
nxlog on 2008 has issues while 2012 and 2016 work fine

I set up nxlog on Windows 2008, Windows 2008 R2, Windows 2012 and Windows 2016.

On Windows 2008 and 2008 R2, nxlog has some issue with the connection to the syslog server, while 2012 and 2016 work perfectly fine.

> nxlog log file

```
2019-01-31 22:06:31 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-01-31 22:06:32 INFO connecting to <some loadbalancer IP>
2019-01-31 22:24:57 INFO reconnecting in 1 seconds
2019-01-31 22:24:58 INFO connecting to <some loadbalancer IP>:514
2019-01-31 22:41:51 INFO reconnecting in 1 seconds
2019-01-31 22:41:52 INFO connecting to <some loadbalancer IP>:514
2019-02-01 00:45:43 INFO reconnecting in 1 seconds
2019-02-01 00:45:44 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:00:56 INFO reconnecting in 1 seconds
2019-02-01 01:00:56 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-02-01 01:00:56 INFO reconnecting in 2 seconds
2019-02-01 01:00:57 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:19:06 WARNING received a system shutdown request
2019-02-01 01:19:06 WARNING stopping nxlog service
2019-02-01 01:19:06 WARNING nxlog-ce received a termination request signal, exiting...
2019-02-01 01:19:42 INFO nxlog-ce-2.10.2150 started
2019-02-01 01:19:42 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:20:09 INFO reconnecting in 1 seconds
2019-02-01 01:20:09 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-02-01 01:20:10 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:20:13 WARNING received a system shutdown request
2019-02-01 01:20:13 WARNING stopping nxlog service
2019-02-01 01:20:13 WARNING nxlog-ce received a termination request signal, exiting...
2019-02-01 01:20:47 INFO nxlog-ce-2.10.2150 started
2019-02-01 01:20:47 INFO connecting to <some loadbalancer IP>o:514
2019-02-01 02:03:05 INFO reconnecting in 1 seconds
2019-02-01 02:03:05 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-02-01 02:03:06 INFO connecting to <some loadbalancer IP>:514
```

> Configuration file

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogLevel INFO

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
  Module im_msvistalog
  <QueryXML>
  <QueryList>
     <Query Id='0'>
         <Select Path='Application'>*</Select>
         <Select Path='Security'>*</Select>
         <Select Path='System'>*</Select>
     </Query>
  </QueryList>
  </QueryXML>
</Input>

<Output tcp>
  Module om_tcp
  Host <Load Balancer IP>
  Port 514
  Exec to_syslog_snare();
</Output>

<Route 1>
  Path eventlog => tcp
</Route>

What could be the issue? Is there anything more to be added on 2008 and 2008 R2?


Atul created
Replies: 1
Questions about NXLog

So we have several systems/appliances that only send to one location. However, we have a need to send logs to more than one location. The issue is that the logs are sent in LEEF format, and one system uses LEEF while the other system uses CEF.

I know NXLog will do the multiple sending; however, will it also convert the logs it is sending?

I am asking this because we were told the Snare Central Server could do it and found out that it cannot do it without the agents installed. Clearly you cannot install agents on an appliance, so before we go to the trouble of trying to set up and build out an NXLog server, we need to know if this type of thing is possible.


kmschramm created
Replies: 3
Differences between nxlog and windows sysmon event log?

I want to send the Windows event log generated from a normal PC to Graylog.

My first plan was to install sysmon and send it to Graylog, but I had difficulty with the transport part.

So I got to know nxlog.

I need the Windows event log from sysmon, which is the Windows security log. Can I check this in nxlog?

Thank you for your guide.

And I want to know the difference between the nxlog and sysmon logs.


incle created
Replies: 1
File Rotate Directory

I am attempting to use `xm_fileop` to rotate some logfiles I am collecting with nxlog. I can see that rotation works as expected if I specify the file path, but can I use the same logic to rotate all files in a directory? Example: `/var/log/osquery/` on Linux/Mac and `C:\ProgramData\osquery\log` on Windows has 3 files in it that start with `osqueryd.` and I want to watch those and rotate them if they get over 3M. I have tried on Windows and Mac to use a `*` in the file path to specify the directory: `define OSQLOGFILE C:\\ProgramData\\osquery\\log\\osqueryd.*` but that doesn't rotate the log. If I specify each file by name then it works as expected, but then I need 3 xm_fileop sections. Is there an easy way to tell nxlog to rotate all files matching a pattern? Here is my logic so far:

```
Module xm_fileop
# Check the log file size every hour and rotate if larger than 3 MB
Every 1 hour
Exec if (file_exists('%OSQLOGFILE%') and (file_size('%OSQLOGFILE%') >= 1M)) file_cycle('%OSQLOGFILE%', 4);
```

tgdesrochers created
Replies: 1
NXLog postgresql ID manipulation?

Is it possible to manipulate the ID in the SQL queries done by the NXLog agent? The documentation states this for the im_dbi module:

The module automatically appends a `WHERE id > ? LIMIT 10` clause to the statement. The result set returned by the SELECT statement must contain an id column which is then stored and used for the next query.

I have a database that does not get new records very often, so I want to reset that id for testing and development purposes on the receiving end.


JaVa created
Replies: 1
Stop nxlog service

Hi,

I have installed the community version on Linux 18.04 AMD64 and I encountered a problem with stopping the NXLog service. When I hit "sudo service nxlog stop", the command is processed but the service still persists. When I hit "sudo service nxlog status", the result is:

```
● nxlog.service - LSB: logging daemon
   Loaded: loaded (/etc/init.d/nxlog; generated)
   Active: failed (Result: exit-code) since Sun 2019-01-27 16:50:34 CET; 33s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 8744 ExecStart=/etc/init.d/nxlog start (code=exited, status=1/FAILURE)
    Tasks: 7 (limit: 2321)
   CGroup: /system.slice/nxlog.service
           └─30012 /usr/bin/nxlog

led 27 16:50:34 logstash-VirtualBox systemd[1]: Starting LSB: logging daemon...
led 27 16:50:34 logstash-VirtualBox nxlog[8744]:  * Starting nxlog daemon...
led 27 16:50:34 logstash-VirtualBox nxlog[8744]: 2019-01-27 16:50:34 ERROR Another instance is already running (pid 30012);Resource temporarily unavailable
led 27 16:50:34 logstash-VirtualBox nxlog[8744]: Failed to start nxlog!
led 27 16:50:34 logstash-VirtualBox nxlog[8744]:    ...fail!
led 27 16:50:34 logstash-VirtualBox systemd[1]: nxlog.service: Control process exited, code=exited status=1
led 27 16:50:34 logstash-VirtualBox systemd[1]: nxlog.service: Failed with result 'exit-code'.
led 27 16:50:34 logstash-VirtualBox systemd[1]: Failed to start LSB: logging daemon.
```

Could you please advise me how I can stop it and run it again? Is the service working right when I do "sudo service nxlog status"?

Thank you for all your advice.

Kind regards,

Marek


Mareknejedly created
Replies: 1
Need help please. Best way to receive rsyslog from clients and forward onto a Graylog server?

I have my NXLog server successfully receiving rsyslog messages from client Linux boxes. Now I'm trying to have NXLog forward those messages to my Graylog server using GELF. NXLog and Graylog are both running on CentOS 7. If anyone can point me in the right direction config-file-wise, I'd be greatly appreciative.


jerald.harrison created
Replies: 1
NXLog Enterprise and EVTX (eventlog) files

Hello all,

I'm currently running NXLog Enterprise in version nxlog-4.0.3550-x64 with the following config:

```
Module im_msvistalog
File C:\logs\Security.evtx

Module im_msvistalog
File C:\logs\Application.evtx
```

I am trying to read in from 2 local evtx files. In the nxlog.log I see the following error:

```
2019-01-21 14:34:33 ERROR ### ASSERTION FAILED at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->elts))[imconf->q_subs->nelts-1]->query = imconf->_query" ###
2019-01-21 14:34:36 ERROR last message repeated 4 times
2019-01-21 14:34:36 ERROR ### ASSERTION FAILED at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->elts))[imconf->q_subs->nelts-1]->query = imconf->_query" ###
```

Do you know what I'm doing wrong here? From what I've read in the manual, the enterprise edition should be able to read evtx files.

best regards,
micsnare

micsnare created
Replies: 2
NXLOG capturing MS DNS Header

With the following config file I am capturing the entire MS DNS logs. This includes the DNS header info, which I want to filter out. I need help figuring out what I can add that will allow me to filter out the DNS header information.

```
define TAP_Sender_IP XXX.XXX.XXX.XXX
define TAP_Sender_Port XXX

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input DNS>
    Module im_file
    File "C:\DNSlogs.txt"
    SavePos True
    <Exec>
        if ($raw_event =~ /^#/) OR ($raw_event == '') drop();
        else { to_syslog_bsd(); }
    </Exec>
</Input>

<Output Tap>
    Module om_udp
    Host %TAP_Sender_IP%
    Port %TAP_Sender_Port%
</Output>

<Route primary>
    Path DNS => Tap
</Route>
```

This config removes the blank spaces between DNS entries but leaves the file header. I'm not sure what I need to change to prevent this from capturing the DNS header information. Does anyone have any suggestions? Thanks in advance, Dags


Dagron created
Replies: 2
NXLOG configuration works only on test server

Hello,

I am still very new to nxlog, and currently I am very stuck. I need to configure nxlog to pick up application files (currently we are only receiving standard Windows logs). For testing purposes, I have installed and configured nxlog on my test machine.

We are using extra.conf to avoid making changes in nxlog config itself, which we install on the server automatically.

Here is my configuration which works fine on my test machine, but on the real application server, it only produces an empty file. Can it be related to the server itself, or am I just missing something? Logs are not showing any error messages.

```
<Extension xmlparser>
    Module xm_xml
</Extension>

<Extension multiline_1>
    Module xm_multiline
    HeaderLine /^<Message>/
    EndLine /^</Message>/
</Extension>

<Input timmsg>
    Module im_file
    File 'C:\Users\Administrator\Desktop\msg.log'
    SavePos FALSE
    ReadFromLast FALSE
    InputType multiline_1
    <Exec>
        # Parse the XML event
        parse_xml();

        # Rewrite some fields
        $EventTime = parsedate($timestamp);
        delete($timestamp);
        delete($EventReceivedTime);

        # Convert to JSON
        to_json();
    </Exec>
</Input>

# Define the output that goes to LogPoint for analysis
<Output timout>
    Module om_file
    File "C:\Users\administrator\Desktop\1.txt"
</Output>

# Tie together inputs to outputs
<Route 2>
    Path timmsg => timout
</Route>
```


Lauxna created
Replies: 2
Forwarding windows logs changes priority

Here at ABB Facts we have been using the SolarWinds forwarding client with Kiwi, but the client is showing its age and no longer works properly.

I have set up nxlog as a replacement forwarder and it works fine, but the priority is now set to Debug on all the Windows events instead of Notice or Info as it was with the SolarWinds forwarder.

My conf file is very simple and shouldn't cause this problem. I have searched for a solution but without any luck.

Here is my conf file:

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_udp
    Host 10.250.254.19
    Port 514
</Output>
```


kenneth.karlsson created
Replies: 2
nxlog in Windows server 2000

I am trying to install nxlog on Windows Server 2000. However, I get the error "Installation directory must be on a local hard drive." I have tried using an administrative command prompt, same error.

Can anyone help me out here?


BibekShrestha created
Replies: 1
Set default interface to send.

Hello, I have a server that sends logs (with nxlog-ce) and has 3 network interfaces (3 different IPs). So any time the server reboots, I see (on my SIEM) incoming logs from a different IP. Is there a way to set the default interface in nxlog?


_omar_ created
Replies: 1
SCCM remember last id

Hi, how can I modify my query to remember the last recordid? Right now I'm using the timestamp and it's working, but I want to use the recordid as the timestamp is causing another issue.

```
<Input in>
    Module im_odbc
    IdType integer
    ConnectionString DSN=SMS SQL;database=CM_IMG;encrypt=true;trustServerCertificate=true;
    SQL SELECT RecordID as id, 'Microsoft_SCEP' as Name, MAL.DetectionTime as SCEPMalDetectTime, \
        SY.Name0 as TargetHost, SY.Resource_Domain_OR_Workgr0 as NTdomain, U.UserName, \
        MAL.Process, MAL.Path, MAL.ThreatID, MAL.ThreatName, MAL.SeverityID, TR.Category, \
        CA.DefaultAction as CleanAction, PA.DefaultAction as PendingAction, \
        MAL.ExecutionStatus, MAL.ActionSuccess, MAL.ErrorCode, \
        CASE WHEN (LEN(MAL.Path) - LEN(REPLACE(MAL.Path, ';file:', ''))) = 0 THEN 1 \
             ELSE (LEN(MAL.Path) - LEN(REPLACE(MAL.Path, ';file:', '')))/6 END AS MaliciousFileCt \
        FROM CM_IMG.SCCM_Ext.vex_EP_Malware MAL \
        LEFT JOIN CM_IMG.dbo.v_R_System SY on SY.ResourceID = MAL.ResourceID \
        LEFT JOIN CM_IMG.dbo.v_Users U on U.UserID = MAL.UserID \
        LEFT JOIN CM_IMG.dbo.EP_ThreatCategories TR on TR.CategoryID = MAL.CategoryID \
        LEFT JOIN CM_IMG.dbo.EP_ThreatDefaultActions CA on CA.DefaultActionID = MAL.CleaningAction \
        LEFT JOIN CM_IMG.dbo.EP_ThreatDefaultActions PA on PA.DefaultActionID = MAL.PendingActions \
        where MAL.DetectionTime >= dateadd(minute, -5, GetDate())
    SavePos TRUE
</Input>
```


alain112 created
Replies: 1
imfile config keyword Exclude unknown

Hi,

I'm testing out nxlog-ce-2.10.2150 and am trying to do a simple exclusion of log files, as explained should be possible here: https://nxlog.co/documentation/nxlog-user-guide-full#im_file_config_exclude

However, no matter how I try, I get this:

```
2019-01-09 13:31:19 ERROR invalid keyword: Exclude at /etc/nxlog/nxlog.conf:109
```

Is this something that simply is not included in the community edition or what gives?

Thanks for any help,

Mika


MikaAleksandroff created
Replies: 4
Unable to Install Nxlog on Centos 7 commandline

I've been unable to install NXLog on the CentOS 7 command line. I've researched the documentation and have used

```
yum install nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm
```

at the command prompt and am getting

```
No package nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm available
Error: nothing to do
```

Can you please assist? Thank you.


malwaresecninja created
Replies: 1
CentOS 7 installation problems

Fresh install of CentOS 7. Downloaded nxlog-ce-2.10.2150-1_rhel7.x86_64.rpm. Ran yum install on the file; it installed all the dependencies and finished successfully, no errors. The next step in the guide says to edit /opt/nxlog/etc/nxlog.conf, but this file doesn't exist. The only nxlog.conf I could find is in /etc/. After much googling I figured I'd move forward; the next step is to verify the conf file with "/etc/nxlog.conf -v". Here's the output:

```
[root@LS-PHL-NXL001 opt]# su root /etc/nxlog.conf
/etc/nxlog.conf: line 9: User: command not found
/etc/nxlog.conf: line 10: Group: command not found
/etc/nxlog.conf: line 12: LogFile: command not found
/etc/nxlog.conf: line 13: LogLevel: command not found
/etc/nxlog.conf: line 18: syntax error near unexpected token `newline'
/etc/nxlog.conf: line 18: `'
```

I'm not sure what to do next. What did I do wrong and how do I fix it?

finkle created
Replies: 1
Nxlog: im_wmi

I'm trying to configure Windows Management Instrumentation (im_wmi) for a host on a different subnet. I'm getting an error:

`chown: cannot access 'wmiusername:nxlog': No such file or directory`. Where am I going wrong? My config is as below:

```
########################################
User nxlog
Group nxlog

LogFile /opt/nxlog/var/log/nxlog/nxlog.log
LogLevel DEBUG

########################################
# Inputs #
########################################

# Block tags below are reconstructed from the "Path wmi => file" line;
# the route name is assumed.
<Input wmi>
    Module im_wmi
    Host 10.x.x.x
    Username wmiusername
    Password SomePassword
    Domain domain.com
    ReadFromLast True
</Input>

<Output file>
    Module om_file
    File "/opt/nxlog/var/windows/" + $AccountName + ".log"
</Output>

<Route wmi_to_file>
    Path wmi => file
</Route>
```

yajitux created
Replies: 1
nxlog syslog configuration

Hi,

I have installed the nxlog package on Linux. I am trying to use nxlog as a syslog server with SSL support. The following is the configuration file:


## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/docs

########################################
# Global directives #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Input ssl>
Module im_ssl
Host localhost
Port 6292
CertFile /var/lib/nxlog/cert/certificate.pem
CertKeyFile /var/lib/nxlog/cert/key.pem
InputType Syslog_TLS
Exec parse_syslog_ietf();
</Input>

<Input in1>
Module im_udp
Port 514
Exec parse_syslog_bsd();
</Input>

<Input in2>
Module im_tcp
Port 514
</Input>

<Output fileout1>
Module om_file
File "/var/log/logmsg.txt"
Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
Exec to_syslog_bsd();
</Output>

<Output fileout2>
Module om_file
File "/var/log/logmsg2.txt"
</Output>

########################################
# Routes #
########################################
<Route 1>
Path in1 => fileout1
</Route>

<Route tcproute>
Path in2 => fileout2
</Route>


I try to run this in the foreground using nxlog -f. nxlog starts but it shows the warning "WARNING not starting unused module ssl". Does this mean SSL is not being used by nxlog? Why does it say unused, and how do I correct it?

infogatherer created
Replies: 1
NXLog and MS Exchange Server Transport Logs

I'm trying to use NXLog to transfer my MS Exchange Server transport logs to an Elasticsearch server. I added the following config to the nxlog.conf file:

```
define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange>
    Module im_file
    # Exports all logs in Directory
    File '%BASEDIR%\MSGTRK????????-.LOG'
    SavePos TRUE
    Exec if $raw_event =~ /HealthMailbox/ drop();
    Exec if $raw_event =~ /^#/ drop();
</Input>

<Output out_exchange>
    Module om_udp
    Host <IP of Elastic Search Server>
    Port <Port of the Elastic Search Server>
    Exec $SyslogFacilityValue = 2;
    Exec $SourceName = 'exchange_msgtrk_log';
    Exec to_syslog_bsd();
</Output>

<Route exchange>
    Path in_exchange => out_exchange
</Route>
```

When I start the nxlog service it states in the log: INFO nxlog-ce-2.10.2150 started

I don't get any information on the Elasticsearch server. In Wireshark I don't see any UDP packets, so I guess the NXLog service doesn't do anything.

Is there any more information or are there debugging logs to use?

Thanks for any hint

Michael


michaelb created
Replies: 1