Hi everybody,

I would like to centralize sysmon events from endpoints using WEF and then forward "forwarded events" from collector server to graylog. Can i do it using Community edition of Nxlog ? If yes,

• can i concerve originated enpoint source ?
• which format does i need to use (SYSLOG or GELF) ?

Thanks

Hello, I parameterized as seen in the examples the nxlog configuration file for the logs of my Windows 2016 servers, but when I restart the services with them. In the nxlog files I find this:

nxlog failed to start: Expected </Extension_gelf> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48

nxlog failed to start: Expected </Extension_gelf> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48

nxlog failed to start: Expected </Extension2> but saw </Extension> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48

Do you have ideas to list the errors? thank you in advance

Hello,

When using sysmon and nxlog, nxlog.exe is triggering alerts for suspicious file characteristics from sigma
https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml

nxlog.exe binary (others?) have missing properties fields like product, fileversion, company, description.

Having those along binary signature would be great!

Thanks a lot for great work!

Hi,

My app runs on Windows and it writes log to the file a.log. When I run NXLog to watch this file (to send log to the server), My app gets CFileException::sharingViolation trying to write log to a.log file. It does not happen always, but when the log is big sometimes it happens and my app can not write log to a.log file.

Searching the internet, I found 'You should open the file with CFile::shareDenyNone' to avoid this problem. So my questions is :

1. Is NXLog opens the file with ' CFile::shareDenyNone'?
2. How can I avoid this problem?

Here's my nxlog.conf 's input configuration.

<Input watchfile> Module im_file File 'C:\Log\a.log' Exec $Message = $raw_event; Exec if file_name() =~ /.\(.)/ $SourceName = $1; SavePos TRUE Recursive TRUE CloseWhenIdle TRUE </Input>

Any comment will be appreciated. Thanks

Harry

Hi Guy's,

We are using nxlog community to ship server logs to a lake, powershell logs are collected on the server but we want to exclude shipping them, after much googling i thought it would be as easy as adding this line to the conf:

Exec if ($SourceName == 'PowerShell (PowerShell)' drop();

This does not work, can any experts in NX out there advise?

Thanks, O.

$message =~ /(?<timestamp>\d+/\d+.\d+ )/s; $ts=$timestamp; $ts2=$1;

$ts2 has the right info, $ts=""

version nxlog-ce-2.10.2150

Hi all, It's possible (using the queries) to ONLY receive logs related to all windows administrators and not related to all users? Thanks.

Hi All,

every once in a while nxlog on some win servers enteres stopped state after this error:

62501: 2019-10-21 04:32:54 ERROR EvtNext failed with error 1717: The interface is unknown.

Does anybody know what might be causing this? All I could find is that this may have been a bug that was resolved in newer versions though. We are using v 4.0.3735

Thanks, Jarka

I am reading windows dns logs, and at the start of each file, windows adds text at the beginning of each file. Note that windows will do this in the middle of a multiline log message. Ideally what I want is that when the file is opened, im_file will throw away the header and then pass the rest of the file to xm_multiline so that xm_multiline never knows that this was there. As a work-around I could add a bunch of filters to match each known bad line and throw it out, but that's a pretty inefficient way to do things, This would be something similar to onEOF but happen at the start of the file instead.

an example is:

DNS Server log file creation at 11/6/2019 6:19:22 PM Log file wrap at 11/6/2019 6:19:22 PM

Message logging key (for packets - other items use a subset of these fields): Field # Information Values ------- ----------- ------ 1 Date 2 Time 3 Thread ID 4 Context 5 Internal packet identifier 6 UDP/TCP indicator 7 Send/Receive indicator 8 Remote IP 9 Xid (hex) 10 Query/Response R = Response blank = Query 11 Opcode Q = Standard Query N = Notify U = Update ? = Unknown 12 [ Flags (hex) 13 Flags (char codes) A = Authoritative Answer T = Truncated Response D = Recursion Desired R = Recursion Available 14 ResponseCode ] 15 Question Type 16 Question Name

normal log data, potentially starting in the middle of a log

Hi. How can I write SQL statement to the variable. For example: define variable $sql_statement = SELECT some_func() and in module om_dbi use this variable like Module om_dbi SQL $sql_statement Driver pgsql

I am parsing DNS logs (windows debug logs) where there may be multiple answers to one query (cname plus IP, or multiple cnames, or multiple IPs) but I want to normalize the output so that each output line contains one and only one answer (with the rest of the output being the same)

so if I start with

source 1.1.1.1 query type A query foo.com answer cname bar.com answer A 2.2.2.2

how can I get my output to be:

source 1.1.1.1 query type A query foo.com answer cname bar.com source 1.1.1.1 query type A query foo.com answer A 2.2.2.2

Hi There,

Using the CE edition on a Server 2012 R2 collector. I see in the logs the following: ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\output\Module om_udp.dll, The specified module could not be found.

The config file %ROOT% has the correct path as far as I can see. I've reinstalled and once I start/restart services then this message appears.

NXLog Ver: 2.10.2102

Any help appreciated!

I have a Graylog NXLog configuration that contains a multiline input. I'm trying to figure out what the best regex would be for the HeaderLine to delimit each message as a group for each instance of a username that appears in the log.

This is the desired output:

Message 1 should contain: Username : <Username1> Index : <Index> Assigned IP : <IP1> Public IP : <IP2> Group Policy : <GroupPolicy> Login Time : 15:15:34 UTC Fri Nov 1 2019

Message 2 should contain: Username : <Username2> Index : <Index> Assigned IP : <IP1> Public IP : <IP2> Group Policy : <GroupPolicy> Login Time : 15:16:12 UTC Fri Nov 1 2019

Instead, this is what happens:

Message 1: Username Message 2: Index Message 3: Assigned IP Message 4: Public IP

So on and so forth. Looking for advice on what should be put in the HeaderLine so the logs are delimited and can be read properly. Thanks in advance!

Dear All, I'm using this product for a months and it works fine, every windows PC (Win 7 and Win10) sent informations to central linux syslog server. Now it doesn't work because I've changed network settings. All of my Windows computers have got 802.1x authentication so the networking goes up after user login.

Maybe NXlog starts before user login and try to connect syslog server sending some messages, so it doesn't reach syslog remain in running status and don't send any other informations.

Any ideas ? Thanks a lot for you help ! Best Regards Willy

Hello, We are using NXLog extensively and just recently started seeing some parsing issues, so far specifically on Windows 2012r2 using Windows Event Forwarding, but could be others. It appears to be something with processing self-closed tags at first glance, but I've done a little bit of testing myself and couldn't directly reproduce the problem (so far), so figured I'd come here for guidance. Specific details are included below. **Current Behavior** NXLog appears to be improperly parsing empty, self-closed XML tags. **Expected Behavior** NXLog properly ignores empty, self-closed XML tags. **NXLog Version**: nxlog-ce-2.10.2150 **NXLog Configuration File**: ``` ## NXLog configuration file define ROOT C:\Program Files (x86)\nxlog define LOGFILE %ROOT%\data\nxlog.log Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %LOGFILE% # Rotate agent logs on the local system such that only the last 4 files are kept Module xm_fileop # Check the size of our log file every hour and rotate if it is larger than 1M Every 1 hour Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 4); # Rotate our log file every week on sunday at midnight When @weekly Exec file_cycle('%LOGFILE%', 4); Module xm_syslog Module xm_json # Agent logs Module im_internal # OS logs Module im_msvistalog # Drop EventID 5156 logs when application name is nxlog.exe Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing')\ AND ($EventID == 5156)\ AND ($Application =~ /nxlog.exe$/)\ drop(); Module im_msvistalog Query \ \ *\ \ # SIEM port 3514 is listening for JSON-encoded IETF style syslog messages # OutputType Syslog_TLS required to enable the octet-framing described in RFC5425 Module om_tcp Host XXX.XXX.XXX.XXX Port 3514 OutputType Syslog_TLS Exec $Message = to_json(); # Remove param-value pairs from structured data header with names > 32 characters. Exec if ($SourceName == 'Microsoft-Windows-GroupPolicy') {\ if ($EventID == 5017) OR ($EventID == 6017) OR ($EventID == 7017)\ delete($OperationElaspedTimeInMilliSeconds);\ if ($EventID == 5116) OR ($EventID == 6116) OR ($EventID == 7116)\ delete($GpsvcInitTimeElapsedInMilliseconds);\ if ($EventID == 5126) OR ($EventID == 6126) OR ($EventID == 7126)\ delete($GPODownloadTimeElapsedInMilliseconds);\ if ($EventID == 5257) OR ($EventID == 6257) OR ($EventID == 7257)\ delete($PolicyDownloadTimeElapsedInMilliseconds);\ if ($EventID == 5351) OR ($EventID == 6351) OR ($EventID == 7351)\ delete($WinlogonReturnTimeElapsedInMilliseconds);\ } Exec to_syslog_ietf(); Path internal, eventlog, forwardedEvents => out ``` **Windows Version**: Windows 2012r2 (potentially others, but confirmed for sure on this one) **Example Exported XML from EventViewer** ``` 4688201331200x80200000000000005238702734Securityhostname.domainS-1-5-18workstation$DOMAIN0x3e70x1754C:\Windows\System32\wbem\WmiApSrv.exe%%19360x2f8S-1-0-0--0x0A new process has been created...InformationProcess CreationInfoSecurityMicrosoft Windows security auditing.Audit Success ``` **Example Data as Received on the wire**: ``` 1 2019-10-21T15:44:36.650065-04:00 hostname.domain Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4688" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="2" Task="13312" OpcodeValue="0" RecordNumber="355111132" ThreadID="5020" Channel="Security" Category="Process Creation" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="workstation$" SubjectDomainName="DOMAIN" SubjectLogonId="0x3e7" NewProcessId="0x13a8" NewProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" TokenElevationType="%%1936" CommandLine\'/>

Here are the error messages:

2019-10-30 11:38:17 INFO nxlog-ce-2.10.2150 started 2019-10-30 11:38:22 WARNING stopping nxlog service 2019-10-30 11:38:22 WARNING nxlog-ce received a termination request signal, exiting...

Conf file:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _gelf> Module xm_gelf </Extension>

<Input in> Module im_msvistalog ReadFromLast TRUE

For windows 2003 and earlier use the following:

Module im_mseventlog

Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Security">*</Select>
</Query>
</QueryList> </Input>

<Output Graylog> Module om_udp Host secret Port secret OutputType GELF_UDP </Output>

<Route 1> Path in => Graylog </Route>

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work?

<Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension>

<Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input>

<Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor>

<Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output>

<Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route>

Give an example configuration using the xm_filelist module.

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work?

<Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension>

<Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input>

<Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor>

<Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output>

<Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route>

Give an example configuration using the xm_filelist module.

Good day everyone!

I am starting to use NXLog:CE in my environment and am having a few windows devices not reporting to my Observium server. I have the same .conf deployed across all windows devices. I am attempting to pattern hunt what could be different but being enterprise devices they are not configured much differently. I have a local debug file running and I am seeing events being written on all devices.

I know this is not much detail but I would appreciate any suggestions of places to look.

Thank you in advance,

Scott

Hi, My system creates binary log file whenever some error happens. So, I would like to send the binary log file to server(also running the nxlog) when the file is created. The binary log file is created with specific extension name (for example *.binlog) and I want to send the file to server with same filename. Can I do this with nxlog?

Thanks.

Harry