Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Tomcat localhost_access

Hi, I am trying to configure a regex to send logs from tomcat's localhost_access.log. I tested it in many online regex testers, but I get an error when I use it in nxlog.

Sample:

4.3.2.1 - - [21/Oct/2019:06:29:10 +0200] "GET /webapi?Subsystem=Order&Action=GetTradeReports&Exchange=GRATR&TS=1571632145141&trpt.a=0%2C1%2C3%2C4%2C5%2C6%2C8%2C9%2C10%2C11%2C13%2C15%2C17%2C47%2C52%2C53%2C57%2C58%2C59%2C60%2C61%2C62%2C63&Session=A.z27L1EKuJetOW0RD890Q3DXXK1zwo5eJ HTTP/1.1" 200 89

and config:

<Input tomcat_localhost>
    InputType multiline
    Module im_file
    File '/var/log/tomcat/localhost_access.log'
    <Exec>
        if $raw_event =~ /^(\S+) (\S+) (\S+) [([\w:/]+\s[+-]\d{4})] "(\S+)\s?(\S+)?\s?(\S+)?" (\d{3}|-) (\d+|-)\s?"?([^"])"?\s?"?([^"])?"?$/
        {
            $IP_address = $1;
            $EventTime = parsedate($4);
            $HTTPMethod = $5;
            $HTTPMethod = $4;
            $HTTPURL = $5;
            $HTTPResponseStatus = $8;
            $HTTPProtocol = $7;
            $Message = $6;
        }
    </Exec>
</Input>

error in log:

2019-10-21 10:01:08 ERROR Couldn't parse Exec block at /var/lib/graylog-sidecar/generated/nxlog.conf:61;couldn't parse statement at line 62, character 47 in /var/lib/graylog-sidecar/generated/nxlog.conf;failed to compile regular expression '^(\S+) (\S+) (\S+) [([\w:', error at position 26: missing terminating ] for character class

Why do they expect "]"?


sata11 created
Replies: 2
Issues migrating from Redis to Kafka(+Certificates)

We have the following problem.

We are currently migrating from REDIS to KAFKA on our windows server 2012 machines. In order to do this we are changing our nxlog.conf. (see below for entire configuration)

  • We cannot seem to get our certificates to work. Something to note is that the same certificates work on a linux machine in the same environment (acceptance)

  • Kafka is configured correctly, so that isn’t the problem. (considering that it works in a similar setup for a linux machine that connects to the same KAFKA topic with the same certificates.)

  • When we start the nxlog service like this, the service basically gets stuck in the starting phase of the service configuration. We need to force-kill the PID to breathe life back into it.

  • We changed the .jks (java keystore) into a .p12 extension via a keystore manipulator (keystore explorer), since we do not have JAVA running on these windows machines.

  • When we put Loglevel on DEBUG we get logging up until the kafka_out module but not further. (i.e. No information about handshaking etc.)

  • In the configuration we tried:
      o Protocol SSL with CAFILE and either (CertKeyFile and KeyPass) or (Keyfile as a cer file)
      o We didn't try converting it to a PEM.
      o I commented out the Partition parameter, since we use multiple partitions in our Kafka-bus, so it wouldn't make sense to aim for the first one all the time. (Noting that even if not commented out it also fails)

  • We use a root and an intermediate certificate for our CA-path.

  • There are hardly any examples for om_kafka modules, especially when you have more than 1 broker.

  • We are running with version nxlog-4.5.4503

Information I could find on the WWW

CAFile %CERTDIR%/cert-bundle.pem

CAFile %CERTDIR%/cacert.pem

CertFile %CERTDIR%/client-cert.pem

CertKeyFile %CERTDIR%/client-key.pem

KeyPass yourPasswordOfTheKey

#CAFile: This specifies the path of the certificate authority (CA) certificate, which will be used to check the certificate of the remote brokers. CAFile is required if Protocol is set to ssl or sasl_ssl.
#CertFile: This specifies the path of the certificate file to be used for the SSL handshake.
#CertKeyFile: This specifies the path of the certificate key file to be used for the SSL handshake.

Primary questions:

  • Can CAFILE be used with a keystore or only with a .PEM / .CRT file?
  • KeyPass is related to CertKeyFile. If there is a password on either CAFILE or KEYFILE how do I configure this then?
  • Is there a higher level of debug so we can see what happens after the statements in our logging?

NXLOG.CONF

#--GENERAL SETTINGS-----------------
envvar COMPUTERNAME
define ROOT O:\NXLOG
define ENV PRD
define APPLI MyPortal

# KAFKA environment
define KAFKA_TOPIC mon_myportal_topic
define KAFKA_BROKERLIST_PROD 'kafka-0.intranet:9093,kafka-1.intranet:9093,kafka-2.intranet:9093,kafka-3.intranet:9093,kafka-4.intranet:9093,kafka-5.intranet:9093,kafka-6.intranet:9093,kafka-7.intranet:9093,kafka-8.intranet:9093,kafka-9.intranet:9093,kafka-10.intranet:9093,kafka-11.intranet:9093'

#----------------------------------------------------------------------
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
SpoolDir %ROOT%\data
CertDir %ROOT%\cert
LogLevel DEBUG
LogFile %ROOT%\log\nxlog.log
#Pidfile %ROOT%\test\nxlog.pid
#----------------------------------------------------------------------

<Extension json>
    Module xm_json
</Extension>

<Output kafka_out>
    Module om_kafka
    BrokerList %KAFKA_BROKERLIST_PROD%
    Topic %KAFKA_TOPIC%
    #Partition 1
    Protocol ssl
    CAFile %CertDir%\client.truststore.p12
    CertFile %CertDir%\intermediairportal-PRD.crt
    CertKeyFile %CertDir%\intermediairportal-PRD.p12
    KeyPass <password obfuscated>
</Output>

include %ROOT%\conf\check1.conf
include %ROOT%\conf\check2.conf


JanVerhaag created
Replies: 1
exec_async calling powershell and passing script parameters

I'm trying to trigger a powershell script to run with passed parameters on pattern matching the contents of $message. The method itself works, I just cannot work out how to pass parameters to the script I'm calling.

<Input internal>
    Module im_internal
    Exec if ($message =~ /nxlog-ce-2.10.2150 started/) \
             exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1");
</Input>

My working test configuration is shown above. The script called nxlog_exec_async_test.ps1 is successfully called from an elevated shell if there is no parameter passed in.

exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test");

I've tried passing the parameter "test" in the following ways, but this doesn't work either, i.e.:

exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1", "test");

exec_async("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\Scripts\nxlog_exec_async_test.ps1 test");

The powershell script simply echoes a line out to a file, and its first line is: $testparm==$args[0] which assigns the first parameter to the variable $testparm.

Can anyone help? Cheers, Phil


pmeech created
Replies: 1
Windows Logs

Hello everyone, I have a Windows server that receives logs from other Windows hosts (a log collector), and from this last one the events are sent to a FortiSIEM. The problem is that in the SIEM the IP that appears is always the collector's IP, and all host events are identified by that IP. Is it possible to keep the original IP of each host?

My out config:

<Output out>
    Module om_tcp
    Host %OUTPUT_DESTINATION_ADDRESS%
    Port %OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000000;
    Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
    Exec $Message = to_json(); to_syslog_snare();
</Output>

Thanks


egas84 created
Replies: 1
Run-away logging involving NXLog
For about 5 years, I've been using NXLog to forward Windows logs from all of my Windows servers into a Graylog server. Recently, one of the servers developed an issue where there will be event ID 5156 ("The Windows Filtering Platform has permitted a connection") triggered when NXLog sends logs to the Graylog server, which triggers another event ID 5156, which triggers another and another and another and so on. So, logging from that one server goes from an average of 50,000/hr to as much as 10 million/hr. I don't see anything in the Windows event logs that seems to trigger the issue, but all I have to do is restart the NXLog service to break the loop and resume normal log forwarding for a couple of days. I've uninstalled/re-installed NXLog and upgraded to 'nxlog-ce-2.10.2150'. The server is essentially just a file server. It has Checkpoint Endpoint installed, but so do all of my other Windows servers.

Does anyone have any suggestions as to what causes this and how I can resolve the issue? I don't want to disable the events from the Windows Filtering Platform in total, but I wouldn't mind if I never saw one triggered by NXLog making network connections. Below is the same NXLog config I've used for all of the Windows servers, even the server I'm having the issue on. Any help you can give is greatly appreciated.

#define ROOT C:\Program Files (x86)\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module      im_msvistalog

    # Uncomment the following to collect specific event logs only
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module om_udp
    Host 172.xx.xx.xxx    # <-- redacted for this post
    Port 12201
    OutputType GELF
</Output>

<Route 1>
    Path in => out
</Route>


CityofRome created
Replies: 1
How to stop Failed SQL Execution?

Hi. I am new to NXLog. I am using the om_dbi module to execute some SQL to insert my logs into pqsql. But I get the following ERROR, "om_dbi failed to execute SQL statement", and NXLog tries to repeat this SQL again and again. How do I stop this loop of SQL execution after the first failure?


Bohdan.Lisovskyi created
Replies: 8
NXlog to read new log and send content of file to syslog server

Hello Team,

I am new to NXLog and we have a requirement to send the log file content below to a syslog server; the fields will be the same for every new log file. Can you please help in writing a conf file to send it to syslog?

Sample Log file.

OPSWAT - METADEFENDER KIOSK SCAN RESULTS

User ID: TRAININGLAB\syslog
Profile: Default
Session ID: 52CE90C9-73DC-4150-AE7F-1FDCFF933D3F

PROCESSING FINISHED SUCCESSFULLY

Process Start Time: 2019-09-21 16:09:36
Process Finish Time: 2019-09-21 16:10:55

MetaDefender Kiosk Version: 4.3.5.2010
MetaDefender Core Version: 4.16.2

Device Information
Manufacturer: (Standard disk drives)
Model: SanDisk Cruzer Blade USB Device
Serial Number: 4C530000260530107000
Device ID: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000260530107000&0
Media Type: USB Device
Partition Count: 1
Partition Name: Disk #1, Partition #0
Bootable: NO
Disk Usage: 39MB / 14GB
Scanning System: SYSTEM1

Full Media Scanned: NO
Full Media Processed: NO
Total Files Scanned: 7
Total Files Processed: 7

Blocked Files
No blocked files found

Blocked Actions Taken
- Sanitized: 0
- Quarantined: 0
- Deleted: 0
- Post Action Ran: 0
- Copied To Media: 0
- Copied To Directory: 0
- Copied To Vault Server: 0
- Moved To Media: 0
- Moved To Directory: 0
- Moved To Vault Server: 0
- Destination Media Wiped: NO

Allowed Actions Taken
- Sanitized: 0
- Post Action Ran: 0
- Copied To Media: 0
- Copied To Directory: 0
- Copied To Vault Server: 0
- Moved To Media: 0
- Moved To Directory: 0
- Moved To Vault Server: 0
- Destination Media Wiped: NO

Skipped Files: 0

Failed To Delete: 0

File Type Totals
application/octet-stream: 1
application/pdf: 2
application/x-dosexec: 2
text/plain: 2

ALLOWED FILES

  1.  PATH:           E:\New Text Document (6).txt
      SHA-256:        E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

  2.  PATH:           E:\SanDiskSecureAccess\DownloadSanDiskSecureAccess_Mac.pdf
      SHA-256:        B2E01B65F369095428DB35D59A41FDB80A5B16F6C496D7420D814B63CC8EEDCB

  3.  PATH:           E:\SanDiskSecureAccess\SanDisk_SecureAccess_QSG.PDF
      SHA-256:        BC6D908229CA23F0FA78690BF5CD498F67A6FDB5CD368A4F89BABC98427A93CB

  4.  PATH:           E:\New Text Document (7).txt
      SHA-256:        BDED243D2EEDEEF19D62D88A361A7019A007363BBBF429A873320015B865A456

  5.  PATH:           E:\sgbox.txt
      SHA-256:        CA3ED41768F78C7E61BC782716010A208DE09464BDEB283D27DABE57318EE3B8

  6.  PATH:           E:\SanDiskSecureAccessV3.1_win.exe
      SHA-256:        829F3BC240D26077AC00CE58B15D7D349E5D473B83629D3CC404A34BA865C9EC

  7.  PATH:           E:\epm.exe
      SHA-256:        3D878E578E7340443785D4DC6CEA0A5B415D3BB107AFB0282DFEBF776930B216

sunilj777 created
Replies: 7
Nxlog & Android 8.1

Hi all, I installed the .apk file (nxlog-1.4.571.apk) on a phone with Android 8.1. When I click on "Start" I get the following error message:

Verifying config ... "/data/data/com.nxsec.nxlog/nxlog": error: Android 5.0 and later only support position-independent executables (-fPIE).

How can I solve it? Is there a version compatible with android>5? Thanks!


sec created
Replies: 1
im_odbc query Oracle 12g sys.aud$ table

Hello, I'm trying to query the Oracle sys.aud$ table using the nxlog ODBC input module (Oracle 12.1.0.2.0) for new audit events. I'm using NXLog and the odbc module 4.3.4308. The error that NXLog presents me is: ERROR SQLDescribeParam returned zero parameter_size or decimal_digit(999, 0)

I'm querying the table as follows:

<Input input-asdf>
    Module im_odbc
    SQL select NTIMESTAMP# AS id, SESSIONID, ENTRYID, STATEMENT, TIMESTAMP#, USERID, USERHOST, TERMINAL, ACTION#, RETURNCODE, OBJ$CREATOR, OBJ$NAME, AUTH$PRIVILEGES, AUTH$GRANTEE, NEW$OWNER, NEW$NAME, SES$ACTIONS, SES$TID, LOGOFF$LREAD, LOGOFF$PREAD, LOGOFF$LWRITE, LOGOFF$DEAD, LOGOFF$TIME, COMMENT$TEXT, CLIENTID, SPARE1, SPARE2, OBJ$LABEL, SES$LABEL, PRIV$USED, SESSIONCPU, NTIMESTAMP#, PROXY$SID, USER$GUID, INSTANCE#, PROCESS#, XID, AUDITID, SCN, DBID, SQLBIND, SQLTEXT, OBJ$EDITION FROM sys.aud$ WHERE NTIMESTAMP# > ? order by NTIMESTAMP# ASC;
    ConnectionString DSN=asdf;uid=fdsa;pwd=fdsa;database=asdf
    SavePos TRUE
    MaxIdSQL select MAX(NTIMESTAMP#) as maxid from sys.aud$
    PollInterval 900
    IdType Timestamp
</Input>

I'm not sure if the NTIMESTAMP# column is in the correct format, so I tried casting it into a datetime using TO_DATE(TO_CHAR(NTIMESTAMP#, 'YYYY-MM-DD HH24:MI:SS'), 'YYYY-MM-DD HH24:MI:SS'), since according to the documentation NTIMESTAMP# is of type Timestamp(6). If it is better to query using another parameter, I'm also happy to use another parameter from the sys.aud$ table!

Also I had the problem before that when restarting the NXLog agent some data would be queried again. I figured that this should be resolved with the MaxIdSQL parameter, however I couldn't verify that yet.

Best regards


ppum created
Replies: 1
Module im_odbc

Is im_odbc available for NXLog community version?


Ricardo.Passos created
Replies: 1
to_json() doesn't parse nested objects and breaks the JSON string

Hello, I'm having trouble sending logs in JSON format generated from a command. The command generates one JSON per line (JSON syntax checked with jsonlint and all JSON lines are ok; I sent the input log to an output file for debugging and the JSON is ok):

{"metricset":{"module":"system","name":"memory"},"system":{"memory":{"total`":4294967296,"free":1709912064,"used":{"bytes":2585055232,"pct":60.19},"swap":{"total":2046,"free":2012,"used":{"bytes":34,"pct":1.66}}}}}
{"metricset":{"module":"system","name":"cpu"},"system":{"cpu":{"cores": 1,"idle":{"pct":99},"irq":{"pct":0},"system":{"pct":0},"user":{"pct":1}}}}

When nxlog sends the data to logstash with om_tcp, logstash receives the following (look at the system field, it's not the same as the one generated in the input):

Oct 01 03:04:54 elk logstash[43975]: {
Oct 01 03:04:54 elk logstash[43975]:     "SourceModuleName" => "counters",
Oct 01 03:04:54 elk logstash[43975]:     "system" => "{"cpu":{"cores":1,"idle":{"pct":99}"irq":{"pct":0}"system":{"pct":0}"user":{"pct":1}",
Oct 01 03:04:54 elk logstash[43975]:     "@timestamp" => 2019-10-01T01:04:54.022Z,
Oct 01 03:04:54 elk logstash[43975]:     "SourceModuleType" => "im_exec",
Oct 01 03:04:54 elk logstash[43975]:     "port" => 3150,
Oct 01 03:04:54 elk logstash[43975]:     "@metadata" => {
Oct 01 03:04:54 elk logstash[43975]:         "input" => "tcp",
Oct 01 03:04:54 elk logstash[43975]:         "week" => "2019.10-40",
Oct 01 03:04:54 elk logstash[43975]:         "month" => "2019.10",
Oct 01 03:04:54 elk logstash[43975]:         "stdout" => "true",
Oct 01 03:04:54 elk logstash[43975]:         "index" => "in-test-nxlog-2019.10-40",
Oct 01 03:04:54 elk logstash[43975]:         "day" => "2019.10.01"
Oct 01 03:04:54 elk logstash[43975]:     },
Oct 01 03:04:54 elk logstash[43975]:     "@version" => "1",
Oct 01 03:04:54 elk logstash[43975]:     "metricset" => "{"module":system,"name":cpu}",
Oct 01 03:04:54 elk logstash[43975]:     "client" => {
Oct 01 03:04:54 elk logstash[43975]:         "ip" => "10.71.218.62"
Oct 01 03:04:54 elk logstash[43975]:     },
Oct 01 03:04:54 elk logstash[43975]:     "EventReceivedTime" => "2019-10-01 03:03:58"
Oct 01 03:04:54 elk logstash[43975]: }

If we add the to_json() Exec in the input configuration, the debug output breaks in the same way. So, I think that the to_json procedure has a bug with nested JSON objects.

<Extension json>
    Module xm_json
</Extension>

<Extension charconv>
    Module xm_charconv
</Extension>

# powershell to recover counter metrics from a windows 2003 server the same way metricbeat does it
<Input counters>
    Module im_exec
    InputType LineBased
    Command "%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe"
    Arg "-ExecutionPolicy"
    Arg "Bypass"
    Arg "-NoProfile"
    Arg "-File"
    Arg %ROOT%\modules\input\counters.ps1
    Arg -interval
    Arg 60
    Exec parse_json();
</Input>

<Output tcp>
    Module om_tcp
    Host elk
    Port 5045
    Exec to_json();
</Output>

<Output debug>
    Module om_file
    CreateDir TRUE
    File "C:\Program Files\nxlog\data\debug.log"
    # if we uncomment this line, the debug file breaks in the same way
    #Exec to_json();
</Output>

<Route 1>
    Path counters => tcp
</Route>

<Route 2>
    Path counters => debug
</Route>


justo.alonso created
Replies: 1
Problem with Windows event log details

Hello,

I am evaluating NXLog using the Community Edition. I created input as shown below to monitor certain Windows events and forward them via email. Everything is working as expected except that $Message or $raw_event variables always return word "true" instead of actual details about the event. Is this a limitation of the CE or am I doing something else wrong? Many thanks in advance for your assistance.

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">[System[Provider[@Name='Symantec AntiVirus' or @Name='Symantec Network Protection']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        exec("c:/utils/mailsend.exe", "-to", "info@***.com", "-body", $raw_event, "-subject", "Symantec EPP Alert");
    </Exec>
</Input>


c9482 created
Replies: 1
Windows eventlog problem with EventData within tag

Hello,

I have a Windows app that sends errors to the Windows event log and I need to monitor this. The event structure is this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AppName" />
    <EventID Qualifiers="16384">1</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-08-02T10:43:01.000000000Z" />
    <EventRecordID>91524</EventRecordID>
    <Channel>Application</Channel>
    <Computer>server.domain.es</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Full description error</Data>
  </EventData>
</Event>

The problem is that when I send this event to Graylog for monitoring, I can't see the content of EventData, which is the most important part. I'm reading that there are some problems with data without names.

Is there any solution?

Thanks


hgoalv created
Replies: 1
IIS logs containing quotes are not processing

Hello,

I have some IIS logs that contain a single " and I am getting errors when I try to use parse_csv saying the data is invalid csv input. As soon as I take out the single ", the log sends fine.

What can I do to resolve this issue?


Deleted user created
Replies: 8
Cannot extract data from regex? All variables are always empty

Hello, I'm trying to send Windows DNS logs through NXLog, but I'm having a problem. I followed the documentation and ended up with the following config file.

Events seem to match the regex, but then I can't seem to use any of the named group names ($Date, $QuestionName, ... any). I tried log_info(); but it always shows up as an empty string in the log file:

  • This: log_info('q is ' + $QuestionName);
  • Shows up in logs as "q is" (and nothing else)

Does anyone know what I'm doing wrong? I don't see "no match" in my logfile, so I guess events always match the EVENT_REGEX.

I've been struggling with this for 24 hours... I even tried unnamed capture groups, but $0, $1... also always show up empty.

(config file also at https://pastebin.com/s4CaJg9k in case of problems)

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Example data:
#14-09-19 09:20:39 0B64 PACKET 0000005487B8E130 UDP Rcv 172.30.2.30 486a Q [0001 D NOERROR] AAAA (7)outlook(9)office365(3)com(8)transfer(2)be(0)
#14-09-19 09:20:39 0B60 PACKET 0000005487FAC120 UDP Rcv 172.30.1.38 9b88 Q [0001 D NOERROR] AAAA (7)outlook(9)office365(3)com(0)

define EVENT_REGEX /(?x)(?<Date>\d+(?:-\d+){2})\s (?<Time>\d+(?::\d+){2})\s (?<ThreadId>\w+)\s+ (?<Context>\w+)\s+ (?<InternalPacketIdentifier>[[:xdigit:]]+)\s+ (?<Protocol>\w+)\s+ (?<SendReceiveIndicator>\w+)\s (?<RemoteIP>[[:xdigit:].:]+)\s+ (?<Xid>[[:xdigit:]]+)\s (?<QueryType>\s|R)\s (?<Opcode>[A-Z]|?)\s (?<QFlags>[(.?)])\s+ (?<QuestionType>\w+)\s+ (?<QuestionName>.)/
define EMPTY_EVENT_REGEX /(^$|^\s+$)/
define DOMAIN_REGEX /(\d+)([\w-]+)(\d+)([\w-]+)/
define SUBDOMAIN_REGEX /(\d+)([\w-]+)(\d+)([\w-]+)(\d+)(\w+)/
define NOT_STARTING_WITH_DATE_REGEX /^(?!\d+-\d+-\d+).+/
define QFLAGS_REGEX /(?x)(?<FlagsHex>\d+)\s+ (?<FlagsCharCodes>\s+|([A-Z]{2}|[A-Z]))\s+ (?<ResponseCode>\w+)/

<Extension _json>
    Module xm_json
</Extension>

<Input in>
    Module im_file
    File 'C:\dnslog\dns.log'
    <Exec>
        # Drop entries that have empty lines
        if $raw_event =~ %EMPTY_EVENT_REGEX% drop();

        # Drop entries not starting with date
        if $raw_event =~ %NOT_STARTING_WITH_DATE_REGEX% drop();

        # Split entries into fields & define regular entries
        if $raw_event =~ %EVENT_REGEX%
        {
            $Regular = TRUE;
            #$EventTime = parsedate($Date + " " + $Time);
            $Raw = $raw_event;
            #delete($date);
            #delete($time);
            if $FlagsCharCodes =~ /^\s+$/ delete($FlagsCharCodes);

            # Convert domains from (8)mydomain(1)com to mydomain.com
            if $QuestionName =~ %DOMAIN_REGEX% $QuestionName = $1 + "." + $2;

            # Convert domains from (8)sub(8)mydomain(1)com to sub.mydomain.com
            if $QuestionName =~ %SUBDOMAIN_REGEX% $QuestionName = $1 + "." + $2 + "." + $3;

            # Set query flags
            if $QFlags =~ %QFLAGS_REGEX% delete($QFlags);

            # Set the query type
            if $QueryType =~ %EMPTY_EVENT_REGEX% $QueryType = "query";
            else $QueryType = "response";

            log_info('q is ' + $QuestionName);
        }
        else
        {
            $Regular = FALSE;
            $Raw = $raw_event;
            log_info("no match");
        }
    </Exec>
</Input>

<Output out>
    Module om_file
    Exec to_json();
    File 'C:\output-dns-traffic.json'
</Output>

<Route r1>
    Path in => out
</Route>


lostence created
Replies: 5
NXLog using 35-45% CPU on vCenter server

We installed version 2.10.2150 and are using the standard out-of-the-box config file to send syslogs to the clone. Is there anything we can do to reduce CPU consumption? Here is our config file, but I have removed the IP of our clone server:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

# Windows Event Log
<Input eventlog>
    Module im_msvistalog
</Input>

<Output tcp>
    Module om_tcp
    Host xx.xx.xx.xx
    Port 514
    Exec to_syslog_snare();
</Output>

<Route eventlog_to_tcp>
    Path eventlog => tcp
</Route>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>


cperrone created
Replies: 4
Nxlog Service stopped

Hi, I have many nxlog instances in the infrastructure that we have just implemented. I have a simple question. My nxlog config file does not show an error when I run Nxlog.exe -f in the command prompt, but the service is stopped. I would like to know: if no data is being forwarded at the moment, does the service stay shut down and start up when it needs to send data? Greetings,


MaxiTremblaycgi created
Replies: 1
Module om_http: SSL certificate verification failed

Hi,

I use the om_http module to send events to a host via https, but after starting, NXLog shows this error:

ERROR SSL certificate verification failed: self signed certificate in certificate chain (err: 19)

Thanks for your ideas!


hatula created
Replies: 1
Nxlog CE only logging data for local host

Hi, I am using nxlog CE on Win2016 and have configured it to log data to Windows event files.
I am sending dummy syslog using the Kiwi syslog generator with random hosts from the subnet. I can also see the data from the random hosts in a syslog watcher, but it is not logged in the files. Why is it not saving the data for the syslog traffic, please?

here is my config.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in1>
    Module im_tcp
    Host 10.43.9.220
    Port 514
</Input>

<Input in2>
    Module im_udp
    Host 0.0.0.0
    Port 514
</Input>

<Input in>
    Module im_msvistalog
    Exec $Message = to_json();
</Input>

<Output out>
    Module om_file
    CreateDir TRUE
    File 'C:\nxlog\Syslog' + "_" + strftime(now(),"%Y-%m-%d") + ".log"
    OutputType LineBased
</Output>

<Route R1>
    Path in1, in2, in => out
</Route>

Any help is appreciated.


nxloguser created
Replies: 1
NXLog does not forward logs

Hi Team,

Recently I started testing NXLog and was trying to simulate log forwarding to other syslog servers. My logs are stored in *.log files and I want to forward them to another syslog destination. But after so many attempts I still fail, and my logs are not forwarded. I also tried writing to another file using om_file, but that does not help me either. NXLog's own logs are not much help, as it is stuck at just "Connecting to X.X.X.X:514" and never does anything beyond that. It does not show any warning or error either. How do I investigate what went wrong?

I am on Ubuntu 16.04 with NXLog CE 2.10.2150 downloaded from this portal.

Below is my configuration,

<Input infile1>
    Module im_file
    File "/opt/logs/pix.log"
    InputType LineBased
</Input>

<Output outfile1>
    Module om_file
    CreateDir TRUE
    File "/opt/logs/output.log"
</Output>

<Output outtcp1>
    Module om_tcp
    Host X.X.X.X
    Port 514
</Output>

<Route r1>
    Path infile1 => outtcp1, outfile1
</Route>

I have checked on the network side: I did Telnet (for TCP) and NC (for UDP) and everything works fine; even rsyslog is able to forward data, but NXLog fails.


ashutosh created
Replies: 3