Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

netflow to syslog to file or siem

Hi All,

Is there a way to collect Netflow logs to a file and export them in Syslog format. Trying to get a working solution to collect logs from the sd-wan device(ipfix/netflow) and forward them to our SIEM which only accepts Syslog format. here is the conf file ..let me know what im doing wrong ? <Extension netflow> Module xm_netflow </Extension>

<Extension json> Module xm_json </Extension>

<Input netflowIn1> Module im_udp Host Port 2055 InputType netflow </Input>

<Output Out> Module om_file File "c:\temp\syslog.txt" Exec to_json(); </Output>

<Route nf> Path netflowIn1 => Out </Route>


joshik created
Replies: 1
View post »
last updated
forwarded events

Hello, I have a WEC server receiving the logs form my network computers, in this server I have the NXLog community edition to forward this logs, but in the exabeam analytics does not see logs from the machines the login and log out, I feel that the nxlogs does not forward all events, Do I need to use other version of client or what else should I do to verify if is send the full log?

Regards

Ben


USRJJAAG3643H5DQ created
Replies: 1
View post »
last updated
Support tickets

Hi,

I'd like to know if i can open tickets support using the nxlog community edition or it's just for the enterprise edition users.

Thanks


user created
Replies: 1
View post »
last updated
nxlog - tls renegotation

Hello,

I would like to ask you if there is option for nxlog community edition to disable TLS (module im_ssl) renegotiation for nxlog community edition or if the renegotiations are compliant with RFC 5746?

Thanks for letting me know.

Kind regards,

Marek


Mareknejedly created
Replies: 1
View post »
last updated
Event Log Types

Hello! I an having trouble finding documentation on how/where I would alter the config files to forward all windows logs. I can setup the config to forward logs, which was simple, but specifying which logs to forward is where I am stuck


JacobY created
Replies: 1
View post »
last updated
Multi-tenant in Nxlog Manager

Hello, we need to create a customer user who can have access to the nxlog manager to see his agents, but I would like the customer user to see nothing of other customer users. Is that even possible?

Thank you Antonio


reevo created
Replies: 1
View post »
last updated
Capture Windows Event ID in Logs
Hey all, I want to be able to capture the event IDs of windows events in my SIEM but currently they don't come through and I'm not sure what changes need to be made to make them come through. Below are my config files and an example of how they come in. Any ideas? Thanks in advance How events come in: 10 Jul 2019 16:57:42.364Jul 10 12:57:40 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Local Authority service entered the running state. 10 Jul 2019 16:57:43.385Jul 10 12:57:41 FILESVR******** Service_Control_Manager[532]: The Microsoft Policy Platform Processor service entered the running state. Config: Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data Module xm_syslog Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 Module xm_exec Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') >= 5M)) \ file_cycle('%LOGFILE%', 8); # Rotate our log file every week on Sunday at midnight When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); Module im_msvistalog * * * Module om_tcp Host ******** Port ******** Exec to_syslog_bsd(); Path eventlog => tcp

adminman created
Replies: 1
View post »
last updated
Rsyslog Refugee --- some basic questions
Hello:

After spending several months trying to understand rsyslog interstellar configuration -- I am thinking of nxlog (enterprise) for a larger deployment in the coming months. Currently I am messing around with the community edition. while the documentation is nice --- some of example for basic things are a little short on info. Google searches has been a little frustrating as it focuses on Windows alerting which is not what we need.

In our environment we have LTE based devices that connect to our VPN. Essentially these are weather stations for the agricultural industry. The devices are capable of sending itef / bsd style syslog messages to a central server. We are looking for a solution to centrally receive these logs and based on the message content reformat and re forward the messages to something like graylog.

For now I am trying to standardize on a config that would allow me to receive bsd style syslog messages over UDP (plain text) and send the messages to a file. I am running nxlog on Linux -- Centos 7.

nxlog-ce-2.10.2150
usage: nxlog [-h/help] [-c/conf conffile] [-f] [-s/stop] [-v/verify]
[-h] print help
[-f] run in foreground, do not daemonize
[-c conffile] specify an alternate config file
[-r] reload configuration of a running instance
[-s] send stop signal to a running nxlog
[-v] verify configuration file syntax

CentOS Linux release 7.6.1810 (Core)


Requirement:

1) All of the weather stations are in the 10.200.0.0/16 subnets.
2) Dump messages from each weather station into a single file --- in the example below (which doesnt work) I was trying to push the messages into agmon-log
3) If the message contains the words "SENSORFAIL" send only those messages to another file ag-sensor-fail.log
4) add a carriage return / lf after each message so the log is formatted nicely.


Nice to have
- Be able to place the messages from each sensor into an individual file based on some patter of their IP address for example 10.200.16.25 could be agmon-16-25.log
- richer content editing controls --- if the weather station is unable to get a wind reading it sends "NO WINDINFO" or "BAD WINDINFO" message. i would like to kick off a python process if this message is received --- while logging the message to a file.
- If the message contains the words "TEMPDATA=/regexpattern/" would love to log the data to a MARIADB database. Not sure how to look for the regex pattern and if backtick or goup matches apply

Can someone please post some snippets or places to look. Brand new to nxlog. The manual is great but needs better more complete examples. Not sure that nxlog is a fit for this and I would like some help to understand if this is the case.

Im really trying to wrap my head around inputs and routes so that I can direct messages from specific host / based on content to a distinct location. Also trying to determine how vibrant the nxlog community is along with support. Made the mistake of investing in rsyslog --- didnt work out.








########################################
# Global directives #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>

<Input in1>
Module im_udp
Port 514
Exec parse_syslog_bsd();
</Input>

<Input in2>
Module im_tcp
Port 514
</Input>

<Input in5>
Module im_udp
Host 10.200.0.0/16;
Port 514
Exec parse_syslog_bsd();
</Input>



<Output fileout1>
Module om_file
File "/var/log/logmsg.txt"
Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
Exec to_syslog_bsd();
</Output>

<Output fileout2>
Module om_file
File "/var/log/logmsg2.txt"
</Output>


<Output fileout5>
Module om_file
File "/var/log/agmon-log.txt"
Exec to_syslog_bsd();
</Output>



########################################
# Routes #
########################################
<Route 1>
Path in1 => fileout1
</Route>

<Route tcproute>
Path in2 => fileout2
</Route>

<Route 5>
Path in5 => fileout5
</Route>



mrmatthew created
Replies: 1
View post »
last updated
Logs buffer when Graylog is offline

Hi all, searching on internet I found that by defaukt nxlog has a buffer of 65000 bytes, but it seems it's not working in my environment.

I'm using nxlog CE 2.10 (in a Windows 2012 environment) and Graylog 2.5.1 In my nxlog conf file I have 2 inputs (im_msvistalog, im_file) and 1 output (om_udp). I tried to stop the input in Graylog and start it after 1 hour, but logs collected by event viewer during that our were not sent to Graylog.

How can I configure nxlog in order to keep logs in memory while Graylog is offline and send them when Graylog comes back online?

Thank you, Marco.


marcoz90 created
Replies: 1
View post »
last updated
Merge two lines
Hello, this is my conf (without general directives) ``` Module xm_multiline FixedLineCount 2 Exec $raw_event = $raw_event + replace($raw_event, "\r\n", " "); Module im_file File "C:\\temp\\in.txt" InputType ml1 SavePos FALSE ReadFromLast FALSE Module om_file File "C:\\temp\\out.txt" Path in1 => out1 ``` I need merge two lines from in.txt to single line separated with space into out.txt. But this does not work.

Toroque created
Replies: 1
View post »
last updated
Custom tagging for AIX

Hi,

I am trying to add a custom tag message in front of the logs similar to rsyslog custom tagging, but couldn't find a module on tagging logs. The solution in te previous forum on tagging didn't work out.

https://nxlog.co/question/4006/nxlog-logstash-using-custom-tags

Solution in that forum : Exec $tag = 'hl7out';

Does custom tagging works for AIX ? Please provide a solution for it to reflect it in forwarded logs.


sisaadmin created
Replies: 1
View post »
last updated
Add custom field at first place in message
Hi everyone, I would like to add my custom field to log at first place in log. But if i added **Exec $senderversion = "3.5.563";** the field will be at last place in log. is there some way to add a field to the first place ? My configuration and log sample are below. Thanks for any answer. Module xm_json Module im_msvistalog Exec delete($EventTime); Exec delete($EventReceivedTime); Exec delete($SourceModuleName); Exec delete($SourceModuleType); Exec $senderversion = "3.5.563"; Module om_tcp Host 198.19.254.112 Port 514 Exec to_json(); Path eventlog => tcp_event My logs now looks like this: > {"Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3",**"senderversion":"3.5.563"**} I would like to make the log look like this: > {**"senderversion":"3.5.563",**"Hostname":"win_template.nxlog.matej","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":214127,"ProcessID":644,"ThreadID":3508,"Channel":"Security","Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWIN_TEMPLATE$\r\n\tAccount Domain:\t\tNXLOG\r\n\tLogon ID:\t\t0x241DC39F\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.","Category":"Logoff","Opcode":"Info","TargetUserSid":"S-1-5-18","TargetUserName":"WIN_TEMPLATE$","TargetDomainName":"NXLOG","TargetLogonId":"0x241dc39f","LogonType":"3"}

matejrycek created
Replies: 1
View post »
last updated
Nxlog for Windows auditing Nxlog service stopped

Hi, I need to know if there is any way to receive an event when Nxlog Windows service is stopped. How can I obtain such notification if I don´t have the service working anymore? Is there a solution to audit this case? Thanks!


goodrookie created
Replies: 1
View post »
last updated
string(host_ip) is returning a stale IP.

On a Windows machine, I'm currently trying to create a custom field named client_ip and grab the IP address of the sending client. This works, but when I switch IPs, nxlog keeps sending the old stale IP, not the new IP.

Exec $client_ip = string(host_ip());

But, if I restart the nxlog service on the Windows machine, it starts returning the new correct IP. I don't want to have to restart the service.

How can I make nxlog always resolve and return the current ip?

Or is there another way to grab the IP address and assign that to a custom field?


ryanm created
Replies: 1
View post »
last updated
not resume log files

if I start nxlog manul from the command line like

/opt/nxlog/bin/nxlog -c      # RedHat7

everything works fine ; it reads the input logs from the positions when stopped. if I start it as service

systemctl start nxlog

then it ignores all the records of the input logs written while it was stopped. at my input definitions I have

SavePos          TRUE
ReadFromLast     TRUE

any help is welcomed, thanks, G. Bouras


GeorgeBouras created
Replies: 1
View post »
last updated
what kind of scripts can be run using im_exec

Is there a way that I could write a python script and make it execute through the im_exec module


Divya created
Replies: 1
View post »
last updated
NXlog CE RPM on CentOS - not instaling

Hi there, I've attempted to get NXlog CE installed onto a clean CentOS 7 host, following the documentation, ran 'rpm -ivh nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm' ... whilst the RPM command completes, it appears to do absolutely nothing .. I search the host for any files with 'nxlog' in the filename.. nothing!

Have I got a dud RPM file ? (Downloaded direct via the website)

Any suggestions, or known other versions of NXlog CE that I can use?


pdc created
Replies: 1
View post »
last updated
How to replace the Host IP in the output section by a variable or a regex?

Hello, I'm both new here and new at nxlog so excuse my question if it sounds awkward. I'm trying to configure nxlog for an environment with multiple intermediary loghosts which have different IP addresses. The only pattern is that the machine that is sending the log and the loghost always have a similar first three octets (same subnet). So the computer 192.168.0.10 will send logs to 192.168.0.100 and the computer 10.10.10.30 will send its logs to 10.10.10.100. The last octet of all loghosts are similar as well.

My goal is to be able to call the computer IP with HostIP, match it with a regex [0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3} and transform it to $1.$2.$3.100 which will be the loghost IP. My output module may look like this:

<Output loghost> Module om_udp Host $loghost Port 514 </output>

Why am I doing this? I'm deploying nxlog via GPO and wanted to send a single nxlog.conf to all the domain computers which will find the corresponding loghost based on their own IP.

At this time, none of my attempts to add a regex to an Exec directive in the output module were successful. If any one had come across the need for adding a variable as Host or similar issue, I will appreciate your help. Any other directions are much appreciated.

Thank you, Mikal


mikal created
Replies: 1
View post »
last updated
Move the file to another folder

Hi, I'm looking for a mean to move logs files from one folder to another folder after processed them. I want to know if nxlog has a Procedure like file_copy to do that. Thank you


ppalm created
Replies: 1
View post »
last updated
Logging stops when remote logging is enabled in nxlog CE 2.5.1089

Hi,

There was an issue in nxlog CE 2.5 edition, when remote and local logging both are enabled and for some reason if remote logging is stopped, both loggings are stopped, my understanding is that it has been fixed in latest edition, I would like to know exact versions in which it got fixed and does it fixed in CE or EE?

Error I am referring to in nxlog CE 2.5.1089 is as following: ERROR om_udp apr_socket_send failed Connection refused

Please let me know if it is fixed in CE subsequent versions and if yes, can you please provide exact version in which it got fixed, that would help.

In case of query, please do let me know.

Thanks, Chandrashekhar


chandrashekhark created
Replies: 1
View post »
last updated