Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Windows Server 2012 R2 - Missing nxlog.exe
gizmo83 created
I'm new to NXlog, and I'm trying to get NXlog working on a Windows Server 2012 R2 server.
I downloaded NXlog Community Edition, and amended the nxlog.conf file as I required. When trying to start the 'nxlog' service I get the following error:
"Windows could not start the nxlog service on Local Computer.
Error 2: The system cannot find the file specified."
After doing some troubleshooting I noticed the file 'C:\Program Files (x86)\nxlog\nxlog.exe' is missing. It doesn't seem to have been installed during installation.
I've had the same behaviour on two of my test servers; any ideas?
Send CSV to syslog server
joniro created
Hi. I have a script that fetches S3 logs from Amazon, unpacks them and puts them in a folder. I'm using the NXlog script below.
The problem is that NXlog doesn't start and I get the following errors:
status nxlog.service
● nxlog.service - NXLog daemon
Loaded: loaded (/usr/lib/systemd/system/nxlog.service; enabled; vendor preset: disabled)
Active: activating (auto-restart) (Result: exit-code) since Sat 2018-11-24 02:44:31 EET; 2s ago
Process: 10620 ExecStartPre=/opt/nxlog/bin/nxlog -v (code=exited, status=1/FAILURE)
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG stopping EXTENSION modules
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG stopping module csv
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG shutdown_modules: INPUT
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG shutdown_modules: PROCESSOR
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG shutdown_modules: OUTPUT
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG shutdown_modules: EXTENSION
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG no entries found, not writing configcache.dat
Nov 24 02:44:31 fetcher nxlog[10620]: 2018-11-24 02:44:31 DEBUG nxlog_shutdown() leave
Nov 24 02:44:31 fetcher systemd[1]: Unit nxlog.service entered failed state.
Nov 24 02:44:31 fetcher systemd[1]: nxlog.service failed.
2018-11-24 02:48:15 DEBUG Error in Exec block: [to_syslog_bsd();]
2018-11-24 02:48:15 ERROR [modules.c:489/nx_ctx_config_modules()] -;[module.c:1567/nx_module_parse_exec_block()] Couldn't parse Exec block at /opt/nxlog/etc/nxlog.conf:37;[expr-grammar.y:381/parser_do()] couldn't parse statement at line 37, character 21 in /opt/nxlog/etc/nxlog.conf;[expr.c:3359/nx_expr_statement_new_procedure()] procedure 'to_syslog_bsd()' does not exist or takes different arguments
2018-11-24 02:48:15 DEBUG nxlog_shutdown() enter
2018-11-24 02:48:15 DEBUG stopping INPUT modules
2018-11-24 02:48:15 DEBUG stopping module in
2018-11-24 02:48:15 DEBUG stopping PROCESSOR modules
2018-11-24 02:48:15 DEBUG stopping OUTPUT modules
2018-11-24 02:48:15 DEBUG stopping module out
2018-11-24 02:48:15 DEBUG stopping EXTENSION modules
2018-11-24 02:48:15 DEBUG stopping module csv
2018-11-24 02:48:15 DEBUG shutdown_modules: INPUT
2018-11-24 02:48:15 DEBUG shutdown_modules: PROCESSOR
2018-11-24 02:48:15 DEBUG shutdown_modules: OUTPUT
2018-11-24 02:48:15 DEBUG shutdown_modules: EXTENSION
2018-11-24 02:48:15 DEBUG no entries found, not writing configcache.dat
2018-11-24 02:48:15 DEBUG nxlog_shutdown() leave
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /opt/nxlog/var/log/nxlog/nxlog.log
LogLevel debug
Moduledir /opt/nxlog/libexec/nxlog/modules/
define ROOT /opt/nxlog
CacheDir /opt/nxlog/var/log/nxlog/
Pidfile /opt/nxlog/var/log/nxlog/nxlog.pid
SpoolDir /opt/nxlog/var/log/nxlog/
########################################
# Modules #
########################################
<Extension csv>
Module xm_csv
</Extension>
<Input in>
Module im_file
File "/home/cust/*.csv"
ReadFromLast FALSE
SavePos FALSE
</Input>
<Output out>
Module om_udp
Host 10.10.10.10
Port 514
Exec to_syslog_bsd();
#Exec to_syslog_ietf();
</Output>
########################################
# Routes #
########################################
<Route 1>
Path in => out
</Route>
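The ERROR line above is the whole story: to_syslog_bsd() is a procedure provided by the xm_syslog extension, and the posted config loads only xm_csv, so the parser rejects the Exec statement in the Output block. The following config is an added example (not the poster's own) that keeps the same paths, host and port and loads xm_syslog before it is used. The Fields list for xm_csv and the parse_csv() call are assumptions about the CSV layout and are not taken from the post.

```nxlog
# Added example config, not the poster's. Loading xm_syslog defines
# to_syslog_bsd() so that the Exec in the Output block can be parsed.
<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension csv>
    Module  xm_csv
    # Assumed column names for the CSV files; adjust to the real layout.
    Fields  $timestamp, $bucket, $requester, $operation, $key
</Extension>

<Input in>
    Module        im_file
    File          "/home/cust/*.csv"
    ReadFromLast  FALSE
    SavePos       FALSE
    # Assumed: split each line into the fields declared in the csv extension,
    # so they are available as $bucket, $requester, ... downstream.
    Exec          parse_csv();
</Input>

<Output out>
    Module  om_udp
    Host    10.10.10.10
    Port    514
    # Resolves now, because the syslog extension is loaded above.
    Exec    to_syslog_bsd();
</Output>

<Route 1>
    Path  in => out
</Route>
```

Running `/opt/nxlog/bin/nxlog -v` (the ExecStartPre command shown in the systemd status) against this file is the quickest way to confirm the Exec block parses before restarting the service.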
Identifying Facility or local
zamarac created
Hi Team, I'm trying to capture some log files and get them to the right facility or local. Currently I have this:
<Input messages>
Module im_file
File "D:\dhcp\logs\*.log"
</Input>
This does work, but I need to get them to facility 21 and local5. Any idea how to format my entry so this works?
Thanks,
Missing log issue when log file rotate
Chewb created
Hello,
I'm currently facing an issue with missing logs when the log file rotates.
Same problem as described here:
https://nxlog.co/question/3495/missing-log-when-log-file-rotate
I'm using NXLog CE 2.10.2102. I tried to upgrade to the latest version (2.10.2150), but it's still the same problem.
Could you tell me if this issue has been fixed in the CE edition, please? If not, do you have any idea when it will be fixed?
Thank you very much.
Nicolas
Basic Configuration from syslog flat file to IBM QRadar - Connectivity seems to work, can't tell if I'm sending data.
nhart created
We're using NX Log (CE) as a test to see if it will work for our purposes. The overall idea is to use it as a forwarder of syslog flat files to any brand of SIEM.
My config looks like this:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension syslog>
Module xm_syslog
</Extension>
#<Input Alerts>
Module im_file
File 'E:\DGQradarExports\ForwarderCust\Alerts\*'
ReadFromLast True
Exec parse_syslog();
#</Input>
<Input Events>
Module im_file
File 'E:\DGQradarExports\ForwarderCust\Events\*'
ReadFromLast True
Exec parse_syslog();
</Input>
<Input Process>
Module im_file
File 'E:\DGQradarExports\ForwarderCust\Process\*'
ReadFromLast True
Exec parse_syslog();
</Input>
<Output Customer>
Module om_tcp
Host 192.168.160.141
Port 514
</Output>
<Route customer_siem>
Path Events,Process => Customer
</Route>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
My log just shows this:
2018-11-19 08:50:43 INFO nxlog-ce-2.10.2102 started
2018-11-19 08:50:43 INFO connecting to 192.168.160.141:514
QRadar shows an information source has registered but no data ever flows.
I should see a 'connection was successful' message shouldn't I?
Is there any way to up the logging so I can tell if NX Log is even reading the files and attempting to send them? I really can't tell what it's doing currently.
Multiple files exist in the input directories, I'm trying to have NX Log work through all of them, send them to SIEM and then wait for more files. Config examples seem straightforward, I just can't tell what it's doing.
Any help is appreciated.
nxlog to read log4net files for loggly
sinivenugopal created
Hi,
I would like to know whether there is an option to input the files generated by log4net and push them to loggly. The files from log4net could have the same extension or rolling numbers. For example, the file name could be like samplelog-10102018.txt, samplelog-10102018.txt.1, samplelog-10102018.txt.2 or
samplelog-10102018.1.txt, samplelog-10102018.2.txt, samplelog-10102018.3.txt. I tried the filename in the input block (within the nxlog.conf file) as samplelog*.txt and samplelog*.txt.*, but could not get the details in loggly. How do I read multiple files in a location with filenames rotating based on a date format?
Thanks in advance!
NXlog Community edition - buffering to disk when using UDP
marcusfox created
Hi,
I am using the nxlog agent version 2.10.2102 to send Windows logs to a server.
I know that buffering to disk is an option in the event that connectivity is interrupted.
But, can someone tell me if this is an option when using UDP?
If so how does the UDP protocol know when the connectivity is lost?
Does the NXlog agent poll the server in between bursts of UDP activity to determine when to buffer to disk?
Or can I only use buffering when configured to send via TCP?
thanks guys
Making changes to the MSI installer - nxlog-ce-2.10.2102.msi
marcusfox created
Hi all, can anyone tell me an easy way to make the following changes to my MSI file before I push it out via a Group Policy?
What tool can I use that's free and easy to use to edit the file to make it do the following things:
I want the service to start automatically after it's been installed (currently I have to do a reboot, which I want to avoid).
Edit the nxlog.conf file (within the MSI) to include it as part of the installation.
I've tried using ORCA and some others with no success.
thanks
Windows EventData not captured
traz created
Hi,
I'm using the im_msvistalog input to grab events from the Windows security log; however, the important information is being ignored.
This is one of my Windows events:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Auditing" />
<EventID Qualifiers="0">411</EventID>
<Level>0</Level>
<Task>3</Task>
<Keywords>0x8090000000000000</Keywords>
<TimeCreated SystemTime="2018-11-06T09:22:29.086191400Z" />
<EventRecordID>85712874</EventRecordID>
<Channel>Security</Channel>
<Computer>server1</Computer>
<Security UserID="S-8-8-88-8888-8888-8888-8888" />
</System>
<EventData>
<Data>00000000-0000-0000-0000-000000000000</Data>
<Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data>
<Data>user1@domain.com</Data>
<Data>System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Data>
<Data>8.8.8.8</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message>Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 8.8.8.8 Error message: user1@domain.com Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Message>
<Level>Information</Level>
<Task />
<Opcode>Info</Opcode>
<Channel />
<Provider />
<Keywords><Keyword>Audit Failure</Keyword><Keyword>Classic</Keyword>
</Keywords>
</RenderingInfo>
</Event>
As you can see, the relevant information is between EventData and Message tags. But this information does not appear in the output message:
{"EventTime":"2018-11-06 09:22:29"
,"Hostname":"server1"
,"Keywords":-9182839640208441344
,"EventType":"AUDIT_FAILURE"
,"SeverityValue":4
,"Severity":"ERROR"
,"EventID":411
,"SourceName":"AD FS Auditing"
,"Task":3
,"RecordNumber":85712874
,"ProcessID":0
,"ThreadID":0
,"Channel":"Security"
,"Domain":"domain.com"
,"AccountName":"service1"
,"AccountType":"User"
,"EventReceivedTime":"2018-11-06 09:22:31"
,"SourceModuleName":"eventlog"
,"SourceModuleType":"im_msvistalog"
}
This is my nxlog config:
<Input eventlog>
Module im_msvistalog
Channel ForwardedEvents
Exec $Message = to_json();
</Input>
<Output graylog>
Module om_tcp
Host graylog.server.com
Port 1111
OutputType GELF_TCP
</Output>
<Route 1>
Path eventlog => graylog
</Route>
According to the docs, Data between EventData tags is automatically extracted if it is named, but it isn't in my case. Can data be extracted manually somehow?
I'm running nxlog CE 2.9. Thanks
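The <Data> elements in this event carry no Name attribute, so there is nothing for the automatic extraction to key on. The rendered <Message> text, however, labels every value ("Client IP:", "Error message:", and so on), and NXLog's `=~` operator exposes regex capture groups as $1, $2, ... inside an Exec block. The config below is an added example, not the poster's, that pulls those values into named fields before to_json() serialises the event. It assumes $Message holds the rendered text shown in the <Message> element and that xm_json is loaded; the field names $ActivityID, $TokenType, $ClientIP and $ErrorMessage are chosen here and are not NXLog built-ins.

```nxlog
# Added example config, not the poster's. Extracts the unnamed EventData
# values from the rendered message text of AD FS audit event 411.
<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module   im_msvistalog
    Channel  ForwardedEvents
    <Exec>
        # Assumed: $Message carries the rendered <Message> text. Each regex
        # captures the token after its label; $1 is the first capture group.
        if $SourceName == 'AD FS Auditing' and $EventID == 411
        {
            if $Message =~ /Activity ID: (\S+)/   $ActivityID   = $1;
            if $Message =~ /Token Type: (\S+)/    $TokenType    = $1;
            if $Message =~ /Client IP: (\S+)/     $ClientIP     = $1;
            if $Message =~ /Error message: (\S+)/ $ErrorMessage = $1;
        }
        # Serialise after extraction so the new fields appear in the JSON.
        $Message = to_json();
    </Exec>
</Input>

<Output graylog>
    Module      om_tcp
    Host        graylog.server.com
    Port        1111
    OutputType  GELF_TCP
</Output>

<Route 1>
    Path  eventlog => graylog
</Route>
```

Having ClientIP and ErrorMessage as separate fields is what makes the event useful on the Graylog side: a failed-token-validation count per ClientIP over a short window is a far more reliable signal than searching the free-text message.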
NXlog sends the same logs after PC reboot
Alexander created
Hi!
I have an issue with NXlog CE 2.10.2102.
I noticed that nxlog sends the same logs many times on some PCs. This happens when the PC reboots. I found that the file "configcache.dat" is not always overwritten.
How do I avoid this issue?
Here is a part of my conf:
<Processor in_win_eventlog_buffer_disk>
Module pm_buffer
MaxSize 61440
Type Disk
WarnLimit 49152
</Processor>
<Input in_win_eventlog>
Module im_msvistalog
SavePos TRUE
Query \
<QueryList> \
<Query Id="0"> \
<Select Path="Security">*</Select> \
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
<Select Path="Microsoft-Windows-PrintService/Operational">*</Select> \
</Query> \
</QueryList>
<Exec>
if $EventID>=5151 and $EventID<=5159 drop();
if $EventID==4688 or $EventID==4689 drop();
if ($Channel == 'Security') $_ds = 'win-security';
else if ($Channel == 'Microsoft-Windows-Sysmon/Operational') {
$_ds = 'win-sysmon';
delete($UserID);
delete($AccountName);
}
else {
$_ds = 'win-customapps';
delete($UserID);
delete($AccountName);
}
$_fmt = 'json';
$_conv_to_json = TRUE;
</Exec>
</Input>
<Route r_win_eventlog>
Path in_win_eventlog => in_win_eventlog_buffer_disk => out_logs_pref
</Route>
why is nxlog getting access denied error code 5 error
mailer935 created
I'm not sure why I'm getting this access denied in the nxlog logs:
2018-11-01 10:17:45 ERROR failed to subscribe to msvistalog events,access denied [error code: 5]; Access is denied.
I'm using nxlog EE v4 on Windows 2012 Server and it is run as the default system user.
Any suggestions where to look in the Windows configuration or the nxlog configuration itself?
nxlog in Amazon Linux AMI
andy_cognizant created
Hi Team,
Does anyone know which nxlog file should be installed on Amazon Linux AMI?
I was going through the below forum and it's pretty confusing:
https://forums.aws.amazon.com/thread.jspa?threadID=51647
Any help would be appreciated.
WARNING input file does not exist
tlam.nt created
I was trying to read the DNS log file but was given an error of "WARNING input file does not exist", and it also depends on the directory that the file was in; here were the results. It appears that Windows was restricting the read permissions based on the residing (system?) directories. Any idea?
On one server:
C:\Windows\System32\dns\dns.txt - Error
C:\dns.txt - No error
C:\Windows\Temp\dns.txt - No error
On a different server:
It produced the error regardless of which directory the log file is in.
====
nxlog.conf snip below:
define DNSLOGFILE 'c:\Windows\System32\dns\dns.txt'
<Input dnslog>
Module im_file
File %DNSLOGFILE%
InputType LineBased
SavePos TRUE
ReadFromLast TRUE
...
</Input>
====
Note, I have already turned on LogLevel DEBUG, which shows the file was blacklisted for retry, but only after it failed to read the file. I have also already read this thread (https://nxlog.co/question/920/input-file-does-not-exist), which was close but did not resolve my issue.
Thanks in advance.
nxlog dropping UDP packets
manoj.muthukumaran created
This is less a question and more of an observation.
I am currently running nxlog 4.1.4016 on Ubuntu 18.04.1 LTS in a VMware environment. Say I boot the VM up and the nxlog service kicks off correctly and works as intended, ultimately writing to a network share that I have mounted. If I do a "sudo systemctl restart nxlog.service" or even "./nxlog -r" in order to reload nxlog with a slightly modified config file, UDP packet receive errors and UDP receive buffer errors start climbing from 0 like crazy (netstat -suna). A reboot of the VM from this state does not even fix the issue; the errors immediately appear. In order to fix the issue, I had to purge the nxlog install and do a reinstall in order to prevent any further issues. My config consists of listening for UDP on 2 ports, going through a memory buffer, and writing to the mounted share.
Cache on disk works not good
hatula created
Hi everybody,
To protect the logs from loss, I turned on the recommended settings in the client's config:
PersistLogqueue TRUE
SyncLogqueue TRUE
CacheFlushInterval always
CacheSync TRUE
But now I see that parts of the log are duplicated much more often than before these settings were enabled.
Why does the cache in memory work better? With the cache on disk I hoped to see the best result.
Thank you so much!
Windows server 2003 ERROR im_msvistalog.dll
Shelock created
Hello all,
I am having an issue that I believe is specific to the Windows Server 2003 R2 systems I am trying to install Nxlog CE on. I am getting the following error from the nxlog.log file.
ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_msvistalog.dll, The specified module could not be found. ; The specified module could not be found
Because it's a 32-bit OS, we installed nxlog in C:\Program Files. I checked and the file im_msvistalog.dll is indeed where it is supposed to be. This error has occurred on most but not all 32-bit Windows Server 2003 R2 systems. Any help you can give me would be greatly appreciated.
Thanks
S
Nxlog handling big number of files
alexandru.enciu created
Hello,
I have an application that logs some API requests and responses. Each request is logged in a different file, as a single line. In the system there are thousands of files, and Nxlog seems to have issues sending the logs to Elasticsearch. It reads the file, I can see the im_file_add_file command in the logs, but it takes a long time to actually send the message.
How does Nxlog process multiple files in a single directory?
Sent DHCP and DC logs to a SYSLOG-NG Server
Ezein created
Hello,
Do you know if it's possible to send DHCP and DC logs to a SYSLOG-NG server?
I don't know how to specify the facilities for the Windows logs.
Thanks in advance.
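Both this question and the earlier "Identifying Facility or local" post come down to the same mechanism: xm_syslog builds the PRI header of each outgoing message from the $SyslogFacilityValue and $SyslogSeverityValue fields (or their name forms $SyslogFacility and $SyslogSeverity), so setting those fields in an Exec block before to_syslog_bsd() is how a Windows log gets assigned a facility. local5 is facility number 21, which is why the earlier post's "facility 21 and local5" are one and the same. The config below is an added example, not either poster's; it reuses the D:\dhcp\logs\*.log path from the earlier post and assumes that the domain-controller events of interest are in the Security channel, that local4 (20) is wanted for them, and that the syslog-ng host name and port are placeholders.

```nxlog
# Added example config, not either poster's. Assigns syslog facilities to
# Windows DHCP text logs and DC event-log records before forwarding them.
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input dhcp>
    Module  im_file
    File    "D:\dhcp\logs\*.log"
    <Exec>
        # local5 == facility 21. $SyslogFacility = 'LOCAL5' would express
        # the same thing by name; the numeric field is used here.
        $SyslogFacilityValue = 21;
        $SyslogSeverity      = 'INFO';
        # Appears as the syslog tag so syslog-ng filters can key on it.
        $SourceName          = 'dhcp';
    </Exec>
</Input>

<Input dc_events>
    Module  im_msvistalog
    # Assumed: the Security channel carries the DC events of interest.
    Query   <QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList>
    <Exec>
        # local4 == facility 20 (assumed choice for DC records).
        $SyslogFacilityValue = 20;
        $SourceName          = 'dc';
    </Exec>
</Input>

<Output syslogng>
    Module  om_udp
    # Placeholder destination; replace with the real syslog-ng host.
    Host    syslog-ng.example.invalid
    Port    514
    # Builds the <PRI> from the fields set above, then the BSD header.
    Exec    to_syslog_bsd();
</Output>

<Route windows_to_syslogng>
    Path  dhcp, dc_events => syslogng
</Route>
```

With facility 21 on the DHCP stream the PRI for an INFO message is 21*8+6 = 174, so a quick packet capture on the syslog-ng side showing `<174>` at the start of each DHCP line confirms the field is being honoured.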
NxLog not finding any modules
Deleted user created
Hello,
I am running a trial version of EE, but when I try to start NxLog, I get errors saying it cannot find the modules.
Here is my conf file. I have verified that nxlog is installed at C:\Program Files\nxlog.
# configuration options. It should be installed locally and is also available
# online at http://nxlog.org/docs/
# Please set the ROOT to the folder your nxlog was installed into,
# otherwise it will not start.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#LogLevel DEBUG
<Extension json>
Module xm_json
</Extension>
<Input in>
# For Windows 2008 and later
Module im_msvistalog
# For Windows 2003 and earlier
#Module im_mseventlog
File "c:\\documents and settings\\administrator\\desktop\\events\\app.evtx"
Exec to_json();
</Input>
<Output out>
Module om_tcp
Host localhost
Port 5013
</Output>
<Route 1>
Path in => out
</Route>
Error logs
2018-10-12 13:51:24 ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_msvistalog.dll, The specified module could not be found. ; The specified module could not be found.
2018-10-12 13:51:24 WARNING no functional input modules!
2018-10-12 13:51:24 ERROR module 'in' is not declared at C:\Program Files\nxlog\conf\nxlog.conf:42
2018-10-12 13:51:24 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:42
2018-10-12 13:51:24 INFO nxlog-4.1.4046-trial started
2018-10-12 13:51:24 WARNING not starting unused module out
Linux rsyslogd SSL to nxlog errno=9 is reported even with Digital Signature flag omitted
comoalt created
Hello,
I am setting up an SSL connection between rsyslog on a Linux box and an nxlog endpoint. While Windows boxes connect like a charm, Linux boxes issue the following:
2018-10-12 11:51:26 ERROR remote ssl socket was reset? (SSL_ERROR_SSL with errno=9); End of file found
I then found on your forum this post https://nxlog.co/question/1926/nxlog-ce-v291716-certificate-built-ecdsa-key where they talk about rebuilding the certificate without the Digital Signature KeyUsage flag.
I assumed I should rebuild client.csr since my rootCA.crt does not report any Digital Signature:
X509v3 extensions:
X509v3 Subject Key Identifier:
AB:E6:E4:61:11:89:43:21:87:FB:91:08:44:C0:15:A7:41:3B:A3:53
X509v3 Authority Key Identifier:
keyid:AB:E6:E4:61:11:89:43:21:87:FB:91:08:44:C0:15:A7:41:3B:A3:53
DirName:/C=US/ST=Some-State/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (e.g. server FQDN or YOUR name)/emailAddress=Email Address
serial:AF:06:5F:4B:97:ED:81:90
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
I built a new client.csr without any trace of X509v3 extensions, but I always get the same error message.
Any help is well appreciated. Thanks