
nxlog in Amazon Linux AMI

Hi Team,

Does anyone know which nxlog file should be installed on the Amazon Linux AMI?

I was going through the forum thread below and it's pretty confusing: https://forums.aws.amazon.com/thread.jspa?threadID=51647

Any help would be appreciated.


andy_cognizant created
Replies: 1
WARNING input file does not exist
I was trying to read the DNS log file but was given the error "WARNING input file does not exist", and whether it occurs also depends on the directory the file is in; here are the results. It appears that Windows is restricting the read permissions based on the containing (system?) directory. Any idea?

On one server:
C:\Windows\System32\dns\dns.txt - Error
C:\dns.txt - No error
C:\Windows\Temp\dns.txt - No error

On a different server:
It produced the error regardless of which directory the log file was in.

====
nxlog.conf snip below:

define DNSLOGFILE 'c:\Windows\System32\dns\dns.txt'

<Input dnslog>
Module im_file
File %DNSLOGFILE%
InputType LineBased
SavePos TRUE
ReadFromLast TRUE
...
</Input>
====

Note, I have already turned on LogLevel DEBUG, which shows the file was blacklisted for retry, but only after it failed to read the file. I have also already read this thread (https://nxlog.co/question/920/input-file-does-not-exist), which was close but did not resolve my issue.

Thanks in advance.

tlam.nt created
Replies: 2
nxlog dropping UDP packets

This is less a question and more of an observation.

I am currently running nxlog 4.1.4016 on Ubuntu 18.04.1 LTS in a VMware environment. Say I boot the VM up and the nxlog service starts correctly and works as intended, ultimately writing to a network share that I have mounted. If I do a "sudo systemctl restart nxlog.service" or even "./nxlog -r" in order to reload nxlog with a slightly modified config file, UDP packet receive errors and UDP receive buffer errors start climbing from 0 like crazy (netstat -suna). A reboot of the VM from this state does not even fix the issue; the errors immediately appear. In order to fix the issue, I had to purge the nxlog install and reinstall it to prevent any further issues. My config consists of listening for UDP on 2 ports, going through a memory buffer, and writing to the mounted share.


manoj.muthukumaran created
Replies: 2
Cache on disk does not work well

Hi everybody. To protect the logs from loss, I turned on the recommended settings in the client's config:

PersistLogqueue TRUE
SyncLogqueue TRUE
CacheFlushInterval always
CacheSync TRUE

But now I see that parts of the log are duplicated much more often than before these settings were enabled. Why does the cache in memory work better? With the cache on disk I hoped to see the best result.

Thank you so much!


hatula created
Replies: 1
Windows server 2003 ERROR im_msvistalog.dll

Hello all,

I am having an issue that I believe is specific to the Windows Server 2003 R2 systems I am trying to install Nxlog CE on. I am getting the following error from the nxlog.log file.

ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_msvistalog.dll, The specified module could not be found. ; The specified module could not be found

Because it's a 32-bit OS we installed nxlog in C:\Program Files. I checked and the file im_msvistalog.dll is indeed where it is supposed to be. This error has occurred on most but not all 32-bit Windows Server 2003 R2 systems. Any help you can give me would be greatly appreciated.

Thanks

S


Shelock created
Replies: 1
Nxlog handling a big number of files

Hello,

I have an application that logs some API requests and responses. Each request is logged in a different file, as a single line. In the system there are thousands of files, and Nxlog seems to have issues sending the logs to Elasticsearch. It reads the file (I can see the im_file_add_file command in the logs), but it takes a long time to actually send the message.

How does Nxlog process multiple files in a single directory?


alexandru.enciu created
Replies: 1
Send DHCP and DC logs to a SYSLOG-NG server

Hello,

Do you know if it's possible to send DHCP and DC logs to a SYSLOG-NG server?

I don't know how to specify the facilities for the Windows logs.

Thanks in advance.


Ezein created
Replies: 1
NxLog not finding any modules

Hello,

I am running a trial version of EE, but when I try to start NxLog, I get errors saying it cannot find the modules.

Here is my conf file. I have verified that nxlog is installed at C:\Program Files\nxlog.

## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
#LogLevel DEBUG

<Extension json>
    Module xm_json
</Extension>

<Input in>
    # For Windows 2008 and later
    Module      im_msvistalog
    # For Windows 2003 and earlier
    #Module     im_mseventlog
    File        "c:\\documents and settings\\administrator\\desktop\\events\\app.evtx"
    Exec        to_json();
</Input>

<Output out>
    Module      om_tcp
    Host        localhost
    Port        5013
</Output>

<Route 1>
    Path in => out
</Route>

Error logs:

2018-10-12 13:51:24 ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_msvistalog.dll, The specified module could not be found. ; The specified module could not be found.
2018-10-12 13:51:24 WARNING no functional input modules!
2018-10-12 13:51:24 ERROR module 'in' is not declared at C:\Program Files\nxlog\conf\nxlog.conf:42
2018-10-12 13:51:24 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:42
2018-10-12 13:51:24 INFO nxlog-4.1.4046-trial started
2018-10-12 13:51:24 WARNING not starting unused module out


Deleted user created
Replies: 13
Linux rsyslogd SSL to nxlog errno=9 is reported even with Digital Signature flag omitted

Hello,

I am setting up an SSL connection between rsyslog on a Linux box and an nxlog endpoint. While Windows boxes connect like a charm, Linux boxes issue the following:

2018-10-12 11:51:26 ERROR remote ssl socket was reset? (SSL_ERROR_SSL with errno=9); End of file found

I then found this post on your forum, https://nxlog.co/question/1926/nxlog-ce-v291716-certificate-built-ecdsa-key, where they talk about rebuilding the certificate without the Digital Signature KeyUsage flag.

I assumed I had to rebuild client.csr, since my rootCA.crt does not report any Digital Signature:

X509v3 extensions:
    X509v3 Subject Key Identifier:
        AB:E6:E4:61:11:89:43:21:87:FB:91:08:44:C0:15:A7:41:3B:A3:53
    X509v3 Authority Key Identifier:
        keyid:AB:E6:E4:61:11:89:43:21:87:FB:91:08:44:C0:15:A7:41:3B:A3:53
        DirName:/C=US/ST=Some-State/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (e.g. server FQDN or YOUR name)/emailAddress=Email Address
        serial:AF:06:5F:4B:97:ED:81:90

    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Key Usage:
        Certificate Sign, CRL Sign

I built a new client.csr without any trace of X509v3 extensions, but I always get the same error message.

Any help is well appreciated. Thanks


comoalt created
Replies: 1
Unable to get multiline working

Hi guys! I really hope someone can help, because I think I have tested all the things I could think of to make it work...

Ok, so we have those logs:

[2018-10-11T12:06:47,434][DEBUG][o.e.a.s.TransportSearchAction] [master01] [245674] Failed to execute fetch phase
org.elasticsearch.transport.RemoteTransportException: [hot08][10.10.30.168:9300][indices:data/read/search[phase/fetch/id]]
Caused by: org.elasticsearch.search.SearchContextMissingException: No search context found for id [245674]
	at org.elasticsearch.search.SearchService.findContext(SearchService.java:520) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.search.SearchService.executeFetchPhase(SearchService.java:487) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.action.search.SearchTransportService$11.messageReceived(SearchTransportService.java:440) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.action.search.SearchTransportService$11.messageReceived(SearchTransportService.java:437) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler$1.doRun(SecurityServerTransportInterceptor.java:258) ~[?:?]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:135) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.lambda$messageReceived$0(SecurityServerTransportInterceptor.java:307) ~[?:?]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$2(ServerTransportFilter.java:166) ~[?:?]
	at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:183) ~[?:?]
	at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:177) ~[?:?]
	at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:165) ~[?:?]
	at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$3(ServerTransportFilter.java:168) ~[?:?]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:184) ~[?:?]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$4(AuthenticationService.java:217) ~[?:?]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:228) ~[?:?]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:182) ~[?:?]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:143) ~[?:?]
	at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:113) ~[?:?]
	at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.inbound(ServerTransportFilter.java:142) ~[?:?]
	at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.messageReceived(SecurityServerTransportInterceptor.java:314) ~[?:?]
	at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:66) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1555) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:672) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:41) ~[elasticsearch-6.2.4.jar:6.2.4]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) ~[elasticsearch-6.2.4.jar:6.2.4]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_181]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_181]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

I really need only the first 3 lines and, if possible, to make them only one at the end.

I have tried the following config:

<Extension multi>
    Module     xm_multiline
    HeaderLine /^[\d{0,4}-\d{0,2}-\d{0,2}\D\d\d{0,2}:\d{0,2}:\d{0,2}\D\d{0,4}]*/
    EndLine    /^.+(at)/
</Extension>

<Input elastic-log>
    Module    im_file
    InputType multi
    File      "/var/log/elasticsearch/mega.log.test"
</Input>

<Output file>
    Module om_file
    File   '/tmp/output'
</Output>

The output file keeps giving me all the lines instead of the first 3 that I expect...

I have tested my regular expressions and I know they are working, so... why can't I have my first 3 lines!!!!???? :)

Any help will be very appreciated. R.


romainp created
Replies: 1
Drop Win Event message based on text file content

I'm attempting to use NXLog (community edition atm) to read Active Directory logs into NXLog and output them to syslog/JSON. I have a text file (one username per line) that I need to be able to compare to the username in the Windows event logs from AD. I need to be able to drop messages if the username in the Windows AD event log matches a username in the text file of usernames.

I've spent quite a bit of time googling and reading documentation and haven't found a method to achieve this. Can anyone assist?


habrosec created
Replies: 1
Apache log with custom log
Hello guys, I am setting up the nxlog service in our network and I am focusing on getting nxlog to work with an Apache custom log. Since Apache is at the end of a chain of reverse proxies, the only way to keep the forwarders' IP addresses is to use an Apache conditional variable (X-Forwarded-For) to switch between the combined and a custom log (as explained in detail here: http://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html). The Apache log variable %h is replaced by %{X-Forwarded-For}i, which is a string that is either empty or contains one or more IP addresses. In this specific case, when nxlog hits a custom log line, a parse_kvp error is reported.

My Apache conf includes:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access.log" combined env=!forwarded
CustomLog "logs/access.log" proxy env=forwarded

On the net I was only able to find working examples with the Apache common log.

My config:

```
define ROOT C:\\Program Files (x86)\\nxlog
define ROOT_STRING C:\\Program Files (x86)\\nxlog
define CERTDIR %ROOT%\\cert

Moduledir %ROOT%\\modules
CacheDir  %ROOT%\\data
Pidfile   %ROOT%\\data\\nxlog.pid
SpoolDir  %ROOT%\\data
LogFile   %ROOT%\\data\\nxlog.log

<Extension fileop>
    Module xm_fileop
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension exec>
    Module xm_exec
</Extension>

## Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
    Module     xm_csv
    Fields     $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $csReferer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
    FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
    Delimiter  ' '
    UndefValue -
</Extension>

## On this machine with an Apache frontend we use the kvp extension instead of w3c
<Extension kvp>
    Module       xm_kvp
    KVPDelimiter &
    KVDelimiter  =
</Extension>

<Extension kvp2>
    Module       xm_kvp
    KVPDelimiter ;
    KVDelimiter  =
    #QuoteMethod None
</Extension>

<Input Apache>
    Module im_file
    File   "C:\Apache_install\httpd-2.4.25-win64-VC14\Apache24\logs\access.log"
    Exec   if $raw_event =~ /^(\S+) (\S+) (\S+) \[([^\]]+)\] \"(\S+) (.+) HTTP.\d\.\d\" (\d+) (\d+) \"([^\"]+)\" \"([^\"]+)\"/\
           { \
               $Hostname = $1; \
               if $3 != '-' $AccountName = $3; \
               $EventTime = parsedate($4); \
               $HTTPMethod = $5; \
               $HTTPURL = $6; \
               $HTTPResponseStatus = $7; \
               $FileSize = $8; \
               $HTTPReferer = $9; \
               $HTTPUserAgent = $10; \
           }
    #Exec   if $raw_event =~ /^(\S+) (\S+) (\S+) \[([^\]]+)\] \"(\S+) (.+) HTTP.\d\.\d\" (\d+) (\d+) \"([^\"]+)\" \"([^\"]+)\"/\
    #       { \
    #           $Hostname = $1; \
    #           if $3 != '-' $AccountName = $3; \
    #           $EventTime = parsedate($4); \
    #           $HTTPMethod = $5; \
    #           $HTTPURL = $6; \
    #           $HTTPResponseStatus = $7; \
    #           $FileSize = $8; \
    #           $HTTPReferer = $9; \
    #           $HTTPUserAgent = $10; \
    #           if $HTTPURL =~ /\?(.+)/ { $HTTPParams = $1; } \
    #           kvp->parse_kvp($HTTPParams); \
    #           delete($EventReceivedTime); \
    #           kvp2->to_kvp(); \
    #       }
</Input>

<Input internal>
    Module im_internal
    Exec   $Message = to_json();
</Input>

# Windows Event Log
<Input eventlog>
    Module im_msvistalog
    # Query to reduce the Event Log. QueryXML is used instead of the Query directive.
    # Comments inside the query must be written in XML:
    <QueryXML>
        *[System[(Level=1 or Level=2 or Level=3)]]*[System[(Level=1 or Level=2 or Level=3)]]*[System[(Level=1 or Level=2 or Level=3)]]****[System[(Level=1 or Level=2 or Level=3)]]*[System[(Level=1 or Level=2 or Level=3)]]*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]]*[System[(EventID=501 or EventID=400 or EventID=600)]]
    </QueryXML>
    Exec   $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec   to_json();
</Input>

# 100Mb disk buffer
<Processor buffer>
    Module  pm_buffer
    MaxSize 102400
    Type    disk
</Processor>

# RFC5424 as indicated at https://www.scip.ch/en/?labs.20141106
<Processor rfc5424>
    Module       pm_transformer
    Exec         $Hostname = hostname();
    Outputformat syslog_rfc5424
</Processor>

<Output ssl_out>
    Module         om_ssl
    Host           IP.IP.IP.IP
    Port           443
    CAFile         %CERTDIR%/nxlog_rootCA.crt
    CertFile       %CERTDIR%/client.crt
    CertKeyFile    %CERTDIR%/client.key
    KeyPass        secret
    AllowUntrusted TRUE
    OutputType     Binary
    Exec           to_syslog_ietf();
    # Remove CRLF LF TAB - on the server side in om_file it does not work
    Exec           $raw_event =~ s/(\t|\r|\n)//g; $raw_event = replace($raw_event, '{', '[" "] {', 1);
    # tag windows
    Exec           $raw_event =~ s/(\[.*])//g; $raw_event = replace($raw_event, '{', '[tag="windows"] {', 1);
    # Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec          file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route 1>
    Path Apache, internal, eventlog => rfc5424 => buffer => ssl_out
</Route>
```

Is there any solution for the nxlog conf to work with this kind of Apache custom log? Thanks in advance.

comoalt created
Replies: 1
adding nxlog version to syslog

hi everyone

I've been searching this forum and the web, but can't find out whether there is a way to make nxlog include its version in the syslog messages it forwards out.

Thanks!


aleksandrc created
Replies: 2
Error: incorrect header check

Hi everybody,

I have a very mystical case and I need your help, please:

  1. I have an nxlog server, nxlog-3.2.2016-1.x86_64
  2. I installed an update to the latest version of the nxlog server (nxlog-4.1.4016-1.x86_64)
  3. The config for the clients was not changed.
  4. In the logfile of the nxlog server I see many errors and nxlog does not save data:

2018-09-25 10:50:32 ERROR zlib decompression error, data error (Z_DATA_ERROR) incorrect header check

  5. If I downgrade the version, this problem goes away and everything is OK.

What happened?! Please, help me.


hatula created
Replies: 3
Assistance required in log file ingestion
Hi, we have the following log file from an open source password manager solution. It runs on Tomcat. We have a Graylog server where we would like to send the log data and parse it. Now, we can send the log file to Graylog, however the entire line comes as one message block instead of being parsed into fields automatically. I am wondering how I can convert the file into CSV and send it to Graylog. Here is a sample log. It doesn't come with any header.

2018-08-25T07:40:14Z, ERROR, http.PwmResponse, {117412} 5028 ERROR_BAD_SESSION (client unable to reply with session key) [xx.xx.47.82]
2018-08-25T07:40:15Z, ERROR, filter.SessionFilter, {117413} 5028 ERROR_BAD_SESSION (client unable to reply with session key) [xx.xx.47.82]
2018-08-25T07:40:15Z, ERROR, http.PwmResponse, {117413} 5028 ERROR_BAD_SESSION (client unable to reply with session key) [xx.xx.47.82]
2018-08-25T07:40:17Z, ERROR, filter.SessionFilter, {117415} 5028 ERROR_BAD_SESSION (client unable to reply with session key) [xx.xx.47.82]
2018-08-25T07:40:17Z, ERROR, http.PwmResponse, {117415} 5028 ERROR_BAD_SESSION (client unable to reply with session key) [xx.xx.47.82]
2018-08-25T10:04:28Z, ERROR, filter.RequestInitializationFilter, {117422} 5063 ERROR_SECURITY_VIOLATION (current network address 'yy.yy.185.123' has changed from original network address 'yy.yy.173.181') [yy.yy.173.181]
2018-08-25T10:04:28Z, ERROR, http.PwmResponse, {117422} 5063 ERROR_SECURITY_VIOLATION (current network address 'yy.yy.185.123' has changed from original network address 'yy.yy.173.181') [yy.yy.173.181]
2018-08-25T11:08:03Z, INFO , auth.LDAPAuthenticationRequest, {117467} authID=130, successful ldap authentication for UserIdentity{"userDN":"CN=UserA,CN=Users,DC=org,DC=com","ldapProfile":"default"} (606ms) type: AUTHENTICATED, using strategy BIND, using proxy connection: false, returning bind dn: CN=UserA,CN=Users,DC=org,DC=com [yy.yy.32.238]
2018-08-25T11:08:03Z, INFO , event.AuditService, audit event: {"perpetratorID":"UserA","perpetratorDN":"CN=UserA,CN=Users,DC=org,DC=com","perpetratorLdapProfile":"default","sourceAddress":"yy.yy.32.238","sourceHost":"yy.yy.32.238","type":"USER","eventCode":"AUTHENTICATE","guid":"941aa151-8998-4c89-b690-484e623429d8","timestamp":"2018-08-25T05:38:03Z","message":"type=AUTHENTICATED, source=LOGIN_FORM","narrative":"UserA (CN=UserA,CN=Users,DC=org,DC=com) has authenticated","xdasTaxonomy":"XDAS_AE_AUTHENTICATE_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}
2018-08-25T11:08:48Z, INFO , operations.PasswordUtility, {117467,UserA} user 'UserIdentity{"userDN":"CN=UserA,CN=Users,DC=org,DC=com","ldapProfile":"default"}' successfully changed password [yy.yy.32.238]
2018-08-25T11:08:49Z, INFO , event.AuditService, audit event: {"perpetratorID":"UserA","perpetratorDN":"CN=UserA,CN=Users,DC=org,DC=com","perpetratorLdapProfile":"default","sourceAddress":"yy.yy.32.238","sourceHost":"yy.yy.32.238","type":"USER","eventCode":"CHANGE_PASSWORD","guid":"00c158d5-0ea5-46aa-8c8c-cd279f783ecd","timestamp":"2018-08-25T05:38:49Z","narrative":"UserA (CN=UserA,CN=Users,DC=org,DC=com) has changed their password","xdasTaxonomy":"XDAS_AE_SET_CRED_ACCOUNT","xdasOutcome":"XDAS_OUT_SUCCESS"}
2018-08-25T11:10:04Z, ERROR, filter.RequestInitializationFilter, {117471} 5063 ERROR_SECURITY_VIOLATION (current network address 'yy.yy.112.147' has changed from original network address 'xx.xx.243.3') [xx.xx.243.3]

I wrote the following nxlog conf but it doesn't seem to be working.

<Extension tomcat>
    Module     xm_csv
    Fields     $DateTime,$Type,$Category,$Details
    FieldTypes string,string,string,string
    Delimiter  ","
</Extension>

<Input pwm>
    Module       im_file
    File         "C:\\Users\\Documents\\TempOut\\PWM\\PWM.log"
    PollInterval 1
    ReadFromLast False
    #Recursive   True
    SavePos      False
    Exec         tomcat->parse_csv();
</Input>

Appreciate your assistance in getting this working.

navdeepsingh83 created
Replies: 1
NXLog just read-accesses the logfile, or ...? [Win2012]

Hi all,

I've set up nxlog (4.1.4016) to monitor a logfile that is being written to constantly. For some reason, when I start nxlog, the program that creates the log lines no longer adds info to the existing log. A simple command line 'echo logline >> thelog.txt' does add the line to the logfile (and it is processed by nxlog), but other logging is not added. As soon as I stop the NXLog service, the log is modified again.

NXLog is running as SYSTEM, the program is running as a normal user.

Any suggestions for troubleshooting would be welcome, as I have no clue what is happening.


JanVerhaag created
Replies: 1
NXLog as a collector for Azure App Service Logs for SIEMS

Hi all,

I am new here, so hello.

I am trying to work out a solution to collect IIS access log data from Azure App Services and then forward it to a SIEM such as Splunk, Loggly or Elasticsearch for security analysis, anomaly identification and alerting.

As far as I can see, NXLog may provide the link between the Azure access logs and my chosen SIEM. Am I right? I would prefer not to get into rewriting code, hence my interest in NXLog. In addition, NXLog seems to be widely supported by SIEM tools.

With regards to implementation, would I be correct in thinking that one needs to set up a Linux or Windows VM on Azure with NXLog running on it? I am trying to avoid on-prem installs.

In conclusion, I would welcome your advice on how I could use NXLog as a simple collector and forwarder of Access data. One final word, the Access Logs are currently stored in Azure Storage Blobs, although I could go back to storing them in the File System.

Thanks.


EdB created
Replies: 2
im_dbi: is it working?

hi,

Does somebody have experience with im_dbi?

I tried this example but /tmp/output is filled with blank characters. I checked the nxlog log at startup, everything is OK. The mysql driver has been installed correctly.

<Input dbi>
    Module im_dbi
    Driver mysql
    Option host 127.0.0.1
    Option username mysql
    Option password mysql
    Option dbname logdb
    SQL    SELECT id, facility, severity, hostname, \
           timestamp, application, message \
           FROM log
</Input>

<Output file>
    Module om_file
    File   "/tmp/output"
</Output>

<Route dbi_to_file>
    Path dbi => file
</Route>


iCirco created
Replies: 1
Add information from one event to another.
Hello! I've been fighting this for a week, but I have run out of ideas. When you delete files, Windows generates 2 events: 4663 and then 4660. In EventID 4663 there is a file name, in EventID 4660 there is a result. As a marker one can use the _EventRecordID_, which will differ by 1 for these two events. The idea is to use pm_evcorr to add a field from EventID 4660 into EventID 4663. As far as I understood, the design should be this:

1. EventID 4663 arrives
2. If EventID 4660 arrives within 2 seconds and its _EventRecordID_ is greater by 1, then
3. We drop the _ObjectName_ from event 4663 into event 4660.

The user guides tell us that the design should be of the form

```
# If TriggerCondition is true, wait Interval seconds for
# RequiredCondition to be true and then do the Exec. If Interval is
# 0, there is no window on matching.
TriggerCondition  $Message =~ /^pair-first/
RequiredCondition $Message =~ /^pair-second/
Interval          30
Exec              $raw_event = "got pair";
```

and

```
Exec $new_field = 'new field value';
```

But the problem is that it's absolutely certain that something (or rather everything) is not done like this:

```
# If TriggerCondition is true, wait Interval seconds for
# RequiredCondition to be true and then do the Exec. If Interval is
# 0, there is no window on matching.
TriggerCondition  $EventID =4663
RequiredCondition $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1);   # Here is the main problem
Interval          2
Exec              $FileName = get_prev_event_data("ObjectName");
```

I will be very grateful for any help, a hint on what to read, or examples.

DDGH created
Replies: 1
Nxlog Deploy on windows

Hello! I'm trying to deploy nxlog with a GPO on Windows, but it seems like the MSI package from https://nxlog.co/products/nxlog-community-edition/download is not working properly. After creating the GPO nothing happens; I have also tried installing with a script (cmd /c Msiexec /I \file server\share\nxlog-ce-2.9.1716.msi /qn), and nothing.

When I run the script on a local PC I get the error "This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package."

We are using AD 2012 and Windows 10/8 machines. Is there any way to deploy nxlog massively to all PCs?

Thx


Maksimsk created
Replies: 1