Hello, We are using NXLog extensively and just recently started seeing some parsing issues, so far specifically on Windows 2012r2 using Windows Event Forwarding, but could be others. It appears to be something with processing self-closed tags at first glance, but I've done a little bit of testing myself and couldn't directly reproduce the problem (so far), so figured I'd come here for guidance. Specific details are included below. **Current Behavior** NXLog appears to be improperly parsing empty, self-closed XML tags. **Expected Behavior** NXLog properly ignores empty, self-closed XML tags. **NXLog Version**: nxlog-ce-2.10.2150 **NXLog Configuration File**: ``` ## NXLog configuration file define ROOT C:\Program Files (x86)\nxlog define LOGFILE %ROOT%\data\nxlog.log Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %LOGFILE% # Rotate agent logs on the local system such that only the last 4 files are kept Module xm_fileop # Check the size of our log file every hour and rotate if it is larger than 1M Every 1 hour Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 4); # Rotate our log file every week on sunday at midnight When @weekly Exec file_cycle('%LOGFILE%', 4); Module xm_syslog Module xm_json # Agent logs Module im_internal # OS logs Module im_msvistalog # Drop EventID 5156 logs when application name is nxlog.exe Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing')\ AND ($EventID == 5156)\ AND ($Application =~ /nxlog.exe$/)\ drop(); Module im_msvistalog Query \ \ *\ \ # SIEM port 3514 is listening for JSON-encoded IETF style syslog messages # OutputType Syslog_TLS required to enable the octet-framing described in RFC5425 Module om_tcp Host XXX.XXX.XXX.XXX Port 3514 OutputType Syslog_TLS Exec $Message = to_json(); # Remove param-value pairs from structured data header with names > 32 characters. Exec if ($SourceName == 'Microsoft-Windows-GroupPolicy') {\ if ($EventID == 5017) OR ($EventID == 6017) OR ($EventID == 7017)\ delete($OperationElaspedTimeInMilliSeconds);\ if ($EventID == 5116) OR ($EventID == 6116) OR ($EventID == 7116)\ delete($GpsvcInitTimeElapsedInMilliseconds);\ if ($EventID == 5126) OR ($EventID == 6126) OR ($EventID == 7126)\ delete($GPODownloadTimeElapsedInMilliseconds);\ if ($EventID == 5257) OR ($EventID == 6257) OR ($EventID == 7257)\ delete($PolicyDownloadTimeElapsedInMilliseconds);\ if ($EventID == 5351) OR ($EventID == 6351) OR ($EventID == 7351)\ delete($WinlogonReturnTimeElapsedInMilliseconds);\ } Exec to_syslog_ietf(); Path internal, eventlog, forwardedEvents => out ``` **Windows Version**: Windows 2012r2 (potentially others, but confirmed for sure on this one) **Example Exported XML from EventViewer** ``` 4688201331200x80200000000000005238702734Securityhostname.domainS-1-5-18workstation$DOMAIN0x3e70x1754C:\Windows\System32\wbem\WmiApSrv.exe%%19360x2f8S-1-0-0--0x0A new process has been created...InformationProcess CreationInfoSecurityMicrosoft Windows security auditing.Audit Success ``` **Example Data as Received on the wire**: ``` 1 2019-10-21T15:44:36.650065-04:00 hostname.domain Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4688" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="2" Task="13312" OpcodeValue="0" RecordNumber="355111132" ThreadID="5020" Channel="Security" Category="Process Creation" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="workstation$" SubjectDomainName="DOMAIN" SubjectLogonId="0x3e7" NewProcessId="0x13a8" NewProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" TokenElevationType="%%1936" CommandLine\'/>

Here are the error messages:

2019-10-30 11:38:17 INFO nxlog-ce-2.10.2150 started 2019-10-30 11:38:22 WARNING stopping nxlog service 2019-10-30 11:38:22 WARNING nxlog-ce received a termination request signal, exiting...

Conf file:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _gelf> Module xm_gelf </Extension>

<Input in> Module im_msvistalog ReadFromLast TRUE

For windows 2003 and earlier use the following:

Module im_mseventlog

Query <QueryList>
<Query Id="0">
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Security">*</Select>
</Query>
</QueryList> </Input>

<Output Graylog> Module om_udp Host secret Port secret OutputType GELF_UDP </Output>

<Route 1> Path in => Graylog </Route>

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work?

<Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension>

<Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input>

<Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor>

<Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output>

<Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route>

Give an example configuration using the xm_filelist module.

There is no detailed description of the use of the xm_filelist module in the manual. I made a configuration based on the guide https://nxlog.co/question/4095/drop-win-event-message-based-text-file-content, but it does not work. Help me, why the configuration does not work?

<Extension Testlist> Module xm_filelist File "c:\logs\List\Testlist.txt" CheckInterval 600 </Extension>

<Input in_ForwardedEvents> Module im_msvistalog ReadFromLast False SavePos True ResolveSID False PollInterval 5 <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[(EventID=4624)]]</Select> </Query> </QueryList> </QueryXML> </Input>

<Processor proc_list> Module pm_transformer <Exec> if Testlist->contains($TargetUserName,$true) $rule = "rule1"; </Exec> </Processor>

<Output out_file_raw> exec to_json(); Module om_file CreateDir TRUE File 'c:\logs\test.log' </Output>

<Route rout_file> Path in_ForwardedEvents=> proc_list => out_file_raw </Route>

Give an example configuration using the xm_filelist module.

Good day everyone!

I am starting to use NXLog:CE in my environment and am having a few windows devices not reporting to my Observium server. I have the same .conf deployed across all windows devices. I am attempting to pattern hunt what could be different but being enterprise devices they are not configured much differently. I have a local debug file running and I am seeing events being written on all devices.

I know this is not much detail but I would appreciate any suggestions of places to look.

Thank you in advance,

Scott

Hi, My system creates binary log file whenever some error happens. So, I would like to send the binary log file to server(also running the nxlog) when the file is created. The binary log file is created with specific extension name (for example *.binlog) and I want to send the file to server with same filename. Can I do this with nxlog?

Thanks.

Harry

Hi, I try configure regex to send log from localhost_access.log tomcat. I test this in many regex tester online and have error when I use this in nxlog.

Sample:

4.3.2.1 - - [21/Oct/2019:06:29:10 +0200] "GET /webapi?Subsystem=Order&Action=GetTradeReports&Exchange=GRATR&TS=1571632145141&trpt.a=0%2C1%2C3%2C4%2C5%2C6%2C8%2C9%2C10%2C11%2C13%2C15%2C17%2C47%2C52%2C53%2C57%2C58%2C59%2C60%2C61%2C62%2C63&Session=A.z27L1EKuJetOW0RD890Q3DXXK1zwo5eJ HTTP/1.1" 200 89

and config:

<Input tomcat_localhost> InputType multiline Module im_file File '/var/log/tomcat/localhost_access.log'

<Exec> if $raw_event =~ /^(\S+) (\S+) (\S+) [([\w:/]+\s[+-]\d{4})] "(\S+)\s?(\S+)?\s?(\S+)?" (\d{3}|-) (\d+|-)\s?"?([^"])"?\s?"?([^"])?"?$/

 {
        $IP_address = $1;
        $EventTime = parsedate($4);
        $HTTPMethod = $5;
        $HTTPMethod = $4;
        $HTTPURL = $5;
        $HTTPResponseStatus = $8;
        $HTTPProtocol = $7;
		$Message = $6;
    }

</Exec> </Input>

error in log:

2019-10-21 10:01:08 ERROR Couldn't parse Exec block at /var/lib/graylog-sidecar/generated/nxlog.conf:61;couldn't parse statement at line 62, character 47 in /var/lib/graylog-sidecar/generated/nxlog.conf;failed to compile regular expression '^(\S+) (\S+) (\S+) [([\w:', error at position 26: missing terminating ] for character class

Why they expected "]" ?

We have the following problem.

We are currently migrating from REDIS to KAFKA on our windows server 2012 machines. In order to do this we are changing our nxlog.conf. (see below for entire configuration)

• We cannot seem to get our certificates to work. Something to note is that the same certificates work on a linux machine in the same environment (acceptance)

• Kafka is configured correctly, so that isn’t the problem. (considering that it works in a similar setup for a linux machine that connects to the same KAFKA topic with the same certificates.)

• When we start the nxlog service like this, the service basically is stuck on the starting phase of the service configuration. We need to force kill the PID to breath live back into it.

• We changed the .jks (java keystore) into a .p12 extension via a keystore manipulator (keystore explorer), since we do not have JAVA running on these windows machines.

• When we put Loglevel on DEBUG we get logging up until the kafka_out module but not further. (i.e. No information about handshaking etc.)

• In the configuration we tried o Protocol SSL with CAFILE and either (CertKeyFile and KeyPass) or (Keyfile as a cer file) o We didn’t try converting it to a PEM. o I put the Partition parameter on comment, since we use multiple partitions in our Kafka-bus, so it wouldn’t make sense to aim for the first one all the time. (Noting that even if not commented out it also fails)

• We use a root and an intermediate certificate for our CA-path.

• There are hardly any examples for om_kafka modules, especially when you have more than 1 broker.

• We are running with version nxlog-4.5.4503

Information I could find on the WWW

CAFile %CERTDIR%/cert-bundle.pem

CAFile %CERTDIR%/cacert.pem

CertFile %CERTDIR%/client-cert.pem

CertKeyFile %CERTDIR%/client-key.pem

KeyPass yourPasswordOfTheKey

#CAFile: This specifies the path of the certificate authority (CA) certificate, which will be used to check the certificate of the remote brokers. CAFile is required if Protocol is set to ssl or sasl_ssl. #CertFile: This specifies the path of the certificate file to be used for the SSL handshake. #CertKeyFile: This specifies the path of the certificate key file to be used for the SSL handshake.

Primary questions:

• Can CAFILE be used with a keystore or only with a .PEM / .CRT file?
• KeyPass is related to CertKeyFile. If there is a password on either CAFILE or KEYFILE how do I configure this then?
• Is there a higher level of debug so we can see what happens after the statements in our logging?

NXLOG.CONF

--GENERAL SETTINGS-----------------

envvar COMPUTERNAME define ROOT O:\NXLOG define ENV PRD define APPLI MyPortal

KAFKA omgeving

define KAFKA_TOPIC mon_myportal_topic define KAFKA_BROKERLIST_PROD 'kafka-0.intranet:9093,kafka-1.intranet:9093,kafka-2.intranet:9093,kafka-3.intranet:9093,kafka-4.intranet:9093,kafka-5.intranet:9093,kafka-6.intranet:9093,kafka-7.intranet:9093,kafka-8.intranet:9093,kafka-9.intranet:9093,kafka-10.intranet:9093,kafka-11.intranet:9093'

----------------------------------------------------------------------

Moduledir %ROOT%\modules CacheDir %ROOT%\data SpoolDir %ROOT%\data CertDir %ROOT%\cert LogLevel DEBUG LogFile %ROOT%\log\nxlog.log

#Pidfile %ROOT%\test\nxlog.pid

----------------------------------------------------------------------

<Extension json> Module xm_json </Extension>

<output kafka_out> Module om_kafka BrokerList %KAFKA_BROKERLIST_PROD% Topic %KAFKA_TOPIC%

Partition 1

Protocol ssl CAFile %CertDir%\client.truststore.p12 CertFile %CertDir%\intermediairportal-PRD.crt

CertKeyFile %CertDir%\intermediairportal-PRD.p12

KeyPass <password obfuscated>

</Output>

include %ROOT%\conf\check1.conf include %ROOT%\conf\check2.conf

I'm trying to trigger a powershell script to run with passed parameters on pattern matching the contents of $message. The method itself works, I just cannot work out how to pass parameters to the script I'm calling.

<Input internal> Module im_internal Exec if ($message =~ /nxlog-ce-2.10.2150 started/)
exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1"); </Input>

My working test configuration is shown above. The script called nxlog_exec_async_test.ps1 is successfully called from an elevated shell, if there is no parameter passed in. exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test");

I've tried passing the parameter "test" in the following ways, but this doesn't work either i.e.: exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1", "test"); exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test");

The powershell script simply echos a line out to file, and the first line is: $testparm==$args[0] Which is assigning the first parameter to the variable $testparm

Can anyone help? Cheers, Phil

Hello everyone, I have a window server that receives logs from other windows hosts (log collector) and from this last one, events are sent to a Fortisiem. The problem is that in SIEM the IP that appears is always the collector's IP and all host events are identified by that IP. Is it possible to keep the original IP of each host?

My out config: <Output out> Module om_tcp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $EventTime = integer($EventTime) / 1000000; Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " "); Exec $Message = to_json(); to_syslog_snare(); </Output>

Thanks

 For about 5 years, I've been using NXLog to forward Windows logs from all of my Windows servers into a Graylog server.  Recently, one of the servers developed an issue where there will be event ID 5156 ("The Windows Filtering Platform has permitted a connection") triggered when NXLog sends logs to the Graylog server, which triggers another event ID 5156, which triggers another and another and another and so on.  So, logging from that one server goes from an average of 50,000/hr to as much as 10 million/hr.  I don't see anything in the Windows event logs that seems to trigger the issue but all I have to do is restart the NXLog service to break the loop and resume normal log forwarding for a couple of days.  I've uninstalled/re-installed NXLog and upgraded to 'nxlog-ce-2.10.2150'.  The server is essentially just a file server.  It has Checkpoint Endpoint installed but so do all of my other Windows servers.

 Does anyone have any suggestions as to what causes this and how I can resolve the issue?  I don't want to disable the events from the Windows Filtering Platform in total but I wouldn't mind if I never saw one triggered by NXLog making network connections.  Below is the same NXLog config I've used for all of the Windows servers, even the server I'm having the issue on.  Any help you can give is greatly appreciated.

#define ROOT C:\Program Files (x86)\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension gelf> Module xm_gelf </Extension>

<Input in>

Use 'im_mseventlog' for Windows XP, 2000 and 2003

Module      im_msvistalog

Uncomment the following to collect specific event logs only

Query       <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Security">*</Select>\
                </Query>\
            </QueryList>

</Input>

<Output out> Module om_udp Host 172.xx.xx.xxx {<-- redacted for this post} Port 12201 OutputType GELF </Output>

<Route 1> Path in => out </Route>

Hi. I am new in NXlog. I am using om_dbi module to execute some SQL to insert my logs to pqsql. But I have the following ERROR "om_dbi failed to execute SQL statement", and NXLOG is trying to repeat this SQL again and again. How to stop this loop SQL execution after the first failure.

Hello Team,

I am new to Nxlog and we have a requirement to send below log file content to syslog server, fields will be same for every new log file. Can you please help in writing conf file to send it to syslog.

Sample Log file.

OPSWAT - METADEFENDER KIOSK SCAN RESULTS

User ID: TRAININGLAB\syslog Profile: Default Session ID: 52CE90C9-73DC-4150-AE7F-1FDCFF933D3F

PROCESSING FINISHED SUCCESSFULLY

Process Start Time: 2019-09-21 16:09:36 Process Finish Time: 2019-09-21 16:10:55

MetaDefender Kiosk Version: 4.3.5.2010 MetaDefender Core Version: 4.16.2

Device Information Manufacturer: (Standard disk drives) Model: SanDisk Cruzer Blade USB Device Serial Number: 4C530000260530107000 Device ID: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000260530107000&0 Media Type: USB Device Partition Count: 1 Partition Name: Disk #1, Partition #0

• Bootable: NO Disk Usage: 39MB / 14GB Scanning System: SYSTEM1

Full Media Scanned: NO Full Media Processed: NO Total Files Scanned: 7 Total Files Processed: 7

Blocked Files No blocked files found

Blocked Actions Taken - Sanitized: 0 - Quarantined: 0 - Deleted: 0 - Post Action Ran: 0 - Copied To Media: 0 - Copied To Directory: 0 - Copied To Vault Server: 0 - Moved To Media: 0 - Moved To Directory: 0 - Moved To Vault Server: 0 - Destination Media Wiped: NO

Allowed Actions Taken - Sanitized: 0 - Post Action Ran: 0 - Copied To Media: 0 - Copied To Directory: 0 - Copied To Vault Server: 0 - Moved To Media: 0 - Moved To Directory: 0 - Moved To Vault Server: 0 - Destination Media Wiped: NO

Skipped Files: 0

Failed To Delete: 0

File Type Totals application/octet-stream: 1 application/pdf: 2 application/x-dosexec: 2 text/plain: 2

ALLOWED FILES

1.  PATH:           E:\New Text Document (6).txt
    SHA-256:        E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
   

2.  PATH:           E:\SanDiskSecureAccess\DownloadSanDiskSecureAccess_Mac.pdf
    SHA-256:        B2E01B65F369095428DB35D59A41FDB80A5B16F6C496D7420D814B63CC8EEDCB
   

3.  PATH:           E:\SanDiskSecureAccess\SanDisk_SecureAccess_QSG.PDF
    SHA-256:        BC6D908229CA23F0FA78690BF5CD498F67A6FDB5CD368A4F89BABC98427A93CB
   

4.  PATH:           E:\New Text Document (7).txt
    SHA-256:        BDED243D2EEDEEF19D62D88A361A7019A007363BBBF429A873320015B865A456
   

5.  PATH:           E:\sgbox.txt
    SHA-256:        CA3ED41768F78C7E61BC782716010A208DE09464BDEB283D27DABE57318EE3B8
   

6.  PATH:           E:\SanDiskSecureAccessV3.1_win.exe
    SHA-256:        829F3BC240D26077AC00CE58B15D7D349E5D473B83629D3CC404A34BA865C9EC
   

7.  PATH:           E:\epm.exe
    SHA-256:        3D878E578E7340443785D4DC6CEA0A5B415D3BB107AFB0282DFEBF776930B216
   

Hi all, I installed the .apk file (nxlog-1.4.571.apk) on a phone with Android 8.1. When I click on "Start" I get the following error message:

Verifying config ... "/data/data/com.nxsec.nxlog/nxlog": error: Android 5.0 and later only support position-independent executables (-fPIE).

How can I solve it? Is there a version compatible with android>5? Thanks!

Hello, I'm trying to query the oracle sys.aud$ table using the nxlog odbc input module (Oracle 12.1.0.2.0) for new audit-events. I'm using NXlog and the odbc module 4.3.4308. The Error that NXLog is presenting me is: ERROR SQLDescribeParam returned zero parameter_size or decimal_digit(999, 0)

I'm querying the table as follows:

<Input input-asdf> Module im_odbc SQL select NTIMESTAMP# AS id, SESSIONID, ENTRYID, STATEMENT, TIMESTAMP#, USERID, USERHOST, TERMINAL, ACTION#, RETURNCODE, OBJ$CREATOR, OBJ$NAME, AUTH$PRIVILEGES, AUTH$GRANTEE, NEW$OWNER, NEW$NAME, SES$ACTIONS, SES$TID, LOGOFF$LREAD, LOGOFF$PREAD, LOGOFF$LWRITE, LOGOFF$DEAD, LOGOFF$TIME, COMMENT$TEXT, CLIENTID, SPARE1, SPARE2, OBJ$LABEL, SES$LABEL, PRIV$USED, SESSIONCPU, NTIMESTAMP#, PROXY$SID, USER$GUID, INSTANCE#, PROCESS#, XID, AUDITID, SCN, DBID, SQLBIND, SQLTEXT, OBJ$EDITION FROM sys.aud$ WHERE NTIMESTAMP# > ? order by NTIMESTAMP# ASC;

ConnectionString DSN=asdf;uid=fdsa;pwd=fdsa;database=asdf SavePos TRUE MaxIdSQL select MAX(NTIMESTAMP#) as maxid from sys.aud$ PollInterval 900 IdType Timestamp

</Input>

I'm not sure if the NTIMSTAMP# column is in the correct format, so I tried casting it using TO_DATE(TO_CHAR(NTIMESTAMP#, 'YYYY-MM-DD HH24:MI:SS'), 'YYYY-MM-DD HH24:MI:SS') into a datetime since according to documentation the NTIMESTAMP is from the type Timestamp(6). If it is better to query using another Parameter I'm also happy to use another parameter from the sys.aud$ table!

Also I had the problem before that when restarting the NXLog agent some data would be queried again. I figured that this should be resolved with the MaxIdSQL parameter, however I couldn't verify that yet.

Best regards

Is im_odbc available for NXLog community version?

Hello, I'm having trouble sending logs in json format generated from a command. The command generate (one json per line, json syntax checked with jsonlint and all json lines are ok. I send the input log to output file per debug and the json is ok)

{"metricset":{"module":"system","name":"memory"},"system":{"memory":{"total`":4294967296,"free":1709912064,"used":{"bytes":2585055232,"pct":60.19},"swap":{"total":2046,"free":2012,"used":{"bytes":34,"pct":1.66}}}}} {"metricset":{"module":"system","name":"cpu"},"system":{"cpu":{"cores": 1,"idle":{"pct":99},"irq":{"pct":0},"system":{"pct":0},"user":{"pct":1}}}}

When nxlog send the data to logstash with om_tcp, logstash receive (review the system field, it's not the same as the one generated in the input)

Oct 01 03:04:54 elk logstash[43975]: { Oct 01 03:04:54 elk logstash[43975]: "SourceModuleName" => "counters", Oct 01 03:04:54 elk logstash[43975]: "system" => "{&quot;cpu&quot;:{&quot;cores&quot;:1,&quot;idle&quot;:{&quot;pct&quot;:99}&quot;irq&quot;:{&quot;pct&quot;:0}&quot;system&quot;:{&quot;pct&quot;:0}&quot;user&quot;:{&quot;pct&quot;:1}", Oct 01 03:04:54 elk logstash[43975]: "@timestamp" => 2019-10-01T01:04:54.022Z, Oct 01 03:04:54 elk logstash[43975]: "SourceModuleType" => "im_exec", Oct 01 03:04:54 elk logstash[43975]: "port" => 3150, Oct 01 03:04:54 elk logstash[43975]: "@metadata" => { Oct 01 03:04:54 elk logstash[43975]: "input" => "tcp", Oct 01 03:04:54 elk logstash[43975]: "week" => "2019.10-40", Oct 01 03:04:54 elk logstash[43975]: "month" => "2019.10", Oct 01 03:04:54 elk logstash[43975]: "stdout" => "true", Oct 01 03:04:54 elk logstash[43975]: "index" => "in-test-nxlog-2019.10-40", Oct 01 03:04:54 elk logstash[43975]: "day" => "2019.10.01" Oct 01 03:04:54 elk logstash[43975]: }, Oct 01 03:04:54 elk logstash[43975]: "@version" => "1", Oct 01 03:04:54 elk logstash[43975]: "metricset" => "{&quot;module&quot;:system,&quot;name&quot;:cpu}", Oct 01 03:04:54 elk logstash[43975]: "client" => { Oct 01 03:04:54 elk logstash[43975]: "ip" => "10.71.218.62" Oct 01 03:04:54 elk logstash[43975]: }, Oct 01 03:04:54 elk logstash[43975]: "EventReceivedTime" => "2019-10-01 03:03:58" Oct 01 03:04:54 elk logstash[43975]: }

If we add the to_json() exec in the input configuration, the debug output breaks in the same way. So, I think that the to_json procedure have a bug with nested json object.

<Extension json> Module xm_json </Extension>

<Extension charconv> Module xm_charconv </Extension>

powershell to recover counter metrics from a windows 2003 server at the same way as metrcbeat do it

<Input counters> Module im_exec InputType LineBased Command "%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe" Arg "-ExecutionPolicy" Arg "Bypass" Arg "-NoProfile" Arg "-File" Arg %ROOT%\modules\input\counters.ps1 Arg -interval Arg 60 Exec parse_json(); </Input>

<Output tcp> Module om_tcp Host elk Port 5045 Exec to_json(); </Output>

<Output debug> Module om_file CreateDir TRUE File "C:\Program Files\nxlog\data\debug.log" # if we uncomment this line, the debug file breaks at the same way #Exec to_json(); </Output>

<Route 1> Path counters => tcp </Route>

<Route 2> Path counters => debug </Route>

Hello,

I am evaluating NXLog using the Community Edition. I created input as shown below to monitor certain Windows events and forward them via email. Everything is working as expected except that $Message or $raw_event variables always return word "true" instead of actual details about the event. Is this a limitation of the CE or am I doing something else wrong? Many thanks in advance for your assistance.

<Input eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="Application"> <Select Path="Application">[System[Provider[@Name='Symantec AntiVirus' or @Name='Symantec Network Protection']]]</Select> </Query> </QueryList> </QueryXML> <Exec> exec("c:/utils/mailsend.exe", "-to", "info@***.com", "-body", $raw_event, "-subject", "Symantec EPP Alert"); </Exec> </Input>

Hello,

I have a windows app that send errors to windows eventlog and I need monitoring this. The event structure is this:

• <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
• <System> <Provider Name="AppName" /> <EventID Qualifiers="16384">1</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2019-08-02T10:43:01.000000000Z" /> <EventRecordID>91524</EventRecordID> <Channel>Application</Channel> <Computer>server.domain.es</Computer> <Security /> </System>
• <EventData> <Data>Full description error</Data> </EventData> </Event>

The problem is that when I send this event to Graylog for monitoring, I can't see the contain of EventData that its the most important. I'm reading that there are some problems with data without named.

Is there any solution?

Thanks

Hello,

I have some IIS logs that contain a single " and I am getting errors when I try to use parse_csv saying the data is invalid csv input. As soon as I take out the single ", the log sends fine.

What can I do to resolve this issue?