Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Ubuntu 23.10 (Mantic Minotaur)
R Celium created
Hello dear NXLog users,

Does anyone know of any NXLog release for Ubuntu 23.10 (Mantic Minotaur)? I've tried the Ubuntu 18 to 22 releases but couldn't manage to install them. Are there any NXLog solutions for Mantic Minotaur?

Thanks a lot.
Vulnerabilities in NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll", related to "OpenSSL, Version: 1.1.1q"
Djordje created
A vulnerability scanner has discovered a number of vulnerabilities (CVE-2022-4450, CVE-2023-0215, CVE-2023-4807) related to "OpenSSL, version 1.1.1q" in the NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll".

Are there concrete plans and deadlines for updating these libraries by moving to non-vulnerable OpenSSL versions?
Information missing from certain Windows events
rom created
We are an MSSP that uses NXLog CE (3.2.2329) installed on a Windows Server acting as a Windows Event Collector (WEC) to forward events from the Forwarded Events channel to a syslog collector that sends everything to our SIEM.

TL;DR: Certain Windows events sent to our SIEM via NXLog are missing the <EventData> information, whereas Event Viewer shows a complete event on the log source host where NXLog is installed.

Longer version

The current setup is:

- Domain Controllers forward their security events using Windows Event Forwarding to our WEC using a source-initiated event subscription where the content format is set to 'Events' instead of the default 'RenderedText' (this change helped solve similar issues where data was missing from events sent via NXLog).
- We've verified that these security events are present in the Forwarded Events channel on the WEC with a complete XML of the events.
- NXLog CE (3.2.2329) is installed on this WEC using the following nxlog.conf file:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input Security>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="ForwardedEvents">
<Select Path="ForwardedEvents">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output DL>
Module om_tcp
Host 123.123.123.123
Port 514
Exec to_syslog_snare();
</Output>
<Route eventlog_to_DL>
Path Security => DL
</Route>

- NXLog sends logs to a syslog collector in the same network.
- This syslog collector has SIEM agent software forwarding events to our SIEM.

In our SIEM we can see all events coming in from the syslog collector, including NXLog Windows events; however, some appear to be missing data found in the <EventData> field in the XML of the actual event. The event IDs we're having issues with are Windows event IDs 4662, 4768 and 4776. Other event IDs are coming in 'complete' as expected, such as this event ID 4672:

<14>Dec 8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986982 Fri Dec 08 11:32:42 2023 4672 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Special Logon Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2155563959-1375260949-369746351-17469 Account Name: server123$ Account Domain: EXAMPLE Logon ID: 0x4D8729AC Privileges: SeSecurityPrivilege SeDebugPrivilege 773449975

Or event ID 5140:

<14>Dec 8 11:32:37 dc2.example.com MSWinEventLog 1 Security 5986753 Fri Dec 08 11:32:37 2023 5140 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com File Share A network share object was accessed. Subject: Security ID: S-1-5-21-2155563959-1375260949-369746351-18565 Account Name: netwrixsvc Account Domain: EXAMPLE Logon ID: 0x4D86D440 Network Information: Object Type: File Source Address: 172.30.10.10 Source Port: 51173 Share Information: Share Name: \*\ADMIN$ Share Path: ??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 773449390

Whereas we receive the following information for the troubled event IDs:

4776
<11>Dec 8 11:32:29 dc2.example.com MSWinEventLog 3 Security 5986385 Fri Dec 08 11:32:29 2023 4776 Microsoft-Windows-Security-Auditing N/A N/A Failure Audit dc2.example.com Credential Validation N/A 773449044

4662
<14>Dec 8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986976 Fri Dec 08 11:32:42 2023 4662 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Directory Service Access N/A 773449958

4768
<14>Dec 8 11:32:41 dc2.example.com MSWinEventLog 1 Security 5986915 Fri Dec 08 11:32:41 2023 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Kerberos Authentication Service N/A 773449814

Due to the vast amount of events received by the WEC, extracting a subset of events for troubleshooting proved more challenging than expected. Nevertheless, the customer responsible for the WEC was able to provide me with an .evtx file containing some of the event ID 4768 logs. These appear perfectly fine, as shown in the screenshot and XML output below:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2023-12-07T10:32:31.691008600Z" />
<EventRecordID>4520638617</EventRecordID>
<Correlation />
<Execution ProcessID="700" ThreadID="1424" />
<Channel>Security</Channel>
<Computer>dc1.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">netwrixsvc</Data>
<Data Name="TargetDomainName">example</Data>
<Data Name="TargetSid">S-1-5-21-2155563959-1375260949-369746351-18565</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-2155563959-1375260949-369746351-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:172.30.10.10</Data>
<Data Name="IpPort">49712</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>

What could possibly be the cause of these issues? Where can I check next?
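A small triage helper for the symptom described in the post above, as an added example (not code from the original post or from NXLog): it parses the tab-delimited lines that NXLog's to_syslog_snare() emits, flags every event ID whose rendered message field is the literal "N/A" (which is exactly how the 4776/4662/4768 events arrive in the SIEM), and extracts the <Data Name=...> values from the raw event XML so you can list what the SIEM should have received. The field names in SNARE_FIELDS are this example's own labels, the field order is assumed from the post's samples (message at position 13, counter last), and the sample lines and the shortened 4768 XML are constructed from the post.

```python
import xml.etree.ElementTree as ET

# Assumed field order of a to_syslog_snare() line after splitting on the tab
# delimiter; it matches the samples in the post (message at index 12, trailing
# counter). The names are this example's, not NXLog's.
SNARE_FIELDS = [
    "header", "criticality", "channel", "record_id", "event_time",
    "event_id", "source", "user", "sid_type", "event_type",
    "computer", "category", "message", "counter",
]

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_snare(line):
    """Split one Snare line into a dict keyed by SNARE_FIELDS (ValueError if malformed)."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(SNARE_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(SNARE_FIELDS), len(parts)))
    rec = dict(zip(SNARE_FIELDS, parts))
    rec["event_id"] = int(rec["event_id"])
    return rec


def find_unrendered(lines):
    """Event IDs whose message field is the literal 'N/A', i.e. EventData was not rendered."""
    return sorted({r["event_id"] for r in map(parse_snare, lines)
                   if r["message"].strip() == "N/A"})


def event_data(xml_text):
    """Return {Name: value} for every <Data> element under <EventData> of a raw event."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip()
            for d in root.findall("./e:EventData/e:Data", EVENT_NS)}


def triage(lines, xml_text):
    """Summarise which IDs lost their data and which EventData keys the XML carries."""
    return {"unrendered": find_unrendered(lines),
            "eventdata_keys": sorted(event_data(xml_text))}


def _snare(pri, eid, outcome, category, message):
    """Constructed Snare line in the shape of the post's samples (other fields fixed)."""
    return "\t".join([
        "<%d>Dec  8 11:32:42 dc2.example.com MSWinEventLog" % pri, "1", "Security",
        "5986982", "Fri Dec 08 11:32:42 2023", str(eid),
        "Microsoft-Windows-Security-Auditing", "N/A", "N/A", outcome,
        "dc2.example.com", category, message, "773449975",
    ])


# Constructed samples: one complete event and the three truncated ones from the post.
SAMPLE_LINES = [
    _snare(14, 4672, "Success Audit", "Special Logon",
           "Special privileges assigned to new logon. Subject: Account Name: server123$"),
    _snare(11, 4776, "Failure Audit", "Credential Validation", "N/A"),
    _snare(14, 4662, "Success Audit", "Directory Service Access", "N/A"),
    _snare(14, 4768, "Success Audit", "Kerberos Authentication Service", "N/A"),
]

# Constructed, shortened copy of the 4768 XML shown in the post (empty <Data> kept on purpose).
SAMPLE_4768_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4768</EventID>
<Level>0</Level><Channel>Security</Channel><Computer>dc1.example.com</Computer></System>
<EventData>
<Data Name="TargetUserName">netwrixsvc</Data>
<Data Name="TargetDomainName">example</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="Status">0x0</Data>
<Data Name="IpAddress">::ffff:172.30.10.10</Data>
<Data Name="CertIssuerName">
</Data>
</EventData>
</Event>"""

if __name__ == "__main__":
    print(triage(SAMPLE_LINES, SAMPLE_4768_XML))
```

Feed it the real lines from the syslog collector (they are tab-separated on the wire; the copies in the post lost the tabs when pasted) and the XML of the same records exported from the WEC, and the "unrendered" list tells you which IDs to chase while "eventdata_keys" shows what is being dropped between the channel and the Snare output.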
NXLog CE - SLES 12 or SLES 15?
mchojnacki created
Which version of the SUSE distribution supports the available NXLog CE package? The following message appears during the download:
Vulnerabilities in NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll", related to "OpenSSL, Version: 1.1.1q" - deleting the files?
Djordje created
A vulnerability scanner has discovered a number of vulnerabilities (CVE-2022-4450, CVE-2023-0215, CVE-2023-4807) related to "OpenSSL, version 1.1.1q" in the NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll".

If we are using the following modules: im_msvistalog, im_file, om_tcp; and we are NOT using the following modules: im_ssl, om_ssl; would simply deleting the following files from the system: "C:\ProgramFiles\nxlog\libcrypto-1_1-x64.dll", "C:\ProgramFiles\nxlog\libssl-1_1-x64.dll" (which solves the problem with the vulnerability scanner alerts) affect the functionality of NXLog?
How to transfert Windows EventLog by choosing the severity level.
iris created
Hello,

I'm using an older version of the NXLog agent (ce-2.0.1716) on Windows Server 2016, and I want to import only EventLogs that correspond to a severity level between 1 and 3, but I really have no idea how to do it. Despite my research and testing, nothing seems to work.

Below, you can see the original "nxlog.conf" configuration file for my DC server:

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
# Information
Exec if ($Severity == 'INFO' and $SourceName == 'CxAudioSvcSource') drop();
Exec if ($Severity == 'INFO' and ($EventId == 0)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1001)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 107)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 112)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 129)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 146)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 1)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2000)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2002)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 200)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 201)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2024)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 20)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 2415)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 3)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4007)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 4326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5017)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 505)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5126)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5257)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5308)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5309)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5310)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5311)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5312)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5313)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5314)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5315)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5320)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5326)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5327)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 5340)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 600)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 6115)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62170)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 62171)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 7036)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8006)) drop();
Exec if ($Severity == 'INFO' and ($EventId == 8007)) drop();
# Warning
Exec if ($Severity == 'WARNING' and ($EventId == 200)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 202)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 61)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1112)) drop();
Exec if ($Severity == 'WARNING' and ($EventId == 1002)) drop();
# Success
Exec if ($Severity == 'SUCCESS' and ($EventId == 4672)) drop();
Exec if ($Severity == 'SUCCESS' and ($EventId == 4799)) drop();
# Error
Exec if ($Severity == 'ERROR' and ($EventId == 2028)) drop();
Exec if ($Severity == 'ERROR' and ($EventId == 6113)) drop();
</Input>
<Output out>
Module om_tcp
Host supervision
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>

Below, you can see my new "nxlog.conf" configuration file for my DC server:

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0' Path='Application'>
<Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Setup'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_tcp
Host supervision
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>

Below, you can see an extract of the log file of the NXLog agent on my DC server:

2023-12-11 13:42:40 INFO nxlog-ce-2.9.1716 started
2023-12-11 13:42:40 INFO connecting to supervision:514
2023-12-11 14:00:21 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:23 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:25 INFO connecting to supervision:514
2023-12-11 14:00:49 WARNING stopping nxlog service
2023-12-11 14:00:49 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:50 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:50 INFO connecting to supervision:514
2023-12-11 14:05:41 WARNING stopping nxlog service
2023-12-11 14:05:41 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:05:43 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:05:45 INFO connecting to supervision:514
2023-12-11 14:14:38 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:16:24 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:16:27 INFO connecting to supervision:514
2023-12-11 14:19:51 WARNING stopping nxlog service
2023-12-11 14:19:52 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:19:53 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:19:53 INFO connecting to supervision:514
2023-12-11 14:21:53 WARNING stopping nxlog service
2023-12-11 14:21:53 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:21:54 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:21:54 INFO connecting to supervision:514

I also tried options such as:

Exec if ($Severity == 'INFO') drop();

And I tried modifying the "input" field with the different values below, but nothing seems to work.

<Select Path='Application'>[System/Level<3]</Select>
<Select Path='Security'>[System/Level<3]</Select>
<Select Path='System'>[System/Level<3]</Select>

<Select Path='Application'>[System[Level=3]]</Select>
<Select Path='System'>[System[Level=3]]</Select>
<Select Path='Security'>[System[Level=3]]</Select>

<Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>

Unfortunately, I'm far from being a specialist in log processing and management, so if you have an idea to suggest that would help me solve my problem, I would be very grateful.

Thank you in advance,
Arn_no
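An offline check of what a <Select> level predicate keeps, as an added example that is not part of the post above and not NXLog's code. It applies the same test as the Windows event XPath *[System[(Level=1 or Level=2 or Level=3)]] to raw event XML, so a filter can be tried on exported events before it goes into nxlog.conf. The edge case it is built around is the Security channel: audit events such as the 4768 shown earlier in this thread carry <Level>0</Level> and record their outcome in the Keywords bits (0x0020000000000000 for Audit Success, 0x0010000000000000 for Audit Failure; these constants and the band() XPath function are Windows event log facts, not taken from the post), so a Level 1-3 filter drops every Security audit event. The four events below are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# <Level> values used in the System section of Windows events.
LEVEL_NAMES = {0: "LogAlways", 1: "Critical", 2: "Error",
               3: "Warning", 4: "Information", 5: "Verbose"}

# Keyword bits set on Security audit events (their Level is 0).
KW_AUDIT_SUCCESS = 0x0020000000000000
KW_AUDIT_FAILURE = 0x0010000000000000


def system_fields(xml_text):
    """Extract the System fields a <Select> XPath typically tests."""
    root = ET.fromstring(xml_text)
    sysel = root.find("e:System", NS)
    return {
        "channel": sysel.findtext("e:Channel", namespaces=NS),
        "event_id": int(sysel.findtext("e:EventID", namespaces=NS)),
        "level": int(sysel.findtext("e:Level", namespaces=NS)),
        "keywords": int(sysel.findtext("e:Keywords", namespaces=NS), 16),
    }


def matches_level_filter(xml_text, levels=(1, 2, 3)):
    """Same decision as *[System[(Level=1 or Level=2 or Level=3)]] for the default levels."""
    return system_fields(xml_text)["level"] in set(levels)


def audit_outcome(xml_text):
    """'Success Audit' / 'Failure Audit' from Keywords, or None for non-audit events."""
    kw = system_fields(xml_text)["keywords"]
    if kw & KW_AUDIT_FAILURE:
        return "Failure Audit"
    if kw & KW_AUDIT_SUCCESS:
        return "Success Audit"
    return None


def select_events(events, levels=(1, 2, 3), keep_failed_audits=False):
    """Event IDs a filter keeps. keep_failed_audits mirrors adding a second
    <Select Path='Security'>*[System[band(Keywords,4503599627370496)]]</Select>
    (4503599627370496 == 0x0010000000000000) so failed audits survive a level filter."""
    kept = []
    for xml_text in events:
        f = system_fields(xml_text)
        if f["level"] in set(levels) or (keep_failed_audits and f["keywords"] & KW_AUDIT_FAILURE):
            kept.append(f["event_id"])
    return kept


def _event(channel, event_id, level, keywords):
    """Constructed minimal event XML for the samples below."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>%d</EventID><Level>%d</Level><Keywords>%s</Keywords>'
            '<Channel>%s</Channel></System><EventData/></Event>'
            % (event_id, level, keywords, channel))


SYSTEM_ERROR_EVENT = _event("System", 7000, 2, "0x8080000000000000")     # service failed to start
SYSTEM_INFO_EVENT = _event("System", 7036, 4, "0x8080000000000000")      # service state change
SECURITY_FAILED_LOGON = _event("Security", 4625, 0, "0x8010000000000000")  # Audit Failure
SECURITY_TGT_REQUEST = _event("Security", 4768, 0, "0x8020000000000000")   # Audit Success
SAMPLE_EVENTS = [SYSTEM_ERROR_EVENT, SYSTEM_INFO_EVENT, SECURITY_FAILED_LOGON, SECURITY_TGT_REQUEST]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = system_fields(ev)
        print(f["channel"], f["event_id"], LEVEL_NAMES[f["level"]], audit_outcome(ev),
              "kept" if matches_level_filter(ev) else "dropped")
    print("level 1-3 only:", select_events(SAMPLE_EVENTS))
    print("level 1-3 plus failed audits:", select_events(SAMPLE_EVENTS, keep_failed_audits=True))
```

Export a few events from each channel with Event Viewer (Save Selected Events as XML), run them through select_events with the levels you intend, and compare the kept IDs with what you expect before editing the QueryXML; if the Security channel comes back empty, that is the Level 0 behaviour shown here, not a syntax problem.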
ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
shahpasandi created
I got this error while trying to forward Windows 11 event logs to the SIEM:

ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

My nxlog config is here:

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
# Nxlog internal logs
<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
# Win Event Log - Security
<Input inSecurityEvent>
Module im_msvistalog
Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList>
Exec $Message = to_json();
</Input>
<Output outSecurityEvent>
Module om_tcp
Host X.X.X.X
Port 5060
Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); to_json();
Exec to_json();
Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event);
</Output>
<Route 1>
Path inSecurityEvent => outSecurityEvent
</Route>

This works fine on other versions of Windows; the problem is Windows 11.
Om_azuremonitor module
mdekshinsg created
Hi, can anybody clarify whether om_azuremonitor works in an air-gapped environment? Thanks for your input.
NXLog CE 3.0.2272 - im_systemd
cm created
I have enabled the im_systemd module now included in the community version and I have noticed that every time the nxlog service is started, a huge amount of data is sent. I have configured an output to log this data to a file and I get 20M of data at each restart.

Has anyone ever encountered this behaviour?
om_azuremonitor output module resolve URI through DNS
mdekshinsg created
The objective is to configure NXLog to send logs to a Sentinel LAW. The output module used is om_azuremonitor. The DCE URI directive depends on DNS resolution to resolve the URL to an IP. We added an entry in the local /etc/hosts file, but nslookup on the URI fails. Any input on how the DNS can be resolved? There is no specific DNS server configured.
I would like to collect log with parameters only from one type of log
Avi Israelov created
Hi,

I have the configuration below, in which I would like to collect data from "Security" and from "ForwardedEvents". I would like the data from Security to come with specific values (e.g. $TaskValue, $Version) while ForwardedEvents ignores them. How can I configure that?
DNS resolution in Nxlog
mdekshinsg created
Hi! Can somebody help me with how DNS resolution works in the NXLog configuration? Thanks!
sending logs between 2 nxlog-ce
idan_am created
Hey, I am trying to send logs over TCP from one nxlog instance to another to make a kind of proxy, so I can set up the parsing of logs in one place and have an easier time configuring TLS there rather than on my syslog server. But I receive an "end of file" error when the TCP connection is being made between the two nxlog-ce instances. So I think I might be using nxlog-ce in a way it's not designed for, am I right? Thank you.
ERROR with modules xm_resolver.dll & xm_admin.dll
Siaka TRAORE created
Hello everyone,

I need your help with my issue. I use the CE version and, on restarting the nxlog service, I receive errors loading the xm_resolver.dll and xm_admin.dll modules in the log file. After checking, I noticed that these DLLs are not present on my machine.

2023-12-27 17:48:27 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_resolver.dll, The specified module could not be found. ;
2023-12-27 17:48:27 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_admin.dll, The specified module could not be found. ;

Do you have any idea how to solve this issue and how I can get these DLLs?

Thanks in advance,
Sample "Sending emails with Python" not working in Windows
cmarsura created
Hi, I am unable to run your basic example "Sending emails with Python" because nxlog is unable to load the required module. Reducing the code to a minimal set, I found that nxlog is unable to load some basic Python modules that come bundled with the Python installation. The following are some of the modules that nxlog is unable to load:

smtplib
socket
ssl
email.mime.text
windows_tools.users (after installing with "pip install windows_tools.users")

The same file, modified to be executed directly from python.exe on the same machine, runs correctly.

nxlog.conf:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension python>
Module xm_python
PythonCode 'c:\Program Files\nxlog\modules\extension\python\py\send_email.py'
</Extension>
<Input in>
Module im_null
</Input>
<Output out>
Module om_null
</Output>
<Processor myprocessor>
Module pm_null
<Exec>
python_call('main');
</Exec>
</Processor>
<Route myroute>
Path in => myprocessor => out
</Route>

send_email.py:

import smtplib
#import socket
#import ssl
#import email.mime.text
# pip install windows_tools.users
#import windows_tools.users as users
import json
import nxlog

#def main():
def main(event):
    # Body that does nothing
    print("Hello from Main()")

nxlog.log:

2023-12-28 11:45:26 ERROR Python ERROR: ImportError('DLL load failed while importing _socket: The specified module could not be found.')
2023-12-28 11:45:26 ERROR #0 in <module> (...) at: C:\Program Files\Python310\Lib\socket.py:51;
2023-12-28 11:45:26 ERROR #1 in _call_with_frames_removed (...) at: <frozen importlib._bootstrap>:241;
2023-12-28 11:45:26 ERROR #2 in exec_module (...) at: <frozen importlib._bootstrap_external>:882;
2023-12-28 11:45:26 ERROR #3 in _load_unlocked (...) at: <frozen importlib._bootstrap>:685;
2023-12-28 11:45:26 ERROR #4 in _find_and_load_unlocked (...) at: <frozen importlib._bootstrap>:999;
2023-12-28 11:45:26 ERROR #5 in _find_and_load (...) at: <frozen importlib._bootstrap>:1025;
2023-12-28 11:45:26 ERROR #6 in <module> (...) at: C:\Program Files\Python310\Lib\smtplib.py:44;
2023-12-28 11:45:26 ERROR #7 in _call_with_frames_removed (...) at: <frozen importlib._bootstrap>:241;
2023-12-28 11:45:26 ERROR #8 in exec_module (...) at: <frozen importlib._bootstrap_external>:882;
2023-12-28 11:45:26 ERROR #9 in _load_unlocked (...) at: <frozen importlib._bootstrap>:685;
2023-12-28 11:45:26 ERROR #10 in _find_and_load_unlocked (...) at: <frozen importlib._bootstrap>:999;
2023-12-28 11:45:26 ERROR #11 in _find_and_load (...) at: <frozen importlib._bootstrap>:1025;
2023-12-28 11:45:26 ERROR #12 in <module> (...) at: C:\Program Files\nxlog\modules\extension\python\py\send_email.py:1;
2023-12-28 11:45:26 ERROR #13 in _call_with_frames_removed (...) at: <frozen importlib._bootstrap>:241;
2023-12-28 11:45:26 ERROR #14 in exec_module (...) at: <frozen importlib._bootstrap_external>:882;
2023-12-28 11:45:26 ERROR #15 in _load_unlocked (...) at: <frozen importlib._bootstrap>:685;
2023-12-28 11:45:26 ERROR #16 in _find_and_load_unlocked (...) at: <frozen importlib._bootstrap>:999;
2023-12-28 11:45:26 ERROR #17 in _find_and_load (...) at: <frozen importlib._bootstrap>:1025;
2023-12-28 11:45:26 ERROR Couldn't import python module 'send_email'
2023-12-28 11:45:26 INFO nxlog-ce-3.2.2329 started
2023-12-28 11:45:26 ERROR ### ASSERTION FAILED at line 503 in libnxpython.c/nx_python_init(): "conf->thread_state_key == NULL" ###

The environment is:

Windows Server 2022
nxlog-ce-3.2.2329
python-3.10.8-amd64.exe
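A diagnostic script for the situation in the post above, added here as an example and not part of the original post or of NXLog's samples. The traceback shows a C extension (_socket) that python.exe can load but the interpreter embedded in nxlog cannot, which is almost always a difference in where the two processes look for DLLs and modules. The script records the interpreter facts that decide that (executable, prefix, sys.path, PATH, working directory), tries each import in isolation instead of letting the first failure abort the whole module, and can register extra DLL directories on Windows. Load it with xm_python and call main via python_call, then run it from python.exe, and diff the two reports. Assumptions: nxlog.log_info is taken to be the logging call the xm_python module exposes (it is only imported when present, so the script also runs stand-alone); the module list and the directory paths passed to add_dll_dirs are illustrative.

```python
import importlib
import os
import sys


def probe_imports(names):
    """Try each module on its own; return {name: None on success, else 'ExcType: message'}."""
    results = {}
    for name in names:
        try:
            importlib.import_module(name)
            results[name] = None
        except Exception as exc:  # ImportError for DLL load failures, but be broad
            results[name] = "%s: %s" % (type(exc).__name__, exc)
    return results


def interpreter_report():
    """Facts that commonly differ between python.exe and an embedding host such as nxlog."""
    return {
        "executable": sys.executable,
        "version": sys.version.split()[0],
        "prefix": sys.prefix,
        "cwd": os.getcwd(),
        "sys.path": list(sys.path),
        "PATH": os.environ.get("PATH", "").split(os.pathsep),
    }


def add_dll_dirs(paths):
    """On Windows with Python 3.8+, register extra DLL search directories for extension
    modules (for example the Python 'DLLs' folder). No-op elsewhere; returns what was added."""
    added = []
    if hasattr(os, "add_dll_directory"):
        for p in paths:
            if os.path.isdir(p):
                os.add_dll_directory(p)
                added.append(p)
    return added


def format_report(names):
    """One text block: interpreter facts followed by the outcome of each import."""
    lines = ["%s: %s" % (k, v) for k, v in interpreter_report().items()]
    for name, err in probe_imports(names).items():
        lines.append("import %s: %s" % (name, "ok" if err is None else err))
    return "\n".join(lines)


# Illustrative: the modules from the post plus the 'DLLs' folder of the installed interpreter.
PROBE_MODULES = ["smtplib", "socket", "ssl", "email.mime.text", "json"]
EXTRA_DLL_DIRS = [os.path.join(sys.prefix, "DLLs")]


def main(event=None):
    """Entry point for xm_python: python_call('main'). Returns the report text."""
    add_dll_dirs(EXTRA_DLL_DIRS)
    report = format_report(PROBE_MODULES)
    try:
        import nxlog  # present only inside the agent; log_info assumed per xm_python docs
        nxlog.log_info(report)
    except ImportError:
        print(report)
    return report


if __name__ == "__main__":
    main()
```

Compare the "prefix", "sys.path" and "PATH" lines of the two reports first: if the embedded interpreter reports a different prefix or a PATH without the Python installation directory, that explains why socket.py finds _socket in sys.path but the loader cannot resolve the DLLs it depends on.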
Does NXLog support tamper-proof logging?
billychua created
Hi Support,

I would like to inquire whether NXLog supports tamper-proofing for syslog received and stored on the NXLog Relay Server.

Thank you.

Regards,
Billy
Webpage Error
ricky.ho@blackbox.com created
I had to restart the VM running our NXLog Manager (CentOS 7). Now I'm getting the following message when attempting to access our NXLog Manager URL:

HTTP ERROR 500
Problem accessing /nxlog-manager/login.html. Reason: Server Error
Caused by: org.apache.tiles.request.render.CannotRenderException: ServletException including path '/WEB-INF/layouts/default.jsp'.
Not in installed apps and finding out version
populouspanda created
Hello :)
I have a friend who is asking why he can't find nxlog on his PC under installed applications. When I run the .msi file I can find it easily. Did his previous security officer install it a different way? (On Windows)
Also, how can I see which version of nxlog is currently running? (On Windows)
Thanks
perl_call() method is not working in windows 11
Ankur Gangwar created
Purpose: To add geographical information (GeoIP) to the logs.

Problem: I am trying to add GeoIP to the logs coming from Linux and Windows hosts. For that I have gone through https://docs.nxlog.co/ce/current/index.html#xm_perl. On both (Windows and Linux hosts) I am not able to run nxlog after modifying the nxlog config according to the given link.

Windows 11: First, I installed perl-5.28.2.1, after that I modified the config. When I try to restart the nxlog service, it shows the following errors in the log file:

2023-12-04 07:09:22 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_perl.dll, The specified module could not be found. ; The specified module could not be found.
2023-12-04 07:09:22 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:62; couldn't parse statement at line 65, character 0 in C:\Program Files\nxlog\conf\nxlog.conf; function 'perl_call()' does not exist or takes different arguments
2023-12-04 07:09:22 ERROR module 'sys_in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 WARNING no routes defined!
2023-12-04 07:09:22 WARNING not starting unused module sys_in
2023-12-04 07:09:22 WARNING not starting unused module sys_out

The config is as follows:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension perl>
Module xm_perl
PerlCode C:\Program Files\nxlog\modules\extension\perl\processlogs.pl
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
# Sending the system logs over tcp
<Input sys_in>
Module im_msvistalog
<Exec>
$raw_event = "windows " + to_json();
perl_call("process");
</Exec>
</Input>
# setting the output to rsyslog server
<Output sys_out>
Module om_tcp
Host <ip-address of rsyslog server>
Port 514
# First we parse the input natively from nxlog
Exec parse_syslog_bsd();
# Now call the 'process' subroutine defined in 'processlogs.pl'
Exec to_json();
</Output>
<Route 1>
Path sys_in => sys_out
</Route>

Linux - Ubuntu (22.04): I have not installed perl as it is already installed. So I modified the config and restarted the nxlog service, but in the logs it shows:

2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl
2023-12-04 14:41:52 INFO nxlog-ce-3.2.2329 started
2023-12-04 14:41:52 INFO connecting to <ip-address of rsyslog server>:514
2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl

The config is as follows:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/docs
########################################
# Global directives
########################################
User nxlog
Group nxlog
include /etc/nxlog/nxlog.d/*.conf
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension perl>
Module xm_perl
PerlCode /etc/nxlog/processlogs.pl
</Extension>
<Input in1>
Module im_file
File "/var/log/auth.log"
<Exec>
$raw_event = " ankurlapauthlogs " + $raw_event;
</Exec>
</Input>
<Output fileout1>
Module om_tcp
Host <ip-address of rsyslog server>
Port 514
Exec perl_call("process");
Exec to_syslog_bsd();
</Output>
########################################
# Routes
########################################
<Route 1>
Path in1 => fileout1
</Route>

P.S. I am using the same processlogs.pl file as given in the reference manual.