
Nxlog syntax for capturing Windows Event Viewer logs
Hello, I am using NXLOG to capture Windows Event Viewer logs. I have the below requirements:

(1) Forward Event ID 4624 events
(2) Forward Event ID 4689 events only for a specific process name (say notepad.exe). By default 4689 is common to many processes.

Both of the above events are from the "Security" category of Event Viewer. If I use the below syntax, it does not work. I am guessing this is because I have repeated "Select Path = Security" twice with the same query ID. How can I configure both of the above filters together in my QUERY block?

```
Query \
\
*[System[(EventID=4624]]\
*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='')]]\
\
```

Do I need to define 2 separate QUERY blocks, one with ID=0 and the other with ID=1, like this?

```
Query \
\
*[System[(EventID=4624]]\
\
\
*[System[(EventID=4689)] and EventData[Data[@Name='ProcessName'] and (Data='C:\Windows\System32\notepad.exe')]]\
\
```

Neeraj79 created
Replies: 1
database log severity.

Hello There,

I'm working on a customer PoC to collect database logs and convert them to syslog to send to another monitoring tool.

The om_file is working as expected, but the messages are only sent with info severity. Is there any way I can process that DB log format and make it have a severity in syslog?

Thank you, Kriengsak


pissanello created
Replies: 1
How to forward Event ID's for specific process names
Hello, We are using NXLOG to forward our Windows Event Viewer logs to our syslog server. On our Windows clients, we have enabled process auditing, so this logs 1000s of events for every process that gets launched and terminated. There is a common event ID, 4688, when a process gets created (launched). If we launch 5 different programs/processes on the Windows client, this in turn creates 5 events each with the same event ID 4688, but the actual message in each event contains the name of the corresponding process or program that was launched. For example:

Event 4688 ... a process "cmd.exe" was launched
Event 4688 ... a process "word.exe" was launched
Event 4688 ... a process "notepad.exe" was launched
Event 4688 ... a process "abc.exe" was launched
Event 4688 ... a process "xyz.exe" was launched

My requirement is to only forward those events that are coming from a particular process, say "notepad.exe", and ignore the other processes even though each one of them has the same EVENT ID. Hope I am clear. Below is a snippet of the "Input" module from my nxlog.conf. How can I customize or filter my below code to filter on the process name "notepad.exe" that I want instead of sending every event 4688?

```
Module im_msvistalog
ReadFromLast True
Query \
\
*[System[(EventID=4688]]\
\
```

Neeraj79 created
Replies: 1
How to parse JSON logs to syslog format?
nxlog-ce-2.9.1716
Ubuntu 16.04 LTS (OS)

I am trying to parse JSON to SYSLOG

There are two issues.
1. The NoCache TRUE does not seem to work (I also tried SavePos false) and it always caches the file.

2. When I do get it to work; it uses the localhost (which is not where the logs are from) and the time/date stamp from the JSON file (but no other data is there).

Is there an example of parsing JSON to_syslog_bsd() for forwarding to a SIEM?

```
#######################################
# Global directives #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel DEBUG
NoCache TRUE

########################################
# Modules #
########################################

Module xm_json



Module xm_syslog



SavePos FALSE
Module im_file
File '/tmp/json/*.json'
Exec $Message = to_json(); to_syslog_bsd();



Module om_file
File "/var/log/nxlog/syslog.log"
Exec to_syslog_bsd();



########################################
# Routes #
########################################

Path in => fileout1

```

resulting output is

```
Feb 16 02:43:14 [redacted hostname] {"EventReceivedTime":"2018-02-16 02:43:14","SourceModuleName":"in","SourceModuleType":"im_file"}
```
Date is localtime for the conversion

Source JSON is OKTA logs


cbitterfield created
Replies: 1
Routing For a Subnet/Host

Currently we can route based off of MessageSourceAddress. But we are interested in routing messages to a folder based off of particular octets.

For example...(this doesn't work...just used to show what we would like to try to do on a conceptual basis).

```
if ($MessageSourceAddress == "192.*.*.100" ) { reroute("1"); }
```

We've tried escaping the wildcards, using 0s... I don't think that regex would work there... so what is the prescribed solution? Does anybody have something similar in place? Even just getting a host that ends in a specific octet would be helpful.

Regards,

-Tony


tlay created
Replies: 1
Windows Event to rsyslog

Hello,

I'm trying to forward Windows Event logs to a server that uses rsyslog. I've read through the reference manual for configuration but I keep getting the same error when starting the executable.

It says "ERROR apr_sockaddr_info failed for hostname:port#; The requested name is valid, but no data of the requested type was found."

I'm not sure what that means; I've been stuck on it for over a week now. I have all of my firewalls off, so I don't think it's that. Does nxlog work with IPv6 addresses? That seems to be the only difference between my systems and the examples I've read.


doomfront created
Replies: 1
nxlog.conf; syntax error, unexpected -, expecting (
Hi, I was wondering why the following config results in an error: *nxlog.conf; syntax error, unexpected -, expecting (*

```
Module im_msvistalog
Exec if $cs-uri-stem== '/health' drop();
```

I am trying to filter some URLs from the eventlog's IIS log. I got it partially working with the xpath query, but I think that the drop filter method makes it far more flexible. thx!

w.schmitt@evidos.nl created
Replies: 1
Latest source doesn't match latest binaries? nxlog-ce-2.9.1716

Does someone have a link to the latest source for nxlog-ce-2.9.1716?


spacefuzz created
Replies: 1
Ignore lines in a file

Hello, I was wondering: is there a command where I can tell NXLOG to ignore the first 32 lines of a file that I want to read in? The log file is a DHCP log on Win 2012 R2, and the first 32 lines are info about Event IDs and their meanings. I'd like to tell NxLog to ignore the first 32 lines when reading in the log files. Thanks in advance for any info. Really love nxlog.


Selmack created
Replies: 1
Document for nxlog installation ( nxlog-3.99.3269-1aix.ppc.trial.rpm ) in AIX 7.1

Can someone please provide documentation for nxlog installation ( nxlog-3.99.3269-1aix.ppc.trial.rpm ) in AIX 7.1.


rengithav created
Replies: 1
Module xm_syslog with delimiter
Hello: I have spent a week trying to replace the default TAB delimiter with a comma. So far I got this:

```
Module xm_syslog
Delimiter ,

Module im_msvistalog

Module om_tcp
Host 192.168.1.2
Port 514
Exec to_syslog_snare();

Path in => out
```

I also tried changing , for 0x2C. Sadly it doesn't work; all I can see is the delimiter changed to a strange character. I'm using the latest community version. I really hope that someone helps me with a clear answer.

_omar_ created
Replies: 1
xm_multiline sometimes does not work at the first line.
I am parsing my own log file and sending it to logstash. My log file looks like below.

```
2018-02-01 12:01:59,574 receive 'AccountReady' is True. account is 12345.
Current local time is 2018-02-01 12:01:59.574. Current UTC time is 2018-02-01 04:01:59.574.
2018-02-01 12:01:59,685 receive 'AccountReady' is True. account is 23456.
Current local time is 2018-02-01 12:01:59.685. Current UTC time is 2018-02-01 04:01:59.685.
2018-02-01 12:01:59,710 receive 'AccountReady' is True. account is 34567.
Current local time is 2018-02-01 12:01:59.710. Current UTC time is 2018-02-01 04:01:59.710.
2018-02-01 12:07:12,460 _Disconnect
2018-02-01 12:07:13,382 BeforeReConnect is triggered.
2018-02-01 12:07:14,449 AfterReConnec is triggered (It`s already reconnected.)
2018-02-01 12:07:14,451 Restart is not trigger because the connection is reconnected.
```

I have many files like this, and the nxlog config looks like this:

```
Module xm_multiline
HeaderLine /^(\d{4}\-(0[1-9]|1[012])\-([0|1|2]\d|3[0|1]) ([0|1]\d|2[0-3])\:([0-5]\d)\:([0-5]\d),\d{3})/

Module im_file
File "C:\\Code\\MyProj\\bin\\Debug\\Logs\\*.*"
SavePos TRUE
ReadFromLast FALSE
InputType multi

Module om_udp
Host 192.168.1.104
Port 12020
OutputType Dgram

Path aplogfile => udp_logstash
```

Most of these logs are parsed correctly, but some messages are not. For example, the first two lines should be sent as one message, but it is sent twice, once for the first line and once for the second line. This situation only happens at the first line in some files. Has anyone ever run into the same problem? Thanks!

walilav created
Issues with im_mark and timely generation

We are currently using im_mark to generate heartbeat events in order for our monitoring to prove that log flow is operational. On several source machines we are having issues where the heartbeats do not appear to be generated in a timely manner, causing significant quantities of false alerts.

The configuration uses im_mark to generate a mark event at (currently) 5 minute intervals which is then used in two routes. The first sends it to the destination along with the log data where it is used by the monitoring software, the second writes it out to a file for debug purposes. On affected machines this file is reporting that (usually) two heartbeats are being generated at 5 minute intervals before a (apparently random) delay of between 15 minutes to approximately 80 minutes. During these periods the service continues running correctly and log data is submitted.

Attempted resolutions:

Restart service. No effect.
Remove the configcache.dat file. No effect.
Increased the generation time from 1 to 5 minutes. Issue appeared to go but returned on different machines after a week or so.
Increased the number of threads in the configuration. No effect.
Tested both the raw Windows API (WaitForSingleObject) and Apache Portable Runtime apr_thread_cond_timedwait methods with a simple test program. Issue was not evident.

Please let me know if you require any additional information.


nmoss created
Send Specific windows security event to graylog server
Hi Folks, I have been playing with the nxlog config for more than 24 hrs but I am not able to get a specific Windows security event into the graylog server. I can send non-filtered events without issue. Here is the nxlog.conf file:

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_syslog

Module xm_gelf

Module im_msvistalog
Query \
\
# *\
# *\
# *[System[(EventID=EventID=4625 or EventID=4740)]]\
*\
\

Module pm_buffer
# 100Mb disk buffer
MaxSize 102400
Type disk

Module om_tcp
Host SERVER_IP
Port 5044
OutputType GELF_TCP
Exec $short_message = $raw_event;

Path in => out
```

In the log file I get the following error:

```
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events using bookmark: The specified query is invalid.
2018-02-01 03:24:50 ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 15001]
```

Sometimes the error changes and the service won't start; this happens when I uncomment the specific event line and comment the all-security-events line:

```
nxlog failed to start: Expected but saw at C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf:31
```

I'd appreciate it if someone can guide me in the right direction. Thanks, Navdeep

navdeepsingh83 created
Replies: 1
Windows 10 nxlog service fails
New deployment on Windows 10 OS which should push logs to an AlienVault SIEM; when I replace the config file with the file provided by AlienVault, the nxlog service fails to start. The log shows the following error message: **nxlog failed to start: Expected at C:\Program Files (x86)\nxlog\conf\nxlog.conf:809**

Fibonacci created
Replies: 1
override the sourcemodulname

Is it possible to override the sourcemodulname?

```
Modul OM_SSL ... .... ....
Exec $SourceModulName = "Thomas"
```

Thanks in Advance

Thomas


Thomas created
Replies: 1
Change tab for comma

Hi. I am trying to send Windows events. How can I change the default field separator (tab) to a comma?


_omar_ created
Replies: 1
om_ssl certificate verification failed with AllowUntrusted TRUE
Hi, I'm using om_ssl to send syslog over TLS with the following config:

```
Module om_ssl
Host my_host
Port 514
AllowUntrusted TRUE
OutputType Syslog_TLS
Exec to_syslog_ietf();
```

Nxlog is producing the following error: `ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)`

How do I configure om_ssl to skip all certificate verification? Thanks!

ToddChapman created
Replies: 1
NXLog Windows Service crash on termination/stop

Hello!

We run NXLog version nxlog-3.2.1991-x86 on Windows Server 2016.

Thanks for a good and well documented product. However, we have an issue when closing down the NXLog service. Sometimes stopping the service fails with the following error message:

"Error 109: The pipe has been ended".

When this happens, no cache file is created (configcache.dat) and at startup the whole table is sent again.

It is easy to reproduce this issue. Just stop the service after 5 seconds of running. However, it also happens after a run time of 24 hours.

On this machine we use NXLog for monitoring a table in MS SQL and sending the content to syslog over TCP. We have not changed the default setting for the table polling interval (every second). As a workaround we will lower the polling interval to every 60 seconds.

Kind regards.

// Erik


bosarebo created
Replies: 1
file_remove with a variable
Dear Community, I have an output module in a file, which creates a folder named with the incoming IP address. In this folder will be a file named Syslog+time+.log. This file is created new every hour. That works very well. Every new syslog sender creates a new folder with its own IP address.

Abstract:
C:\Program Files (x86)\nxlog\data\\Syslog-.log

Reality:
C:\Program Files (x86)\nxlog\data\123.123.123.123\Syslog-2018-23-01.log
C:\Program Files (x86)\nxlog\data\123.123.123.123\Syslog-2018-23-02.log
and so on, and another folder:
C:\Program Files (x86)\nxlog\data\124.124.124.124\Syslog-2018-23-01.log

Code:

```
Module om_file
File $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
CreateDir TRUE
```

Up to this stage everything works. Now I want to create a deletion process for the files which are older than a particular time. I try to use the file_remove function but it is not working for me. I try to get the IP folder name with $MessageSourceAddress. Therefore I create a variable (test). This variable should carry the folder name (123.123.123.123):

```
Exec {if not defined get_var('test') {create_var('test');} set_var('test',$MessageSourceAddress);}
```

Now I try to request the variable back in the file_remove function:

```
Exec file_remove('C:\\Program Files (x86)\\nxlog\\data\\+ 'get_var('test')'\\*.log', (now()));
```

I always get this error:

```
2018-01-23 14:20:20 WARNING stopping nxlog service
2018-01-23 14:20:20 WARNING nxlog received a termination request signal, exiting...
2018-01-23 14:20:22 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:96; couldn't parse statement at line 96, character 72 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected TOKEN_FUNCPROC, expecting )
2018-01-23 14:20:22 ERROR module 'file2' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:130
2018-01-23 14:20:22 WARNING not starting unused module eventlog
```

Whole output module:

```
Module om_file
File $MessageSourceAddress+"/Syslog-"+ strftime(now(),"%Y-%m-%d-%H") + ".log"
CreateDir TRUE
##Variable create
Exec {if not defined get_var('test') {create_var('test');} set_var('test',$MessageSourceAddress);}
## delete old files
Exec file_remove('C:\\Program Files (x86)\\nxlog\\data\\+ 'get_var('test')'\\*.log', (now()));
Exec to_syslog_ietf();
```

Thomas created
Replies: 1