
How Do I Send IIS v8.5 Logs in W3C Format to a Linux Syslog Server?
I would like to send IIS v8.5 logs over to a Linux syslog server. I have all parts installed, but need help with the nxlog agent configuration on the IIS server (Win2012 R2). My current configuration is attached. There are errors in the Win2012 nxlog agent's log file, and I am unable to fix them all; they are attached as well. I had to comment out parts like writing to a local file in order to get the agent running. I would like to have that work as well. It created the file but it's empty.

Config (errors are further below):

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_syslog

# Module xm_fileop

Module xm_csv
Fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, \
    s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), \
    sc-status, sc-substatus, sc-win32-status, time-taken
FieldTypes string, string, string, string, string, string, integer, \
    string, string, string, string, integer, integer, integer, \
    integer
Delimiter ' '
EscapeChar '"'
QuoteChar '"'
EscapeControl FALSE
UndefValue -

Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\\\*.log"
    if $raw_event =~ /^#/ drop();
    else
    {
        w3c_parser->parse_csv();
        $EventTime = parsedate($date + "T" + $time + ".000Z");
    }

#
# Module om_tcp
# File 'C:\outputiis.log'
# Exec to_syslog_bsd();
#

Module om_tcp
Host 10.0.3.163
Port 514
Exec to_syslog_bsd();

Path iis_w3c => out_tcp
Path iis_w3c => out_file_iis

Module xm_json

Module xm_charconv
AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2, ucs-2le

##########################################
## NXLOG INTERNAL LOG ##
##########################################
# Nxlog internal logs - Recommended to keep this turned ON so error(s)/Issues with NXLog are reported.
Module im_internal
Exec $Hostname = hostname_fqdn();
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();

##########################################
## FLAT FILES ##
##########################################
## http://nxlog-ce.sourceforge.net/nxlog-docs/en/nxlog-reference-manual.html#im_file
## Input to watch a file of your choosing. After Input, name it whatever you want to describe that NXLog
## is pulling, then add that name to the path in Route 1 after eventlog. Can be separated for filtering diff logs.
## After setting the Message as raw_event this converts the message to UTF-8, drops empty messages
## removes extra whitespace, grabs the file name as LogFile, adds the FQDN, and deletes a useless var
## Pulls all logfiles from the default ITS Log Location
## It is Recommended to LEAVE THIS ENABLED
## Ensure that "ITS_Logs" is specified in the correct Route at the bottom for output
Module im_file
File "C:\\ITS\\Logs\\\\*.log"
SavePos TRUE
Recursive TRUE
Exec $Message = $raw_event;
Exec $Message = convert($Message, "ucs-2le", "utf-8");
Exec if $Message == '' drop();
Exec if $Message =~ s/^\s+//g log_debug("whitespace removed");
Exec if file_name() =~ /([^\\]+)$/ $LogFile = $1;
Exec $Hostname = hostname_fqdn();
Exec delete($SourceModuleType);
Exec $EventTime = $EventReceivedTime;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
Exec to_json();

Error Message:

2019-09-11 12:08:56 ERROR if-else failed at line 46, character 9 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 44, character 36 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer "/", invalid modifier: '/'
2019-09-11 12:09:26 ERROR last message repeated 5 times

bk created
Replies: 1
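The error quoted in the IIS question above comes from parse_csv() typing a column as integer. The added example below is not the post's configuration and not NXLog code: it reads the field order from the log's own #Fields header instead of a hard-coded list, reports per line which field failed integer conversion and with what value, and renders each record as an RFC 3164 syslog line the way to_syslog_bsd() would. The field names and integer types are the ones the post's xm_csv block lists; the log lines are constructed samples, and SHIFTED_LOG models a server that writes a different column set than the parser assumes.

```python
"""Parse IIS W3C extended log lines by their #Fields header and emit BSD syslog.

Added example (not the post's configuration, not NXLog code). Field names and
integer types are taken from the post; all log lines here are constructed.
"""
from datetime import datetime, timezone

# The post's xm_csv Fields list, in order.
POST_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
               "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
               "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]
# Fields the post types as integer; every other field stays a string.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}
UNDEF = "-"  # W3C "no value" marker (the post's UndefValue)

# Constructed sample: default IIS 8.5 field set, two requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2019-09-11 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-09-11 12:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.9 Mozilla/5.0+(Windows+NT+6.3) - 200 0 0 15
2019-09-11 12:00:02 10.0.0.5 POST /login - 443 alice 10.0.0.9 Mozilla/5.0 http://example.test/ 302 0 0 120
"""

# Constructed sample: same column count, different column set (no cs-uri-query,
# extra cs-version). Read against POST_FIELDS, "bob" lands in s-port.
SHIFTED_LINE = "2019-09-11 12:00:03 10.0.0.5 GET /a 80 bob 10.0.0.9 HTTP/1.1 Mozilla/5.0 - 200 0 0 15"
SHIFTED_LOG = ("#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs-version "
               "cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken\n"
               + SHIFTED_LINE + "\n")
MISLABELLED_LOG = "#Fields: " + " ".join(POST_FIELDS) + "\n" + SHIFTED_LINE + "\n"


def parse_line(fields, line):
    """Split one data line against the given field order and apply the integer types."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"{len(values)} columns, header has {len(fields)}")
    record = {}
    for name, value in zip(fields, values):
        if value == UNDEF:
            record[name] = None
        elif name in INTEGER_FIELDS:
            if not value.isdigit():
                raise ValueError(f"field {name!r} is not an integer: {value!r}")
            record[name] = int(value)
        else:
            record[name] = value
    # Same construction as the post's parsedate($date + "T" + $time + ".000Z").
    record["EventTime"] = datetime.strptime(
        f"{record['date']}T{record['time']}", "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return record


def load(text, expected_fields=None):
    """Return (records, errors). Errors are collected per line instead of aborting.

    expected_fields is the list a downstream parser hard-codes; a #Fields header
    that differs from it is reported so the mismatch is visible, not silent."""
    records, errors, fields = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                if expected_fields is not None and fields != expected_fields:
                    errors.append(f"line {lineno}: #Fields header differs from the configured field list")
            continue  # #Software, #Version, #Date carry no event
        if fields is None:
            errors.append(f"line {lineno}: data before any #Fields header")
            continue
        try:
            records.append(parse_line(fields, line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return records, errors


def to_syslog_bsd(record, hostname="iisweb01", tag="iis", facility=1, severity=6):
    """Render a record as an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: key=value ..."""
    t = record["EventTime"]
    stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"  # BSD timestamps space-pad the day
    body = " ".join(f"{k}={v}" for k, v in record.items()
                    if k != "EventTime" and v is not None)
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {body}"


if __name__ == "__main__":
    recs, errs = load(SAMPLE_LOG, POST_FIELDS)
    for r in recs:
        print(to_syslog_bsd(r))
    for e in errs + load(MISLABELLED_LOG)[1]:
        print("ERROR", e)
```

Running it prints two syslog lines for SAMPLE_LOG and one error for MISLABELLED_LOG naming the field (s-port) and the value it received, which is the information a "cannot parse integer" message alone does not give.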
send a test message syslog

Hello, I have the following nxlog configuration file:

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    #Exec if not ($EventID IN (4624, 1102)) drop();
</Input>

<Output out>
    Module om_udp
    Host xx.xxx.xx
    Port 514
    Exec to_syslog_snare();
</Output>

<Route>
    Path in => out
</Route>

I am sending Windows log events to a syslog server.

I would like to know how I can send a "connector is ok" test message every hour.

Can you help me?


GustavoM created
Replies: 1
How to filter a Powershell Message to NOT send

Hello NXLog folks!!

I'm trying to send all PowerShell alerts to our log server, but I want to exclude those generated by a specific executable. Since the PowerShell transcription doesn't list the exe as $process, but instead in the context info, how does one filter that out? In this case, anything coming from tsm.exe, tsmv.exe or tsmv1.exe.

All insight is welcome

Thanks

TP

Here's a sample of the log:

CommandInvocation(Set-StrictMode): "Set-StrictMode"
ParameterBinding(Set-StrictMode): name="Version"; value="1.0"

Context:
        Severity = Informational
        Host Name = Windows PowerShell ISE Host
        Host Version = 5.1.17134.858
        Host ID = 8ae5c6dd-1af0-4e65-aeac-7a67be38f4e4
        Host Application = C:\Program Files\TSM\TSM.exe
        Engine Version = 1.0
        Runspace ID = f1c12215-0436-4e63-8bf2-2bfadf608c65
        Pipeline ID = 385
        Command Name = Set-StrictMode
        Command Type = Cmdlet
        Script Name =
        Command Path =
        Sequence Number = 53836
        User =
        Connected User =
        Shell ID =

Here's our Log selection snippet:

<Input in>
    Module im_msvistalog
    Query <QueryList>
        <Query Id="0">
            <Select Path="Security"></Select>
            <Select Path="System">[System/Level=4]</Select>
            <Select Path="Application"></Select>
            <Select Path="Setup"></Select>
            <Select Path='Windows PowerShell'></Select>
            <Select Path='Microsoft-Windows-AAD/Operational'></Select>
            <Select Path='Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'></Select>
            <Select Path='Microsoft-Windows-Application-Experience/Program-Telemetry'></Select>
            <Select Path='Microsoft-Windows-AppLocker/EXE and DLL'></Select>
            <Select Path='Microsoft-Windows-AppLocker/MSI and Script'></Select>
            <Select Path='Microsoft-Windows-AppLocker/Packaged app-Deployment'></Select>
            <Select Path='Microsoft-Windows-AppLocker/Packaged app-Execution'></Select>
            <Select Path="Microsoft-Windows-Sysmon/Operational"></Select>
            <Select Path="Microsoft-Windows-PowerShell/Admin"></Select>
            <Select Path="Microsoft-Windows-PowerShell/Operational"></Select>
            <Select Path='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'></Select>
            <Select Path='Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose'>*</Select>
        </Query>
    </QueryList>
</Input>


Thomas_Powers created
Replies: 1
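The PowerShell question above needs the filter to look inside the Context block rather than at a top-level field. The added example below is not the post's configuration and not NXLog code: it parses the "Key = Value" lines that follow "Context:" into a dictionary, takes the executable name out of Host Application (which on real events may carry a command line after the path, so the first ".exe" token is used rather than the whole string), and drops an event only when that basename is one of the three the post names. Events with no Context block at all are kept rather than silently discarded. The first sample event is built from the post's excerpt; the other two are constructed.

```python
"""Filter PowerShell transcription events by the Host Application in their Context block.

Added example (not the post's configuration, not NXLog code). The excluded
executables are the ones the post names; the sample events are constructed
from the post's excerpt plus two invented ones.
"""
import re

# Executables the post wants excluded, matched on the basename, case-insensitively.
EXCLUDED_HOST_APPS = {"tsm.exe", "tsmv.exe", "tsmv1.exe"}

SAMPLE_EVENTS = [
    # From the post's excerpt: an ISE session hosted by TSM.exe.
    'CommandInvocation(Set-StrictMode): "Set-StrictMode"\n'
    'ParameterBinding(Set-StrictMode): name="Version"; value="1.0"\n'
    "\n"
    "Context:\n"
    "        Severity = Informational\n"
    "        Host Name = Windows PowerShell ISE Host\n"
    "        Host Version = 5.1.17134.858\n"
    "        Host ID = 8ae5c6dd-1af0-4e65-aeac-7a67be38f4e4\n"
    "        Host Application = C:\\Program Files\\TSM\\TSM.exe\n"
    "        Engine Version = 1.0\n"
    "        Command Name = Set-StrictMode\n"
    "        Command Type = Cmdlet\n"
    "        Script Name = \n"
    "        User = \n",
    # Constructed: an interactive console with arguments after the path; must be forwarded.
    'CommandInvocation(Get-Process): "Get-Process"\n'
    "\n"
    "Context:\n"
    "        Severity = Informational\n"
    "        Host Name = ConsoleHost\n"
    "        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile\n"
    "        Command Name = Get-Process\n"
    "        User = CORP\\alice\n",
    # Constructed: no Context block at all; kept rather than silently dropped.
    "Engine state is changed from None to Available.\n",
]

CONTEXT_START = re.compile(r"(?m)^Context:\s*$")
CONTEXT_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")
# First token ending in .exe; tolerates a command line after the path.
EXE_NAME = re.compile(r"([^\\/\s]+\.exe)\b", re.IGNORECASE)


def parse_context(message):
    """Return the Context: block of a PowerShell 800/4103-style message as a dict."""
    start = CONTEXT_START.search(message)
    if not start:
        return {}
    ctx = {}
    for line in message[start.end():].splitlines():
        field = CONTEXT_LINE.match(line)
        if field:
            ctx[field.group(1)] = field.group(2)
    return ctx


def host_executable(ctx):
    """Lower-cased basename of the hosting executable, or '' when absent."""
    match = EXE_NAME.search(ctx.get("Host Application", ""))
    return match.group(1).lower() if match else ""


def should_drop(message):
    """True only when the hosting executable is on the exclusion list."""
    return host_executable(parse_context(message)) in EXCLUDED_HOST_APPS


def filter_events(events):
    """Return the events to forward; the dropped ones are what NXLog's drop() would discard."""
    return [event for event in events if not should_drop(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("DROP" if should_drop(event) else "KEEP", repr(host_executable(parse_context(event))))
```

The first sample is dropped, the console session and the Context-less engine event are kept. Matching on the basename rather than the full path means a copy of tsm.exe run from another directory is still excluded; if that is not wanted, compare the full path instead.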
Issues with "xm_set.dll", The specified module could not be found.

Hi,

I'm trying to use nxlog to extract three metrics from a .set file. My OS is Windows 10. I edited the .conf file in "C:\Program Files (x86)\nxlog\conf" and it looks like this:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension json>
    Module xm_json
</Extension>

<Extension sikora>
    Module xm_set
    Fields $Nominal, $PlusTol, $Oval          # fields of interest (metrics)
    FieldTypes string, string, string         # type of variable
    Delimiter ;
    EscapeControl FALSE
</Extension>

<Input sikora_logs>
    Module im_file
    File "C:\Users\50051145\Desktop\nx_log\\*.set"    # input file
    #ReadFromLast True
    #Recursive True
    #SavePos True
    ReadFromLast False
    Recursive False
    SavePos False

    <Exec>
        if $raw_event =~ /^Macrosezione : (.+)/        # variable creation
        {
            create_var('macrosection');
            set_var('macrosection', $1);
            drop();
        }

        sikora->parse_set();
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);

        if $raw_event =~ /^Operatore /
        {                                              # variable definition for the timestamp
            if not defined get_var('start_time')
            {
                log_debug("parsed_time: " + strptime($time, "%d/%m/%Y %I:%M:%S"));
                create_var('start_time');
                set_var('start_time', strptime($time, "%d/%m/%Y %I:%M:%S"));
                drop();
            }
            else
            {
                if get_var('start_time') != strptime($time, "%d/%m/%Y %I:%M:%S")
                {
                    log_debug("old_time: " + get_var('start_time'));
                    log_debug("new_time: ", $time);
                    set_var('start_time', strptime($time, "%d/%m/%Y %I:%M:%S"));
                    drop();
                }
            }
        }

        $time = (integer(get_var('start_time')) / 1000000 + integer($time)) * 1000;   # formula to convert the timestamp to milliseconds
        $pressure = integer($pressure);
        $macrosection = get_var('macrosection');
        $nominal = get_var('nominal');
        $type = get_var('type');

        to_json();
    </Exec>
</Input>

<Output out>
    Module om_file                                        #
    CreateDir TRUE                                        #
    File "C:\Users\50051145\Desktop\temp" + $fileName     # output file
</Output>

<Route 1>
    Path sikora_logs => out
</Route>

When I run the program I expect an output file in a folder on my desktop "C:\Users\50051145\Desktop\temp" but I get nothing. I checked the logs and I get this:

2019-09-10 18:20:34 ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\extension\xm_set.dll, The specified module could not be found.  ; The specified module could not be found.
2019-09-10 18:20:34 ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\output\om_file                                         #.dll, The specified module could not be found.  ; The specified module could not be found.
2019-09-10 18:20:34 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:38; couldn't parse statement at line 45, character 28 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; module sikora not found
2019-09-10 18:20:34 ERROR module 'sikora_logs' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:93
2019-09-10 18:20:34 ERROR module 'out' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:93
2019-09-10 18:20:34 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:93
2019-09-10 18:20:34 WARNING no routes defined!
2019-09-10 18:20:34 WARNING not starting unused module sikora_logs
2019-09-10 18:20:34 INFO nxlog-ce-2.10.2150 started
2019-09-11 11:10:27 WARNING stopping nxlog service
2019-09-11 11:10:27 WARNING nxlog-ce received a termination request signal, exiting...

It appears that the xm_set.dll library is missing ("The specified module could not be found"). I found out in "C:\Program Files (x86)\nxlog\modules\extension" that nxlog doesn't come with a .set library. How can I add this library?

Thank you


IoT_fra_87 created
Replies: 1
View post »
last updated
Parsing Problems

Hello All,

I have a huge .csv file; it contains logs from a ServiceNow instance. I have the following nxlog configuration file, but when I run the parser, the error file I generate exceeds 1 GB. The source file itself is only about 225 MB.

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension multiline>
    Module xm_multiline
    HeaderLine /^\d{1,2}\/\d{1,2}\/\d{4}\s/
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension csv>
    Module xm_csv
    Fields $Created, $Level, $Message, $Source, $CreatedBy
    FieldTypes string, string, string, string, string
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos TRUE
    Query <QueryList>
        <Query Id="0">
            <Select Path="Security">[System[(EventID=4768)]]</Select>
            <Select Path="Security">[System[(EventID=4769)]]</Select>
            <Select Path="Security">[System[(EventID=4771)]]</Select>
            <Select Path="Security">[System[(EventID=4624)]]</Select>
            <Select Path="Security">[System[(EventID=4625)]]</Select>
            <Select Path="Security">[System[(EventID=4634)]]</Select>
            <Select Path="Security">[System[(EventID=4647)]]</Select>
            <Select Path="Security">[System[(EventID=4648)]]</Select>
            <Select Path="Security">[System[(EventID=4656)]]</Select>
            <Select Path="Security">[System[(EventID=4719)]]</Select>
            <Select Path="Security">[System[(EventID=4720)]]</Select>
            <Select Path="Security">[System[(EventID=4722)]]</Select>
            <Select Path="Security">[System[(EventID=4723)]]</Select>
            <Select Path="Security">[System[(EventID=4724)]]</Select>
            <Select Path="Security">[System[(EventID=4725)]]</Select>
            <Select Path="Security">[System[(EventID=4726)]]</Select>
            <Select Path="Security">[System[(EventID=4727)]]</Select>
            <Select Path="Security">[System[(EventID=4728)]]</Select>
            <Select Path="Security">[System[(EventID=4729)]]</Select>
            <Select Path="Security">[System[(EventID=4730)]]</Select>
            <Select Path="Security">[System[(EventID=4731)]]</Select>
            <Select Path="Security">[System[(EventID=4732)]]</Select>
            <Select Path="Security">[System[(EventID=4733)]]</Select>
            <Select Path="Security">[System[(EventID=4734)]]</Select>
            <Select Path="Security">[System[(EventID=4735)]]</Select>
            <Select Path="Security">[System[(EventID=4737)]]</Select>
            <Select Path="Security">[System[(EventID=4738)]]</Select>
            <Select Path="Security">[System[(EventID=4739)]]</Select>
            <Select Path="Security">[System[(EventID=4741)]]</Select>
            <Select Path="Security">[System[(EventID=4742)]]</Select>
            <Select Path="Security">[System[(EventID=4743)]]</Select>
            <Select Path="System">[System[(EventID=7036)]]</Select>
            <Select Path="Application">[System[(EventID=18454)]]</Select>
            <Select Path="Application">[System[(EventID=18456)]]</Select>
        </Query>
    </QueryList>
    Exec to_json();
</Input>

<Input filein>
    Module im_file
    File 'e:\ServiceNow\agent\export\snow_log.csv'
    InputType multiline
    ReadFromLast FALSE
    SavePos FALSE
    <Exec>
        # Ignore top line
        if $raw_event =~ /Created,Level,Message,Source,Created by/ drop();
        if $raw_event =~ /Warning/ drop();
        if $raw_event =~ /Information/ drop();

        # Convert Newline and Tab to printed character
        #$raw_event =~ s/\R/\\r\\n/g;
        #$raw_event =~ s/\t/\\t/g;

        $raw_event = replace($raw_event, "\n", " ");
        $raw_event = replace($raw_event, "\r", " ");
        $raw_event = replace($raw_event, "\t", " ");

        $SourceName = 'SNOWLogs';
        # Parse $raw_event as CSV
        csv->parse_csv();

        # Convert to JSON
        to_json();
    </Exec>
</Input>

<Output fileout>
    Module om_tcp
    Host logger
    Port 5140
    #Exec to_syslog_bsd();
</Output>

<Output out>
    Module om_tcp
    Host logger
    Port 5140
</Output>

<Route r1>
    Path eventlog => out
</Route>

<Route parse_xml>
    Path filein => fileout
</Route>

For a few lines it reads the data properly, but in some lines it does not read the complete data. I am also trying to drop unwanted data like Information or Warning, just to ensure I collect only Error information. But still it does not help. Error information from the file is very limited, so I can reduce the amount of data to be ingested into ELK.

Sample of Error messages as follows:

Created Level Message
9/10/2019 3:00 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 1:07 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12887</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=aeeb6a6d1b33fb40db5e43b4bd4bcb5a&amp;ipAddress=10.144.112.51&amp;pid=12887&amp;preExecution=&amp;host_sys_id=d3fd5bff87e04504065e00f509434dc2&amp;host_name=dm01db02.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12841</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=aeeb6a6d1b33fb40db5e43b4bd4bcb11&amp;ipAddress=10.145.112.57&amp;pid=12841&amp;preExecution=&amp;host_sys_id=9ac8ef3887bc0904065e00f509434d22&amp;host_name=dm02db08.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13373</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=eeeb6a6d1b33fb40db5e43b4bd4bcb41&amp;ipAddress=10.145.112.51&amp;pid=13373&amp;preExecution=&amp;host_sys_id=ca716bb387244504065e00f509434dd6&amp;host_name=dm02db02.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13328</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=acebe6ad1bff7f404d41dd7edd4bcb1f&amp;ipAddress=10.145.112.54&amp;pid=13328&amp;preExecution=&amp;host_sys_id=7e912fb387244504065e00f509434d8c&amp;host_name=dm02db05.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12911</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=80eb2a6d1b33fb40db5e43b4bd4bcb88&amp;ipAddress=10.144.112.56&amp;pid=12911&amp;preExecution=&amp;host_sys_id=964e9fff87e04504065e00f509434d5f&amp;host_name=dm01db07.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12899</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=40eb2a6d1b33fb40db5e43b4bd4bcbc2&amp;ipAddress=10.144.112.53&amp;pid=12899&amp;preExecution=&amp;host_sys_id=391e5bff87e04504065e00f509434d3e&amp;host_name=dm01db04.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13264</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=48eb2a6d1b33fb40db5e43b4bd4bcb6a&amp;ipAddress=10.145.112.56&amp;pid=13264&amp;preExecution=&amp;host_sys_id=f0b1afb387244504065e00f509434df6&amp;host_name=dm02db07.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12879</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=44eb2a6d1b33fb40db5e43b4bd4bcbf4&amp;ipAddress=10.144.112.50&amp;pid=12879&amp;preExecution=&amp;host_sys_id=6cfddfbb87e04504065e00f509434d75&amp;host_name=dm01db01.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13267</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=4adba2ad1bff7f404d41dd7edd4bcbb1&amp;ipAddress=10.145.112.55&amp;pid=13267&amp;preExecution=&amp;host_sys_id=19a12fb387244504065e00f509434d28&amp;host_name=dm02db06.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12901</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=cedba2ad1bff7f404d41dd7edd4bcb90&amp;ipAddress=10.144.112.57&amp;pid=12901&amp;preExecution=&amp;host_sys_id=665edfbf87e04504065e00f509434d29&amp;host_name=dm01db08.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13323</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=cadbae6d1bff7f404d41dd7edd4bcb7b&amp;ipAddress=10.145.112.53&amp;pid=13323&amp;preExecution=&amp;host_sys_id=10916b7387244504065e00f509434d22&amp;host_name=dm02db04.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13312</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=fbcbeead1b377f40276510e4bd4bcbd2&amp;ipAddress=10.145.112.50&amp;pid=13312&amp;preExecution=&amp;host_sys_id=d7616bb387244504065e00f509434dd3&amp;host_name=dm02db01.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12891</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=b7cbeead1b377f40276510e4bd4bcb97&amp;ipAddress=10.144.112.54&amp;pid=12891&amp;preExecution=&amp;host_sys_id=642edbff87e04504065e00f509434dd6&amp;host_name=dm01db05.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13255</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=23cbae6d1bff7f404d41dd7edd4bcb6c&amp;ipAddress=10.145.112.52&amp;pid=13255&amp;preExecution=&amp;host_sys_id=d581ebb387244504065e00f509434da2&amp;host_name=dm02db03.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>13008</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=47cb266d1b33fb40db5e43b4bd4bcb6c&amp;ipAddress=10.144.112.52&amp;pid=13008&amp;preExecution=&amp;host_sys_id=fe0ed7ff87e04504065e00f509434dd8&amp;host_name=dm01db03.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:04 Error [code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>, Process ID: <b>12885</b>, To Check Pattern Log Press <a href="$sw_horizontal_discovery_log.do?discoLogId=c7cb266d1b33fb40db5e43b4bd4bcb8c&amp;ipAddress=10.144.112.55&amp;pid=12885&amp;preExecution=&amp;host_sys_id=a03e1fff87e04504065e00f509434d97&amp;host_name=dm01db06.ga.ssga.root&amp;patternId=dd15665a7fe022004e83e2065f2a0c57&amp;patternName=Docker Pattern&amp;patternType=1&amp;isCloud=false"><u><b>Here</b></u></a>[/code]
9/10/2019 1:03 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 1:03 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 1:02 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 1:01 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 1:00 Error cmdb_metadata : Found duplicate cmdb_rel_type records with name: Master of::Stack Member of having sys_ids: 357afff213a21300f39f721a6144b076, c8c685710b22130005d90d2835673aa8: no thrown error
9/10/2019 1:00 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 1:00 Error LICENSE_DETAILS.ALLOCATED ua_stats_defn Calculation: DEF1000115 not found: no thrown error
9/10/2019 0:34 Error java.lang.NullPointerException: java.lang.NullPointerException:
9/10/2019 0:30 Error cmdb_metadata : Found duplicate cmdb_rel_type records with name: Master of::Stack Member of having sys_ids: 357afff213a21300f39f721a6144b076, c8c685710b22130005d90d2835673aa8: no thrown error
9/10/2019 0:30 Error cmdb_metadata : Found duplicate cmdb_rel_type records with name: Master of::Stack Member of having sys_ids: 357afff213a21300f39f721a6144b076, c8c685710b22130005d90d2835673aa8: no thrown error
9/10/2019 0:03 Error UATablePkgOverrideHandler: Could not find the package with source com.snc.problem: no thrown error
9/10/2019 0:03 Error UATablePkgOverrideHandler: Could not find the package with source com.snc.incident: no thrown error
9/10/2019 0:00 Error [code]Canceled discovery of <a href="discovery_schedule.do?sys_id=71c932b1db5aa3403f737afc0f96195a"><u>SSGA Windows Active Servers</u></a>. Already at maximum number of active 'Scheduled' invocations (3) for a given schedule[/code]

Can someone please help me achieve this or rectify my config file?

Thanks a million in advance.


abasha created
Replies: 3
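The ServiceNow question above filters on the raw line with substring matches (drop anything containing "Warning" or "Information") and reassembles records by a date-shaped header line. The added example below is not the post's configuration and not NXLog code: it reads the export as real CSV, where a quoted Message may span several physical lines, and then tests the Level column rather than the whole line, so an Error whose message text happens to contain "Warning" is kept and a continuation line never becomes a record of its own. The column names are the post's (Created, Level, Message, Source, Created by); the CSV text is a constructed sample, and substring_filter() reproduces the post's approach for comparison.

```python
"""Read a ServiceNow log export as CSV and keep only Level == Error rows.

Added example (not the post's configuration, not NXLog code). Column names are
the post's; the CSV below is a constructed sample.
"""
import csv
import io
import json

# Constructed sample in the post's column layout. Row 2 has a quoted Message
# spanning two physical lines; the last row is an Error whose text says "Warning".
SAMPLE_CSV = (
    "Created,Level,Message,Source,Created by\n"
    '9/10/2019 3:00,Error,"java.lang.NullPointerException: java.lang.NullPointerException:",scheduler,system\n'
    '9/10/2019 1:04,Error,"[code]Failed Exploring CI Pattern, Pattern name: <b>Docker Pattern</b>,\n'
    'Process ID: <b>12887</b>[/code]",discovery,system\n'
    '9/10/2019 1:03,Warning,"Error count threshold reached for import set",import,admin\n'
    '9/10/2019 1:02,Information,"Job finished",scheduler,system\n'
    '9/10/2019 1:01,Error,"Warning: duplicate cmdb_rel_type records found",cmdb,system\n'
)


def iter_rows(text):
    """Yield one dict per logical record; csv handles quoted commas and embedded newlines."""
    yield from csv.DictReader(io.StringIO(text))


def errors_only(text, keep_level="Error"):
    """Keep rows whose Level column equals keep_level; collapse whitespace in Message
    the way the post's replace() calls do, so one record stays on one output line."""
    kept = []
    for row in iter_rows(text):
        if row["Level"] != keep_level:
            continue
        kept.append({
            "Created": row["Created"],
            "Level": row["Level"],
            "Message": " ".join(row["Message"].split()),
            "Source": row["Source"],
            "CreatedBy": row["Created by"],
            "SourceName": "SNOWLogs",
        })
    return kept


def substring_filter(text):
    """The post's approach, for comparison: per physical line, drop any line that
    contains Warning or Information. It loses Error rows mentioning those words
    and lets a quoted continuation line through as if it were a record."""
    return [line for line in text.splitlines()[1:]
            if "Warning" not in line and "Information" not in line]


def to_json_lines(records):
    """One JSON object per line, the shape to_json() produces for om_tcp."""
    return "\n".join(json.dumps(record, ensure_ascii=False) for record in records)


if __name__ == "__main__":
    print(to_json_lines(errors_only(SAMPLE_CSV)))
    print("--- substring approach kept these physical lines ---")
    for line in substring_filter(SAMPLE_CSV):
        print(line)
```

Field-based filtering is also what keeps the output size proportional to the number of Error rows: a substring filter that misfires on one long multi-line Message forwards every fragment of it.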
Regex to set variable

Hi, I’m trying to use regex in nxlog. My current configuration is to save firewall logs to a file .txt using the $Sender value to create the file name.

.......

<Input *****>
    Module im_tcp
    Host 0.0.0.0
    Port 1001
    <Exec>
        if $raw_event =~ /LEEF/ parse_leef();
        else parse_syslog();
    </Exec>
</Input>

.......

<Output >
    define OUT_DIR %LOGDIR2%/
    Module om_file
    File "%OUT_DIR%/" + $Sender + ".txt"
    <Schedule>
        Every 3600 sec
        <Exec>
            if ->file_size() > 0M
            {
                set_var('newfile', file_name() + strftime(now(), '_%Y%m%d%H%M%S') + '.log');
                rotate_to(get_var('newfile'));
                exec_async('C:/Program Files/GnuWin32/bin/bzip2.exe', 'E:// *.log');
            }
        </Exec>
    </Schedule>
</Output>

.........

This is the log:

<13>Sep 4 16:07:23 Firewall: LEEF:1.0|FORCEPOINT|Firewall|1.1.1|Connection_Discarded|src=122.1.1.1 EventReceivedTime=2019-09-04 16:07:23 SourceModuleName=****** SourceModuleType=im_tcp LEEFVersion=<1> LEEF:0.0 Vendor=FORCEPOINT vSrcName=Firewall Version=1.1.1 EventID=Connection_Discarded devTimeFormat=MMM dd yyyy HH:mm:ss devTime=2019-09-04 16:07:23 proto=1 dstPort=80 srcPort=53438 dst=192.1.1.1 sender=services.fw.mi01.custom.cloud node 1 action=Discard

the system sets the value of $Sender like this: $Sender = services.fw.mi01.custom.cloud node 1 action=Discard.txt

but I need instead the system to set $Sender this way, only up to "node 1": $Sender = services.fw.mi01.custom.cloud node 1.txt

I thought about using a regex to extrapolate the value I need, but it doesn't work. This one:

<Exec>
    if $Sender =~ /(?<=sender=).[^\t]+/g; $Sender = $1
</Exec>

Can I do this thing? If so, what should I do?

Thank you Antonio


nembosec created
Replies: 1
View post »
last updated
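The regex question above has two separate parts: cutting the sender value off at the next key=value token, and then using that value as a file name. The added example below is not the post's configuration and not NXLog code. The post's pattern contains no capturing group, so there is no $1 to assign; the pattern here captures the value and stops at the next key= token or a tab, whichever comes first. Because $Sender arrives over a TCP listener, the file name it selects is attacker-influenced input, so the example also maps it onto a safe character set and confirms the final path stays inside the output directory. The log line is constructed from the values in the post's own line.

```python
"""Extract the LEEF sender value and turn it into a safe output file name.

Added example (not the post's configuration, not NXLog code). The sample line
is constructed from the post's values; the regexes are this example's own.
"""
import posixpath
import re

SAMPLE_LINE = ("<13>Sep 4 16:07:23 Firewall: LEEF:1.0|FORCEPOINT|Firewall|1.1.1|Connection_Discarded|"
               "src=122.1.1.1 devTime=2019-09-04 16:07:23 proto=1 dstPort=80 srcPort=53438 dst=192.1.1.1 "
               "sender=services.fw.mi01.custom.cloud node 1 action=Discard")

POST_PATTERN = re.compile(r"(?<=sender=).[^\t]+")                   # the post's attempt: no capture group
SENDER_RE = re.compile(r"sender=(.*?)(?=\s+[A-Za-z]\w*=|\t|$)")      # stop at the next key= token or a tab
SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")                         # everything else becomes "_"


def post_attempt(line):
    """What the post's regex matches: the whole remainder of the line."""
    match = POST_PATTERN.search(line)
    return match.group(0) if match else None


def extract_sender(line):
    """The sender value only, e.g. 'services.fw.mi01.custom.cloud node 1'."""
    match = SENDER_RE.search(line)
    return match.group(1).strip() if match else None


def safe_filename(sender, max_len=100):
    """Map an untrusted sender value onto a file name that cannot name a directory,
    start with a dot, or be empty; spaces and path separators become underscores."""
    name = SAFE_CHARS.sub("_", (sender or "").strip())
    name = name.strip("._")
    if not name:
        name = "unknown_sender"
    return name[:max_len] + ".txt"


def output_path(out_dir, line):
    """Join the sanitized name to out_dir and verify the result stays inside it.
    posixpath is used so the check behaves the same on every platform; the logic
    is identical with ntpath for a Windows output directory."""
    path = posixpath.normpath(posixpath.join(out_dir, safe_filename(extract_sender(line))))
    if not path.startswith(posixpath.join(out_dir, "")):
        raise ValueError("sender value escaped the output directory")
    return path


if __name__ == "__main__":
    print("post's regex :", post_attempt(SAMPLE_LINE))
    print("sender       :", extract_sender(SAMPLE_LINE))
    print("output file  :", output_path("/var/log/fw", SAMPLE_LINE))
```

In the NXLog rewrite of this, the capture is the part that changes (a parenthesised group after sender=, ended by a lookahead for the next key=); the sanitising step matters whenever a field from the wire decides a path on the collector.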
Issues reconnecting after UDP fails to send to logging server.

Hello,

I'm experiencing an issue with the community edition. Once you power off the log collection server, the nxlog client agent (for Windows) will drop the connection and stop sending UDP packets after the log collection server is back online. Restarting the Windows agent resolves the issue.

Is there a solution for this besides restarting the windows service every so often to ensure the agent is always sending logs?

Thanks


jmflood created
Replies: 3
NXLog Enrichment

I'm attempting to enrich some Windows event logs with "ClientMachine", which needs to equal the hostname. I'm having issues with only some logs coming through with this enriched field; others do not contain the ClientMachine enrichment. My config is below. Any help would be greatly appreciated.

Panic Soft
define ROOT C:\Program Files\nxlog
#ModuleDir %ROOT%\modules
#CacheDir %ROOT%\data
#SpoolDir %ROOT%\data

#define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log

# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set LogFile below and
# disable the include line.
LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Exec $ClientMachine = hostname_fqdn();
    Module om_tcp
    Host 192.168.1.20
    Port 11105
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>


JacobY created
Replies: 3
Nxlog Multiline Input to 1 Syslog Message

Hi all,

I'm using nxlog to send CAS audit log to our syslog server. Each entry in the text file looks similar to this as below:

2019-08-28 14:33:58,959 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: user1
WHAT: ST-65-eMcuA7IeZWYUYPldhgaT-11 for https://test.com.vn/news/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Aug 28 14:33:58 ICT 2019
CLIENT IP ADDRESS: x.x.x.x
SERVER IP ADDRESS: x.x.x.x
=============================================================

I want to combine these multiple lines to 1 line and I've read some of the documentation on nxlog's website regarding multiline but haven't found a specific config to put them all in 1 entry with a syslog header. Is there any solution for nxlog conf to work with this kind of multiline message? Thanks

dnhphuc created
Replies: 1
NxLog wseventing windows event forwarding with http

Hi, I'm trying to configure Windows event forwarding from a Windows machine to the nxlog machine using the wseventing module, and we want to use the http protocol on port 80. The two machines are on the same domain, so Kerberos is already configured, but NXLog gives me the following error:

2019-08-28 09:30:45 ERROR https is required for im_wseventing without kerberos support at C:\Program Files\nxlog\conf\nxlog.conf:156

This is the nxlog configuration, entered as described in the documentation:

<Input wseventing>
    Module im_wseventing
    Address http://nxlog.domain.cloud:80/wsman
    ListenAddr 0.0.0.0
    Port 80
    SubscriptionName test
    Exec log_info(to_json());
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application"></Select>
                <Select Path="Security"></Select>
                <Select Path="Setup"></Select>
                <Select Path="System"></Select>
                <Select Path="ForwardedEvents"></Select>
                <Select Path="Windows PowerShell"></Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

Since both machines are on the same domain, this seems a strange error. Do you have any ideas?

Thank you Antonio


reevo created
Replies: 1
ProxyAddress directive in om_http module

Hello! First time nxlog user here.

Looking at the docs:

https://nxlog.co/documentation/nxlog-user-guide-full#om_http_config

It would seem to indicate the availability of a ProxyAddress directive, but when I populate the nxlog.conf file with one, I receive an error that the ProxyAddress keyword is invalid:

2019-08-27 17:34:40 ERROR invalid keyword: ProxyAddress at C:\Program Files (x86)\nxlog\conf\nxlog.conf:91
2019-08-27 17:34:40 ERROR module 'http' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:96
2019-08-27 17:34:40 WARNING not starting unused module http
2019-08-27 17:34:40 INFO nxlog-ce-2.10.2150 started

Can anyone point me in the right direction on this one?

Much appreciated!!!

-Ryan


Hoenle created
Replies: 1
Trying to create a custom log that contains a JSON object

The endpoint I will be sending logs to expects this format:

{ "timestamp":"2019-08-06T19:00:03Z", "body":"This is a sample body", "attributes":{ "token":"some token value", "log_type":"error", "(extensible keys)":"(string value)" } }

I need to convert Windows eventlogs to the target format and I'm having an issue creating "attributes." Here's my latest attempt, but "attributes" is getting converted to JSON twice which is messing up the format.

Here's my .conf:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension json>
    Module xm_json
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'></Select>
                <Select Path='Security'></Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        #$attributes = $raw_event;
        $log_type = $EventType;
        $token = 'token goes here';
        $raw_event = $raw_event + $log_type + $token;
        $attributes = to_json();
        rename_field("EventTime", "timestamp");
        $body = $message;
        delete($log_type);
        delete($token);
        delete($AccountName);
        delete($AccountType);
        delete($ActivityID);
        delete($Category);
        delete($Channel);
        delete($Domain);
        delete($EventID);
        delete($EventTime);
        delete($EventType);
        delete($HandleId);
        delete($Hostname);
        delete($Keywords);
        delete($MandatoryLabel);
        delete($Message);
        delete($NewProcessId);
        delete($NewProcessName);
        delete($ObjectServer);
        delete($Opcode);
        delete($OpcodeValue);
        delete($ParentProcessName);
        delete($PrivilegeList);
        delete($ProcessName);
        delete($ProcessID);
        delete($ProviderGuid);
        delete($RecordNumber);
        delete($RelatedActivityID);
        delete($Service);
        delete($Severity);
        delete($SeverityValue);
        delete($SourceName);
        delete($SubjectUserSid);
        delete($SubjectUserName);
        delete($SubjectDomainName);
        delete($SubjectLogonId);
        delete($Task);
        delete($ThreadID);
        delete($TargetUserSid);
        delete($TargetUserSid);
        delete($TargetUserName);
        delete($TargetDomainName);
        delete($TargetLogonId);
        delete($TokenElevationType);
        delete($TransactionId);
        delete($UserID);
        delete($Version);
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);
        to_json();
    </Exec>
</Input>

<Output file>
    Module om_file
    file "c:\temp\logdata.log"
</Output>

<Route 2>
    Path in => file
</Route>

My results end up looking like this:

{ "timestamp": "2019-08-27 15:45:39", "attributes": "{&quot;EventTime&quot;:&quot;2019-08-27 15:45:39&quot;,&quot;Hostname&quot;:&quot;fakehost&quot;,&quot;Keywords&quot;:-9214364837600034816,&quot;EventType&quot;:&quot;AUDIT_SUCCESS&quot;,&quot;SeverityValue&quot;:2,&quot;Severity&quot;:&quot;INFO&quot;,&quot;EventID&quot;:4688,&quot;SourceName&quot;:&quot;Microsoft-Windows-Security-Auditing&quot;,&quot;ProviderGuid&quot;:&quot;{guid}&quot;,&quot;Version&quot;:2,&quot;Task&quot;:13312,&quot;OpcodeValue&quot;:0,&quot;RecordNumber&quot;:30506980,&quot;ProcessID&quot;:4,&quot;ThreadID&quot;:19308,&quot;Channel&quot;:&quot;Security&quot;,&quot;Message&quot;:&quot;A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\fake$\r\n\tAccount Domain:\t\tFake\r\n\tLogon ID:\t\FakeID\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0xc0c\r\n\tNew Process Name:\tC:\\Windows\\SysWOW64\\cmd.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0x30f8\r\n\tCreator Process Name:\tC:\\Program Files (x86)\\Stackdriver\\LoggingAgent\\Main\\bin\\ruby.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.&quot;,&quot;Category&quot;:&quot;Process Creation&quot;,&quot;Opcode&quot;:&quot;Info&quot;,&quot;SubjectUserSid&quot;:&quot;S-1-5-18&quot;,&quot;SubjectUserName&quot;:&quot;FakeUser$&quot;,&quot;SubjectDomainName&quot;:&quot;FakeDomain&quot;,&quot;SubjectLogonId&quot;:&quot;0x3e7&quot;,&quot;NewProcessId&quot;:&quot;0xc0c&quot;,&quot;NewProcessName&quot;:&quot;C:\\Windows\\SysWOW64\\cmd.exe&quot;,&quot;TokenElevationType&quot;:&quot;%%1936&quot;,&quot;TargetUserSid&quot;:&quot;S-1-0-0&quot;,&quot;TargetUserName&quot;:&quot;-&quot;,&quot;TargetDomainName&quot;:&quot;-&quot;,&quot;TargetLogonId&quot;:&quot;0x0&quot;,&quot;ParentProcessName&quot;:&quot;C:\\Program Files (x86)\\Stackdriver\\LoggingAgent\\Main\\bin\\ruby.exe&quot;,&quot;MandatoryLabel&quot;:&quot;S-1-16-16384&quot;,&quot;EventReceivedTime&quot;:&quot;2019-08-27 15:45:41&quot;,&quot;SourceModuleName&quot;:&quot;in&quot;,&quot;SourceModuleType&quot;:&quot;im_msvistalog&quot;,&quot;log_type&quot;:&quot;AUDIT_SUCCESS&quot;,&quot;token&quot;:&quot;token goes here&quot;}", "body": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\Fake$\r\n\tAccount Domain:\t\tFake\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0xc0c\r\n\tNew Process Name:\tC:\Windows\SysWOW64\cmd.exe\r\n\tToken Elevation 
Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0x30f8\r\n\tCreator Process Name:\tC:\Program Files (x86)\Stackdriver\LoggingAgent\Main\bin\ruby.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator." }

How can I get "attributes" to be a regular JSON object?

Thanks!


jonwalz created
Replies: 1
Not getting parse multi-line XML file
# Below is my NXLOG configuration file to parse
define ROOT C:\Program Files (x86)\nxlog

Module xm_gelf

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_multiline
HeaderLine /^/
EndLine /^/

Module xm_xml

Module xm_json

Module im_file
File "C:\\test\\server\\Azurion\\SoftwarePackage\\test.xml"
InputType multiline
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^/ drop();
# Parse the xml event
parse_xml();
#Rewrite some fields
$EventTime = parsedate($timestamp);
delete($timestamp);
delete($EventReceivedTime);
# Convert to JSON
to_json();

Module om_file
File "C:\\Users\\320005935\\Desktop\\new.txt"

Path filein => fileout

# This is my XML file
2012-11-23 23:00:00 ERROR Something bad happened. Please check the system.
2012-11-23 23:00:12 INFO System state is now back to normal.

pradumn created
Replies: 1
Setting up NXlog

Hello everyone, a former employee set up nxlog with Server 2008 R2. Since that is coming to an end, or at least its support is, I am trying to set up nxlog on a 2016 server. I went ahead and downloaded the client and copied the conf file over from the old server. I then looked for how it was deployed. From what I can see it was deployed using a GPO under the event forwarding section, "Configure target subscription manager". I went into this location and changed the information from the old server to the new, so instead of log2 it is now log3, with all the same parameters. I then waited for a couple of hours, since it takes around an hour for the machines to check the GPOs. I even restarted some machines. After this was done I caused some Software Restriction Policy alerts, which email us when on the old server. When doing this on the new server nothing happens. I also log into the server and start an instance of Wireshark. There are some logs coming into the server, but not the amount that was coming into the old server in the same time. I then switch the name back in the GPO from log3 to log2. After this is done, in about an hour all the Software Restriction Policy alerts start coming in to our email. I then check Wireshark. In a minute's time with the new (relog3) server I will get around 200 logs. With the old one (relog2) I am over 1000 in the same time. For some reason, when making the change in the GPO it seems like the computers are holding the logs and don't want to send to the new location, then when changing it back they send the logs that were held. Any idea what is going on here?


jpederson created
Replies: 1
Split message, each new line '\n' with syslog header
Hello guys, please help to split MESSAGE into separate events with syslog_bsd headers. Config example:

```
Module xm_csv
Fields DisplayName, EmailAddress, Department, Title, Description, SamAccountName,EmployeeNumber,PasswordLastSet,LastLogonDate,enabled
FieldTypes string,string,string,string,string,string,string,string,string,string
Exec $msg1 = ($SamAccountName + " | -DisplayName | " + $DisplayName);
Exec $msg2 = ($SamAccountName + " | -EmailAddress | " + $EmailAddress);
Exec $msg3 = ($SamAccountName + " | -Department | " + $Department);
Exec $msg4 = ($SamAccountName + " | -Title | " + $Title);
Exec $msg5 = ($SamAccountName + " | -Description | " + $Description);
Exec $msg6 = ($SamAccountName + " | -SamAccountName | " + $SamAccountName);
Exec $msg7 = ($SamAccountName + " | -EmployeeNumber | " + $EmployeeNumber);
Exec $msg8 = ($SamAccountName + " | -PasswordLastSet | " + $PasswordLastSet);
Exec $msg9 = ($SamAccountName + " | -LastLogonDate | " + $LastLogonDate);
Exec $msg10 = ($SamAccountName + " | -enabled | " + $enabled);
Exec $raw_event = $msg1 + "\n" + $msg2 + "\n" + $msg3 + "\n" + $msg4 + "\n" + $msg5 + "\n" + $msg6 + "\n" + $msg7 + "\n" + $msg8 + "\n" + $msg9 + "\n" + $msg10 + "\n";
```

So the output looks like:

```
Administrator | -DisplayName | 
Administrator | -EmailAddress | admin@gmail.com
Administrator | -Department | 
Administrator | -Title | 
Administrator | -Description | Built-in account for administering the computer/domain
Administrator | -SamAccountName | Administrator
Administrator | -EmployeeNumber | 
Administrator | -PasswordLastSet | 2/21/2019 1:57:37 PM
Administrator | -LastLogonDate | 2/21/2019 2:08:51 PM
Administrator | -enabled | True
```

How to add the syslog header TIMESTAMP HOSTNAME TAG[PID]: before each line and send to syslog as separate messages? If I use to_syslog_bsd(); the lines merge into one event.

RAZR created
Replies: 1
NXLog 4.3.4308 Crashed after logrotate

Hi everyone!

The new version of NXLog works well. But recently I again saw an error during log rotation.

The service stopped working. I reinstalled it and everything is OK.

Thanks everyone!

2019-08-18 00:00:00 ERROR failed to check whether file 'C:\nxlog\data\nxlog.log.2' exists; Access is denied. 
2019-08-19 00:00:00 ERROR Scheduled execution failed; procedure 'file_cycle' failed at line 27, character 57 in C:\nxlog\conf\nxlog.conf. statement execution has been aborted; ### ASSERTION FAILED at line 76 in filepath.c/nx_filepath_find_all_paths(): "path_decomposed->nelts > 0" ###
2019-08-20 00:00:00 ERROR Scheduled execution failed; procedure 'file_cycle' failed at line 27, character 57 in C:\nxlog\conf\nxlog.conf. statement execution has been aborted; ### ASSERTION FAILED at line 76 in filepath.c/nx_filepath_find_all_paths(): "path_decomposed->nelts > 0" ###
2019-08-21 00:00:00 ERROR Scheduled execution failed; procedure 'file_cycle' failed at line 27, character 57 in C:\nxlog\conf\nxlog.conf. statement execution has been aborted; ### ASSERTION FAILED at line 76 in filepath.c/nx_filepath_find_all_paths(): "path_decomposed->nelts > 0" ###

hatula created
Replies: 1
Need help in writing input module

Hi, I am trying to read logs (CSV format) from ServiceNow and send them to the ELK stack. I need some help in writing the input module, so that I can properly send the logs to the ELK stack. My input file contains 5 fields, but field3 has multiline input. I tried many methods and it does not work as expected. Can someone please help in writing a proper input/output module for my stack?

Input file sample as follows:

Created,Level,Message,Source,Created by
7/22/2019 3:00,Warning,"org.mozilla.javascript.EcmaError: Cannot convert null to an object. Caused by error in sys_script.914d69890a0a3c1101310dab6c2ebf01.script at line 1

==> 1: geamBlockCI(); 2: function geamBlockCI() { 3: var user = gs.getUser(); 4: //gs.log('**** 1 User'+ user,'Test'); ",Evaluator,admin
7/22/2019 3:00,Warning,"org.mozilla.javascript.EcmaError: Cannot convert null to an object. Caused by error in sys_script.914d69890a0a3c1101310dab6c2ebf01.script at line 1

==> 1: geamBlockCI(); 2: function geamBlockCI() { 3: var user = gs.getUser(); 4: //gs.log('**** 1 User'+ user,'Test'); ",Evaluator,admin


abasha created
Replies: 3
alerting on mail when regex string matches

Hi,

I am trying to get an alert by mail when someone changes the syslog IP. I am using the config below:

<Input file>
    Module im_file
    File "/opt/nxlog/var/log/*.log"
    <Exec>
        if $raw_event =~ /Syslog Server IP was changed from/
        {
            exec_async("/bin/sh", "-c", 'echo "' + $Hostname + $raw_event + '"|/usr/bin/mailx -a "Content-Type: text/plain; charset=UTF-8" -s "ALERT" ' + 'user@domaincom');
        }
    </Exec>
</Input>

Every time I see "Syslog Server IP was changed from" in the log file, I get "RROR subprocess 'xxxxx' returned a non-zero exit value of 1" in the nxlog log file.

I am on CentOS 7. Can anyone help?

BR//SAJESH


Sajeshvv23 created
Replies: 1
Windows 2012 R2 Having issues, while Windows 2008 works seamless

Trying to implement nxlog on a Windows 2012 R2 server: the log data appears to forward to Graylog3, however in a review of the data no messages are received. Using the same nxlog.conf file from a working 2008 server, we get the same result.


paulhurst created
Replies: 1
Bypassing 'File' When Configuring im_file Module with NXLog Manager for IIS Log Ingestion

Hello. We plan on using the im_file module to ingest W3C IIS logs. We will use the command script provided in the user manual in section 69.7, as we have many IIS servers and the logs are not all in the same place. We use NXLog Manager to manage all of our agents. When attempting to create the module for the agent within NXLog Manager, we are forced to input something for the 'File' parameter. Yet when we use the 'include_stdout' directive as shown in the manual, that creates the 'File' parameter based on what the script finds, so we don't want NXLog Manager defining that parameter. How do we tell NXLog Manager to skip that parameter? We don't want to have to manually update log4ensics.conf on each of these servers.

Thank you.


marktroy created
Replies: 1