navdeepsingh83 created
Hi all,
I've set up nxlog (4.1.4016) to monitor a logfile that is being written to constantly. For some reason, when I start nxlog, the program that creates the log lines no longer adds info to the existing log. A simple command-line 'echo logline >> thelog.txt' does add the line to the logfile (and it is processed by nxlog), but other logging is not added. As soon as I stop the NXLog service, the log is modified again.
NXLog is running as SYSTEM; the program is running as a normal user.
Any suggestions for troubleshooting would be welcome, as I have no clue what is happening.
JanVerhaag created
Hi all,
I am new here, so hello.
I am trying to work out a solution to collect IIS Access Log data from Azure App Services and then forward it to a SIEM such as Splunk, Loggly or ElasticSearch for security analysis, anomaly identification and alerting.
As far as I can see NXLog may provide the link between the Azure Access Logs and my chosen SIEM. Am I right? I would prefer not to get into rewriting code, hence my interest in NXLog. In addition, NXLog seems to be widely supported by SIEM tools.
With regards to implementation, would I be correct in thinking that one needs to set up a Linux or Windows VM on Azure with NXLog running on it? I am trying to avoid on-prem installs.
In conclusion, I would welcome your advice on how I could use NXLog as a simple collector and forwarder of Access data. One final word, the Access Logs are currently stored in Azure Storage Blobs, although I could go back to storing them in the File System.
Thanks.
EdB created
hi,
Does anybody have experience with im_dbi?
I tried this example, but /tmp/output is filled with blank characters. I checked the nxlog log at startup and everything is OK. The mysql driver has been installed correctly.
<Input dbi>
    Module      im_dbi
    Driver      mysql
    Option      host 127.0.0.1
    Option      username mysql
    Option      password mysql
    Option      dbname logdb
    SQL         SELECT id, facility, severity, hostname, \
                timestamp, application, message \
                FROM log
</Input>

<Output file>
    Module      om_file
    File        "/tmp/output"
</Output>

<Route dbi_to_file>
    Path        dbi => file
</Route>
iCirco created
DDGH created
Hello! I'm trying to deploy nxlog with GPO on Windows, but it seems like the MSI package from https://nxlog.co/products/nxlog-community-edition/download is not working properly. After creating the GPO nothing happens; I have also tried installing with a script (cmd /c Msiexec /I \file server\share\nxlog-ce-2.9.1716.msi /qn), nothing.
When I run the script on a local PC I get the error "This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package."
We are using AD 2012 and Windows 10/8 machines. Is there any way to deploy nxlog en masse to all PCs?
Thx
Maksimsk created
c.scharfenberg created
hi,
I'm working on monitoring a log file using nxlog. I have the File set to "C:\Program Files\test1.log" but it's saying that the "input file does not exist". I tried running a Python script to check the file using the os module:
import os
test = os.listdir('C:\Program Files\test1.log')
print(test)
This returns the error "FileNotFoundError: The system cannot find the path specified".
I noticed that this error has been encountered before but none of the solutions I tried work.
any help is much appreciated.
Thanks, skawt
skawt created
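An added check for the path problem in the post above, in Python; it is not code from the post or from NXLog. Python decodes backslash escapes in every non-raw string literal, and NXLog does the same inside double-quoted strings (its reference manual recommends single quotes or doubled backslashes for Windows paths), so the `\t` in `C:\Program Files\test1.log` turns into a TAB before the path ever reaches the filesystem. The functions below report which escape sequences were swallowed, and the temp-file probe shows `os.path.isfile`, rather than `os.listdir`, answering "does this file exist". The scratch directory and file name are constructed for the demo.

```python
import os
import tempfile

# Typed exactly as in the post, but as a raw string so the backslashes survive.
TYPED_PATH = r"C:\Program Files\test1.log"

# Escape sequences a non-raw literal turns into control characters.
ESCAPES = {"\t": r"\t", "\n": r"\n", "\r": r"\r", "\f": r"\f",
           "\v": r"\v", "\a": r"\a", "\b": r"\b"}


def as_non_raw_literal(typed):
    """Return what Python makes of the same characters inside a plain (non-raw)
    literal: known escapes are decoded, unknown ones are kept as typed."""
    return typed.encode("latin-1").decode("unicode_escape")


def swallowed_escapes(path):
    """List the escape sequences that were silently decoded inside a path
    string (['\\t'] for the path from the post typed without r'')."""
    return [name for ch, name in ESCAPES.items() if ch in path]


def file_exists(path):
    """os.path.isfile is the right question for a single file; os.listdir
    expects a directory and raises for a file path even when the file exists."""
    return os.path.isfile(path)


def demo_in_tempdir():
    """Create test1.log in a scratch directory (constructed for the demo) and
    probe it with a clean path and with a path whose backslash-t was decoded.
    Returns (clean_found, mangled_found)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "test1.log")
        with open(clean, "w") as f:
            f.write("hello\n")
        # r"\test1.log" decoded the non-raw way is TAB + "est1.log"
        mangled = os.path.join(d, as_non_raw_literal(r"\test1.log"))
        return file_exists(clean), file_exists(mangled)


if __name__ == "__main__":
    decoded = as_non_raw_literal(TYPED_PATH)
    print("swallowed:", swallowed_escapes(decoded), "->", repr(decoded))
    print("clean found, mangled found:", demo_in_tempdir())
```

The same check applies to the nxlog.conf side: a File directive written as `File 'C:\Program Files\test1.log'` (single quotes) or `File "C:\\Program Files\\test1.log"` keeps the backslashes literal.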
Hello,
Is there any way to set a custom timeout in om_http, or a custom retry mechanism?
Thanks
wisnu.sudarmadi created
Hi. I am having an issue with forwarding event logs from a centralized server to an rsyslog and indexing them in Splunk. The logs are forwarded, but the Event ID (the most important part) is missing. I am also having an issue with control characters on , this however could be blamed on rsyslog, but as I understand it the issue with control characters could be solved in the nxlog config.
Anyone care to give me a nudge in the correct way here?
//Thx
ryssland created
I am getting data from a database; one of the fields contains an XML document. Is it possible to convert this single field to JSON?
Sample data:
{
  "id": 27101,
  "ResponseStatus": "SUCCESS",
  "RequestTime": "2018-09-19 14:21:48",
  "ResponseXml": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<Envelope xmlns=\"http://schemas.xmlsoap.org/soap/envelope/\"><Header /><Body><from>Jani</from></Body></Envelope>\r\n",
  "RequestMode": "DSS",
  "ErrorCode": null
}
I want the ResponseXml field to be converted to JSON as well, and I also want to keep the other fields,
or any other solution to parse the XML so I have access to the data inside the XML.
thx!
w.schmitt@evidos.nl created
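As an added example of the transformation the post above asks for (written here in Python; it is not code from the post or from NXLog), the record is loaded as JSON, the `ResponseXml` string is parsed as XML and replaced by a nested structure, and every other field is kept as is. The sample record is the one from the post, re-encoded as a single JSON document. The `@attr` / `#text` naming convention and the `<field>_error` key used when the XML is malformed are choices made for this example, not an NXLog convention.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the record from the post as one JSON document, with the
# XML field escaped the way a JSON encoder would emit it.
SAMPLE_RECORD = r'''{"id": 27101, "ResponseStatus": "SUCCESS", "RequestTime": "2018-09-19 14:21:48", "ResponseXml": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<Envelope xmlns=\"http://schemas.xmlsoap.org/soap/envelope/\"><Header /><Body><from>Jani</from></Body></Envelope>\r\n", "RequestMode": "DSS", "ErrorCode": null}'''


def _local(tag):
    """Strip the namespace prefix ElementTree adds: '{http://...}Envelope' -> 'Envelope'."""
    return tag.rsplit("}", 1)[-1]


def element_to_obj(elem):
    """Recursively turn an Element into a JSON-friendly value: attributes become
    '@name' keys, repeated child tags become lists, and an element that carries
    only text collapses to that text."""
    node = {"@" + _local(k): v for k, v in elem.attrib.items()}
    for child in elem:
        key = _local(child.tag)
        value = element_to_obj(child)
        if key in node:                      # repeated tag -> list
            if not isinstance(node[key], list):
                node[key] = [node[key]]
            node[key].append(value)
        else:
            node[key] = value
    text = (elem.text or "").strip()
    if text:
        if node:
            node["#text"] = text
        else:
            return text
    return node


def xml_to_obj(xml_text):
    """Parse one complete XML document and return {root_tag: contents}."""
    root = ET.fromstring(xml_text.strip())
    return {_local(root.tag): element_to_obj(root)}


def convert_record(json_text, field="ResponseXml"):
    """Load one JSON record, replace the XML-in-a-string field with its parsed
    structure and leave every other field untouched. If the XML does not parse,
    the original string is kept and the parser message is stored under '<field>_error'."""
    record = json.loads(json_text)
    raw = record.get(field)
    if isinstance(raw, str):
        try:
            record[field] = xml_to_obj(raw)
        except ET.ParseError as exc:
            record[field + "_error"] = str(exc)
    return record


if __name__ == "__main__":
    print(json.dumps(convert_record(SAMPLE_RECORD), indent=2))
```

Keeping the unparseable original (rather than dropping the record) matters in a log pipeline: a SOAP response that is truncated or not XML at all is exactly the case you want to see downstream, not lose silently.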
Hi folks,
I am trying to capture analytics and debug logs on windows server 2012 r2. The logs are under applications and services log and the log path is Microsoft-Windows-DNSServer/Analytical
When I enable it, i get the following error
2018-09-19 16:52:23 ERROR failed to subscribe to msvistalog events using bookmark: The caller is trying to subscribe to a direct channel which is not allowed. The events for a direct channel go directly to a logfile and cannot be subscribed to.
2018-09-19 16:52:23 ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 50]
I have tried few methods but none of them are working.
Any idea how we can capture Windows debug and analytics logs using nxlog?
navdeepsingh83 created
Dear all,
I'm trying to get hold of the IIS logs and I get the following issue when I try to restart the service.... we are working on an extra.conf file and I know that it is the one that prevents the service from starting.... I just can't see where in the code I mess up.
Here's the code.
# Created by NXlog Configuration AT 04-07-2018 08:20:12
# NXlog Configuration Version 2018-05-14
# Created On HOSTNAMEWEB03
# OS INFO 2008 - nxlogserver: 10.233.26.20
# dnsloginfo $Undefined DHCPLOGINFO $Undefined###

# Start off with Definitions
# Rootdir defined from: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\nxlog,installdir;HKEY_LOCAL_MACHINE\SOFTWARE\nxlog,installdir
define ROOT <C:\Program Files\nxlog>

# Generic Settings for ALL installations
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR  %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %LOGFILE%
LogLevel  INFO

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

# Define our inputs
# Start ISS created by # 18-09-2018###
<Input IIS>
    Module      im_file
    File        C:\inetpub\logs\LogFiles\W3SVC1\*
    SavePos     True
    InputType   LineBased
</Input>
# END ISS Inserted by # 18-09-2018###

<Input winlog>
    Module        im_msvistalog
    ReadFromLast  TRUE
    ResolveSID    TRUE
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Define the output that goes to LP for analysis
<Output syslogout>
    Module      om_tcp
    Host        10.2XX.26.2X
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Output winout>
    Module      om_tcp
    Host        10.2XX.26.2X
    Port        514
    Exec        to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

# Tie together inputs to outputs
<Route 1>
    Path        winlog => winout
</Route>

include %CONFDIR%\extra.conf
# Configuration Completed
The following is taken out of the nxlog.log
2018-09-19 09:28:10 WARNING nxlog received a termination request signal, exiting...
nxlog failed to start: Invalid 'include' directive at C:\Program Files\nxlog\conf\extra.conf:86 Failed to open config file <C:\Program Files\nxlog>\conf\extra.conf The filename, directory name, or volume label syntax is incorrect.
2018-09-19 09:41:15 INFO nxlog-4.0.3735 started
2018-09-19 09:41:15 WARNING not starting unused module syslogout
2018-09-19 09:41:15 INFO connecting to 10.233.26.20:514
2018-09-19 09:44:00 WARNING stopping nxlog service
2018-09-19 09:44:00 WARNING nxlog received a termination request signal, exiting...
nxlog failed to start: Invalid 'include' directive at C:\Program Files\nxlog\conf\extra.conf:86 Failed to open config file <C:\Program Files\nxlog>\conf\extra.conf The filename, directory name, or volume label syntax is incorrect.
nxlog failed to start: Invalid 'include' directive at C:\Program Files\nxlog\conf\extra.conf:86 Failed to open config file <C:\Program Files\nxlog>\conf\extra.conf The filename, directory name, or volume label syntax is incorrect.
Shahmiri created
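The nxlog.log excerpt in the post above shows the include path being resolved to `<C:\Program Files\nxlog>\conf\extra.conf`, angle brackets included: `define` is plain textual substitution, so whatever follows the name, brackets and all, is pasted wherever `%ROOT%` appears. As an added illustration (Python written for this page, not NXLog's own parser, and a deliberately minimal reading of `define`/`include` lines only), the snippet walks a config fragment the same way, expands the macros and flags characters that Windows does not accept in a path. The two config fragments are constructed from the post's `define` lines.

```python
import re

DEFINE_RE = re.compile(r"^\s*define\s+(\w+)\s+(.*?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(.*?)\s*$")
MACRO_RE = re.compile(r"%(\w+)%")
# Characters Windows rejects inside a file or directory name.
FORBIDDEN = set('<>"|')

# Constructed from the post: the define as written, then the same define
# with the angle brackets removed.
BROKEN = r"""
define ROOT    <C:\Program Files\nxlog>
define CONFDIR %ROOT%\conf
include %CONFDIR%\extra.conf
"""
FIXED = r"""
define ROOT    C:\Program Files\nxlog
define CONFDIR %ROOT%\conf
include %CONFDIR%\extra.conf
"""


def expand(value, defines):
    """Replace every %NAME% with its define value; unknown names stay as typed.
    A callable replacement keeps backslashes in the values literal."""
    return MACRO_RE.sub(lambda m: defines.get(m.group(1), m.group(0)), value)


def resolve_includes(conf_text):
    """Walk the config top to bottom, collecting define values textually, and
    return [(expanded include path, sorted forbidden characters in it)]."""
    defines, found = {}, []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = expand(m.group(2), defines)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = expand(m.group(1), defines)
            found.append((path, sorted(set(path) & FORBIDDEN)))
    return found


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        for path, bad in resolve_includes(conf):
            print(f"{label}: {path}  forbidden={bad}")
```

Running it prints the bracketed path for the first fragment and a clean one for the second, which is the whole difference between the failing and a working `include %CONFDIR%\extra.conf`.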
w.schmitt@evidos.nl created
Hello!
Are there plans for an update of NXLog Community Edition to integrate TLS 1.3 (or rather OpenSSL 1.1.1)?
Unfortunately I didn't find any information about this. If this question has already been asked, I would be thankful if anyone could show me this thread.
Regards
dk created
Running NXLOG on Windows 2016
ERROR failed to subscribe to msvistalog events, the channel was not found [error code: 15007]; the specific channel could not be found. Check channel configuration.
NXLOG config file as requested.
Sample of NXLOG configuration file
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                        <Select Path="ForwardedEvents">*</Select>\
                        <Select Path="Setup">*</Select>\
                        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Output out>
    Module      om_tcp
    Host        x.x.x.x
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>
omoanth created
Hi,
According to this documentation https://nxlog.co/documentation/nxlog-user-guide#om_http
I can use 'AddHeader' to add custom headers to the HTTP request.
However, when I put it in the config I get: ERROR invalid keyword: AddHeader
I also tried
Exec add_http_header('Application-Id', 'b1f8b7a0-5cc5-11e8-8230-0db3d3bfb10d');
This time the error is: procedure 'add_http_header()' does not exist or takes different arguments.
What's the correct way to add an HTTP header?
piro314 created
Hello,
As the title suggests, I am getting multiple errors with XML files.
Here is my conf:
<Extension xml>
    Module      xm_xml
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input in>
    Module        im_file
    File          "C:\Users\administrator\Desktop\2016.xml"
    SavePos       FALSE
    ReadFromLast  FALSE
    Exec          parse_xml();
    Exec          to_json();
</Input>

<Output out>
    Module      om_file
    File        "C:\Users\administrator\Desktop\testxml.txt"
</Output>
Here are the errors:
2018-09-10 15:58:04 ERROR procedure 'parse_xml' failed at line 33, character 20 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; XML parse error at line 1: no element found
2018-09-10 15:58:04 ERROR procedure 'parse_xml' failed at line 33, character 20 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; XML parse error at line 1: not well-formed (invalid token)
Thanks for your time.
Deleted user created
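The two messages in the post above, "no element found" and "not well-formed (invalid token)", are the wording of the expat XML parser, which Python's xml.etree uses as well. As an added experiment (Python written for this page, not code from the post or from NXLog), a small constructed multi-line XML document is handed to that parser twice: once one physical line at a time, the way a line-based input delivers its records, and once as a whole. The per-line run reproduces both messages; the whole-document run yields the events. The sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a small pretty-printed document spread over several
# lines, the shape an exported event file usually has.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Events>
  <Event id="1">started</Event>
  <Event id="2">stopped</Event>
</Events>
"""


def parse_line_by_line(text):
    """Hand each physical line to the parser as if it were a whole document,
    which is what a line-based input does. Returns [(line, "ok" or message)]."""
    results = []
    for line in text.splitlines():
        try:
            ET.fromstring(line)
            results.append((line, "ok"))
        except ET.ParseError as exc:
            results.append((line, str(exc)))
    return results


def parse_whole(text):
    """Parse the document in one piece and pull out (id, text) per Event."""
    root = ET.fromstring(text)
    return [(ev.get("id"), ev.text) for ev in root.iter("Event")]


if __name__ == "__main__":
    for line, outcome in parse_line_by_line(SAMPLE_XML):
        print(f"{outcome:45} <- {line!r}")
    print(parse_whole(SAMPLE_XML))
```

The declaration line and the opening `<Events>` line fail with "no element found" (the parser reaches end of input before a complete element), the closing `</Events>` line fails with "not well-formed (invalid token)" (a close tag with nothing open), and only the lines that happen to hold a complete element parse. Whatever module does the framing, `parse_xml()` needs a complete document per record.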
Hi, I'm trying to send messages from NXLog into Logstash with a custom TAG. Logstash would filter those messages and then send them into specific topics in Kafka. For example my current Logstash + Filebeats works like that:
filebeat.yml has:
paths:
  - /var/log/*.log
tags: ["EXAMPLE_1"]
Logstash.yml has:
output {
  if "EXAMPLE_1" in [tags] {
    kafka {
      bootstrap_servers => "example_dns:9092"
      topic_id => "example_1_topic_kafka"
    }
  }
}
Is it possible to recreate such simple config with NXLog?
NXlog_monitoring created
Hello,
I'm using NXlog CE 2.10.2102 on a Win 2012 R2 x64 server to collect both the four default Windows logs and the Forwarded Events and send them to a Syslog server Snare-formatted. However, some events only contain their System segment, missing their entire EventData. For example, all events 1000 and 1001 and all 4624 events with Kerberos logon. 4624 with Advapi are passed just fine. I've no idea why that is; every idea would be welcome.
Here's my configuration:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log
LogLevel  INFO

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        $Message =~ s/(\t|\R)/ /g;
        to_syslog_snare();
    </Exec>
</Input>

<Output out>
    Module      om_udp
    Host        1.2.3.4
</Output>

<Route 66>
    Path        in => out
</Route>
AmirG created