Many computers use same nxlog.conf
liuxucan created
I will install the nxlog client on many computers, but that means I will configure the same nxlog.conf one by one, which seems too troublesome. Please give me some good advice, thanks!
IIS Log reading to parse then Syslog
smartdave created
Good afternoon. I am trying to see if NXlog can solve a use case I have with IIS.
Input file contains:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-11-22 11:00:17 192.168.30.60 HEAD /Autodiscover - 443 - 192.168.30.58 HttpProxy.ClientAccessServer2010Ping 401 2 5 325 166 0
What I was hoping I could do with NXlog was to read the log file, then send it in syslog as key-value pairs using the fields I defined (which would match what IIS gives me).
I need Nxlog to send in syslog ->
<12> date="2017-11-22",time="11:00:17",s-ip="192.168.30.60",cs-method="HEAD".....
Thanks
Dave
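The following is an added example, not code from the post or from NXLog, showing the transformation described above: read an IIS W3C log, take the column names from the file's own #Fields: directive instead of hard-coding them, and emit each record as a syslog line of key="value" pairs. The priority <12> and the field names come from the post; the sample log text is constructed. The delimiter parameter is an assumption that lets the same parser handle other #Fields:-style logs (IIS uses spaces, some other Microsoft logs use commas).

```python
"""Added example (not from the forum post or NXLog): parse an IIS W3C log by its own
'#Fields:' header and render each record as a syslog key="value" line."""

# Constructed sample modeled on the post: a directive line, the #Fields: line, one record.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-11-22 11:00:17 192.168.30.60 HEAD /Autodiscover - 443 - 192.168.30.58 HttpProxy.ClientAccessServer2010Ping 401 2 5 325 166 0
"""


def parse_w3c(text, delimiter=" "):
    """Yield one dict per data line.

    Column names are taken from the most recent '#Fields:' directive, so a changed
    field list (IIS rewrites the header when logging options change) is picked up
    automatically instead of shifting every column. Other '#' directives are skipped.
    """
    split = (lambda s: s.split()) if delimiter == " " else (lambda s: s.split(delimiter))
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = split(line[len("#Fields:"):])
            continue
        if fields is None:
            raise ValueError("data line seen before any #Fields: directive")
        values = split(line)
        if len(values) != len(fields):
            # A count mismatch usually means a delimiter inside a value or a truncated
            # line; surface it rather than silently misaligning the remaining columns.
            raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def quote(value):
    """Escape backslashes and double quotes so a value containing '"' (for example a
    crafted User-Agent) cannot break the key="value" framing at the receiver."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_kv_syslog(record, pri=12):
    """Render a record as '<PRI> key="value",key="value",...' in header order."""
    body = ",".join(f"{key}={quote(val)}" for key, val in record.items())
    return f"<{pri}> {body}"


if __name__ == "__main__":
    for rec in parse_w3c(SAMPLE_LOG):
        print(to_kv_syslog(rec))
```

Within NXLog the same split can be done with the xm_csv extension using a space as the Delimiter and the field list from the #Fields: line; the point of the example is that the field order must come from that header line, and that values are quoted on the way out, because IIS writes client-controlled data (User-Agent, URI query) into these columns.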
Wild Card in Regular Expression
Deleted user created
Is there a way to put a wildcard in a regular expression? Here is an example of my Headerline that I need to set:
Jun 11 16:10:05 tst-tst01-rp adevents: ---Begin event transaction---
So I have this for my headerline, but it doesn't seem to work:
Headerline /^\w\w\w \d\d \d\d:\d\d:\d\d \w\w\w-\w\w\w\d\d-\w\w adevents: ---Begin event transaction---/
I was hoping to be able to use a wildcard like this, but it doesn't work:
Headerline /^*---Begin event transaction---/
Thanks for your time.
Export Log between 2 string
RGO created
Hi,
New to nxlog, I don't even know where to search for this kind of need...
SFB is a Microsoft UC client with several hundred Mo logs per day. I need to extract only a few information between strings for each PC.
How can I achieve that?
For example, I need to extract this specific info between these delimiters: <v3:Density>0.004195841</v3:Density>
Thanks for any help.
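An added example (not from the post or from NXLog) of the extraction asked about above: a regex with one capture group pulls the text between a known opening and closing delimiter, and lines that do not carry the value are dropped instead of forwarded. The <v3:Density> delimiters are the ones from the post; the log lines are constructed and the line layout is an assumption.

```python
"""Added example (not from the forum post or NXLog): extract a value between known
delimiters from each log line and keep only the lines that contain it."""
import re

# Constructed sample: only the second and third lines carry a usable value.
SAMPLE = [
    "2018-06-01 10:00:00.123 INFO  MediaManager: session started",
    "2018-06-01 10:00:01.456 DEBUG QoE: <v3:Density>0.004195841</v3:Density><v3:Jitter>3</v3:Jitter>",
    "2018-06-01 10:00:02.789 DEBUG QoE: <v3:Density>0.125</v3:Density>",
    "2018-06-01 10:00:03.000 DEBUG QoE: <v3:Density></v3:Density>",
]


def between(open_tag, close_tag):
    """Build a pattern capturing the text between two literal delimiters.

    re.escape keeps the punctuation in the tags literal; [^<]+ stops at the next tag,
    so a line holding several elements yields only the wanted one, and an empty
    element (nothing between the tags) does not match at all.
    """
    return re.compile(re.escape(open_tag) + r"([^<]+)" + re.escape(close_tag))


DENSITY = between("<v3:Density>", "</v3:Density>")


def extract(lines, pattern=DENSITY):
    """Return (line, value) pairs for lines that contain the delimited value."""
    found = []
    for line in lines:
        match = pattern.search(line)
        if match:
            found.append((line, match.group(1)))
    return found


def density_values(lines):
    """Convenience view: just the numeric values, as floats, in file order."""
    return [float(value) for _, value in extract(lines, DENSITY)]


if __name__ == "__main__":
    for line, value in extract(SAMPLE):
        print(value, "<-", line)
```

NXLog's own language supports the same idea directly: an Exec such as `if $raw_event =~ /<v3:Density>([^<]+)<\/v3:Density>/ $Density = $1; else drop();` assigns the captured group to a field and discards every other line, so only the few wanted values leave the PC rather than the whole multi-hundred-megabyte log.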
xm_multiline help
Jereme.Powers created
I am having trouble getting multiline to work with ClamSentinel DriveAdd logs.
Below is the raw log as ClamSentinel outputs the information.
#####################################################################################################################
##### Thursday, June 07, 2018 2:05:09 PM (jereme.powers@POS-LOGFIL1)
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 6539461
Engine version: 0.99.4
Scanned directories: 9
Scanned files: 13
Infected files: 0
Data scanned: 21.52 MB
Data read: 169.16 MB (ratio 0.13:1)
Time: 17.069 sec (0 m 17 s)
##### Thursday, June 07, 2018 2:10:31 PM (jereme.powers@POS-LOGFIL1)
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 6539461
Engine version: 0.99.4
Scanned directories: 9
Scanned files: 13
Infected files: 0
Data scanned: 21.52 MB
Data read: 169.16 MB (ratio 0.13:1)
Time: 16.608 sec (0 m 16 s)
##### Thursday, June 07, 2018 2:12:13 PM (jereme.powers@POS-LOGFIL1)
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 6539461
Engine version: 0.99.4
Scanned directories: 9
Scanned files: 13
Infected files: 0
Data scanned: 21.52 MB
Data read: 169.16 MB (ratio 0.13:1)
Time: 16.234 sec (0 m 16 s)
#####################################################################################################################
I have tried many different regex combinations for the headerline but so far I have not been able to parse everything together into one line.
#####################################################################################################################
Here is my nxlog config...
define ROOT C:\Program Files (x86)\nxlog
define LOGFILE %ROOT%\data\nxlog.log
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
##################################################################################
##################
# Extensions #
##################
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension charconv>
Module xm_charconv
</Extension>
<Extension Eventlog_CSV>
Module xm_csv
Fields $EventTime, $EventType, $Severity, $Channel, $Hostname, $EventID, $SourceName, $AccountName, $AccountType, $Domain, $Message, $Task, $Category, $Keywords, $UserID, $SeverityValue, $ProviderGuid, $Version, $OpcodeValue, $Opcode, $ActivityID, $RelatedActivityID, $ProcessID, $ThreadID, $RecordNumber
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ;
</Extension>
<Extension multiline_CLAMWIN-ScanLog>
Module xm_multiline
Exec if $raw_event =~ /^\s*$/ drop();
else
{
$raw_event = replace($raw_event, "\r", " ");
}
HeaderLine /^\w{4}\s\w{7}\s\w{0,5}\s\w{0,4}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}/
</Extension>
<Extension multiline_CLAMWIN-UpdateLog>
Module xm_multiline
Exec if $raw_event =~ /^\s*$/ drop();
else
{
$raw_event = replace($raw_event, "\r", " ");
}
HeaderLine /^--------------------------------------/
</Extension>
<Extension multiline_CLAMSentinel-DriveAddLog>
Module xm_multiline
Exec if $raw_event =~ /^\s*$/ drop();
else
{
$raw_event = replace($raw_event, "\r", " ");
}
HeaderLine /^[#]{5}\s\w{6,9},\s\w{3,9}\s\d{2},\s\d{4}\s\d+:\d+:\d+\s\w{2}\s[(].[)]$/
</Extension>
##################################################################################
#####################
# WINDOWS Events #
#####################
<Processor Filter_XML>
Module pm_pattern
PatternFile %ROOT%\conf\patterndb.xml
</Processor>
<Input IN_Eventlog>
Module im_msvistalog
Query <QueryList>
<Query Id="0">
<Select Path="Security"></Select>
<Select Path="Application"></Select>
<Select Path="System"></Select>
<Select Path="Setup">*</Select>
</Query>
</QueryList>
#########################################
# Windows Events - Filter Application #
#########################################
#Exec if ($Application =~ /appdata\roaming\dropbox\bin\dropbox.exe/) drop();
#Exec if ($Application =~ /nxlog\nxlog.exe/) drop();
#Exec if ($Application =~ /windows\system32\spoolsv.exe/) drop();
#########################################
# Filter by Source and Destination IP #
#########################################
#Exec if ($SourceAddress =~ /8.8.8.8/) drop();
#Exec if ($DestAddress =~ /8.8.8.8/) drop();
#########################
# Filter by EventID #
#########################
Exec if ($EventID == 4656 or $EventID == 4663) drop();
</Input>
<Output OUT_Eventlog>
Module om_file
File "C:\ProgramData\.clamwin\log\WINEVENTLOGS.log"
Exec if not defined $PatternID or not defined $Message { drop(); }
Exec $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
Exec if not defined $AccountName { $AccountName = "-"; }
Exec if not defined $AccountType { $AccountType = "-"; }
Exec if not defined $Domain { $Domain = "-"; }
Exec Eventlog_CSV->to_csv(); $raw_event = $Hostname + ' WIN-NXLOG ' + $raw_event + ' Task: ' + $Task + ' Category: '+ $Category + ' Keywords: ' + $Keywords + ' UserID: ' + $UserID + ' Severity: ' + $SeverityValue + ' ProviderGuid: ' + $ProviderGuid + ' Version: ' + $Version + ' OpcodeValue: ' + $OpcodeValue + ' Opcode: ' + $Opcode + ' ActivityID: ' + $ActivityID + ' RelatedActivityID: ' + $RelatedActivityID + ' ProcessID: ' + $ProcessID + ' ThreadID: ' + $ThreadID + ' RecordNumber: ' + $RecordNumber;
</Output>
<Route route_winevents_logs>
Path IN_Eventlog => Filter_XML => OUT_Eventlog
</Route>
##################################################################################
###############
# CLAMWIN #
###############
##############
# ScanLog #
##############
<Input IN_CLAMWIN-ScanLog>
Module im_file
File "C:\ProgramData\.clamwin\log\ClamScanLog.txt"
InputType multiline_CLAMWIN-ScanLog
SavePos FALSE
</Input>
<Output OUT_CLAMWIN-ScanLog>
Module om_file
File "C:\ProgramData\.clamwin\log\CLAMWIN-ScanLog.log"
Exec $Hostname = hostname_fqdn();
Exec $raw_event = $Hostname + " " + $raw_event + " " + 'CLAM-NXLOG';
</Output>
<Route route_CLAMWIN-ScanLog>
Path IN_CLAMWIN-ScanLog => OUT_CLAMWIN-ScanLog
</Route>
#################
# UpdateLog #
#################
<Input IN_CLAMWIN-UpdateLog>
Module im_file
File "C:\ProgramData\.clamwin\log\ClamUpdateLog.txt"
InputType multiline_CLAMWIN-UpdateLog
SavePos FALSE
</Input>
<Output OUT_CLAMWIN-UpdateLog>
Module om_file
File "C:\ProgramData\.clamwin\log\CLAMWIN-UpdateLog.log"
Exec $Hostname = hostname_fqdn();
Exec $raw_event = $Hostname + " " + $raw_event + " " + 'CLAM-NXLOG';
</Output>
<Route route_CLAMWIN-UpdateLog>
Path IN_CLAMWIN-UpdateLog => OUT_CLAMWIN-UpdateLog
</Route>
##################################################################################
#####################
# CLAMSentinel #
#####################
###################
# DriveAddLog #
###################
<Input IN_CLAMSentinel-DriveAddLog>
Module im_file
File "C:\ProgramData\.clamwin\log\ClamSentinel_DriveAddLog.txt"
InputType multiline_CLAMSentinel-DriveAddLog
SavePos FALSE
</Input>
<Output OUT_CLAMSentinel-DriveAddLog>
Module om_file
File "C:\ProgramData\.clamwin\log\CLAMSentinel-DriveAddLog.log"
Exec $Hostname = hostname_fqdn();
Exec $raw_event = $Hostname + " " + $raw_event + " " + 'CLAM-NXLOG';
</Output>
<Route route_CLAMSentinel-DriveAddLog>
Path IN_CLAMSentinel-DriveAddLog => OUT_CLAMSentinel-DriveAddLog
</Route>
#####################################################################################################################
Everything is working but the DriveAddLog section. Please help!
Pushing EVTX logs to Graylog
craig.gaspara created
We recently enabled logging on a CIFS share hosted on our NetApp. The audit logs that are generated are stored on a network share, currently in EVTX format (XML logs are also an option). I have a Windows server that has NXLog installed and can mount the network share where the EVTX files are located. What is the best module to use to get these EVTX or XML files into our Graylog server on a regular basis?
Nxlog and Logstash
peterc created
We currently have an issue where, when we pass log4net data into logstash, it stops writing events after a period of time. We deployed Nxlog to pull IIS logs into logstash, where logstash stopped processing new events after 20 minutes using the UDP appender.
Unfortunately, using TCP isn't an option due to the potential risk of it slowing our production environment down. Has anyone got any suggestions on how we can use NXlog and stop logstash from stopping (we use the community edition), or is the only way to parse it into a messaging queue like Redis first, then logstash?
How to uninstall nxlog
lakegroup created
Trying to upgrade nxlog, which requires the uninstall of the old version.
The program is not listed under Windows programs and I cannot locate an uninstall.exe.
How do you uninstall?
Replace accented vowels
_omar_ created
Hi
I need to replace any accented vowel (á,é,í,ó,ú) on raw event. I tried (for just 'a' vowel):
$raw_event = replace($raw_event, "á", 'a');
But it doesn't work.
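An added example (not from the post or from NXLog) around the accented-vowel replacement above. It shows two ways to do the replacement, and the usual reason a literal replace of "á" silently matches nothing: the log file is written in one encoding (cp1252 is common on Windows) while the pattern in the config is UTF-8, so the byte sequences differ. The sample strings and the encoding list are constructed assumptions.

```python
"""Added example (not from the forum post or NXLog): strip accents from vowels, and
decode the event bytes correctly first so the replacement sees real characters."""
import unicodedata

ACCENTED = "áéíóúÁÉÍÓÚ"
PLAIN = "aeiouAEIOU"
VOWEL_TABLE = str.maketrans(ACCENTED, PLAIN)


def replace_vowels(text):
    """Replace exactly the five accented vowels (both cases) and nothing else."""
    return text.translate(VOWEL_TABLE)


def strip_all_accents(text):
    """More general: decompose to NFD and drop combining marks, so ñ, ü, ç and the
    rest are covered too. Useful when the downstream sink cannot take non-ASCII."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def decode_event(raw, encodings=("utf-8", "cp1252")):
    """Decode raw event bytes, trying the expected encodings in order.

    UTF-8 'á' is b'\\xc3\\xa1' while cp1252 'á' is b'\\xe1'; a replace written for one
    never matches bytes produced by the other. Decoding first makes the replace
    encoding-independent. latin-1 is the last resort because it never fails.
    """
    for enc in encodings:
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


# Constructed sample: the same message as written by a UTF-8 and by a cp1252 logger.
MESSAGE = "Conexión rechazada para el usuario Andrés"
LINE_UTF8 = MESSAGE.encode("utf-8")
LINE_CP1252 = MESSAGE.encode("cp1252")


def normalize_event(raw):
    """Full pipeline: decode, then replace the accented vowels."""
    return replace_vowels(decode_event(raw))


if __name__ == "__main__":
    print(normalize_event(LINE_UTF8))
    print(normalize_event(LINE_CP1252))
    print(strip_all_accents("señal recibida con ü"))
```

The same two steps apply inside NXLog: the xm_charconv extension converts the input to a known encoding before any replace() runs, and a replace that still does nothing after that is a sign the config file itself is not saved in the encoding the pattern assumes.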
om_udp apr_socket_send failed;Connection refused
yusuf created
I am trying out nxlog community edition on CentOS and I am getting an error:
Error: om_udp apr_socket_send failed;Connection refused
What could be the solution?
om_udp apr_socket_send failed;Connection refused
Suryaprakash created
I'm unable to connect to the centralized log server from the client machine.
nxlog.config:
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules #
########################################
<Input in>
  Module im_file
  File "/var/log/messages"
</Input>
<Output out>
  Module om_udp
  Host 192.168.58.175
  Port 514
</Output>
########################################
# Routes #
########################################
<Route>
  Path in => out
</Route>
NxLog multiline to ship data that only contains a colon
Deleted user created
Hello there,
I am working with a multiline module. This particular file has 38 lines, but I'd like to only ship the lines that contain a colon. Is there a way to write an exec that if the line does not contain a colon then drop the line?
Here is my config so far:
<Extension log>
Module xm_multiline
#FixedLineCount
HeaderLine /^---Begin event transaction---/
#EndLine /^---Event Reporting Complete---/
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input in>
Module im_file
File "C:\\Users\\Administrator\\Desktop\\SRR_Error.txt"
InputType log
SavePos FALSE
ReadFromLast FALSE
Exec $message = $raw_event; to_json();
</Input>
Thanks,
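The following is an added example, not code from any of the posts or from NXLog, serving three of the multiline questions above: the "wildcard in a regular expression" headerline, the ClamSentinel DriveAdd headerline that never matches, and shipping only the lines of a record that contain a colon. It reimplements the HeaderLine idea of xm_multiline in plain Python so the header regex can be tested against sample text before it goes into a config. The ClamSentinel record below is constructed to match the output quoted in that post; the "event transaction" line is constructed after the wildcard post.

```python
"""Added example (not from the forum posts or NXLog): group line-based log text into
records on a header regex, with an optional per-line filter, and compare header
patterns against sample lines."""
import re

# Constructed sample modeled on the ClamSentinel DriveAdd output quoted in the post.
CLAM_SAMPLE = """\
#####################################################################################################################
##### Thursday, June 07, 2018 2:05:09 PM (jereme.powers@POS-LOGFIL1)
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 6539461
Engine version: 0.99.4
Infected files: 0
Time: 17.069 sec (0 m 17 s)
##### Thursday, June 07, 2018 2:10:31 PM (jereme.powers@POS-LOGFIL1)
-------------------------------------------------------------------------------
----------- SCAN SUMMARY -----------
Known viruses: 6539461
Infected files: 0
Time: 16.608 sec (0 m 16 s)
"""

# The pattern as posted. Its tail "[(].[)]$" allows exactly one character between the
# parentheses, because '.' matches a single character, so "(jereme.powers@...)" never
# matches and no record ever starts.
POSTED_HEADER = re.compile(
    r"^[#]{5}\s\w{6,9},\s\w{3,9}\s\d{2},\s\d{4}\s\d+:\d+:\d+\s\w{2}\s[(].[)]$")

# Corrected: ".+" is the wildcard for "anything here"; day and month are left open with
# \w+ instead of fixed widths, and the AM/PM marker is spelled out.
CLAM_HEADER = re.compile(
    r"^#{5}\s+\w+,\s+\w+\s+\d{1,2},\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M\s+\(.+\)$")

# The wildcard question: "^.*---Begin event transaction---" skips any prefix. A bare
# "^*" is not a wildcard; '*' only repeats the token before it.
EVENT_HEADER = re.compile(r"^.*---Begin event transaction---")


def group_records(lines, header, keep=lambda line: True):
    """Start a new record on every line matching 'header'.

    Lines before the first header and blank lines are dropped. 'keep' decides which
    body lines enter a record (the header line is always kept), e.g. keep only lines
    containing a colon.
    """
    records, current = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if header.search(line):
            if current:
                records.append(current)
            current = [line]
        elif current is not None and line.strip() and keep(line):
            current.append(line)
    if current:
        records.append(current)
    return records


def join_record(lines):
    """Flatten a record to one line, as the posted config does by replacing CRs."""
    return " ".join(lines)


if __name__ == "__main__":
    for rec in group_records(CLAM_SAMPLE.splitlines(), CLAM_HEADER, keep=lambda l: ":" in l):
        print(join_record(rec))
```

The regex dialect is the same one NXLog uses for HeaderLine, so a pattern that matches the sample header here will match it in the config; checking the header this way first avoids the silent failure mode where nothing matches and every line is emitted on its own.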
Extracting Exchange 2016 Message Tracking Logs
Austin.Downing created
Currently we are sending our Exchange 2013 logs to our Graylog server using the CSV converter built into Graylog. We parse based on the following fields in 2013.
Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data
FieldTypes Datetime,ip4addr,String,ip4addr,String,String,String,String,String,String,String,String,String,String,Integer,String,String,String,String,String,String,String,String,String,ip4addr,ip4addr,String
When I use these strings to parse Exchange 2016 logs, I am unable to break up the data within the CSV being sent. It appears that some fields changed, but I don't know what the fields should be labeled or what type of field they are.
Does anyone have a working Exchange 2016 Message Tracking exporter for NXLog-CE?
Data access
peterc created
When using NXlogs does any data get collected by Nxlogs.co and what data is passed?
Notification of upgrade option and changes
James created
Hi,
We have a compliance requirement to keep our software up to date and wonder if it'd be possible to subscribe to something where you notify us of updates and include your change log from the installation files \usr\share\doc\nxlog-ce\changelog.txt
Thanks
James
Problem with nxlog-ce
nazir.haron created
Hi, can somebody help me to solve this problem:
2018-05-15 16:33:33 ERROR failed to open /var/log/freeradius/linelog-accounting;Permission denied
2018-05-15 16:33:35 ERROR apr_stat failed on file /var/log/freeradius/linelog-accounting;Permission denied
Log filter
klambi created
Hi,
I just want to filter the Windows logs. I mean I don't want to collect the info type, because I need just the warning and critical types.
Where and how can I set this up?
Thanks!
Multiline not working as expected
Deleted user created
I am trying to use multiline to ship a log file. Here is my config:
<Extension log>
Module xm_multiline
HeaderLine /^\---Begin event transaction---/
EndLine /^\---Event Reporting Complete---/
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input in>
Module im_file
File "C:\\Users\\Administrator\\Desktop\\log.txt"
SavePos FALSE
ReadFromLast FALSE
Exec to_json();
</Input>
<Output out>
Module om_tcp
Host (server)
Port 5010
</Output>
<Route>
Path in => out
</Route>
I have blank entries in my database; 1 blank entry for each line that should be a part of the multiline (37 in one case).
Any help would be appreciated.
Thanks,
Multiple NXConfigs
Constrife created
Hey,
I am currently having trouble finding a way to configure multiple inputs. I am currently forwarding my DNS log with the following:
> define ROOT C:\Program Files (x86)\nxlog
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
>
> <Extension gelf>
> Module xm_gelf
> ShortMessageLength -1
> </Extension>
>
> <Input dns>
> Module im_file
> File "C:\DNS\dns.log"
> SavePos TRUE
> InputType LineBased
> </Input>
>
> <Output out>
> Module om_udp
> Host 192.168.0.168
> Port 5414
> OutputType GELF
> </Output>
>
> <Route 2>
> Path dns => out
> </Route>
That works 100% and I am happy with the results. The issue comes with trying to send the DNS log and sending Windows Event logs as well. I tried the following but it always comes back with errors.
Both DNS and Winlogs
> define ROOT C:\Program Files (x86)\nxlog
>
> Moduledir %ROOT%\modules
> CacheDir %ROOT%\data
> Pidfile %ROOT%\data\nxlog.pid
> SpoolDir %ROOT%\data
> LogFile %ROOT%\data\nxlog.log
>
> <Extension gelf>
> Module xm_gelf
> ShortMessageLength -1
> </Extension>
>
> <Input in1>
> Module im_msvistalog
> # For windows 2003 and earlier use the following:
> # Module im_mseventlog
> </Input>
>
> <Input dns2>
> Module im_file
> File "C:\DNS\dns.log"
> SavePos TRUE
> InputType LineBased
> </Input>
>
> <Output out2>
> Module om_udp
> Host 192.168.0.168
> Port 5414
> OutputType GELF
> </Output>
>
> <Output out1>
> Module om_tcp
> Host 192.168.0.168
> Port 12201
> OutputType GELF_TCP
> </Output>
>
> <Route 1>
> Path in => out
> </Route>
>
> <Route 2>
> Path dns => out
> </Route>
Error:
2018-05-03 10:46:31 ERROR module 'in' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:42
2018-05-03 10:46:31 ERROR module 'out' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:42
2018-05-03 10:46:31 ERROR route 2 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:42
2018-05-03 10:46:31 ERROR module 'dns' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46
2018-05-03 10:46:31 ERROR module 'out' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46
2018-05-03 10:46:31 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46
2018-05-03 10:46:31 WARNING no routes defined!
2018-05-03 10:46:31 WARNING not starting unused module in2
2018-05-03 10:46:31 WARNING not starting unused module dns1
2018-05-03 10:46:31 WARNING not starting unused module out1
2018-05-03 10:46:31 WARNING not starting unused module out2
2018-05-03 10:46:31 INFO nxlog-ce-2.9.1716 started
Just looking for a way to maybe input it correctly or find a way to use multiple NXLog config files
im_udp on Windows
seb created
Hello, I am trying to use nxlog-ce to collect the logs of an Aruba controller.
The log file is created correctly, but it remains empty.
Could you help me?
For information:
The Aruba controller is correctly configured, since I receive the logs fine with the software "visual syslog server".
Here is the nxlog.conf file used:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile C:\Program Files (x86)\nxlog\nxlog.pid
SpoolDir C:\Program Files (x86)\nxlog\data
LogFile C:\Program Files (x86)\nxlog\nxlog.log
<Extension fileop>
Module xm_fileop
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_udp
Host IP Adress of my Windows serveur
Port 514
</Input>
<Output out>
Module om_file
File 'D:\arubasyslogs\aruba.log'
</Output>
<Route 1>
Path in_Aruba => out_file
</Route>