NxLog wseventing windows event forwarding with http
reevo created
Hi,
I’m trying to configure Windows event forwarding from a Windows machine to the NXLog machine using the wseventing module, and we want to use the HTTP protocol on port 80.
The two machines are on the same domain, so Kerberos is already configured, but NXLog gives me the following error:
2019-08-28 09:30:45 ERROR https is required for im_wseventing without kerberos support at C:\Program Files\nxlog\conf\nxlog.conf:156
This is the NXLog configuration, entered as described in the documentation:
<Input wseventing>
    Module            im_wseventing
    Address           http://nxlog.domain.cloud:80/wsman
    ListenAddr        0.0.0.0
    Port              80
    SubscriptionName  test
    Exec              log_info(to_json());
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application"></Select>
                <Select Path="Security"></Select>
                <Select Path="Setup"></Select>
                <Select Path="System"></Select>
                <Select Path="ForwardedEvents"></Select>
                <Select Path="Windows PowerShell"></Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
Since both machines are on the same domain, this seems a strange error. Do you have any ideas?
Thank you
Antonio
ProxyAddress directive in om_http module
Hoenle created
Hello! First time nxlog user here.
Looking at the docs:
https://nxlog.co/documentation/nxlog-user-guide-full#om_http_config
It would seem to indicate the availability of a ProxyAddress directive, but when I populate the nxlog.conf file with one, I receive an error that the ProxyAddress keyword is invalid:
2019-08-27 17:34:40 ERROR invalid keyword: ProxyAddress at C:\Program Files (x86)\nxlog\conf\nxlog.conf:91
2019-08-27 17:34:40 ERROR module 'http' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:96
2019-08-27 17:34:40 WARNING not starting unused module http
2019-08-27 17:34:40 INFO nxlog-ce-2.10.2150 started
Can anyone point me in the right direction on this one?
Much appreciated!!!
-Ryan
Trying to create a custom log that contains a JSON object
jonwalz created
The endpoint I will be sending logs to expects this format:
{
    "timestamp":"2019-08-06T19:00:03Z",
    "body":"This is a sample body",
    "attributes":{
        "token":"some token value",
        "log_type":"error",
        "(extensible keys)":"(string value)"
    }
}
I need to convert Windows eventlogs to the target format and I'm having an issue creating "attributes." Here's my latest attempt, but "attributes" is getting converted to JSON twice which is messing up the format.
Here's my .conf:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension json>
    Module  xm_json
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'></Select>
                <Select Path='Security'></Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        #$attributes = $raw_event;
        $log_type = $EventType;
        $token = 'token goes here';
        $raw_event = $raw_event + $log_type + $token;
        $attributes = to_json();
        rename_field("EventTime", "timestamp");
        $body = $message;
        delete($log_type);
        delete($token);
        delete($AccountName);
        delete($AccountType);
        delete($ActivityID);
        delete($Category);
        delete($Channel);
        delete($Domain);
        delete($EventID);
        delete($EventTime);
        delete($EventType);
        delete($HandleId);
        delete($Hostname);
        delete($Keywords);
        delete($MandatoryLabel);
        delete($Message);
        delete($NewProcessId);
        delete($NewProcessName);
        delete($ObjectServer);
        delete($Opcode);
        delete($OpcodeValue);
        delete($ParentProcessName);
        delete($PrivilegeList);
        delete($ProcessName);
        delete($ProcessID);
        delete($ProviderGuid);
        delete($RecordNumber);
        delete($RelatedActivityID);
        delete($Service);
        delete($Severity);
        delete($SeverityValue);
        delete($SourceName);
        delete($SubjectUserSid);
        delete($SubjectUserName);
        delete($SubjectDomainName);
        delete($SubjectLogonId);
        delete($Task);
        delete($ThreadID);
        delete($TargetUserSid);
        delete($TargetUserName);
        delete($TargetDomainName);
        delete($TargetLogonId);
        delete($TokenElevationType);
        delete($TransactionId);
        delete($UserID);
        delete($Version);
        delete($EventReceivedTime);
        delete($SourceModuleName);
        delete($SourceModuleType);
        to_json();
    </Exec>
</Input>

<Output file>
    Module  om_file
    File    "c:\temp\logdata.log"
</Output>

<Route 2>
    Path  in => file
</Route>
My results end up looking like this:
{
"timestamp": "2019-08-27 15:45:39",
"attributes": "{"EventTime":"2019-08-27 15:45:39","Hostname":"fakehost","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{guid}","Version":2,"Task":13312,"OpcodeValue":0,"RecordNumber":30506980,"ProcessID":4,"ThreadID":19308,"Channel":"Security","Message":"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\fake$\r\n\tAccount Domain:\t\tFake\r\n\tLogon ID:\t\FakeID\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0xc0c\r\n\tNew Process Name:\tC:\\Windows\\SysWOW64\\cmd.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0x30f8\r\n\tCreator Process Name:\tC:\\Program Files (x86)\\Stackdriver\\LoggingAgent\\Main\\bin\\ruby.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","Category":"Process Creation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"FakeUser$","SubjectDomainName":"FakeDomain","SubjectLogonId":"0x3e7","NewProcessId":"0xc0c","NewProcessName":"C:\\Windows\\SysWOW64\\cmd.exe","TokenElevationType":"%%1936","TargetUserSid":"S-1-0-0","TargetUserName":"-","TargetDomainName":"-","TargetLogonId":"0x0","ParentProcessName":"C:\\Program Files (x86)\\Stackdriver\\LoggingAgent\\Main\\bin\\ruby.exe","MandatoryLabel":"S-1-16-16384","EventReceivedTime":"2019-08-27 15:45:41","SourceModuleName":"in","SourceModuleType":"im_msvistalog","log_type":"AUDIT_SUCCESS","token":"token goes here"}",
"body": "A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\Fake$\r\n\tAccount Domain:\t\tFake\r\n\tLogon ID:\t\t0x3E7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0xc0c\r\n\tNew Process Name:\tC:\Windows\SysWOW64\cmd.exe\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0x30f8\r\n\tCreator Process Name:\tC:\Program Files (x86)\Stackdriver\LoggingAgent\Main\bin\ruby.exe\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator."
}
How can I get "attributes" to be a regular JSON object?
Thanks!
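The inner `to_json()` call stores the first JSON document as the string field `attributes`, and the final `to_json()` escapes that string like any other value, which is the double encoding in the output above. One way to get a real object in NXLog CE, as an added example that is not the poster's config: hold the inner document in a module variable, serialize the outer record with a placeholder, then splice the document in with `replace()`. The delete list is the poster's own and is elided here.

```nxlog
<Extension json>
    Module  xm_json
</Extension>

<Input in>
    Module  im_msvistalog
    <Exec>
        # Serialize the complete event once and park the string in a module
        # variable, so it is not itself a field of the outer record.
        $log_type = $EventType;
        $token    = 'token goes here';
        set_var('attributes_json', to_json());

        # Shape the outer record: timestamp, body, attributes.
        rename_field("EventTime", "timestamp");
        $body = $Message;
        # ... delete($log_type), delete($token) and every other field,
        #     exactly as in the posted delete list ...

        # Placeholder; the outer to_json() quotes it as "__ATTRIBUTES__".
        $attributes = '__ATTRIBUTES__';
        to_json();

        # Replace the quoted placeholder (quotes included) with the raw inner
        # document, so the value is an object rather than an escaped string.
        # The outer to_json() has already escaped $body, so the result stays
        # valid JSON.
        $raw_event = replace($raw_event, '"__ATTRIBUTES__"',
                             get_var('attributes_json'));
    </Exec>
</Input>
```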
Not able to parse multi-line XML file
pradumn created
Below is my NXLog configuration file for parsing:
define ROOT C:\Program Files (x86)\nxlog

<Extension gelf>
    Module  xm_gelf
</Extension>

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^<event>/
    EndLine     /^</event>/
</Extension>

<Extension xmlparser>
    Module  xm_xml
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input filein>
    Module     im_file
    File       "C:\\test\\server\\Azurion\\SoftwarePackage\\test.xml"
    InputType  multiline
    <Exec>
        # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<event>/ drop();
        # Parse the xml event
        parse_xml();
        # Rewrite some fields
        $EventTime = parsedate($timestamp);
        delete($timestamp);
        delete($EventReceivedTime);
        # Convert to JSON
        to_json();
    </Exec>
</Input>

<Output fileout>
    Module  om_file
    File    "C:\\Users\\320005935\\Desktop\\new.txt"
</Output>

<Route parse_xml>
    Path  filein => fileout
</Route>
This is my XML file:
<?xml version="1.0" encoding="UTF-8"?>
<event>
    <timestamp>2012-11-23 23:00:00</timestamp>
    <severity>ERROR</severity>
    <message>
        Something bad happened.
        Please check the system.
    </message>
</event>
<event>
    <timestamp>2012-11-23 23:00:12</timestamp>
    <severity>INFO</severity>
    <message>
        System state is now back to normal.
    </message>
</event>
Setting up NXlog
jpederson created
Hello everyone. An old employee set up nxlog with Server 2008 R2. Since that is coming to an end, or the support is, I am trying to set up nxlog on a 2016 server. I went ahead and downloaded the client and copied the conf file over from the old server. I then looked for how it was deployed. From what I can see it was deployed using a GPO under the event forwarding section, Configure target subscription manager. I went into this location and changed the information from the old server to the new, so instead of log2 it is now log3 with all the same parameters. I then waited for a couple of hours since it takes around an hour for the machines to check the GPOs. I even restarted some machines. After this was done I caused some Software Restriction Policy alerts that, on the old server, will email us. When doing this on the new one nothing happens. I also logged into the server and started an instance of Wireshark. There are some logs coming into the server but not the amount that was coming into the old server in the same time. I then switched the name back in the GPO from log3 to log2. After this is done, in about an hour's time all the Software Restriction Policy alerts start coming in to our email. I then check Wireshark. In a minute's time with the new (relog3) server I will get around 200 logs. With the old one now (relog2) I am over 1000 in the same time. For some reason when making the change in the GPO it seems like the computers are holding the logs and don't want to send to the new location, then when changing it back they send the logs that were held. Any idea on what is going on here?
Split message, each new line '\n' with syslog header
RAZR created
Hello guys, please help me split the message into separate events with syslog_bsd headers.
Config example:
<Extension csv_parser>
    Module      xm_csv
    Fields      DisplayName, EmailAddress, Department, Title, Description, SamAccountName, EmployeeNumber, PasswordLastSet, LastLogonDate, enabled
    FieldTypes  string, string, string, string, string, string, string, string, string, string
</Extension>
Exec $msg1 = ($SamAccountName + " | -DisplayName | " + $DisplayName);
Exec $msg2 = ($SamAccountName + " | -EmailAddress | " + $EmailAddress);
Exec $msg3 = ($SamAccountName + " | -Department | " + $Department);
Exec $msg4 = ($SamAccountName + " | -Title | " + $Title);
Exec $msg5 = ($SamAccountName + " | -Description | " + $Description);
Exec $msg6 = ($SamAccountName + " | -SamAccountName | " + $SamAccountName);
Exec $msg7 = ($SamAccountName + " | -EmployeeNumber | " + $EmployeeNumber);
Exec $msg8 = ($SamAccountName + " | -PasswordLastSet | " + $PasswordLastSet);
Exec $msg9 = ($SamAccountName + " | -LastLogonDate | " + $LastLogonDate);
Exec $msg10 = ($SamAccountName + " | -enabled | " + $enabled);
Exec $raw_event = $msg1 + "\n" + $msg2 + "\n" + $msg3 + "\n" + $msg4 + "\n" + $msg5 + "\n" + $msg6 + "\n" + $msg7 + "\n" + $msg8 + "\n" + $msg9 + "\n" + $msg10 + "\n";
So the output looks like:
Administrator | -DisplayName |
Administrator | -EmailAddress | admin@gmail.com
Administrator | -Department |
Administrator | -Title |
Administrator | -Description | Built-in account for administering the computer/domain
Administrator | -SamAccountName | Administrator
Administrator | -EmployeeNumber |
Administrator | -PasswordLastSet | 2/21/2019 1:57:37 PM
Administrator | -LastLogonDate | 2/21/2019 2:08:51 PM
Administrator | -enabled | True
How do I add a syslog header <PRI>TIMESTAMP HOSTNAME TAG[PID]: before each line and send them to syslog as separate messages?
If I use to_syslog_bsd(); the lines merge into one event.
NXLog 4.3.4308 Crashed after logrotate
hatula created
Hi everyone!
The new version of NXLog works well. But recently, I again saw an error during log rotation.
The service does not work. I reinstalled it and everything is OK.
Thanks everyone!
2019-08-18 00:00:00 ERROR failed to check whether file 'C:\nxlog\data\nxlog.log.2' exists; Access is denied.
2019-08-19 00:00:00 ERROR Scheduled execution failed; procedure 'file_cycle' failed at line 27, character 57 in C:\nxlog\conf\nxlog.conf. statement execution has been aborted; ### ASSERTION FAILED at line 76 in filepath.c/nx_filepath_find_all_paths(): "path_decomposed->nelts > 0" ###
2019-08-20 00:00:00 ERROR Scheduled execution failed; procedure 'file_cycle' failed at line 27, character 57 in C:\nxlog\conf\nxlog.conf. statement execution has been aborted; ### ASSERTION FAILED at line 76 in filepath.c/nx_filepath_find_all_paths(): "path_decomposed->nelts > 0" ###
2019-08-21 00:00:00 ERROR Scheduled execution failed; procedure 'file_cycle' failed at line 27, character 57 in C:\nxlog\conf\nxlog.conf. statement execution has been aborted; ### ASSERTION FAILED at line 76 in filepath.c/nx_filepath_find_all_paths(): "path_decomposed->nelts > 0" ###
Need help in writing input module
abasha created
Hi, I am trying to read logs (CSV format) from ServiceNow and send them to an ELK stack. I need some help in writing the input module, so that I can properly send the logs to the ELK stack.
My input file contains 5 fields, but field 3 has multi-line input. I tried many methods and it does not work as expected. Can someone please help in writing proper input/output modules for my stack?
Input file sample as follows:
Created,Level,Message,Source,Created by
7/22/2019 3:00,Warning,"org.mozilla.javascript.EcmaError: Cannot convert null to an object.
Caused by error in sys_script.914d69890a0a3c1101310dab6c2ebf01.script at line 1
==> 1: geamBlockCI();
2: function geamBlockCI() {
3: var user = gs.getUser();
4: //gs.log('**** 1 User'+ user,'Test');
",Evaluator,admin
7/22/2019 3:00,Warning,"org.mozilla.javascript.EcmaError: Cannot convert null to an object.
Caused by error in sys_script.914d69890a0a3c1101310dab6c2ebf01.script at line 1
==> 1: geamBlockCI();
2: function geamBlockCI() {
3: var user = gs.getUser();
4: //gs.log('**** 1 User'+ user,'Test');
",Evaluator,admin
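A record in this export starts with the Created date, and the quoted Message column can run over several lines, so the record boundary has to be found before the CSV parser sees the text. The configuration below is an added example, not the poster's (the file path, the field names and the Logstash address and port are assumptions): xm_multiline detects records by a header pattern for the date, then xm_csv parses each whole record.

```nxlog
<Extension multiline_csv>
    Module      xm_multiline
    # A record starts with the Created date, e.g. "7/22/2019 3:00,"; the
    # continuation lines inside a quoted Message never look like that.
    HeaderLine  /^\d{1,2}\/\d{1,2}\/\d{4} \d{1,2}:\d{2},/
</Extension>

<Extension csv>
    Module      xm_csv
    # Field names are this example's own; the last column is "Created by".
    Fields      $Created, $Level, $Message, $Source, $CreatedBy
    FieldTypes  string, string, string, string, string
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input servicenow>
    Module     im_file
    File       "C:\\logs\\servicenow\\syslog_export.csv"
    InputType  multiline_csv
    <Exec>
        # The column header row precedes the first date line. Strip it whether
        # it arrives as a record of its own or glued to the first record.
        $raw_event =~ s/^Created,Level,Message,Source,Created by\r?\n?//;
        if $raw_event == '' drop();

        # The whole multi-line record is in $raw_event now, so the quoted
        # Message (embedded newlines included) is parsed as one field.
        parse_csv();
        $EventTime = strptime($Created, '%m/%d/%Y %H:%M');
        to_json();
    </Exec>
</Input>

# One JSON document per line to a Logstash TCP input (address/port assumed).
<Output elk>
    Module  om_tcp
    Host    logstash.example.internal
    Port    5140
</Output>

<Route servicenow_to_elk>
    Path  servicenow => elk
</Route>
```

Without an EndLine pattern, xm_multiline emits the last record of a file only when the next header line arrives.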
Alerting by mail when a regex string matches
Sajeshvv23 created
Hi,
I am trying to get an alert by mail when someone changes the syslog IP. I am using the config below:
<Input file>
    Module  im_file
    File    "/opt/nxlog/var/log/*.log"
    <Exec>
        if $raw_event =~ /Syslog Server IP was changed from/
        {
            exec_async("/bin/sh", "-c", 'echo "' + $Hostname +
                       $raw_event +
                       '"|/usr/bin/mailx -a "Content-Type: text/plain; charset=UTF-8" -s "ALERT" ' +
                       'user@domaincom');
        }
    </Exec>
</Input>
Every time I see "Syslog Server IP was changed from" in the log file I get "RROR subprocess 'xxxxx' returned a non-zero exit value of 1" in the nxlog log file.
I am on CentOS 7. Can anyone help?
BR//SAJESH
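The posted Exec builds a shell command by concatenating log content into the string handed to `sh -c`, so any quote, backtick or `$(` in a matching log line is interpreted by the shell: a broken command line is one cause of a non-zero exit, and it is also an injection path for whoever can write into the monitored logs. The added example below (not the poster's config) passes the values as separate arguments to a wrapper script instead; /usr/local/bin/syslog-ip-alert is hypothetical and is assumed to read the host from `$1` and the line from `$2` and call mailx itself.

```nxlog
<Extension _exec>
    Module  xm_exec
</Extension>

<Input file>
    Module  im_file
    File    "/opt/nxlog/var/log/*.log"
    <Exec>
        if $raw_event =~ /Syslog Server IP was changed from/
        {
            # Arguments reach the program verbatim: no shell parses the log
            # line, so quotes, backticks or $(...) in it are inert text.
            # hostname() is the collector's own name; plain im_file does not
            # set $Hostname (assumption: the files are not syslog-parsed).
            # /usr/local/bin/syslog-ip-alert is a hypothetical wrapper that
            # takes host ($1) and line ($2) and pipes them into mailx.
            exec_async('/usr/local/bin/syslog-ip-alert', hostname(), $raw_event);
        }
    </Exec>
</Input>
```

The wrapper should quote "$1" and "$2" when it feeds them to mailx; a non-zero exit is then mailx's own status rather than a shell parsing error.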
Windows 2012 R2 Having issues, while Windows 2008 works seamless
paulhurst created
Trying to implement nxlog on a Windows 2012 R2 server; the log data appears to forward to Graylog3, however in a review of the data no messages are received.
Using the same nxlog.conf file from a working 2008 server we get the same result.
Bypassing 'File' When Configuring im_file Module with NXLog Manager for IIS Log Ingestion
marktroy created
Hello. We plan on using the im_file module to ingest W3C IIS logs. We will use the command script provided in the user manual in section 69.7 as we have many IIS servers and the logs are not all in the same place. We use NXLog Manager to manage all of our agents. When attempting to create the module for the agent within NXLog Manager, we are being forced to input something for the 'File' parameter. Yet when we do the 'include_stdout' directive as shown in the manual, that creates the 'File' parameter based on what the script finds so we don't want the NXLog Manager defining that parameter. How do we tell NXLog Manager to skip that parameter? We don't want to have to manually update log4ensics.conf on each of these servers.
Thank you.
Netflow to syslog to file or SIEM
joshik created
Hi All,
Is there a way to collect Netflow logs to a file and export them in syslog format?
I'm trying to get a working solution to collect logs from the SD-WAN device (IPFIX/Netflow) and forward them to our SIEM, which only accepts syslog format.
Here is the conf file; let me know what I'm doing wrong.
<Extension netflow>
    Module  xm_netflow
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input netflowIn1>
    Module     im_udp
    Host
    Port       2055
    InputType  netflow
</Input>

<Output Out>
    Module  om_file
    File    "c:\temp\syslog.txt"
    Exec    to_json();
</Output>

<Route nf>
    Path  netflowIn1 => Out
</Route>
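Netflow arrives as a binary datagram; xm_netflow decodes it into fields, but there is no `$Message` for syslog to carry, so the fields are serialized to JSON first and that string becomes the syslog message. This is an added example, not the poster's config: `Host` on im_udp is set to 0.0.0.0 (the post left it empty), and the SIEM address is a placeholder.

```nxlog
<Extension netflow>
    Module  xm_netflow
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input netflowIn1>
    Module     im_udp
    Host       0.0.0.0
    Port       2055
    InputType  netflow
</Input>

# Local copy: one JSON record per flow. Double backslashes because
# double-quoted strings interpret escape sequences such as \t.
<Output flowfile>
    Module  om_file
    File    "c:\\temp\\netflow.json"
    Exec    to_json();
</Output>

# SIEM copy: the decoded flow fields travel as JSON in the syslog MSG part.
# $Hostname is unset for netflow events, so to_syslog_bsd() uses the
# collector's own hostname; $SourceName becomes the syslog tag.
<Output siem>
    Module  om_tcp
    Host    siem.example.internal
    Port    514
    <Exec>
        $Message    = to_json();
        $SourceName = 'netflow';
        to_syslog_bsd();
    </Exec>
</Output>

<Route nf>
    Path  netflowIn1 => flowfile, siem
</Route>
```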
Forwarded events
USRJJAAG3643H5DQ created
Hello, I have a WEC server receiving the logs from my network computers. On this server I have the NXLog community edition to forward these logs, but Exabeam Analytics does not see the login and logout logs from the machines. I feel that nxlog does not forward all events. Do I need to use another version of the client, or what else should I do to verify whether it sends the full log?
Regards
Ben
Support tickets
user created
Hi,
I'd like to know if I can open support tickets using the nxlog community edition, or if that is just for enterprise edition users.
Thanks
nxlog - TLS renegotiation
Mareknejedly created
Hello,
I would like to ask if there is an option in the nxlog community edition to disable TLS renegotiation (module im_ssl), or whether the renegotiations are compliant with RFC 5746?
Thanks for letting me know.
Kind regards,
Marek
Event Log Types
JacobY created
Hello!
I am having trouble finding documentation on how/where I would alter the config files to forward all Windows logs. I can set up the config to forward logs, which was simple, but specifying which logs to forward is where I am stuck.
Multi-tenant in Nxlog Manager
reevo created
Hello,
We need to create a customer user who can access NXLog Manager to see his agents, but I would like the customer user to see nothing of other customer users.
Is that even possible?
Thank you
Antonio
Capture Windows Event ID in Logs
adminman created
Hey all,
I want to be able to capture the event IDs of Windows events in my SIEM, but currently they don't come through and I'm not sure what changes need to be made to make them come through. Below are my config files and an example of how they come in. Any ideas? Thanks in advance.
How events come in:
10 Jul 2019 16:57:42.364<14>Jul 10 12:57:40 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Local Authority service entered the running state.
10 Jul 2019 16:57:43.385<14>Jul 10 12:57:41 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Processor service entered the running state.
Config:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module              xm_charconv
    AutodetectCharsets  iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _fileop>
    Module  xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every  1 hour
        Exec   if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                   file_cycle('%LOGFILE%', 8);
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When  @weekly
        Exec  if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output tcp>
    Module  om_tcp
    Host    ********
    Port    ********
    Exec    to_syslog_bsd();
</Output>

<Route eventlog_to_tcp>
    Path  eventlog => tcp
</Route>
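`to_syslog_bsd()` builds the line from `$SourceName`, `$ProcessID` and `$Message` only, which is why `EventID` never appears in the sample above. Two ways to put the ID on the wire, as an added example that is not the poster's config (the SIEM address is a placeholder): keep BSD syslog and prefix the message text with the ID, or switch to RFC 5424 with `to_syslog_ietf()`, which carries every field of the event, `EventID` included, as structured-data parameters.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # QueryXML block as in the posted config
</Input>

# Option A: BSD syslog, EventID prepended to the message text.
<Output tcp_bsd>
    Module  om_tcp
    Host    siem.example.internal
    Port    514
    <Exec>
        # $EventID is an integer field; to_string() keeps the concatenation
        # explicit. $Message from im_msvistalog may contain newlines.
        $Message = 'EventID=' + to_string($EventID) + ' ' + $Message;
        to_syslog_bsd();
    </Exec>
</Output>

# Option B: RFC 5424 syslog. All fields, EventID among them, are emitted in
# the [NXLOG@14506 ...] structured-data element, e.g. EventID="..." Channel="...".
<Output tcp_ietf>
    Module  om_tcp
    Host    siem.example.internal
    Port    514
    Exec    to_syslog_ietf();
</Output>

<Route eventlog_to_tcp>
    # Route to one of the two outputs; both are listed only for comparison,
    # and nxlog will warn that the unused one is not started.
    Path  eventlog => tcp_bsd
</Route>
```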
Rsyslog Refugee --- some basic questions
mrmatthew created
Hello:
After spending several months trying to understand rsyslog's interstellar configuration, I am thinking of nxlog (enterprise) for a larger deployment in the coming months. Currently I am messing around with the community edition. While the documentation is nice, some of the examples for basic things are a little short on info. Google searches have been a little frustrating as they focus on Windows alerting, which is not what we need.
In our environment we have LTE based devices that connect to our VPN. Essentially these are weather stations for the agricultural industry. The devices are capable of sending IETF / BSD style syslog messages to a central server. We are looking for a solution to centrally receive these logs and, based on the message content, reformat and re-forward the messages to something like Graylog.
For now I am trying to standardize on a config that would allow me to receive BSD style syslog messages over UDP (plain text) and send the messages to a file. I am running nxlog on Linux, CentOS 7.
nxlog-ce-2.10.2150
usage: nxlog [-h/help] [-c/conf conffile] [-f] [-s/stop] [-v/verify]
[-h] print help
[-f] run in foreground, do not daemonize
[-c conffile] specify an alternate config file
[-r] reload configuration of a running instance
[-s] send stop signal to a running nxlog
[-v] verify configuration file syntax
CentOS Linux release 7.6.1810 (Core)
Requirement:
1) All of the weather stations are in the 10.200.0.0/16 subnets.
2) Dump messages from each weather station into a single file; in the example below (which doesn't work) I was trying to push the messages into agmon-log.
3) If the message contains the words "SENSORFAIL", send only those messages to another file, ag-sensor-fail.log.
4) Add a carriage return / LF after each message so the log is formatted nicely.
Nice to have
- Be able to place the messages from each sensor into an individual file based on some pattern of their IP address; for example 10.200.16.25 could be agmon-16-25.log.
- Richer content editing controls: if the weather station is unable to get a wind reading it sends a "NO WINDINFO" or "BAD WINDINFO" message. I would like to kick off a Python process if this message is received, while logging the message to a file.
- If the message contains the words "TEMPDATA=/regexpattern/" I would love to log the data to a MariaDB database. Not sure how to look for the regex pattern and if backtick or group matches apply.
Can someone please post some snippets or places to look? Brand new to nxlog. The manual is great but needs better, more complete examples. Not sure that nxlog is a fit for this and I would like some help to understand if this is the case.
I'm really trying to wrap my head around inputs and routes so that I can direct messages from specific hosts / based on content to a distinct location. Also trying to determine how vibrant the nxlog community is, along with support. Made the mistake of investing in rsyslog; it didn't work out.
########################################
# Global directives                    #
########################################
User     nxlog
Group    nxlog
LogFile  /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in1>
    Module  im_udp
    Port    514
    Exec    parse_syslog_bsd();
</Input>

<Input in2>
    Module  im_tcp
    Port    514
</Input>

<Input in5>
    Module  im_udp
    Host    10.200.0.0/16;
    Port    514
    Exec    parse_syslog_bsd();
</Input>

<Output fileout1>
    Module  om_file
    File    "/var/log/logmsg.txt"
    Exec    if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
    Exec    to_syslog_bsd();
</Output>

<Output fileout2>
    Module  om_file
    File    "/var/log/logmsg2.txt"
</Output>

<Output fileout5>
    Module  om_file
    File    "/var/log/agmon-log.txt"
    Exec    to_syslog_bsd();
</Output>

########################################
# Routes                               #
########################################
<Route 1>
    Path  in1 => fileout1
</Route>

<Route tcproute>
    Path  in2 => fileout2
</Route>

<Route 5>
    Path  in5 => fileout5
</Route>
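Requirements 1 to 4 and the first two nice-to-haves, plus the regex capture for TEMPDATA, in one added NXLog CE configuration (not the poster's; the file paths, the Python script path and the TEMPDATA pattern are assumptions, and the MariaDB output is left out). Two things the posted config runs into: `Host` on im_udp is the local address to bind, so a subnet is not valid there and the 10.200.0.0/16 restriction is done on `$MessageSourceAddress` instead, and two inputs cannot both bind UDP 514, so there is one input and each output filters with `drop()`.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Input stations>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    <Exec>
        parse_syslog_bsd();

        # 1) Accept only the weather-station subnet; drop everything else.
        if $MessageSourceAddress !~ /^10\.200\.\d{1,3}\.\d{1,3}$/ drop();

        # Nice-to-have 1: 10.200.16.25 -> /var/log/agmon/agmon-16-25.log
        # ($1 and $2 are the capture groups of the last match).
        if $MessageSourceAddress =~ /^10\.200\.(\d{1,3})\.(\d{1,3})$/
            $StationFile = '/var/log/agmon/agmon-' + $1 + '-' + $2 + '.log';

        # Nice-to-have 2: hand wind failures to a Python process (path is an
        # assumption). Values go as separate arguments, not via a shell string.
        if $Message =~ /(NO|BAD) WINDINFO/
            exec_async('/usr/bin/python3', '/opt/agmon/windinfo.py',
                       $MessageSourceAddress, $Message);

        # Regex capture: the TEMPDATA value lands in its own field for later
        # use (the value pattern is an assumption).
        if $Message =~ /TEMPDATA=([-0-9.]+)/ $TempData = $1;
    </Exec>
</Input>

# 2) + 4) Everything from every station, one syslog line per event.
# om_file appends a newline after each record by itself.
<Output agmon_all>
    Module  om_file
    File    '/var/log/agmon/agmon-log'
    Exec    to_syslog_bsd();
</Output>

# 3) Only the SENSORFAIL messages; drop() in an output affects that output only.
<Output sensor_fail>
    Module  om_file
    File    '/var/log/agmon/ag-sensor-fail.log'
    Exec    if $Message !~ /SENSORFAIL/ drop();
    Exec    to_syslog_bsd();
</Output>

# Nice-to-have 1: per-station file. A non-constant File expression is
# evaluated for every event, after the input's Exec has set $StationFile.
<Output per_station>
    Module  om_file
    File    $StationFile
    Exec    to_syslog_bsd();
</Output>

<Route agmon>
    Path  stations => agmon_all, sensor_fail, per_station
</Route>
```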
Logs buffer when Graylog is offline
marcoz90 created
Hi all,
Searching on the internet I found that by default nxlog has a buffer of 65000 bytes, but it seems it's not working in my environment.
I'm using nxlog CE 2.10 (in a Windows 2012 environment) and Graylog 2.5.1.
In my nxlog conf file I have 2 inputs (im_msvistalog, im_file) and 1 output (om_udp).
I tried to stop the input in Graylog and start it after 1 hour, but logs collected by the event viewer during that hour were not sent to Graylog.
How can I configure nxlog in order to keep logs in memory while Graylog is offline and send them when Graylog comes back online?
Thank you,
Marco.
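With om_udp nothing can ever be buffered for an outage: a datagram is sent whether or not anything listens, so from the sender's side Graylog is never "offline" and no queue builds up. Added example, not the poster's config (the Graylog address is a placeholder): GELF over TCP, where a refused or closed connection is a visible failure, with a disk-backed pm_buffer in front of the output so events accumulate until the connection is back.

```nxlog
<Extension gelf>
    Module  xm_gelf
</Extension>

<Input eventlog>
    Module  im_msvistalog
</Input>

# Disk-backed queue in front of the output. While om_tcp cannot connect it
# stops taking events and this buffer fills; once Graylog is reachable the
# queue drains in order. MaxSize and WarnLimit are in kilobytes (200 MB and
# 100 MB here); the buffer file lives under CacheDir by default.
<Processor buffer>
    Module     pm_buffer
    Type       Disk
    MaxSize    204800
    WarnLimit  102400
</Processor>

# GELF over TCP; the matching Graylog input is a GELF TCP input, not the
# GELF UDP input the posted om_udp was feeding.
<Output graylog>
    Module      om_tcp
    Host        graylog.example.internal
    Port        12201
    OutputType  GELF_TCP
</Output>

<Route eventlog_to_graylog>
    Path  eventlog => buffer => graylog
</Route>
```

If nxlog itself restarts during the outage, im_msvistalog resumes from its saved position, so events already read into the disk buffer are not lost and events not yet read are picked up afterwards.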