SO I was in the process of creating a custom parser for NetMotion VPN logs but for some reason, no matter what I specify in the nxlog.conf I have no output.I originally had an older agent so I uninstalled and reinstalled with the latest download. - No changeI originally had an Exec stanza with some regex to capture some groups and assign them to some variables, I removed that whole section and am simply doing "parse_syslog(); - No change This was my original conf filepanic SOFT define INSTALLDIR C:\Program Files\nxlog define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log LogLevel DEBUG LogFile %MYLOGFILE% <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input NetMotion> Module im_file File "C:\Testing-logs\NetMotion.txt" <Exec> if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/ { if $4 == 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED'; $version = 'v1'; $time = $3; $account = $1; $assigned_ip = $6; $source_ip = $2; $authentication_result = 'SUCCESS'; $authentication_target = $5; } </Exec> </Input> <Output local_file> Module om_file Exec to_json(); File "C:\Testing-logs\Parsed.txt" </Output> <Route NM_to_file> Path NetMotion => local_file </Route>After that was not producing anything I decided to rip the whole thing out and simply do a “parse_syslog” like below but still no luck.panic SOFT define INSTALLDIR C:\Program Files\nxlog define LOGDIR %INSTALLDIR%\data define MYLOGFILE %LOGDIR%\nxlog.log LogLevel DEBUG LogFile %MYLOGFILE% <Extension json> Module xm_json </Extension> <Extension syslog> Module xm_syslog </Extension> <Input NetMotion> Module im_file File "C:\Testing-logs\NetMotion.txt" Exec parse_syslog(); </Input> <Output local_file> Module om_file Exec to_json(); File "C:\Testing-logs\Parsed.txt" </Output> <Route NM_to_file> Path NetMotion => local_file </Route>I've done similar things before and have never really had an issue but this is throwing me for a loop. The nxlog.log shows no errors and actually says that the routes are being processed. Even when I was applying the custom regex it showed the regex being applied and everythign workign but there were still no lines being written to the Parsed.txt file. Can anyone see anythign blatantly obvious that I'm missing that could stop this from working?

Hi folks,how can we download the latest agent version without going true the manual download page.Since the change of your webpage, the previous links do not work anymore.This crucial, to have the latest agents in place.Thank youNick

Hello, I'm having trouble forwarding Logs from my ePO instance to nxlog. ePO will say Syslog connection success under test connection, however, nxlog.log will say “Error Module ssl coulden't read the input; invalid header received by Syslog_TLS input reader, input is not RFC 5425 compliant.” It seems like nxlog is having trouble decrypting due to maybe a certificate issue but im not sure. Any help would be greatly appreciated. 

I want collect chrome histroy log, follow the https://docs.nxlog.co/userguide/integrate/browser-history.html#google-chrome-history-location-and-details guide on windows terminal, because the http://www.ch-werner.de/ site is down, so I can't download “SQLite ODBC Driver”，but i found another substitution  https://www.devart.com/odbc/sqlite/download.html , I don't know if this driver is not as same as  “SQLite ODBC Driver”. But when I run nxlog, I got some error info.2023-02-14 11:23:25 INFO [im_odbc|odbc] im_odbc successfully connected to the database2023-02-14 11:23:25 WARNING [im_odbc|odbc] im_odbc detected a disconnection, attempting to reconnect in 10 seconds2023-02-14 11:23:25 ERROR [im_odbc|odbc] SQLExecute failed, 22001:2:390:[Devart][ODBC]String data, right-truncated (odbc error code: -1) my input conf like below<Input odbc>   Module              im_odbc   PollInterval        1200   ConnectionString    DRIVER=Devart ODBC Driver for SQLite; Database=D:\ProgramFiles\logs\History_Chrome;Version=3;   SQL               Select visits.id AS id,urls.url AS URL,urls.title AS Title FROM visits INNER JOIN urls ON visits.url = urls.id WHERE visits.id > ?   Exec                $Hostname = hostname();   Exec                to_json();</Input>I want to know what's wrong with my config ,or how to fix it. 

Getting “Ajax request cannot be executed” error when downloading CE-3.1.2319.msi file from nxlog.co.

I havent been able to download the files for any of the community edition agents. https://nxlog.co/downloads/nxlog-ce#nxlog-community-edition , select the OS version and click Download.  5 sec later I get a pop up stating “Undefined”.  I have tried on different Browsers, platforms, and workstations and there is no change in the behavior.

Hello,This is not a installation question.Using wget, as I have done for past 6 years was grab a NXLog-CE installation and install on my Linux core servers.   Yesterday 11/22/2022 I was unable to do this. I also noticed the Web Site has changed for downloading community versions and now  I need to make account. I'm assuming at this point,  Steps  needed  are install NXLog on any core servers I need to make account  on NXLog  site, Download the package needed. Transfer the NXLog package to  a closed environment that we have,  Upload NXLog package to a internal repo and distribute it as needed?   I'm also assuming this is a security procedure taken by NXLog?   If anyone could enlighten me on the new changes  that would be great.Thanks-Greg 

I am sending Windows logs to Graylog via nxlog community edition, but certain processes are generating so much logs that I'd rather not send at all, so I'm trying to figure out how to modify nxlog config to exclude logs with specific terms or generated by a specific process using the “ProcessName” field for example. any help would be appreciated.

Hi,I get the above error when I tried to start nxlog server. Below is my config file. Please assists. thank you Panic Softdefine INSTALLDIR C:\Program Files\nxlog#ModuleDir %INSTALLDIR%\modules#CacheDir  %INSTALLDIR%\data#SpoolDir  %INSTALLDIR%\datadefine CERTDIR %INSTALLDIR%\certdefine CONFDIR %INSTALLDIR%\conf\nxlog.d# Note that these two lines define constants only; the log file location# is ultimately set by the `LogFile` directive (see below). The# `MYLOGFILE` define is also used to rotate the log file automatically# (see the `_fileop` block).define LOGDIR c:\datadefine MYLOGFILE %INSTALLDIR%\data\nxlog.log# If you are not using NXLog Manager, disable the `include` line# and enable LogLevel and LogFile.#include %CONFDIR%\*.confLogLevel    INFOLogFile     %MYLOGFILE%<Extension exec>   Module        xm_exec</Extension><Extension _syslog>   Module  xm_syslog</Extension><Extension fileop>   Module      xm_fileop</Extension># This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`# is changed in managed.conf via NXLog Manager, rotation of the new# file should also be configured there.<Extension _fileop>   Module  xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       <Exec>           if ( file_exists('%MYLOGFILE%') and                (file_size('%MYLOGFILE%') >= 5M) )           {                file_cycle('%MYLOGFILE%', 8);           }       </Exec>   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);   </Schedule></Extension><Input tcp>   Module      im_tcp   ListenAddr  0.0.0.0:514</Input>define LOCALFILE  'C:\Users\Administrator\Documents\Data'<Output file>   Module  om_file   File    %LOCALFILE%</Output><Route tcp_to_file>   Path    tcp => file</Route> Error Message:2023-02-06 00:41:43 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows2023-02-06 00:41:43 ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.  2023-02-06 00:41:43 INFO [im_tcp|tcp] listening on 0.0.0.0:514 Regards, Billy

If a customer purchases 100 NXLog Enterprise licenses and needs more six months later, do they place an order for the additional licenses separately or increase the original order? Are they able to deploy and then true-up, or do they need a unique key for each before deploying?

Hi team, i have converted auit messages in multiline to singleline using multiline parser. problem is two spaces are added instead of one space after semicolon. message1;message2; single line: message1;. message2; There is two space first simicolon and message2 instead of one how to remove extra space

I would like to ask, in some circumstances NXLogAgent on Windows, the agent cannot forwarding log to FortiSIEM (sometimes the agent was stopped by itself), I need to manual restart the agent to make the agent running again, in this situation is it abnormal or not?Another question would be about the log format can be parsed by FortiSIEM or I need to custom parser to parse this log format or someone can provide this parser to me?Best Regards, 

Good Afternoon.I currently run a NX log solution that was setup by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server and that server uploads the logs to the IDS. That being said, I have set up a gray log server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should on of them become compromised. (via malware, ransomware, etc) I realize that there is already a config fiile for nx log that sends the event viewer logs so I am assuming that I would have to use that same file to have nx send dns logs to a different location (if that is even possible).   So my questions are, Is it possible to do that? If so, is the collection service that has to be stopped in order to edit the config file?I would send these logs to the same online IDS service but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting. Any input will be greatly appreciated.

Hi Folks,I have a tcp output that has 3 hosts in sequence to send to graylog (failover), but I would like to "randomly" switch the ouputs to better distribute the load on the nodes. In my config example, 'graylog_1' will always receive all events. Is there a bultin solution for processor/output to send randomly to the multiple nodes?Config example:<Output out_graylog>   Module om_tcp     FlowControl False      Host 192.168.0.10:514 # graylog_1      Host 192.168.0.11:514 # graylog_2      Host 192.168.0.12:514 # graylog_3 </Output>A viP/loadbalancer for graylog is not the solution I'm looking for, I want to understand the power of nxlog and its customization.

It would be nice if you eliminate scrolling with wrapping in this forum posts.

Hi the pronblem is that all works but I don´t receive any log.Graylog version 4.3 in debian 11.  Sidecar graylog 1.2 and NXLOG 3.0 if my memory doesn´t fail.What can i do?Thanks and happy new year.

Guys, does anyone know where I can get information on average resource consumption by the Nxlog CE agent?Thanks.James \0/

Hi All,I have requirement to forward the windows logs to QRadar using NX . Below is my config file , I am unable to receive the log in my SIEM platform. I could encounter the error : ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension># Snare compatible example configuration# Collecting event log<Input eventlog>   Module    im_msvistalog   <QueryXML>       <QueryList>           <Query Id='0'>               <Select Path='Application'>*</Select>               <Select Path='Security'>*[System/Level<4]</Select>               <Select Path='System'>*</Select>               <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>               <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>               <Select Path='Windows PowerShell'>*</Select>           </Query>       </QueryList>   </QueryXML>   <Exec>       if $Category == undef $Category = 0;       if $EventType == 'CRITICAL'       {           $EventTypeNum = 1;           $EventTypeStr = "Critical";       }       else if $EventType == 'ERROR'       {           $EventTypeNum = 2;           $EventTypeStr = "Error";       }       else if $EventType == 'INFO'       {           $EventTypeNum = 4;           $EventTypeStr = "Informational";       }       else if $EventType == 'WARNING'       {           $EventTypeNum = 3;           $EventTypeStr = "Warning";       }       else if $EventType == 'VERBOSE'       {           $EventTypeNum = 5;           $EventTypeStr = "Verbose";       }       else       {           $EventTypeNum = 0;           $EventTypeStr = "Audit";       }       if $OpcodeValue == 0 $Opcode = "Info";       if $TaskValue == 0 $TaskValue = "None";       $EpochTime = string(integer($EventTime));       $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;       $EpochTime = $sec;       if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }       else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }       else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }       else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }       else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }       else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }       else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }       else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }       else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }       else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }       else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }       else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }       else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }       else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }       else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }       else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }       else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }       else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }       else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }       else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }       else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }       else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }       else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }       else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }       else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }       else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }       else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }       else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }       else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }       else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }       else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }       else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }       else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }       else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }       else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }       else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }       else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }       else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }       else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }       else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }       else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }       else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }       else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }       else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }       else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }       else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }       else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }       else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }       else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }       else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }       else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }       else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }       else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }       else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }       else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }       else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }       else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }       else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }       else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }       else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }       else { $TaskStr = "Unknown[" + $taskValue + "]"; }   if $KeywordsStr == undef {       if $TaskValue == 0 {           $KeywordsStr = 'None';       } else {           $KeywordsStr = '0';       }   }   if $TaskStr == undef {       $TaskStr = $TaskValue;   }   if $EventType == 'AUDIT_SUCCESS' {       $KeywordsStr = "Audit Success";       $EventTypeNum = 8;   } else {       $KeywordsStr = "Audit Failure";       $EventTypeNum = 16;   }       $Message = "AgentDevice=WindowsLog" +           "\tAgentLogFile=" + $Channel +           "\tSource=" + $SourceName +           "\tComputer=" + hostname_fqdn() +           "\tOriginatingComputer=" + host_ip() +           "\tUser=" + $AccountName +           "\tDomain=" + $Domain +           "\tEventIDCode=" + $EventID +           "\tEventType=" + $EventTypeNum +           "\tEventCategory=" + $TaskValue +           "\tRecordNumber=" + $RecordNumber +           "\tTimeGenerated=" + $EpochTime +           "\tTimeWritten=" + $EpochTime +           "\tLevel=" + $EventTypeStr +           "\tKeywords=" + $KeywordsStr +           "\tTask=" + $TaskStr +           "\tOpcode=" + $Opcode +           "\tMessage=" + $Message;       $Hostname = host_ip();       delete($SourceName);       delete($Severity);       delete($SeverityValue);       to_syslog_bsd();   </Exec></Input># # Converting events to Snare format and sending them out over TCP syslog<Output out>    Module      om_tcp    Host        10.x.x.x    Port        514    Exec        to_syslog_bsd();</Output># # Connect input 'in' to output 'out'<Route 1>    Path        eventlog => out</Route>  

Hello,I'm trying to forward the VPN logs of a Zyxel ATP700 to my SIEM (InsightIDR), the forwarding works fine, but I can't format them as indicated in this documentationhttps://docs.rapid7.com/insightidr/rapid7-universal-vpn/Can someone help me?Thank you

Currently, I have GrayLog running as a docker image on an unraid server. Everything is working well. I also have a MS Windows lab environment that I want to forward logs into Graylog with the help of nxlog. I followed the instructions at: https://docs.nxlog.co/userguide/integrate/graylog.html and I don't have any errors, but I also don't have any data. Any ideas on how I can troubleshoot this to determine where my issue is?