I am trying to install nxlog on Windows server 2000. However, I get the error "Installation directory must be on a local hard drive." I have tried using administrative command prompt, Same Error. Can anyone help me out here?

Hello I have a server that send logs (with nxlog-ce), that has 3 network interface (3 differents IPs). So any time that reboot server, I see (on my SIEM) incoming logs from a different IP. Is there a way to set on nxlog the default interface?

Hi how can I modify my query to remember the last recordid? Right now im using the timestamp and its working but I want to use the recordid as the timestamp is causing another issue. <Input in> Module im_odbc IdType integer ConnectionString DSN=SMS SQL;database=CM_IMG;encrypt=true;trustServerCertificate=true; SQL SELECT RecordID as id,'Microsoft_SCEP' as Name, MAL.DetectionTime as SCEPMalDetectTime, SY.Name0 as TargetHost,SY.Resource_Domain_OR_Workgr0 as NTdomain, U.UserName,MAL.Process,MAL.Path,MAL.ThreatID, MAL.ThreatName,MAL.SeverityID,TR.Category,CA.DefaultAction as CleanAction, PA.DefaultAction as PendingAction,MAL.ExecutionStatus,MAL.ActionSuccess,MAL.ErrorCode, CASE WHEN (LEN(MAL.Path) - LEN(REPLACE(MAL.Path, ';file:', ''))) = 0 THEN 1 ELSE (LEN(MAL.Path) - LEN(REPLACE(MAL.Path, ';file:', '')))/6 END AS MaliciousFileCt FROM CM_IMG.SCCM_Ext.vex_EP_Malware MAL LEFT JOIN CM_IMG.dbo.v_R_System SY on SY.ResourceID = MAL.ResourceID LEFT JOIN CM_IMG.dbo.v_Users U on U.UserID = MAL.UserID LEFT JOIN CM_IMG.dbo.EP_ThreatCategories TR on TR.CategoryID = MAL.CategoryID LEFT JOIN CM_IMG.dbo.EP_ThreatDefaultActions CA on CA.DefaultActionID = MAL.CleaningAction LEFT JOIN CM_IMG.dbo.EP_ThreatDefaultActions PA on PA.DefaultActionID = MAL.PendingActions where MAL.DetectionTime >= dateadd(minute, -5, GetDate()) SavePos TRUE </Input>

Hi, I'm testing out the nxlog-ce-2.10.2150 and am trying to do simple exclusion of log files, as explained should be possible here: https://nxlog.co/documentation/nxlog-user-guide-full#im_file_config_exclude However, no matter how I try, I get this: 2019-01-09 13:31:19 ERROR invalid keyword: Exclude at /etc/nxlog/nxlog.conf:109 Is this something that simply is not included in the community edition or what gives? Thanks for any help, Mika

I've been unable to install Nxlog on Centos7 command line. I've researched the documentation and have used yum install nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm at the command prompt and getting No package nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm available Error: nothing to do Can you please assist? Thank you.

Fresh install of CentOS 7. Downloaded nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm Ran yum install on file, it installed all the dependencies and finished successfully, no errors. Next step in the guide says to edit /opt/nxlog/etc/nxlog.conf -this file doesn't exist. the only nxlog.conf I could find is in /etc/. After much googling I figured I'd move forward, next step is to verify conf file "/etc/nxlog.conf -v" - here's the output: [root@LS-PHL-NXL001 opt]# su root /etc/nxlog.conf /etc/nxlog.conf: line 9: User: command not found /etc/nxlog.conf: line 10: Group: command not found /etc/nxlog.conf: line 12: LogFile: command not found /etc/nxlog.conf: line 13: LogLevel: command not found /etc/nxlog.conf: line 18: syntax error near unexpected token `newline' /etc/nxlog.conf: line 18: `<Extension _syslog>' I'm not sure what to do next. What did I do wrong and how do I fix it?

I'm trying to configure Windows Management Instrumentation (im_wmi) for a host on a different subnet. I'm getting an error: chown: cannot access ‘wmiusername:nxlog’: No such file or directory. where am I going wrong? My config is as below: <br/>######################################## <br/>User nxlog <br/>Group nxlog <br/> <br/>LogFile /opt/nxlog/var/log/nxlog/nxlog.log <br/>LogLevel DEBUG <br/> <br/> <br/>######################################## <br/># Inputs # <br/>######################################## <br/> <br/><Input wmi> <br/> Module im_wmi <br/> Host 10.x.x.x <br/> Username wmiusername <br/> Password SomePassword <br/> Domain domain.com <br/> ReadFromLast True <br/></Input> <br/> <br/><Output file> <br/> Module om_file <br/> File "/opt/nxlog/var/windows/" + $AccountName + ".log" <br/></Output> <br/> <br/><Route wmi_to_file> <br/> Path wmi => file <br/></Route> <br/>

Hi, I have installed the nxlog package on Linux. I am trying to use nxlog as syslog with SSL support. Following is the configuration file: ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally under ## /usr/share/doc/nxlog-ce/ and is also available online at ## http://nxlog.org/docs ######################################## # Global directives # ######################################## User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO ######################################## # Modules # ######################################## <Extension _syslog> Module xm_syslog </Extension> <Input ssl> Module im_ssl Host localhost Port 6292 CertFile /var/lib/nxlog/cert/certificate.pem CertKeyFile /var/lib/nxlog/cert/key.pem InputType Syslog_TLS Exec parse_syslog_ietf(); </Input> <Input in1> Module im_udp Port 514 Exec parse_syslog_bsd(); </Input> <Input in2> Module im_tcp Port 514 </Input> <Output fileout1> Module om_file File "/var/log/logmsg.txt" Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error"); Exec to_syslog_bsd(); </Output> <Output fileout2> Module om_file File "/var/log/logmsg2.txt" </Output> ######################################## # Routes # ######################################## <Route 1> Path in1 => fileout1 </Route> <Route tcproute> Path in2 => fileout2 </Route> Itry to run this in foreground using nxlog -f. nxLog starts but it shows the warning - "WARNING not starting unused module ssl ". Does this mean SSL is not being used by nxLog? Why it says unused and how to correct it.

I'm trying to use the NXLog to Transfer my MS Exchange Server Transport Logs to an Elastic Search Server. I added the follwing config to the nxlog.conf File: define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking <Input in_exchange> Module im_file File '%BASEDIR%\MSGTRK????????-.LOG' # Exports all logs in Directory SavePos TRUE Exec if $raw_event =~ /HealthMailbox/ drop(); Exec if $raw_event =~ /^#/ drop(); </Input> <Output out_exchange> Module om_udp Host <IP of Elastic Search Server> Port <Port of the Elasioc Search Server> Exec $SyslogFacilityValue = 2; Exec $SourceName = 'exchange_msgtrk_log'; Exec to_syslog_bsd(); </Output> <Route exchange> Path in_exchange => out_exchange </Route> When I start the nxlog Service it states in the log: INFO nxlog-ce-2.10.2150 started I don't get any information on the ElasticSearch Server. In the Wireshark I don't see any UDP packet and so I guess the NXLOg Service don't do anything. Are there any more inormation or debugging logs to use? Thanks for any hint Michael

Hello All Happy New Year!!! I am trying to delete IIS logs older than 7 days. I tried using the following: <Extension _fileop> Module xm_fileop <Schedule> Every 1 day Exec file_remove('E:\IIS Logs\W3SVC1\*.log', (now() - 6048000 )); </Schedule> </Extension> But the above did not work - the file(s) were not deleted and no entries in the nxlog logfile. Note: the nxlog-ce documentation states the following regarding wildcard usage: file_remove(string file); Remove file. It is possible to specify a wildcard in the filename (but not in the path). The backslash () must be escaped if used as the directory separator with wildcards (for example, C:\test\*.log). This procedure will reopen the LogFile if it is removed. An error is logged if the operation fails. For Debugging purposes, I tried using the following: <Extension _fileop> Module xm_fileop <Schedule> Every 1 day Exec if (file_ctime("E:\IIS Logs\W3SVC1\*.log") <= now()) log_info("File is older"); </Schedule> </Extension> The following entry is in the nxlog logfile: 2019-01-02 18:10:19 ERROR failed to read file creation time on 'E:\IIS Logs\W3SVC1*.log': The filename, directory name, or volume label syntax is incorrect. Note: Maybe file_cname cannot except wildcards in the filename because if I use the following: <Schedule> Every 10 sec Exec if (file_ctime("E:\IIS Logs\W3SVC1\u_ex181224.log") <= now()) log_info("File is older"); </Schedule> Then I receive the following in the nxlog logfile: 2019-01-02 18:23:08 INFO File is older If I try the following: <Schedule> Every 10 sec Exec if (file_ctime("E:\IIS Logs\W3SVC1\u_ex181224.log") <= now()) log_info("File is older"); Exec file_remove("E:\IIS Logs\W3SVC1\u_ex181224.log", (now() - 6048000 )); </Schedule> The following appears in nxlog logfile: 2019-01-02 18:26:26 INFO File is older 2019-01-02 18:26:28 WARNING input file was deleted: E:\IIS Logs\W3SVC1\u_ex181224.log All of the above is leading me to believe the file_remove procedure does not support wildcards in the name. Does anyone have any experience with this? Anyone have a suggestion on how I can implement the above? Ideally, I would like to pass in the IIS Logs parent folder and recursively delete files older than 7 days in all sub-folders. Using nxlog-ce-2.10.2150 Many thanks Stephen

I am having this issue on both Ubuntu and FreeBSD. While trying to compile the pattern parser, it is failing because xcc doesn't exist: Ubuntu: xcc -b -i patterndb_parser.xcc -o patterndb_parser.c /bin/bash: xcc: command not found make[5]: [Makefile:738: patterndb_parser.c] Error 127 (ignored) FreeBSD: Making all in pattern xcc -b -i patterndb_parser.xcc -o patterndb_parser.c make[4]: exec(xcc) failed (No such file or directory) *** Error code 1 (ignored) Both of these lead to the build failing because patterndb_parser.c was not generated: Ubuntu: gcc: error: patterndb_parser.c: No such file or directory gcc: fatal error: no input files compilation terminated. make[5]: *** [Makefile:480: patterndb_parser.lo] Error 1 FreeBSD: cc: error: no such file or directory: 'patterndb_parser.c' cc: error: no input files *** Error code 1 Stop. Where does xcc come from? Google is not helping me at all, nor find, nor looking though the git repository.

Hi everybody, I use nxlog with module om_batchcompress + SSL (self-signed certificates). In nxlog client's log many errors sometimes: ERROR remote ssl socket was reset? (SSL_ERROR_SYSCALL with errno=9); End of file found What is means? Thank you so much. versions: client nxlog-3.2.2002 server nxlog-4.1.4046

Hi, This error is found in the logs nxlog client enterprise from time to time: 2018-12-26 00:00:00 INFO LogFile C:\nxlog\data\nxlog.log reopened 2018-12-26 00:00:00 INFO inode changed for 'C:\nxlog\data\nxlog.log' (79652->79655): reopening possibly rotated file 2018-12-26 00:00:11 ERROR failed to read config cache; string expected for config cache version 2018-12-26 00:00:11 ERROR exiting... I use recommended configuration for nxlog client: PersistLogqueue TRUE SyncLogqueue TRUE CacheFlushInterval always CacheSync TRUE <Input in> Module im_file File 'C:\logs\????-??-??.log' BufferSize 2500000 SavePos TRUE </Input> <Output out> BufferSize 9500000 Module om_batchcompress Host 192.168.1.100 Port 1514 </Output> Why is this happening? Thanks for any ideas! I use client nxlog-3.2.2002 server nxlog-4.1.4046

Hello, I have an application that logs some API requests and responses. Each request is logged in a different file, as a single line. In the system there are thousands of files, and Nxlog seems to have issues sending the logs to Elasticsearch. It reads the file, I can see im_file_add_file command in logs, but it takes a long time to actually send the message. How does Nxlog process multiple files in a single directory? Thanks

Hi, I am very new to this and trying to configure the nxLog as a syslog server on windows 2012. I added the following to the default config file: <Extension _syslog> Module xm_syslog </Extension> <Input ssl> Module im_ssl Host localhost Port 6393 CertFile %CERTDIR%/ukfff6292.pem CertKeyFile %CERTDIR%/private.pfx InputType Syslog_TLS Exec parse_syslog_ietf(); </Input> Then on cmd, I start the nxLog with -f option. I get the following error 2018-12-24 11:32:55 ERROR SSL error, couldn't read cert, no start line, 2018-12-24 11:32:55 WARNING no functional input modules! 2018-12-24 11:32:55 INFO nxlog-ce-2.10.2150 started 2018-12-24 11:32:55 ERROR SSL error, couldn't read cert, no start line, Please help me regarding this.

I'm trying to install/compile the Community Edition on FreeBSD 11. I'm having the same issues as were addressed in here: https://nxlog.co/question/2570/freebsd-port ie "The port currently needs a little bit more work since it does not properly pick up PCRE from when not in /usr (as on FreeBSD) and I don't really like to hack use to work around that ;-)." and also here: https://nxlog-ce-users.narkive.com/CyxivMgF/nxlog-2-7-1191-fails-to-configure-on-vanilla-freebsd-10-0 "checking pcre.h usability... no checking pcre.h presence... no checking for pcre.h... no configure: error: please install pcre-dev ***@logger:~/nxlog-ce-2.7.1191 # pcre.h is installed from ports: ***@logger:~/nxlog-ce-2.7.1191 # find / -name pcre.h /usr/ports/devel/pcre/work/pcre-8.33/pcre.h /usr/local/include/pcre.h" I have a similar configuration and error: checking pcre.h usability... no checking pcre.h presence... no checking for pcre.h... no configure: error: please install pcre-dev [simonq@freebsd11 /usr/local]$ find . -name pcre.h ./include/pcre.h I tried the same fix from there, modifying the configure.sh script to set CFLAGS="-I/usr/local/include", and even adding --includedir=/usr/local/include to the ./configure line, and oldincludedir, since that is apparently used by clang, vs gcc/includedir, but with no change. The config.log looks like it should be looking in the right place: Invocation command line was $ ./configure --libexecdir=/usr/local/lib --bindir=/usr/local/bin --sysconfdir=/usr/local/etc --libdir=/usr/local/lib --localstatedir=/var --includedir=/usr/local/include --oldincludedir=/usr/local/include PCRE_CFLAGS='-I/usr/local/include' PCRE_LIBS='-L/usr/local/lib -Wl,-R/usr/local/lib -lpcre' includedir='/usr/local/include' oldincludedir='/usr/local/include' configure:13250: checking pcre.h usability configure:13250: cc -c conftest.c >&5 conftest.c:64:10: fatal error: 'pcre.h' file not found #include <pcre.h> ^~~~~~~~ 1 error generated. | #include <pcre.h> configure:13250: result: no configure:13250: checking pcre.h presence configure:13250: cc -E conftest.c conftest.c:31:10: fatal error: 'pcre.h' file not found #include <pcre.h> ^~~~~~~~ 1 error generated. | #include <pcre.h> configure:13250: result: no configure:13250: checking for pcre.h configure:13250: result: no configure:13257: error: please install pcre-dev I'm just wondering if anyone else has worked this out? There is a package for the Enterprise Edition for FreeBSD, so there must be a way to get it to compile..

We are facing these error messages in NXLog log files: 2018-12-09 23:45:16 ERROR om_tcp detected a connection error;Connection timed out 2018-12-09 23:45:16 INFO reconnecting in 2 seconds 2018-12-09 23:45:17 INFO connecting to 192.168.1.2:1468 2018-12-10 01:56:53 INFO reconnecting in 1 seconds 2018-12-10 01:56:53 ERROR om_tcp detected a connection error;Connection timed out 2018-12-10 01:56:53 INFO reconnecting in 2 seconds 2018-12-10 01:56:54 INFO connecting to 192.168.1.2:1468 2018-12-10 04:08:30 INFO reconnecting in 1 seconds 2018-12-10 04:08:30 ERROR om_tcp detected a connection error;Connection timed out 2018-12-10 04:08:30 INFO reconnecting in 2 seconds 2018-12-10 04:08:31 INFO connecting to 192.168.1.2:1468 I suspect that our firewall is blocking those connections eventually as i can't see any TCP Keep-Alive packets in tcpdump from the server where the NXLog agent is installed. On 2015-04-01 2.9.1361 changelog is this line: All tcp based network modules are now using TCP_KEEPALIVE to detect dead peers. Any ideas on how to fix this?

Hi, We have had few instances on several servers in the past few weeks, where the NXlog application crashes when starting the service. Commonality so far is Windows Server 2012 Standard. Reinstall of the application corrects the problem, but doesn't sound like a solution. Anyone else experiencing this issue? Any fixes? Following is the error from the Application Log: Faulting application name: nxlog.exe, version: 4.1.4016.0, time stamp: 0x00000000 Faulting module name: ntdll.dll, version: 6.2.9200.22376, time stamp: 0x5a90c271 Exception code: 0xc0000374 Fault offset: 0x00000000000da535 Faulting process id: 0x18a4 Faulting application start time: 0x01d490bb5247014e Faulting application path: C:\Program Files\nxlog\nxlog.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 8ffb8b3b-fcae-11e8-944f-005056856b7b Faulting package full name: Faulting package-relative application ID:

Hello, I have two questions. First, a latest nxlog-ce formally supports Windows Server 2016 ? I saw the following url, and now it seems to support the Windows Server 2016. https://nxlog.co/documentation/nxlog-user-guide/platforms.html Second, the eventlog source limitation on Windows Server 2016 (the OS have over 256 sources, but the nxlog could treat up to 256 sources) is solved ? I saw the following forum questions. https://nxlog.co/question/2594/256-sources-limit https://nxlog.co/question/3200/eventlog-source-limitation-server-2016

I have the following NXLog config below that reads a file from disk and forwards it to another host (syslog). By default, it appears NXLog only forwards the data in the log file if it has changed. How can you configure 'nxlog.conf' so that it always forwards the file, even if the data hasn't changed? <Input in> Module im_file File "C:\myfile.txt" </Input> <Output out> Module om_tcp Host 127.0.0.1 Port 12345 </Output> <Route 1> Path in => out </Route>