically on Windows 2012r2 using Windows Event Forwarding, but could be others. It appears to be something with processing self-closed tags at first glance, but I've done a little bit of testing myself and couldn't directly reproduce the problem (so far), so figured I'd come here for guidance. Specific details are included below. **Current Behavior** NXLog appears to be improperly parsing empty, self-closed XML tags. **Expected Behavior** NXLog properly ignores empty, self-closed XML tags. **NXLog Version**: nxlog-ce-2.10.2150 **NXLog Configuration File**: ``` ## NXLog configuration file define ROOT C:\Program Files (x86)\nxlog define LOGFILE %ROOT%\data\nxlog.log Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %LOGFILE% # Rotate agent logs on the local system such that only the last 4 files are kept Module xm_fileop # Check the size of our log file every hour and rotate if it is larger than 1M Every 1 hour Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 4); # Rotate our log file every week on sunday at midnight When @weekly Exec file_cycle('%LOGFILE%', 4); Module xm_syslog Module xm_json # Agent logs Module im_internal # OS logs Module im_msvistalog # Drop EventID 5156 logs when application name is nxlog.exe Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing')\ AND ($EventID == 5156)\ AND ($Application =~ /nxlog.exe$/)\ drop(); Module im_msvistalog Query \ \ *\ \ # SIEM port 3514 is listening for JSON-encoded IETF style syslog messages # OutputType Syslog_TLS required to enable the octet-framing described in RFC5425 Module om_tcp Host XXX.XXX.XXX.XXX Port 3514 OutputType Syslog_TLS Exec $Message = to_json(); # Remove param-value pairs from structured data header with names > 32 characters. Exec if ($SourceName == 'Microsoft-Windows-GroupPolicy') {\ if ($EventID == 5017) OR ($EventID == 6017) OR ($EventID == 7017)\ delete($OperationElaspedTimeInMilliSeconds);\ if ($EventID == 5116) OR ($EventID == 6116) OR ($EventID == 7116)\ delete($GpsvcInitTimeElapsedInMilliseconds);\ if ($EventID == 5126) OR ($EventID == 6126) OR ($EventID == 7126)\ delete($GPODownloadTimeElapsedInMilliseconds);\ if ($EventID == 5257) OR ($EventID == 6257) OR ($EventID == 7257)\ delete($PolicyDownloadTimeElapsedInMilliseconds);\ if ($EventID == 5351) OR ($EventID == 6351) OR ($EventID == 7351)\ delete($WinlogonReturnTimeElapsedInMilliseconds);\ } Exec to_syslog_ietf(); Path internal, eventlog, forwardedEvents => out ``` **Windows Version**: Windows 2012r2 (potentially others, but confirmed for sure on this one) **Example Exported XML from EventViewer** ``` 4688201331200x80200000000000005238702734Securityhostname.domainS-1-5-18workstation$DOMAIN0x3e70x1754C:\Windows\System32\wbem\WmiApSrv.exe%%19360x2f8S-1-0-0--0x0A new process has been created...InformationProcess CreationInfoSecurityMicrosoft Windows security auditing.Audit Success ``` **Example Data as Received on the wire**: ``` 1 2019-10-21T15:44:36.650065-04:00 hostname.domain Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4688" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="2" Task="13312" OpcodeValue="0" RecordNumber="355111132" ThreadID="5020" Channel="Security" Category="Process Creation" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="workstation$" SubjectDomainName="DOMAIN" SubjectLogonId="0x3e7" NewProcessId="0x13a8" NewProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" TokenElevationType="%%1936" CommandLine\'/>

nwalters created
Replies: 1
View post »
last updated
The log files are not providing me enough information to figure out whats wrong!!

Here are the error messages:

2019-10-30 11:38:17 INFO nxlog-ce-2.10.2150 started 2019-10-30 11:38:22 WARNING stopping nxlog service 2019-10-30 11:38:22 WARNING nxlog-ce received a termination request signal, exiting...

Conf file:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _gelf> Module xm_gelf </Extension>

<Input in> Module im_msvistalog ReadFromLast TRUE

For windows 2003 and earlier use the following:

Module im_mseventlog

Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System">
</Select>
<Select Path="Security">*</Select>
</Query>
</QueryList> </Input>

<Output Graylog> Module om_udp Host secret Port secret OutputType GELF_UDP </Output>

<Route 1> Path in => Graylog </Route>


mpark916 created
Replies: 8
View post »
last updated
xm_filelist module configuration

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work?

<Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension>

<Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input>

<Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor>

<Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output>

<Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route>

Give an example configuration using the xm_filelist module.


lichtsinnig created
Replies: 1
View post »
last updated
xm_filelist module configuration

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work?

<Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension>

<Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input>

<Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor>

<Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output>

<Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route>

Give an example configuration using the xm_filelist module.


lichtsinnig created
Some windows devices not reporting while the majority will

Good day everyone!

I am starting to use NXLog:CE in my environment and am having a few windows devices not reporting to my Observium server. I have the same .conf deployed across all windows devices. I am attempting to pattern hunt what could be different but being enterprise devices they are not configured much differently. I have a local debug file running and I am seeing events being written on all devices.

I know this is not much detail but I would appreciate any suggestions of places to look.

Thank you in advance,

Scott


sconnary32 created
Replies: 2
View post »
last updated
Send binary file when created

Hi, My system creates binary log file whenever some error happens. So, I would like to send the binary log file to server(also running the nxlog) when the file is created. The binary log file is created with specific extension name (for example *.binlog) and I want to send the file to server with same filename. Can I do this with nxlog?

Thanks.

Harry


phg98 created
Replies: 1
View post »
last updated