i'm unable to connect centralized log server from client machine

nxlog.config:

User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO


########################################
# Modules #
########################################


<Input in>
Module im_file
File "/var/log/messages"

</Input>

<Output out>
Module om_udp
Host 192.168.58.175
Port 514

########################################
# Routes #
########################################
<Route>
Path in => out
</Route>

Hello there,

I am working with a multiline module. This particular file has 38 lines, but I'd like to only ship the lines that contain a colon. Is there a way to write an exec that if the line does not contain a colon then drop the line?

Here is my config so far:

<Extension log>

Module	xm_multiline
#FixedLineCount
HeaderLine /^---Begin event transaction---/
#EndLine /^---Event Reporting Complete---/

</Extension>

<Extension json>

Module xm_json

</Extension>

<Input in>

Module im_file

	File   "C:\\Users\\Administrator\\Desktop\\SRR_Error.txt"
	InputType		log
	SavePos			FALSE
	ReadFromLast	FALSE
	Exec			$message = $raw_event; to_json();

</Input>

Thanks,

Currently we are sending our Exchange 2013 logs to our Graylog server using the CSV converter built into Graylog. We parse based on the following fields in 2013.

Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data

FieldTypes Datetime,ip4addr,String,ip4addr,String,String,String,String,String,String,String,String,String,String,Integer,String,String,String,String,String,String,String,String,String,ip4addr,ip4addr,String`

When I use these strings to parse Exchange 2016 logs I am unable to breakup the data within the CSV being sent. It appears that some fields changed but I don't know what the fields should be labeled or what type of field they are.

Does anyone have a working Exchange 2016 Message Tracking exporter for NXLog-CE?

When using NXlogs does any data get collected by Nxlogs.co and what data is passed?

Hi,

We have a compliance requirement to keep our software up-to-date and wonder if it'd be possible to subscribe to something where you notify us of updates and include your change log from the installation files \usr\share\doc\nxlog-ce\changelog.txt

Thanks James

Hi, can somebody help me to solve this problem

2018-05-15 16:33:33 ERROR failed to open /var/log/freeradius/linelog-accounting;Permission denied 2018-05-15 16:33:35 ERROR apr_stat failed on file /var/log/freeradius/linelog-accounting;Permission denied

Hi, I just want to fileter the windows logs. I mean I dont want to collect the info type, because I need just the warning and the critical types. Where and how can I set this settings up?

Thanks!

I am trying to use multiline to ship a log file. Here is my config:

<Extension log>

Module	xm_multiline
HeaderLine /^\---Begin event transaction---/
EndLine /^\---Event Reporting Complete---/

</Extension>

<Extension json>

Module xm_json

</Extension>

<Input in>

Module im_file

	File   "C:\\Users\\Administrator\\Desktop\\log.txt"
	SavePos			FALSE
	ReadFromLast	FALSE
	Exec			to_json();

</Input>

<Output out>

Module		om_tcp
	
	Host		(server)
	Port		5010

</Output>

<Route>

Path	in => out

</Route>

I have blank entries in my database; 1 blank entry for each line that should be a part of the multiline (37 in one case).

Any help would be appreciated.

Thanks,

**Hey,** **I am currently having trouble finding a way to input multiple inputs. So I am currently forwarding my DNS log with the following:** > define ROOT C:\Program Files (x86)\nxlog > > Moduledir %ROOT%\modules > CacheDir %ROOT%\data > Pidfile %ROOT%\data\nxlog.pid > SpoolDir %ROOT%\data > LogFile %ROOT%\data\nxlog.log > > > Module xm_gelf > ShortMessageLength -1 > > > > Module im_file > File "C:\DNS\dns.log" > SavePos TRUE > InputType LineBased > > > > Module om_udp > Host 192.168.0.168 > Port 5414 > OutputType GELF > > > > Path dns => out > **That works 100% and I am happy with the results. The issue comes with trying to send the DNS log and sending Windows Event logs as well. I tried the following but it always comes back with errors.** ------------------------------------------------------------------------------------------------------------------------------------- **Both DNS and Winlogs** > define ROOT C:\Program Files (x86)\nxlog > > Moduledir %ROOT%\modules > CacheDir %ROOT%\data > Pidfile %ROOT%\data\nxlog.pid > SpoolDir %ROOT%\data > LogFile %ROOT%\data\nxlog.log > > > Module xm_gelf > ShortMessageLength -1 > > > > Module im_msvistalog > # For windows 2003 and earlier use the following: > # Module im_mseventlog > > > > Module im_file > File "C:\DNS\dns.log" > SavePos TRUE > InputType LineBased > > > > Module om_udp > Host 192.168.0.168 > Port 5414 > OutputType GELF > > > > Module om_tcp > Host 192.168.0.168 > Port 12201 > OutputType GELF_TCP > > > > Path in => out > > > > Path dns => out > Error: 2018-05-03 10:46:31 ERROR module 'in' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:42 2018-05-03 10:46:31 ERROR module 'out' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:42 2018-05-03 10:46:31 ERROR route 2 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:42 2018-05-03 10:46:31 ERROR module 'dns' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46 2018-05-03 10:46:31 ERROR module 'out' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46 2018-05-03 10:46:31 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:46 2018-05-03 10:46:31 WARNING no routes defined! 2018-05-03 10:46:31 WARNING not starting unused module in2 2018-05-03 10:46:31 WARNING not starting unused module dns1 2018-05-03 10:46:31 WARNING not starting unused module out1 2018-05-03 10:46:31 WARNING not starting unused module out2 2018-05-03 10:46:31 INFO nxlog-ce-2.9.1716 started **Just looking for a way to maybe input it correctly or find a way to use multiple NXLog config files**

Hello I try to use nxlog-ce to collect the log of an aruba controller The log file is well created, but it remains empty Could you help me ?

for information : the aruba controller is correctly configured since I get the logs well with the software "visual syslog server"

here is the nxlog.conf file used

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile C:\Program Files (x86)\nxlog\nxlog.pid SpoolDir C:\Program Files (x86)\nxlog\data LogFile C:\Program Files (x86)\nxlog\nxlog.log

<Extension fileop> Module xm_fileop </Extension>

<Extension syslog> Module xm_syslog </Extension>

<Input in> Module im_udp Host IP Adress of my Windows serveur Port 514 </Input>

<Output out> Module om_file File 'D:\arubasyslogs\aruba.log' </Output>

<Route 1> Path in_Aruba => out_file </Route>

Hi there

Maybe a dumb/newbie question: I'm not a Windows guy, but I know EventLogs have some weird normalization trick where GUIDs/etc have to be cross-referenced against some locale data to show you what you really want to see. I'm trying to run nxlog on a domain controller, but instead of forwarding (to syslog) "english text", we're seeing "Object: Object Server: DS Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2} Object Name: %{d7cb26ca-1f06-4d..." kind of stuff

It looks fine in the the EventLog viewer on the DC, and running "nxlog -f" from the command line doesn't show any error, so any ideas what's missing?

According to this: https://nxlog.co/question/794/64-bit-windows-event-log-support-community-vs-enterprise I would think standard "this user was added to this group" kind of Security messages would be covered, but I suspect this isn't the case with the community edition?

So do you need the enterprise version to get all Eventlog "translations" that are really standard on systems like domain controllers?

This is with nxlog-ce-2.9.1716.msi.

Thanks, Jason

Hi,

I'm trying to read from a .evtx file directly using the File directive in im_msvistalog. I keep getting an error: Assertion failed at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->nelts-1->query = imconf->_query""

I'm running Windows 10 with nxlog-4.0.3550. I've tested with different files with the same error.

Hello, is there an solution to install nxlog on Debian 9? When does the Debian 9 package released?

Can NXLog run as-is on Windows Embedded? Specifically Windows Embedded Standard 6.1?

Hi,

I am trying to forward Windows 2016 event logs to a RHEL 7 syslog collector, on the community edition. I am not receiving any logs at the collector. I know that this is not a network issue as syslog generator tools (such as kiwi) are working. Current config is below:

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _syslog> Module xm_syslog </Extension>

<Input in> Module im_msvistalog Query <QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select>
</Query>
</QueryList> </Input>

<Output out> Module om_udp Host <myhostip> Port 514 Exec to_syslog_snare(); </Output>

<Route 1> Path in => out </Route>

Any pointers as to where I'm going wrong? Ideally I would like to send all Windows Event logs, not just the IDs listed above.

Hi all.

We've got nxlog installed on multiple servers, and at least once a day we get an incident where the CPU usage massively spikes - 90%+ being used by nxlog. Then the service stops (presumably killed because of the high CPU).

Has anyone experienced this before?

Hey!

I can think of several ways to solve this, but I'm looking to see if anyone has a better idea. I'm getting some logs that are uploaded as a gzipped file. I need to uncompress the file and then send the log content to several destinations, but for this purpose, let's assume that I'm using om_tcp as the destination. I'm considering a couple of options, but has anyone already done something like this or have a brilliant idea for handling it?

Thanks!

Hi, I'm new in NXLOG and Graylog. I'm using nxlog to send Windows server log to Graylog, My final goal is to transfer and log in ssl, but proceed by step. All my machines are on my company lan The configuration of NXLOG with OM_UDP

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension _syslog> Module xm_gelf </Extension>

<Input in> Module im_msvistalog Query <QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select>
</Query>
</QueryList> </Input>

<Output out> Module om_udp Host 10.0.0.22 Port 12201 #Exec to_syslog_snare(); Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop(); OutputType GELF </Output>

<Route 1> Path in => out </Route>

works correctly, while the one, identical, that I did with OM_TCP

<Output out> Module om_tcp Host 10.0.0.22 Port 12201 #Exec to_syslog_snare(); Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop(); OutputType GELF </Output>

create this log

018-04-11 19:48:06 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-11 19:48:06 INFO reconnecting in 2 seconds 2018-04-11 19:48:07 INFO connecting to 10.0.0.22:12201 2018-04-11 19:48:07 INFO reconnecting in 1 seconds 2018-04-11 19:48:07 ERROR om_tcp send failed; An established connection was aborted by the software in your host machine.
2018-04-11 19:48:08 INFO connecting to 10.0.0.22:12201 2018-04-11 19:52:59 ERROR couldn't connect to tcp socket on 10.0.0.22:12201; No connection could be made because the target machine actively refused it.
2018-04-11 19:53:01 INFO connecting to 10.0.0.22:12201 2018-04-11 19:53:02 INFO reconnecting in 4 seconds 2018-04-12 10:02:09 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:10 INFO connecting to 10.0.0.22:12201 2018-04-12 10:02:10 INFO reconnecting in 1 seconds 2018-04-12 10:02:10 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO connecting to 10.0.0.22:12201 2018-04-12 10:02:11 INFO reconnecting in 1 seconds 2018-04-12 10:02:11 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:11 INFO reconnecting in 2 seconds 2018-04-12 10:02:12 INFO connecting to 10.0.0.22:12201 2018-04-12 10:02:12 INFO reconnecting in 1 seconds 2018-04-12 10:02:12 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201 2018-04-12 10:02:13 INFO reconnecting in 1 seconds 2018-04-12 10:02:13 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201

does not work correctly In graylog i recive 1 message / minute Instead of 15/20 which I receive with the udp onfiguration,even if the Graylog input message counter reports about 20 / minute. It seems that most messages are discarded as incorrect On Graylog server firewall port 12201 tcp/udp is open, and on windows server 12201 port is open too. I have no idea what's going on. thank you

Hello,

I would like to use nxlog-xchg utility as described in the documentation.

Where can I find this utility ? I use the community edition.

Thanks.

Hi everyone,

The user guide section for the om_http module explains:

Each event is transferred in a single POST request.
https://nxlog.co/documentation/nxlog-user-guide#om_http

When https is used, is the TLS handshake also performed for each event? This seems like it would be quite inefficient.

Are there any plans to support bulk / batch exporting of many events in a single http post, specifically for exporting data to the Splunk HEC?

rsyslog and syslog-ng support batch exporting events to Splunk using the external python script omsplunkhec.py, as explained here:
https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html

NXLog supports batch exporting events to Elasticsearch using their bulk API:
https://nxlog.co/documentation/nxlog-user-guide#om_elasticsearch