
I can't send event logs from Windows Server 2016.

Hello,

I can send the event log from Server 2012 with the same configuration, but it is not running on Server 2016. The event log does not go to Graylog. Does NXLog not work on Server 2016? If so, what is the appropriate nxlog.conf?

Thanks.


uptimeexpert created
Replies: 6
csv to syslog (Linux) - Cisco Umbrella files.
So...

I have about 3 days of experience with NXLog and what I am attempting to do is pull Cisco Umbrella Logs via an s3fs mount, unzip them and then read the logs using nxlog.

I am still working out the specifics of how to get all the logs unzipped and into one working file but my test file is failing to be read and sent to the syslog server.

I have taken a new nxlog.conf and set it up with the following:


```
########################################
# Global directives #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules #
########################################
<Extension csv>
Module xm_csv
</Extension>

<Input in>
Module im_file
File "/tmp/incoming.csv"
</Input>

<Output out>
Module om_udp
Host 10.x.x.x
Port 10514
Exec to_syslog_bsd();
</Output>

########################################
# Routes #
########################################
<Route 1>
Path in => out
</Route>
```


My nxlog.log file shows no issues with the connection or service but I am not getting any data from my test file.

Has anyone been able to do this or can you provide guidance on why I am not getting any data to transfer using my current setup?

schrammbo created
Replies: 1
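For the Umbrella pipeline described above, here is an added configuration of my own (not the poster's config and not text from the NXLog manual) that declares the CSV columns so each record is parsed into fields and rebuilt as a syslog message, instead of being handed to to_syslog_bsd() unparsed. The column list is the Umbrella DNS export layout as I recall it, and the mount path and collector address are placeholders; all three are assumptions to check against the actual files:

```apacheconf
########################################
# Modules
########################################
<Extension csv>
    Module  xm_csv
    # Umbrella DNS log columns as I recall them (assumption; verify against an export).
    # Delimiter and quote character are left at the xm_csv defaults (comma, double quote).
    Fields  $Timestamp, $MostGranularIdentity, $Identities, $InternalIp, $ExternalIp, \
            $Action, $QueryType, $ResponseCode, $Domain, $Categories, \
            $MostGranularIdentityType, $IdentityTypes, $BlockedCategories
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    # Placeholder for the s3fs mount holding the unzipped exports.
    File    "/mnt/umbrella/dnslogs/*.csv"
    ReadFromLast FALSE
    # Constructed sample record the parser expects:
    # "2018-02-01 12:00:00","user1","user1,Default Site","10.0.0.5","203.0.113.9","Blocked","1 (A)","NOERROR","example.net","Malware","Users","Users,Sites","Malware"
    <Exec>
        # Skip an optional column-header line and blank lines.
        if $raw_event =~ /^("?Timestamp"?,|\s*$)/ drop();
        parse_csv();
        $EventTime = parsedate($Timestamp);
        # Umbrella is a cloud service, so name the source explicitly
        # instead of letting the collector host appear as the origin.
        $Hostname = "umbrella";
        $SyslogFacilityValue = 1;
        $SyslogSeverityValue = 6;
        if $Action == "Blocked" $SyslogSeverityValue = 4;
        $Message = "action=" + $Action + " domain=" + $Domain + " client=" + $InternalIp +
                   " identity=" + $MostGranularIdentity + " qtype=" + $QueryType +
                   " rcode=" + $ResponseCode + " categories=" + $Categories;
    </Exec>
</Input>

<Output out>
    Module  om_udp
    # Placeholder collector address.
    Host    10.0.0.1
    Port    10514
    Exec    to_syslog_bsd();
</Output>

########################################
# Routes
########################################
<Route 1>
    Path    in => out
</Route>
```

Note that to_syslog_bsd() is provided by xm_syslog, so the extension has to be loaded even though nothing references it by name; the original config above declares xm_csv but never calls parse_csv(), which is why the file contents were never turned into fields.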
Nxlog syntax for capturing Windows Event Viewer logs
Hello, I am using NXLOG to capture Windows Event Viewer logs. I have the requirements below:

(1) Forward Event ID 4624 events.
(2) Forward Event ID 4689 events only for a specific process name (say notepad.exe). By default 4689 is common to many processes.

Both of the above events are from the "Security" category of Event Viewer. If I use the syntax below, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same query ID. How can I configure both of the above filters together in my QUERY block?

```
Query \
    \
    *[System[(EventID=4624]]\
    *[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='')]]\
    \
```

Do I need to define 2 separate QUERY blocks, one with ID=0 and the other with ID=1, like this?

```
Query \
    \
    *[System[(EventID=4624]]\
    \
    \
    *[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]\
    \
```

Neeraj79 created
Replies: 1
database log severity.

Hello There,

I'm working on a customer PoC to collect database logs, convert them to syslog and send them to another monitoring tool.

om_file is working as expected, but everything is sent with INFO severity. Is there any way I can process that DB log format so that it carries a severity in syslog?

thank you , Kriengsak


pissanello created
Replies: 1
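On the severity question: to_syslog_bsd() builds the PRI value from $SyslogSeverityValue and $SyslogFacilityValue when they are set and falls back to INFO otherwise, so the level token has to be pulled out of each line and mapped before the conversion runs. The configuration below is an added example of mine, not the poster's config or NXLog documentation; the log line layout, file path and collector address are assumptions, and the same Exec block works unchanged in front of om_file:

```apacheconf
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input dblog>
    Module  im_file
    # Placeholder path. Constructed sample lines the pattern below expects:
    #   2018-02-01 12:00:01 ERROR connection to replica lost
    #   2018-02-01 12:00:02 INFO checkpoint complete
    File    "/var/log/db/server.log"
    <Exec>
        if $raw_event =~ /^(\S+ \S+) (\w+) (.+)$/
        {
            $EventTime = parsedate($1);
            $Message   = $3;
            # Map the database log level onto syslog severities (RFC 5424 numbering).
            if      $2 == "FATAL"   $SyslogSeverityValue = 2;
            else if $2 == "ERROR"   $SyslogSeverityValue = 3;
            else if $2 == "WARNING" $SyslogSeverityValue = 4;
            else if $2 == "INFO"    $SyslogSeverityValue = 6;
            else                    $SyslogSeverityValue = 7;
            # Facility 3 is "daemon".
            $SyslogFacilityValue = 3;
        }
        else
        {
            # Lines without a level token (stack traces, continuation lines)
            # are forwarded as NOTICE rather than silently as INFO.
            $SyslogSeverityValue = 5;
            $SyslogFacilityValue = 3;
        }
    </Exec>
</Input>

<Output out>
    Module  om_udp
    # Placeholder collector.
    Host    10.0.0.1
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route r>
    Path    dblog => out
</Route>
```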
How to forward Event ID's for specific process names
Hello, We are using NXLOG to forward our Windows Event Viewer logs to our syslog server. On our Windows clients we have enabled process auditing, so this logs 1000s of events for every process that gets launched and terminated. There is a common event ID, 4688, when a process gets created (launched). If we launch 5 different programs/processes on the Windows client, this in turn creates 5 events, each with the same event ID 4688, but the actual message in each event contains the name of the corresponding process or program that was launched. For example:

Event 4688 ... a process "cmd.exe" was launched
Event 4688 ... a process "word.exe" was launched
Event 4688 ... a process "notepad.exe" was launched
Event 4688 ... a process "abc.exe" was launched
Event 4688 ... a process "xyz.exe" was launched

My requirement is to only forward those events that are coming from a particular process, say "notepad.exe", and ignore the other processes even though each one of them has the same EVENT ID. I hope I am clear.

Below is a snippet of the "Input" module from my nxlog.conf. How can I customize or filter my code below to filter on the process name "notepad.exe" that I want, instead of sending every event 4688?

```
Module im_msvistalog
ReadFromLast True
Query \
    \
    *[System[(EventID=4688]]\
    \
```

Neeraj79 created
Replies: 1
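Both of Neeraj79's questions on this page (combining the 4624 and 4689 filters in one query, and forwarding only the notepad.exe 4688 events) can be handled by a single input. The following is an added example that I wrote; it is neither the poster's config nor text from the NXLog manual, and the collector address and the notepad.exe path are placeholders. One `<Query>` element may contain several `<Select>` elements, so two Security selects under the same Query Id are legal. The 4689 filter is expressed as an EventData predicate inside the XPath, which Windows evaluates at subscription time, so the non-matching process-exit events are never delivered to NXLog at all. The 4688 case shows the other option: subscribe to every 4688 and drop in Exec on the `NewProcessName` field, which costs more event traffic but allows a case-insensitive pattern instead of an exact string:

```apacheconf
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_msvistalog
    ReadFromLast TRUE
    # One <Query> may hold several <Select> elements, each with its own XPath.
    Query   <QueryList>                                                                 \
                <Query Id="0">                                                          \
                    <Select Path="Security">*[System[EventID=4624]]</Select>            \
                    <Select Path="Security">*[System[EventID=4689] and EventData[Data[@Name='ProcessName']='C:\Windows\System32\notepad.exe']]</Select> \
                    <Select Path="Security">*[System[EventID=4688]]</Select>            \
                </Query>                                                                \
            </QueryList>
    <Exec>
        # 4688 carries the started binary in NewProcessName. Filtering here,
        # after the event has been read, allows a case-insensitive regex;
        # everything that was not a notepad.exe launch is dropped.
        if $EventID == 4688 and $NewProcessName !~ /\\notepad\.exe$/i drop();
    </Exec>
</Input>

<Output out>
    Module  om_udp
    # Placeholder syslog collector.
    Host    10.0.0.1
    Port    514
    Exec    to_syslog_snare();
</Output>

<Route r>
    Path    in => out
</Route>
```

The XPath string comparison is exact, so the 4689 select only matches the path as Windows records it; when a process can be started from more than one location, the Exec-side regex on the field is the more forgiving of the two approaches.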
How to parse JSON logs to syslog format?
nxlog-ce-2.9.1716
Ubuntu 16.04 LTS (OS)

I am trying to parse JSON to SYSLOG

There are two issues.
1. the NoCache TRUE does not seem to work. (I also tried SavePOS false) and it always caches the file.

2. When I do get it to work; it uses the localhost (which is not where the logs are from) and the time/date stamp from the JSON file (but no other data is there).

Is there an example of parsing JSON to to_syslog_bsd() for forwarding to a SIEM?

```
########################################
# Global directives #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel DEBUG
NoCache TRUE

########################################
# Modules #
########################################
Module xm_json

Module xm_syslog

SavePos FALSE
Module im_file
File '/tmp/json/*.json'
Exec $Message = to_json(); to_syslog_bsd();

Module om_file
File "/var/log/nxlog/syslog.log"
Exec to_syslog_bsd();

########################################
# Routes #
########################################
Path in => fileout1
```

resulting output is

```
Feb 16 02:43:14 [redacted hostname] {"EventReceivedTime":"2018-02-16 02:43:14","SourceModuleName":"in","SourceModuleType":"im_file"}
```
Date is localtime for the conversion

Source JSON is OKTA logs


cbitterfield created
Replies: 1
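On the Okta question: to_json() serialises the fields an event already has, but in the posted config nothing parses the JSON line first, so the only fields present are the ones im_file itself sets (EventReceivedTime, SourceModuleName, SourceModuleType), and the syslog header is stamped with the collector's own host and clock. The added example below is mine, not the poster's config; it calls parse_json() before anything else and then fills $EventTime and $Hostname from the record. The field names `published` (event time) and `source_host` (origin) are assumptions to adjust to the real records:

```apacheconf
<Extension json>
    Module  xm_json
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    File    '/tmp/json/*.json'
    SavePos FALSE
    ReadFromLast FALSE
    # Constructed sample record (one JSON object per line):
    #   {"published":"2018-02-16T02:43:14.000Z","source_host":"okta","eventType":"user.session.start"}
    <Exec>
        # Turn the JSON text into fields; without this step to_json() only
        # re-serialises the fields im_file itself set.
        parse_json();
        # Assumed field names: published (event time), source_host (origin).
        if defined($published)   $EventTime = parsedate($published);
        if defined($source_host) $Hostname  = $source_host;
        # Forward the original record as the syslog message body.
        $Message = $raw_event;
    </Exec>
</Input>

<Output fileout1>
    Module  om_file
    File    "/var/log/nxlog/syslog.log"
    Exec    to_syslog_bsd();
</Output>

<Route r>
    Path    in => fileout1
</Route>
```

If the message body should be the re-serialised event rather than the original line, replace the last assignment with `$Message = to_json();` after the parse, which then includes the parsed fields as well.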
Routing For a Subnet/Host

Currently we can route based off of MessageSourceAddress. But we are interested in routing messages to a folder based off of particular octets.

For example...(this doesn't work...just used to show what we would like to try to do on a conceptual basis).

if ($MessageSourceAddress == "192.*.*.100" ) { reroute("1"); }

We've tried escaping the wildcards, using 0s...I don't think that regex would work there...so what is the prescribed solution? Does anybody have something similar in place? Even just to get a host that ends in a specific octet would be helpful.

Regards,

-Tony


tlay created
Replies: 1
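On the octet question: the NXLog language has no wildcard matching on addresses, but it does have the `=~` and `!~` regular-expression operators, and $MessageSourceAddress can be converted with string() before the match. The example below is mine, not the poster's config. It feeds one input to two outputs and lets each output drop() what is not meant for it; the anchored pattern is the same test the post's existing reroute("1") call could wrap. File paths are placeholders:

```apacheconf
<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_udp
    Host    0.0.0.0
    Port    514
    # im_udp sets $MessageSourceAddress to the sender's IP address.
    Exec    parse_syslog();
</Input>

# Any sender of the form 192.x.y.100. Both ends are anchored so that
# 192.0.2.1000 or 1192.0.2.100 cannot match.
define HOST100 /^192\.\d{1,3}\.\d{1,3}\.100$/

<Output out_100>
    Module  om_file
    File    "/var/log/nxlog/octet100.log"
    Exec    if string($MessageSourceAddress) !~ %HOST100% drop();
</Output>

<Output out_rest>
    Module  om_file
    File    "/var/log/nxlog/others.log"
    Exec    if string($MessageSourceAddress) =~ %HOST100% drop();
</Output>

<Route r>
    Path    in => out_100, out_rest
</Route>
```

Because the event is copied to every output on the route, a drop() in one output's Exec only discards that output's copy, which keeps the decision local to each destination.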
Windows Event to rsyslog

Hello,

I'm trying to forward Windows Event logs to a server that uses rsyslog. I've read through the reference manual for configuration but I keep getting the same error when starting the executable.

It says "ERROR apr_sockaddr_info failed for hostname:port#; The requested name is valid, but no data of the requested type was found."

I'm not sure what that means, been stuck on it for over a week now. Have all of my firewalls off so don't think it's that. Does nxlog work with ipv6 addresses? That seems to be the only difference between my systems and the examples I've read


doomfront created
Replies: 1
nxlog.conf; syntax error, unexpected -, expecting (
Hi, I was wondering why the following config results in an error:

*nxlog.conf; syntax error, unexpected -, expecting (*

```
Module im_msvistalog
Exec if $cs-uri-stem == '/health' drop();
```

I am trying to filter some URLs from the event log's IIS log. I got it partially working with the XPath query, but I think that the drop filter method makes it far more flexible. thx!

w.schmitt@evidos.nl created
Replies: 1
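On the syntax error: the config parser stops at the first hyphen of `$cs-uri-stem`, because a bare field name may only contain letters, digits and underscores; names with other characters have to be written in the `${...}` form. Added example (mine, not the poster's config), with a defined() guard because not every event delivered by im_msvistalog carries that field:

```apacheconf
<Input in>
    Module  im_msvistalog
    <Exec>
        # ${...} quotes a field name that contains a hyphen; written as
        # $cs-uri-stem the parser reads the hyphen as an operator.
        if defined(${cs-uri-stem}) and ${cs-uri-stem} == '/health' drop();
    </Exec>
</Input>
```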
Latest source doesn't match latest binaries? nxlog-ce-2.9.1716

Does someone have a link to the latest source for nxlog-ce-2.9.1716?


spacefuzz created
Replies: 1
Ignore lines in a file

Hello, I was wondering is there a command where I can tell NXLOG to ignore the first 32 lines of a file that I am wanting to read in? The log file is a DHCP log on Win 2012 R2 and the first 32 lines are info about Event IDs and their meanings. I'd like to tell NxLog to ignore the first 32 lines when reading in the log files. Thanks in advance for any info. Really love nxlog.


Selmack created
Replies: 1
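On skipping the preamble: NXLog has no "start at line N" directive for im_file, and a line counter in Exec would not reset per file and would be confused by a saved position after a restart. What works is to match on the shape of a real audit record and drop() everything else, which skips the legend and the column header regardless of their length. The configuration below is an added example of mine, not the poster's config; the column names are the DHCP server audit log layout as I recall it and the collector address is a placeholder, so both are assumptions:

```apacheconf
<Extension csv>
    Module  xm_csv
    # DHCP audit log columns as I recall them (assumption; the column header
    # line in the file itself is authoritative).
    Fields  $ID, $Date, $Time, $Description, $IPAddress, $HostName, $MACAddress, \
            $UserName, $TransactionID, $QResult, $ProbationTime, $CorrelationID, \
            $Dhcid, $VendorClassHex, $VendorClassASCII, $UserClassHex, \
            $UserClassASCII, $RelayAgentInformation, $DnsRegError
</Extension>

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input dhcp>
    Module  im_file
    File    "C:\Windows\System32\dhcp\DhcpSrvLog-*.log"
    # Constructed sample record:
    #   10,02/01/18,12:00:01,Assign,10.0.0.55,host1.example.net,001122334455,,0,6,,,,,,,,,0
    <Exec>
        # Every audit record starts with a numeric event ID, an MM/DD/YY date
        # and an HH:MM:SS time. The preamble lines do not, so they are dropped
        # without counting them.
        if $raw_event !~ /^\d+,\d\d\/\d\d\/\d\d,\d\d:\d\d:\d\d,/ drop();
        parse_csv();
        $EventTime = strptime($Date + " " + $Time, "%m/%d/%y %H:%M:%S");
        $Message   = "dhcp id=" + $ID + " " + $Description + " ip=" + $IPAddress +
                     " host=" + $HostName + " mac=" + $MACAddress;
    </Exec>
</Input>

<Output out>
    Module  om_udp
    # Placeholder collector.
    Host    10.0.0.1
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route r>
    Path    dhcp => out
</Route>
```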
Document for nxlog installation ( nxlog-3.99.3269-1aix.ppc.trial.rpm ) in AIX 7.1

Can someone please provide a documentation for nxlog installation ( nxlog-3.99.3269-1aix.ppc.trial.rpm ) in AIX 7.1.


rengithav created
Replies: 1
Module xm_syslog with delimiter
Hello, I have spent a week trying to replace the default TAB delimiter with a comma. So far I have this:

```
Module xm_syslog
Delimiter ,

Module im_msvistalog

Module om_tcp
Host 192.168.1.2
Port 514
Exec to_syslog_snare();

Path in => out
```

I also tried changing `,` to `0x2C`. Sadly it doesn't work; all I can see is the delimiter changed to a strange character. I'm using the latest community version. I really hope that someone can help me with a clear answer.

_omar_ created
Replies: 1
xm_multiline sometimes does not work at the first line.
I am parsing my own log file and sending it to Logstash. My log file looks like this:

```
2018-02-01 12:01:59,574 receive 'AccountReady' is True. account is 12345.
Current local time is 2018-02-01 12:01:59.574. Current UTC time is 2018-02-01 04:01:59.574.
2018-02-01 12:01:59,685 receive 'AccountReady' is True. account is 23456.
Current local time is 2018-02-01 12:01:59.685. Current UTC time is 2018-02-01 04:01:59.685.
2018-02-01 12:01:59,710 receive 'AccountReady' is True. account is 34567.
Current local time is 2018-02-01 12:01:59.710. Current UTC time is 2018-02-01 04:01:59.710.
2018-02-01 12:07:12,460 _Disconnect
2018-02-01 12:07:13,382 BeforeReConnect is triggered.
2018-02-01 12:07:14,449 AfterReConnec is triggered (It`s already reconnected.)
2018-02-01 12:07:14,451 Restart is not trigger because the connection is reconnected.
```

I have many files like this, and the nxlog config looks like this:

```
Module xm_multiline
HeaderLine /^(\d{4}\-(0[1-9]|1[012])\-([0|1|2]\d|3[0|1]) ([0|1]\d|2[0-3])\:([0-5]\d)\:([0-5]\d),\d{3})/

Module im_file
File "C:\\Code\\MyProj\\bin\\Debug\\Logs\\*.*"
SavePos TRUE
ReadFromLast FALSE
InputType multi

Module om_udp
Host 192.168.1.104
Port 12020
OutputType Dgram

Path aplogfile => udp_logstash
```

Most of these logs are parsed correctly, but some messages are not. For example, the first two lines should be sent as one message, but it is sent twice, as the first line and the second line. This situation only happens at the first line in some files. Has anyone run into the same problem? Thanks!

walilav created
Issues with im_mark and timely generation

We are currently using im_mark to generate heartbeat events in order for our monitoring to prove that log flow is operational. On several source machines we are having issues where the heartbeats do not appear to be generated in a timely manner, causing significant quantities of false alerts.

The configuration uses im_mark to generate a mark event at (currently) 5 minute intervals which is then used in two routes. The first sends it to the destination along with the log data where it is used by the monitoring software, the second writes it out to a file for debug purposes. On affected machines this file is reporting that (usually) two heartbeats are being generated at 5 minute intervals before a (apparently random) delay of between 15 minutes to approximately 80 minutes. During these periods the service continues running correctly and log data is submitted.

Attempted resolutions:

- Restart service. No effect.
- Remove the configcache.dat file. No effect.
- Increased the generation time from 1 to 5 minutes. Issue appeared to go but returned on different machines after a week or so.
- Increased the number of threads in the configuration. No effect.
- Tested both the raw Windows API (WaitForSingleObject) and Apache Portable Runtime apr_thread_cond_timedwait methods with a simple test program. Issue was not evident.

Please let me know if you require any additional information.


nmoss created
Send Specific windows security event to graylog server
Hi Folks, I have been playing with the nxlog config for more than 24 hrs but I am not able to get a specific Windows security event into the Graylog server. I can send non-filtered events without issue. Here is the nxlog.conf file:

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_syslog

Module xm_gelf

Module im_msvistalog
Query \
    \
    # *\
    # *\
    # *[System[(EventID=EventID=4625 or EventID=4740)]]\
    *\
    \

Module pm_buffer
# 100Mb disk buffer
MaxSize 102400
Type disk

Module om_tcp
Host SERVER_IP
Port 5044
OutputType GELF_TCP
Exec $short_message = $raw_event;

Path in => out
```

In the log file I get the following error:

```
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events using bookmark: The specified query is invalid.
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 15001]
```

Sometimes the error changes and the service won't start; this happens when I uncomment the specific event line and comment out the all-security-events line:

```
nxlog failed to start: Expected but saw at C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf:31
```

I'd appreciate it if someone can guide me in the right direction. Thanks, Navdeep

navdeepsingh83 created
Replies: 1
Windows 10 nxlog service fails
New deployment on Windows 10 OS which should push logs to an AlienVault SIEM, when I replace the config file with the file provided by AlienVault the nxlog service fails to start. Log shows the following error message: **nxlog failed to start: Expected at C:\Program Files (x86)\nxlog\conf\nxlog.conf:809**

Fibonacci created
Replies: 1
Override the SourceModuleName

Is it possible to override the SourceModuleName?

```
Module om_ssl
...
Exec $SourceModuleName = "Thomas";
```

Thanks in Advance

Thomas


Thomas created
Replies: 1
Change tab for comma

Hi. I am trying to send Windows events. How can I change the default field separator (tab) to a comma?


_omar_ created
Replies: 1
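For both of _omar_'s threads above (replacing the TAB between Snare fields with a comma): `Delimiter` is an xm_csv directive, not an xm_syslog one, so it does not affect to_syslog_snare(). The Snare formatter has its own pair of directives, which as I recall them from the xm_syslog reference are `SnareDelimiter` and `SnareReplacement`; that is an assumption to check against the manual for the installed version. Added example, not the poster's config:

```apacheconf
<Extension syslog>
    Module  xm_syslog
    # Separate Snare fields with a comma instead of TAB, and replace any comma
    # that occurs inside a field value so the record stays parseable.
    SnareDelimiter    ,
    SnareReplacement  ;
</Extension>

<Input in>
    Module  im_msvistalog
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.1.2
    Port    514
    Exec    to_syslog_snare();
</Output>

<Route r>
    Path    in => out
</Route>
```

The replacement character matters: event messages routinely contain commas, and without SnareReplacement a comma-delimited Snare record shifts columns on the receiving side.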
om_ssl certificate verification failed with AllowUntrusted TRUE
Hi, I'm using om_ssl to send syslog over TLS with the following config:

```
Module om_ssl
Host my_host
Port 514
AllowUntrusted TRUE
OutputType Syslog_TLS
Exec to_syslog_ietf();
```

NXLog is producing the following error:

`ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)`

How do I configure om_ssl to skip all certificate verification? Thanks!

ToddChapman created
Replies: 1
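The post asks how to turn verification off, but OpenSSL error 20 ("unable to get local issuer certificate") simply means the CA that signed the collector's certificate is not in the trust store handed to om_ssl. For a log forwarder the safer fix is to supply that CA and leave verification on, so a rogue collector on the path cannot collect the Windows event stream. Added example (mine, not the poster's config); the certificate directory and file names are placeholders:

```apacheconf
define CERTDIR C:\Program Files (x86)\nxlog\cert

<Extension syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_msvistalog
</Input>

<Output out>
    Module  om_ssl
    Host    my_host
    Port    514
    # Trust only the CA that issued the collector's certificate (placeholder path).
    CAFile  %CERTDIR%\collector-ca.pem
    AllowUntrusted FALSE
    # Optional client certificate if the collector authenticates its senders:
    # CertFile     %CERTDIR%\forwarder-cert.pem
    # CertKeyFile  %CERTDIR%\forwarder-key.pem
    OutputType Syslog_TLS
    Exec    to_syslog_ietf();
</Output>

<Route r>
    Path    in => out
</Route>
```

If the collector's chain includes an intermediate CA, the PEM file given to CAFile has to contain it as well, otherwise the same error 20 appears with AllowUntrusted FALSE.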