Hi. How can I write SQL statement to the variable. For example: define variable $sql_statement = SELECT some_func() and in module om_dbi use this variable like Module om_dbi SQL $sql_statement Driver pgsql

I am parsing DNS logs (windows debug logs) where there may be multiple answers to one query (cname plus IP, or multiple cnames, or multiple IPs) but I want to normalize the output so that each output line contains one and only one answer (with the rest of the output being the same) so if I start with source 1.1.1.1 query type A query foo.com answer cname bar.com answer A 2.2.2.2 how can I get my output to be: source 1.1.1.1 query type A query foo.com answer cname bar.com source 1.1.1.1 query type A query foo.com answer A 2.2.2.2

Hi There, Using the CE edition on a Server 2012 R2 collector. I see in the logs the following: ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\output\Module om_udp.dll, The specified module could not be found. The config file %ROOT% has the correct path as far as I can see. I've reinstalled and once I start/restart services then this message appears. NXLog Ver: 2.10.2102 Any help appreciated!

I have a Graylog NXLog configuration that contains a multiline input. I'm trying to figure out what the best regex would be for the HeaderLine to delimit each message as a group for each instance of a username that appears in the log. This is the desired output: Message 1 should contain: Username : <Username1> Index : <Index> Assigned IP : <IP1> Public IP : <IP2> Group Policy : <GroupPolicy> Login Time : 15:15:34 UTC Fri Nov 1 2019 Message 2 should contain: Username : <Username2> Index : <Index> Assigned IP : <IP1> Public IP : <IP2> Group Policy : <GroupPolicy> Login Time : 15:16:12 UTC Fri Nov 1 2019 Instead, this is what happens: Message 1: Username Message 2: Index Message 3: Assigned IP Message 4: Public IP So on and so forth. Looking for advice on what should be put in the HeaderLine so the logs are delimited and can be read properly. Thanks in advance!

Dear All, I'm using this product for a months and it works fine, every windows PC (Win 7 and Win10) sent informations to central linux syslog server. Now it doesn't work because I've changed network settings. All of my Windows computers have got 802.1x authentication so the networking goes up after user login. Maybe NXlog starts before user login and try to connect syslog server sending some messages, so it doesn't reach syslog remain in running status and don't send any other informations. Any ideas ? Thanks a lot for you help ! Best Regards Willy

Hello, We are using NXLog extensively and just recently started seeing some parsing issues, so far specifically on Windows 2012r2 using Windows Event Forwarding, but could be others. It appears to be something with processing self-closed tags at first glance, but I've done a little bit of testing myself and couldn't directly reproduce the problem (so far), so figured I'd come here for guidance. Specific details are included below. Current Behavior NXLog appears to be improperly parsing empty, self-closed XML tags. Expected Behavior NXLog properly ignores empty, self-closed XML tags. NXLog Version: nxlog-ce-2.10.2150 NXLog Configuration File: ## NXLog configuration file define ROOT C:\Program Files (x86)\nxlog define LOGFILE %ROOT%\data\nxlog.log Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %LOGFILE% # Rotate agent logs on the local system such that only the last 4 files are kept <Extension fileop> Module xm_fileop # Check the size of our log file every hour and rotate if it is larger than 1M <Schedule> Every 1 hour Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 4); </Schedule> # Rotate our log file every week on sunday at midnight <Schedule> When @weekly Exec file_cycle('%LOGFILE%', 4); </Schedule> </Extension> <Extension syslog> Module xm_syslog </Extension> <Extension json> Module xm_json </Extension> # Agent logs <Input internal> Module im_internal </Input> # OS logs <Input eventlog> Module im_msvistalog # Drop EventID 5156 logs when application name is nxlog.exe Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing')\ AND ($EventID == 5156)\ AND ($Application =~ /nxlog.exe$/)\ drop(); </Input> <Input forwardedEvents> Module im_msvistalog Query <QueryList> \ <Query Id="0"> \ <Select Path="ForwardedEvents">*</Select>\ </Query> \ </QueryList> </Input> # SIEM port 3514 is listening for JSON-encoded IETF style syslog messages # OutputType Syslog_TLS required to enable the octet-framing described in RFC5425 <Output out> Module om_tcp Host XXX.XXX.XXX.XXX Port 3514 OutputType Syslog_TLS Exec $Message = to_json(); # Remove param-value pairs from structured data header with names > 32 characters. Exec if ($SourceName == 'Microsoft-Windows-GroupPolicy') {\ if ($EventID == 5017) OR ($EventID == 6017) OR ($EventID == 7017)\ delete($OperationElaspedTimeInMilliSeconds);\ if ($EventID == 5116) OR ($EventID == 6116) OR ($EventID == 7116)\ delete($GpsvcInitTimeElapsedInMilliseconds);\ if ($EventID == 5126) OR ($EventID == 6126) OR ($EventID == 7126)\ delete($GPODownloadTimeElapsedInMilliseconds);\ if ($EventID == 5257) OR ($EventID == 6257) OR ($EventID == 7257)\ delete($PolicyDownloadTimeElapsedInMilliseconds);\ if ($EventID == 5351) OR ($EventID == 6351) OR ($EventID == 7351)\ delete($WinlogonReturnTimeElapsedInMilliseconds);\ } Exec to_syslog_ietf(); </Output> <Route 1> Path internal, eventlog, forwardedEvents => out </Route> Windows Version: Windows 2012r2 (potentially others, but confirmed for sure on this one) Example Exported XML from EventViewer <?xml version="1.0" encoding="utf-8" standalone="yes"?> <Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event' xml:lang='en-US'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-10-23T14:01:56.684789600Z'/><EventRecordID>5238702734</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='3948'/><Channel>Security</Channel><Computer>hostname.domain</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>workstation$</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x1754</Data><Data Name='NewProcessName'>C:\Windows\System32\wbem\WmiApSrv.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f8</Data><Data Name='CommandLine'/><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data></EventData><RenderingInfo Culture='en-US'><Message>A new process has been created...</Message><Level>Information</Level><Task>Process Creation</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event></Events> Example Data as Received on the wire: <14>1 2019-10-21T15:44:36.650065-04:00 hostname.domain Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4688" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="2" Task="13312" OpcodeValue="0" RecordNumber="355111132" ThreadID="5020" Channel="Security" Category="Process Creation" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="workstation$" SubjectDomainName="DOMAIN" SubjectLogonId="0x3e7" NewProcessId="0x13a8" NewProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" TokenElevationType="%%1936" CommandLine\'/><Data_Name=\'TargetUserSid="S-1-0-0" TargetUserName="workstation$" TargetDomainName="DOMAIN" TargetLogonId="0x3e4" EventReceivedTime="2019-10-21 15:45:38" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] {"EventTime":"2019-10-21 15:44:36","Hostname":"hostname.domain","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":2,"Task":13312,"OpcodeValue":0,"RecordNumber":355111132,"ProcessID":4,"ThreadID":5020,"Channel":"Security","Message":"A new process has been created...","Category":"Process Creation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"workstation$","SubjectDomainName":"domain","SubjectLogonId":"0x3e7","NewProcessId":"0x13a8","NewProcessName":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","TokenElevationType":"%%1936","CommandLine'/><Data Name='TargetUserSid":"S-1-0-0","TargetUserName":"workstation$","TargetDomainName":"DOMAIN","TargetLogonId":"0x3e4","EventReceivedTime":"2019-10-21 15:45:38","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"} NOTE: I know the above two examples don't reference the exact same event. They are just for illustration and reference purposes You should see that in the XML exported from EventViewer, there's an empty and self-closed 'CommandLine' tag. However, in the example pulled from the wire, you should see that the 'CommandLine' tag has been mangled and parsed as if it were part of the 'TargetUserSid' tag and there's some XML data there. Have you seen similar behavior when parsing logs either through the ForwardedEvents (Windows Event Forwarding) or otherwise? Addendum: We have also seen this behavior with other empty, self-closed XML Fields such as a 'TargetDomainName' field, so it does not seem to be specifically related to the CommandLine tag itself.

Here are the error messages: 2019-10-30 11:38:17 INFO nxlog-ce-2.10.2150 started 2019-10-30 11:38:22 WARNING stopping nxlog service 2019-10-30 11:38:22 WARNING nxlog-ce received a termination request signal, exiting... Conf file: define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _gelf> Module xm_gelf </Extension> <Input in> Module im_msvistalog ReadFromLast TRUE For windows 2003 and earlier use the following: Module im_mseventlog Query <QueryList> <Query Id="0"> <Select Path="Application"></Select> <Select Path="System"></Select> <Select Path="Security">*</Select> </Query> </QueryList> </Input> <Output Graylog> Module om_udp Host secret Port secret OutputType GELF_UDP </Output> <Route 1> Path in => Graylog </Route>

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work? <Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension> <Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input> <Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor> <Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output> <Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route> Give an example configuration using the xm_filelist module.

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work? <Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension> <Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input> <Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor> <Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output> <Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route> Give an example configuration using the xm_filelist module.

Good day everyone! I am starting to use NXLog:CE in my environment and am having a few windows devices not reporting to my Observium server. I have the same .conf deployed across all windows devices. I am attempting to pattern hunt what could be different but being enterprise devices they are not configured much differently. I have a local debug file running and I am seeing events being written on all devices. I know this is not much detail but I would appreciate any suggestions of places to look. Thank you in advance, Scott

Hi, My system creates binary log file whenever some error happens. So, I would like to send the binary log file to server(also running the nxlog) when the file is created. The binary log file is created with specific extension name (for example *.binlog) and I want to send the file to server with same filename. Can I do this with nxlog? Thanks. Harry

Hi, I try configure regex to send log from localhost_access.log tomcat. I test this in many regex tester online and have error when I use this in nxlog. Sample: 4.3.2.1 - - [21/Oct/2019:06:29:10 +0200] "GET /webapi?Subsystem=Order&Action=GetTradeReports&Exchange=GRATR&TS=1571632145141&trpt.a=0%2C1%2C3%2C4%2C5%2C6%2C8%2C9%2C10%2C11%2C13%2C15%2C17%2C47%2C52%2C53%2C57%2C58%2C59%2C60%2C61%2C62%2C63&Session=A.z27L1EKuJetOW0RD890Q3DXXK1zwo5eJ HTTP/1.1" 200 89 and config: <Input tomcat_localhost> InputType multiline Module im_file File '/var/log/tomcat/localhost_access.log' <Exec> if $raw_event =~ /^(\S+) (\S+) (\S+) [([\w:/]+\s[+-]\d{4})] "(\S+)\s?(\S+)?\s?(\S+)?" (\d{3}|-) (\d+|-)\s?"?([^"])"?\s?"?([^"])?"?$/ { $IP_address = $1; $EventTime = parsedate($4); $HTTPMethod = $5; $HTTPMethod = $4; $HTTPURL = $5; $HTTPResponseStatus = $8; $HTTPProtocol = $7; $Message = $6; } </Exec> </Input> error in log: 2019-10-21 10:01:08 ERROR Couldn't parse Exec block at /var/lib/graylog-sidecar/generated/nxlog.conf:61;couldn't parse statement at line 62, character 47 in /var/lib/graylog-sidecar/generated/nxlog.conf;failed to compile regular expression '^(\S+) (\S+) (\S+) [([\w:', error at position 26: missing terminating ] for character class Why they expected "]" ?

We have the following problem. We are currently migrating from REDIS to KAFKA on our windows server 2012 machines. In order to do this we are changing our nxlog.conf. (see below for entire configuration) We cannot seem to get our certificates to work. Something to note is that the same certificates work on a linux machine in the same environment (acceptance) Kafka is configured correctly, so that isn’t the problem. (considering that it works in a similar setup for a linux machine that connects to the same KAFKA topic with the same certificates.) When we start the nxlog service like this, the service basically is stuck on the starting phase of the service configuration. We need to force kill the PID to breath live back into it. We changed the .jks (java keystore) into a .p12 extension via a keystore manipulator (keystore explorer), since we do not have JAVA running on these windows machines. When we put Loglevel on DEBUG we get logging up until the kafka_out module but not further. (i.e. No information about handshaking etc.) In the configuration we tried o Protocol SSL with CAFILE and either (CertKeyFile and KeyPass) or (Keyfile as a cer file) o We didn’t try converting it to a PEM. o I put the Partition parameter on comment, since we use multiple partitions in our Kafka-bus, so it wouldn’t make sense to aim for the first one all the time. (Noting that even if not commented out it also fails) We use a root and an intermediate certificate for our CA-path. There are hardly any examples for om_kafka modules, especially when you have more than 1 broker. We are running with version nxlog-4.5.4503 Information I could find on the WWW CAFile %CERTDIR%/cert-bundle.pem CAFile %CERTDIR%/cacert.pem CertFile %CERTDIR%/client-cert.pem CertKeyFile %CERTDIR%/client-key.pem KeyPass yourPasswordOfTheKey #CAFile: This specifies the path of the certificate authority (CA) certificate, which will be used to check the certificate of the remote brokers. CAFile is required if Protocol is set to ssl or sasl_ssl. #CertFile: This specifies the path of the certificate file to be used for the SSL handshake. #CertKeyFile: This specifies the path of the certificate key file to be used for the SSL handshake. Primary questions: Can CAFILE be used with a keystore or only with a .PEM / .CRT file? KeyPass is related to CertKeyFile. If there is a password on either CAFILE or KEYFILE how do I configure this then? Is there a higher level of debug so we can see what happens after the statements in our logging? NXLOG.CONF --GENERAL SETTINGS----------------- envvar COMPUTERNAME define ROOT O:\NXLOG define ENV PRD define APPLI MyPortal KAFKA omgeving define KAFKA_TOPIC mon_myportal_topic define KAFKA_BROKERLIST_PROD 'kafka-0.intranet:9093,kafka-1.intranet:9093,kafka-2.intranet:9093,kafka-3.intranet:9093,kafka-4.intranet:9093,kafka-5.intranet:9093,kafka-6.intranet:9093,kafka-7.intranet:9093,kafka-8.intranet:9093,kafka-9.intranet:9093,kafka-10.intranet:9093,kafka-11.intranet:9093' ---------------------------------------------------------------------- Moduledir %ROOT%\modules CacheDir %ROOT%\data SpoolDir %ROOT%\data CertDir %ROOT%\cert LogLevel DEBUG LogFile %ROOT%\log\nxlog.log #Pidfile %ROOT%\test\nxlog.pid ---------------------------------------------------------------------- <Extension json> Module xm_json </Extension> <output kafka_out> Module om_kafka BrokerList %KAFKA_BROKERLIST_PROD% Topic %KAFKA_TOPIC% Partition 1 Protocol ssl CAFile %CertDir%\client.truststore.p12 CertFile %CertDir%\intermediairportal-PRD.crt CertKeyFile %CertDir%\intermediairportal-PRD.p12 KeyPass <password obfuscated> </Output> include %ROOT%\conf\check1.conf include %ROOT%\conf\check2.conf

I'm trying to trigger a powershell script to run with passed parameters on pattern matching the contents of $message. The method itself works, I just cannot work out how to pass parameters to the script I'm calling. <Input internal> Module im_internal Exec if ($message =~ /nxlog-ce-2.10.2150 started/) exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1"); </Input> My working test configuration is shown above. The script called nxlog_exec_async_test.ps1 is successfully called from an elevated shell, if there is no parameter passed in. exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test"); I've tried passing the parameter "test" in the following ways, but this doesn't work either i.e.: exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1", "test"); exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test"); The powershell script simply echos a line out to file, and the first line is: $testparm==$args[0] Which is assigning the first parameter to the variable $testparm Can anyone help? Cheers, Phil

Hello everyone, I have a window server that receives logs from other windows hosts (log collector) and from this last one, events are sent to a Fortisiem. The problem is that in SIEM the IP that appears is always the collector's IP and all host events are identified by that IP. Is it possible to keep the original IP of each host? My out config: <Output out> Module om_tcp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000000; Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); Exec $Message = to_json(); to_syslog_snare(); </Output> Thanks

For about 5 years, I've been using NXLog to forward Windows logs from all of my Windows servers into a Graylog server. Recently, one of the servers developed an issue where there will be event ID 5156 (&quot;The Windows Filtering Platform has permitted a connection&quot;) triggered when NXLog sends logs to the Graylog server, which triggers another event ID 5156, which triggers another and another and another and so on. So, logging from that one server goes from an average of 50,000/hr to as much as 10 million/hr. I don't see anything in the Windows event logs that seems to trigger the issue but all I have to do is restart the NXLog service to break the loop and resume normal log forwarding for a couple of days. I've uninstalled/re-installed NXLog and upgraded to 'nxlog-ce-2.10.2150'. The server is essentially just a file server. It has Checkpoint Endpoint installed but so do all of my other Windows servers. Does anyone have any suggestions as to what causes this and how I can resolve the issue? I don't want to disable the events from the Windows Filtering Platform in total but I wouldn't mind if I never saw one triggered by NXLog making network connections. Below is the same NXLog config I've used for all of the Windows servers, even the server I'm having the issue on. Any help you can give is greatly appreciated. #define ROOT C:\Program Files (x86)\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension gelf> Module xm_gelf </Extension> <Input in> Use 'im_mseventlog' for Windows XP, 2000 and 2003 Module im_msvistalog Uncomment the following to collect specific event logs only Query &lt;QueryList&gt;\ &lt;Query Id=&quot;0&quot;&gt;\ &lt;Select Path=&quot;Application&quot;&gt;*&lt;/Select&gt;\ &lt;Select Path=&quot;System&quot;&gt;*&lt;/Select&gt;\ &lt;Select Path=&quot;Security&quot;&gt;*&lt;/Select&gt;\ &lt;/Query&gt;\ &lt;/QueryList&gt; </Input> <Output out> Module om_udp Host 172.xx.xx.xxx {<-- redacted for this post} Port 12201 OutputType GELF </Output> <Route 1> Path in => out </Route>

Hi. I am new in NXlog. I am using om_dbi module to execute some SQL to insert my logs to pqsql. But I have the following ERROR "om_dbi failed to execute SQL statement", and NXLOG is trying to repeat this SQL again and again. How to stop this loop SQL execution after the first failure.

Hello Team, I am new to Nxlog and we have a requirement to send below log file content to syslog server, fields will be same for every new log file. Can you please help in writing conf file to send it to syslog. Sample Log file. OPSWAT - METADEFENDER KIOSK SCAN RESULTS User ID: TRAININGLAB\syslog Profile: Default Session ID: 52CE90C9-73DC-4150-AE7F-1FDCFF933D3F PROCESSING FINISHED SUCCESSFULLY Process Start Time: 2019-09-21 16:09:36 Process Finish Time: 2019-09-21 16:10:55 MetaDefender Kiosk Version: 4.3.5.2010 MetaDefender Core Version: 4.16.2 Device Information Manufacturer: (Standard disk drives) Model: SanDisk Cruzer Blade USB Device Serial Number: 4C530000260530107000 Device ID: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000260530107000&0 Media Type: USB Device Partition Count: 1 Partition Name: Disk #1, Partition #0 Bootable: NO Disk Usage: 39MB / 14GB Scanning System: SYSTEM1 Full Media Scanned: NO Full Media Processed: NO Total Files Scanned: 7 Total Files Processed: 7 Blocked Files No blocked files found Blocked Actions Taken - Sanitized: 0 - Quarantined: 0 - Deleted: 0 - Post Action Ran: 0 - Copied To Media: 0 - Copied To Directory: 0 - Copied To Vault Server: 0 - Moved To Media: 0 - Moved To Directory: 0 - Moved To Vault Server: 0 - Destination Media Wiped: NO Allowed Actions Taken - Sanitized: 0 - Post Action Ran: 0 - Copied To Media: 0 - Copied To Directory: 0 - Copied To Vault Server: 0 - Moved To Media: 0 - Moved To Directory: 0 - Moved To Vault Server: 0 - Destination Media Wiped: NO Skipped Files: 0 Failed To Delete: 0 File Type Totals application/octet-stream: 1 application/pdf: 2 application/x-dosexec: 2 text/plain: 2 ALLOWED FILES PATH: E:\New Text Document (6).txt SHA-256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 PATH: E:\SanDiskSecureAccess\DownloadSanDiskSecureAccess_Mac.pdf SHA-256: B2E01B65F369095428DB35D59A41FDB80A5B16F6C496D7420D814B63CC8EEDCB PATH: E:\SanDiskSecureAccess\SanDisk_SecureAccess_QSG.PDF SHA-256: BC6D908229CA23F0FA78690BF5CD498F67A6FDB5CD368A4F89BABC98427A93CB PATH: E:\New Text Document (7).txt SHA-256: BDED243D2EEDEEF19D62D88A361A7019A007363BBBF429A873320015B865A456 PATH: E:\sgbox.txt SHA-256: CA3ED41768F78C7E61BC782716010A208DE09464BDEB283D27DABE57318EE3B8 PATH: E:\SanDiskSecureAccessV3.1_win.exe SHA-256: 829F3BC240D26077AC00CE58B15D7D349E5D473B83629D3CC404A34BA865C9EC PATH: E:\epm.exe SHA-256: 3D878E578E7340443785D4DC6CEA0A5B415D3BB107AFB0282DFEBF776930B216

Hi all, I installed the .apk file (nxlog-1.4.571.apk) on a phone with Android 8.1. When I click on "Start" I get the following error message: Verifying config ... "/data/data/com.nxsec.nxlog/nxlog": error: Android 5.0 and later only support position-independent executables (-fPIE). How can I solve it? Is there a version compatible with android>5? Thanks!

Hello, I'm trying to query the oracle sys.aud$ table using the nxlog odbc input module (Oracle 12.1.0.2.0) for new audit-events. I'm using NXlog and the odbc module 4.3.4308. The Error that NXLog is presenting me is: ERROR SQLDescribeParam returned zero parameter_size or decimal_digit(999, 0) I'm querying the table as follows: <Input input-asdf> Module im_odbc SQL select NTIMESTAMP# AS id, SESSIONID, ENTRYID, STATEMENT, TIMESTAMP#, USERID, USERHOST, TERMINAL, ACTION#, RETURNCODE, OBJ$CREATOR, OBJ$NAME, AUTH$PRIVILEGES, AUTH$GRANTEE, NEW$OWNER, NEW$NAME, SES$ACTIONS, SES$TID, LOGOFF$LREAD, LOGOFF$PREAD, LOGOFF$LWRITE, LOGOFF$DEAD, LOGOFF$TIME, COMMENT$TEXT, CLIENTID, SPARE1, SPARE2, OBJ$LABEL, SES$LABEL, PRIV$USED, SESSIONCPU, NTIMESTAMP#, PROXY$SID, USER$GUID, INSTANCE#, PROCESS#, XID, AUDITID, SCN, DBID, SQLBIND, SQLTEXT, OBJ$EDITION FROM sys.aud$ WHERE NTIMESTAMP# > ? order by NTIMESTAMP# ASC; ConnectionString DSN=asdf;uid=fdsa;pwd=fdsa;database=asdf SavePos TRUE MaxIdSQL select MAX(NTIMESTAMP#) as maxid from sys.aud$ PollInterval 900 IdType Timestamp </Input> I'm not sure if the NTIMSTAMP# column is in the correct format, so I tried casting it using TO_DATE(TO_CHAR(NTIMESTAMP#, 'YYYY-MM-DD HH24:MI:SS'), 'YYYY-MM-DD HH24:MI:SS') into a datetime since according to documentation the NTIMESTAMP is from the type Timestamp(6). If it is better to query using another Parameter I'm also happy to use another parameter from the sys.aud$ table! Also I had the problem before that when restarting the NXLog agent some data would be queried again. I figured that this should be resolved with the MaxIdSQL parameter, however I couldn't verify that yet. Best regards