Windows Event to rsyslog
doomfront created
Hello,
I'm trying to forward Windows Event logs to a server that uses rsyslog. I've read through the reference manual for configuration, but I keep getting the same error when starting the executable.
It says "ERROR apr_sockaddr_info failed for hostname:port#; The requested name is valid, but no data of the requested type was found."
I'm not sure what that means; I've been stuck on it for over a week now. I have all of my firewalls off, so I don't think it's that. Does nxlog work with IPv6 addresses? That seems to be the only difference between my systems and the examples I've read.
nxlog.conf; syntax error, unexpected -, expecting (
w.schmitt@evidos.nl created
Hi, I was wondering why the following config results in an error: nxlog.conf; syntax error, unexpected -, expecting (
Module im_msvistalog
Exec if $cs-uri-stem == '/health' drop();
I am trying to filter some URLs from the event log's IIS log.
I got it partially working with the XPath query, but I think that the drop filter method makes it far more flexible.
Thanks!
Latest source doesn't match latest binaries? nxlog-ce-2.9.1716
spacefuzz created
Does someone have a link to the latest source for nxlog-ce-2.9.1716?
Ignore lines in a file
Selmack created
Hello, I was wondering, is there a command where I can tell NXLog to ignore the first 32 lines of a file that I want to read in? The log file is a DHCP log on Win 2012 R2, and the first 32 lines are info about Event IDs and their meanings. I'd like to tell NXLog to ignore the first 32 lines when reading in the log files. Thanks in advance for any info. Really love nxlog.
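An added example (not the poster's config, and not an NXLog-supplied snippet): im_file has no "skip the first N lines" directive, but the Windows DHCP server log has a shape that makes a content filter more robust than a line count. Every real record starts with a numeric event ID and a comma; the preamble (the Event ID legend, blank lines and the "ID,Date,Time,..." column header) never does. The log path below is the default DHCP server log location and is an assumption about the poster's system.

```nxlog
# Added example: drop the DHCP log preamble by content rather than by line
# count, so the filter keeps working if Microsoft changes the legend length.
<Input dhcp>
    Module      im_file
    # Default DHCP server audit log location (assumed); the wildcard picks
    # up the per-weekday files DhcpSrvLog-Mon.log ... DhcpSrvLog-Sun.log.
    File        "C:\\Windows\\System32\\dhcp\\DhcpSrvLog-*.log"
    SavePos     TRUE
    # Real records look like "24,01/23/18,00:00:03,Database Cleanup Begin,...".
    # Anything that does not begin with <digits>, is preamble and is dropped,
    # including the "ID,Date,Time,..." header line.
    Exec        if $raw_event !~ /^\d+,/ drop();
</Input>
```

Because the check is on the record itself, a rotated file that repeats the legend is handled the same way as the first one, which a fixed "skip 32 lines" counter would not do.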
Document for nxlog installation ( nxlog-3.99.3269-1aix.ppc.trial.rpm ) in AIX 7.1
rengithav created
Can someone please provide a documentation for nxlog installation ( nxlog-3.99.3269-1aix.ppc.trial.rpm ) in AIX 7.1.
Module xm_syslog with delimiter
_omar_ created
Hello:
I have spent a week trying to replace the default TAB delimiter with a comma; so far I have this:
<Extension _syslog>
Module xm_syslog
Delimiter ,
</Extension>
<Input in>
Module im_msvistalog
</Input>
<Output out>
Module om_tcp
Host 192.168.1.2
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>
I also tried changing , to 0x2C.
Sadly it doesn't work; all I can see is the delimiter changed to a strange character, <NULL>. I'm using the latest community version.
I really hope that someone can help me with a clear answer.
xm_multiline sometimes does not work on the first line
walilav created
I am parsing my own log file and sending it to logstash.
My log file looks like the one below.
2018-02-01 12:01:59,574 receive 'AccountReady' is True. account is 12345.
Current local time is 2018-02-01 12:01:59.574. Current UTC time is 2018-02-01 04:01:59.574.
2018-02-01 12:01:59,685 receive 'AccountReady' is True. account is 23456.
Current local time is 2018-02-01 12:01:59.685. Current UTC time is 2018-02-01 04:01:59.685.
2018-02-01 12:01:59,710 receive 'AccountReady' is True. account is 34567.
Current local time is 2018-02-01 12:01:59.710. Current UTC time is 2018-02-01 04:01:59.710.
2018-02-01 12:07:12,460 _Disconnect
2018-02-01 12:07:13,382 BeforeReConnect is triggered.
2018-02-01 12:07:14,449 AfterReConnec is triggered (It`s already reconnected.)
2018-02-01 12:07:14,451 Restart is not trigger because the connection is reconnected.
I have many files like this,
and the nxlog config looks like this:
<Extension multi>
Module xm_multiline
HeaderLine /^(\d{4}\-(0[1-9]|1[012])\-([0|1|2]\d|3[0|1]) ([0|1]\d|2[0-3])\:([0-5]\d)\:([0-5]\d),\d{3})/
</Extension>
<Input aplogfile>
Module im_file
File "C:\\Code\\MyProj\\bin\\Debug\\Logs\\*.*"
SavePos TRUE
ReadFromLast FALSE
InputType multi
</Input>
<Output udp_logstash>
Module om_udp
Host 192.168.1.104
Port 12020
OutputType Dgram
</Output>
<Route 1>
Path aplogfile => udp_logstash
</Route>
Most of these logs are parsed correctly, but some messages are not.
For example, the first two lines should be sent as one message, but they are sent twice, as the first line and the second line.
This situation only happens at the first line in some files.
Has anyone ever run into the same problem?
Thanks!
Issues with im_mark and timely generation
nmoss created
We are currently using im_mark to generate heartbeat events in order for our monitoring to prove that log flow is operational. On several source machines we are having issues where the heartbeats do not appear to be generated in a timely manner, causing significant quantities of false alerts.
The configuration uses im_mark to generate a mark event at (currently) 5 minute intervals which is then used in two routes. The first sends it to the destination along with the log data where it is used by the monitoring software, the second writes it out to a file for debug purposes. On affected machines this file is reporting that (usually) two heartbeats are being generated at 5 minute intervals before an (apparently random) delay of between 15 minutes and approximately 80 minutes. During these periods the service continues running correctly and log data is submitted.
Attempted resolutions:
Restart service. No effect.
Remove the configcache.dat file. No effect.
Increased the generation time from 1 to 5 minutes. Issue appeared to go but returned on different machines after a week or so.
Increased the number of threads in the configuration. No effect.
Tested both the raw Windows API (WaitForSingleObject) and Apache Portable Runtime apr_thread_cond_timedwait methods with a simple test program. Issue was not evident.
Please let me know if you require any additional information.
Send Specific windows security event to graylog server
navdeepsingh83 created
Hi Folks,
I have been playing with the nxlog config for more than 24 hrs, but I am not able to get a specific Windows security event into the Graylog server. I can send non-filtered events without issue.
Here is the nxlog.conf file
# This is a sample configuration file. See the nxlog reference manual about the
# configuration options. It should be installed locally and is also available
# online at http://nxlog.org/docs/
# Please set the ROOT to the folder your nxlog was installed into,
# otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
Module xm_syslog
Module xm_gelf
Module im_msvistalog
Query
#
#
# [System[(EventID=EventID=4625 or EventID=4740)]]
Module pm_buffer
# 100Mb disk buffer
MaxSize 102400
Type disk
Module om_tcp
Host SERVER_IP
Port 5044
OutputType GELF_TCP
Exec $short_message = $raw_event;
Path in => out
************************************
In the log file I get the following error:
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events using bookmark: The specified query is invalid.
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 15001]
Sometimes the error changes and the service won't start; this happens when I uncomment the specific-event line and comment out the all-security-events line:
nxlog failed to start: Expected but saw at C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf:31
I'd appreciate it if someone could guide me in the right direction.
Thanks,
Navdeep
Windows 10 nxlog service fails
Fibonacci created
New deployment on a Windows 10 OS which should push logs to an AlienVault SIEM; when I replace the config file with the file provided by AlienVault, the nxlog service fails to start.
Log shows the following error message:
nxlog failed to start: Expected </Processor> at C:\Program Files (x86)\nxlog\conf\nxlog.conf:809
Override the SourceModuleName
Thomas created
Is it possible to override the SourceModuleName?
Module om_ssl
...
....
....
Exec $SourceModuleName = "Thomas";
Thanks in Advance
Thomas
Change tab for comma
_omar_ created
Hi.
I am trying to send Windows events. How can I change the default field separator (tab) to a comma?
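An added example for both of _omar_'s questions (the one above and the earlier "Module xm_syslog with delimiter" post); this is not the poster's config and not an NXLog-supplied snippet. The separator that to_syslog_snare() emits is set by xm_syslog's own SnareDelimiter directive, and SnareReplacement controls what is written in place of a delimiter character that occurs inside a field value. The host and port are taken from the earlier post.

```nxlog
# Added example: Snare-format output with a comma as field separator.
<Extension _syslog>
    Module              xm_syslog
    # Character placed between fields by to_syslog_snare() (default is TAB).
    SnareDelimiter      ,
    # Character substituted for any comma found inside a field value. Without
    # a replacement, a comma in an event message would shift every following
    # column when the receiver splits the line on commas.
    SnareReplacement    ;
</Extension>

<Input in>
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_tcp
    Host        192.168.1.2
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>
```

The replacement character matters for anyone parsing these lines on the receiver: Windows event messages routinely contain commas (process command lines, for instance), so a delimiter change without a replacement silently corrupts column alignment for exactly the events an analyst cares about.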
om_ssl certificate verification failed with AllowUntrusted TRUE
ToddChapman created
Hi,
I'm using om_ssl to send syslog over TLS with the following config.
<Output syslog>
Module om_ssl
Host my_host
Port 514
AllowUntrusted TRUE
OutputType Syslog_TLS
Exec to_syslog_ietf();
</Output>
Nxlog is producing the following error: ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)
How do I configure om_ssl to skip all certificate verification?
Thanks!
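An added example, not the poster's config and not an NXLog-supplied snippet: the error "unable to get local issuer certificate" means om_ssl could not build a trust chain for the server's certificate. Instead of turning verification off, the usual fix is to give om_ssl the CA that issued that certificate, which both removes the error and actually authenticates the collector. The ROOT define and the CA file path are assumptions (a Windows install layout like the default nxlog.conf); Host, Port and the output type come from the post.

```nxlog
# Added example: TLS syslog output that verifies the collector's certificate.
define ROOT C:\Program Files (x86)\nxlog

<Output syslog>
    Module          om_ssl
    Host            my_host
    Port            514
    # PEM bundle containing the issuer of my_host's server certificate.
    # If the server presents only an intermediate, the root must be in here
    # as well, otherwise the chain still ends with "unable to get local issuer".
    CAFile          %ROOT%\cert\collector-ca.pem
    # Keep verification on (this is the default, stated here for clarity).
    # AllowUntrusted TRUE would accept any certificate, including one
    # presented by a host sitting between nxlog and the collector.
    AllowUntrusted  FALSE
    OutputType      Syslog_TLS
    Exec            to_syslog_ietf();
</Output>
```

If the collector uses a self-signed certificate, put that certificate itself in the CAFile; it is its own issuer, so the chain verifies without disabling checks.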
NXLog Windows Service crash on termination/stop
bosarebo created
Hello!
We run NXLog version nxlog-3.2.1991-x86 on Windows Server 2016.
Thanks for a good and well-documented product. However, we have an issue when shutting down the NXLog service. Sometimes stopping the service fails with the following error message:
"Error 109: The pipe has been ended".
When this happens, no cache file is created (configcache.dat) and at startup the whole table is sent again.
It is easy to reproduce this issue: just stop the service after 5 seconds of running. However, it also happens after a run time of 24 hours.
On this machine we use NXLog for monitoring a table in MS SQL and sending the content to syslog over TCP. We have not changed the default setting for the table polling interval (every second). As a workaround we will lower the polling interval to every 60 seconds.
Kind regards.
// Erik
file_remove with a variable
Thomas created
Dear Community
I have an output module writing to a file, which creates a folder named after the incoming IP address. In this folder there will be a file named Syslog+time+.log. This file is created anew every hour. That works very well. Every new syslog sender creates a new folder with its own IP address.
Abstract
C:\Program Files (x86)\nxlog\data\<IP Address>\Syslog-<time>.log
Reality
C:\Program Files (x86)\nxlog\data\123.123.123.123\Syslog-2018-23-01.log
C:\Program Files (x86)\nxlog\data\123.123.123.123\Syslog-2018-23-02.log
and so on
another folder
C:\Program Files (x86)\nxlog\data\124.124.124.124\Syslog-2018-23-01.log
Code:
Module om_file
File $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
CreateDir TRUE
Up to this stage everything works.
Now I want to create a deletion process for the files which are older than a particular time.
I tried to use the file_remove function, but it is not working for me.
I try to get the IP folder name with $MessageSourceAddress. Therefore I create a variable (test). This variable should carry the folder name (123.123.123.123),
with
Exec {if not defined get_var('test') {create_var('test');} set_var('test',$MessageSourceAddress);}
Now I try to request the variable back in the file_remove function:
Exec file_remove('C:\Program Files (x86)\nxlog\data\+ 'get_var('test')'\*.log', (now()));
I always get this error:
2018-01-23 14:20:20 WARNING stopping nxlog service
2018-01-23 14:20:20 WARNING nxlog received a termination request signal, exiting...
2018-01-23 14:20:22 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:96; couldn't parse statement at line 96, character 72 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected TOKEN_FUNCPROC, expecting )
2018-01-23 14:20:22 ERROR module 'file2' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:130
2018-01-23 14:20:22 WARNING not starting unused module eventlog
Whole output module:
Module om_file
File $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
CreateDir TRUE
## Variable create
Exec {if not defined get_var('test') {create_var('test');} set_var('test',$MessageSourceAddress);}
## delete old files
Exec file_remove('C:\\Program Files (x86)\\nxlog\\data\\+ 'get_var('test')'\\*.log', (now()));
Exec to_syslog_ietf();
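An added example, not the poster's config and not an NXLog-supplied snippet. The parse error at character 72 is in the file_remove() argument: the string literal and get_var() are run together with no + operator between them, so the parser hits a function where it expects the closing parenthesis. The module variable is also unnecessary: an Exec in om_file runs per event, and $MessageSourceAddress is already set on that event, so it can be concatenated directly. The seven-day retention is an assumption, as is the unit of the arithmetic (an integer subtracted from a datetime is taken here to be seconds).

```nxlog
# Added example: hourly per-sender files with per-sender cleanup.
<Output file2>
    Module      om_file
    File        $MessageSourceAddress + "/Syslog-" + strftime(now(), "%Y-%m-%d-%H") + ".log"
    CreateDir   TRUE
    # Delete this sender's files older than 7 days (604800 s, assumed unit).
    # Every piece is joined with +; the literal keeps the doubled backslashes
    # so that "\\" reaches the file system as a single path separator.
    Exec        file_remove('C:\\Program Files (x86)\\nxlog\\data\\' + $MessageSourceAddress + '\\*.log', now() - 604800);
    Exec        to_syslog_ietf();
</Output>
```

Note that this scans the sender's directory on every event. If that is too expensive on a busy collector, move the file_remove() call into a <Schedule> block on the module; there is no event context inside a schedule, so $MessageSourceAddress is not available and the path pattern has to be fixed.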
Merge two syslog events to a new one
GLE created
Hello,
What is the best way to merge information from two events into a new one?
I have one event with connection information and a second event with the user ID. And I need the user ID added to the first event with the connection information, forwarded in a syslog stream. There is a connection ID in the event that I can use as a filter.
Problem is, that there are some more events too with the same connection ID.
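An added example, not the poster's config and not an NXLog-supplied snippet. NXLog cannot hold an event back until a later one arrives, so the merge has to run the other way round: the connection event's details are stashed in a module variable keyed by the connection ID and the event itself is dropped; when the user-ID event with the same ID arrives, the stashed details are copied into it and that single enriched event is what goes out. The field names ($EventType, $ConnectionID, $ClientAddress, $UserID), the 'connect'/'auth' values and the module names in the route are assumptions about how the two source events are parsed; $ConnectionID is assumed to be a string. Other events that share the connection ID pass through unchanged.

```nxlog
# Added example: join two events on a connection ID with module variables.
<Processor merge>
    Module  pm_null
    Exec    if $EventType == 'connect' \
            { \
                # Stash the connection details. The 600 s lifetime makes the \
                # variable expire on its own, so a connection that never \
                # authenticates cannot grow the table without bound. \
                if not defined get_var('conn_' + $ConnectionID) \
                    create_var('conn_' + $ConnectionID, 600); \
                set_var('conn_' + $ConnectionID, $ClientAddress); \
                drop(); \
            } \
            else if $EventType == 'auth' and defined get_var('conn_' + $ConnectionID) \
            { \
                # Enrich the user event with the stashed connection details \
                # and release the variable; to_syslog_ietf() in the output \
                # emits the fields as structured data. \
                $ClientAddress = get_var('conn_' + $ConnectionID); \
                delete_var('conn_' + $ConnectionID); \
            }
</Processor>

<Route 1>
    Path    in => merge => out
</Route>
```

The lifetime is the important knob: an attacker (or just a flaky client) opening many connections without ever producing the user event would otherwise leave a variable behind for each one. Events with other $EventType values are neither stored nor altered, which is what keeps the "other events with the same connection ID" out of the way.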
DateFormat in global directives
derqurps created
I was trying to change the global DateFormat as stated in the docs, to be able to have the milliseconds included in the output after parsing JSON, but when I start nxlog I get the message "Invalid keyword: DateFormat at /etc/nxlog.conf".
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
DateFormat "YYYY-MM-DDThh:mm:ss.sUTC"
The version of nxlog is 2.9.1716 (nxlog-ce)
Am i doing something wrong? Or is this function not supported in the community edition?
Thanks,
Roman
Can you add username to logs?
magneton created
Hi All,
Is it possible to use the Exec command to add the username to logs? If so, can someone point me to a resource on how to do it?
Can the same be used to add the currently assigned IP address?
Regards
Jake
Filtering eventlog with GELF_TCP - no information, no errors in log
Fl0w created
Hello folks,
For weeks I have been trying to get filtered information from a domain controller, but I don't get the right information.
If I choose the event IDs I want to get, there is no input on the Graylog side, but if I select * from Application, Security or System, all the messages come through. But I don't want that.
I only want add, modify and delete account, for example.
How do I have to do that?
Here is one of my spectacular config files with filters:
https://pastebin.com/cptCmt9e
and thats the simple working one
https://pastebin.com/aXt5waFT
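An added example that serves both this post and navdeepsingh83's "Send Specific windows security event to graylog server" above; it is not either poster's config and not an NXLog-supplied snippet. Two things break the earlier Query: the XPath contains "EventID=EventID=4625", which is not a valid test, and a Query directive has to be a single line (or use backslash continuations) so a query spread over several lines is a config parse error. A QueryXML block sidesteps both. SERVER_IP, the GELF port and the output Exec come from that post; the Security log event IDs are the standard ones (4625 failed logon, 4740 lockout, 4720 account created, 4726 account deleted, 4738 account changed), which cover the add/modify/delete case asked about here.

```nxlog
# Added example: forward only selected Security events to Graylog over GELF.
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
    # XML form of the subscription; no line continuations needed.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4625 or EventID=4740 or EventID=4720 or EventID=4726 or EventID=4738)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module      om_tcp
    Host        SERVER_IP
    Port        5044
    OutputType  GELF_TCP
    Exec        $short_message = $raw_event;
</Output>

<Route 1>
    Path        in => out
</Route>
```

Before blaming the collector side, confirm the subscription is accepted: with an invalid XPath the nxlog.log shows the "failed to subscribe ... the Query is invalid" line from the earlier post, whereas a valid query that simply matches nothing produces no error and no events, which is the silent case this post describes. A quick way to separate the two is to trigger one of the selected IDs deliberately (a single failed logon produces 4625) and watch for it at the output.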
nxlog-ce blocking system on missing /dev/log
Mario.Fetka created
With the community edition, when nxlog-ce is listening on /dev/log and for some reason systemd-journald (Debian 9) removes the socket, nxlog blocks the complete host (not even login is possible). After a restart of nxlog the host recovers.