We have configured  NXLog to monitor DHCP server logs and  sends it to two different destinations using TCP:what is the correct way of routing the output to two diffrent distnations..<Output out1>   Module      om_tcp   Host        destination1   Port       XXX  </Output><Output out2>   Module      om_tcp   Host        destination2   Port        XXXX   </Output><Route route1>   Path        input1 => out1   Path        input2 => out2</Route>

I am experiencing a problem with the NXLog Graylog sidecarwhere large CSV messages are being truncated when sent to Graylog via im_file and xm_gelf. The issue occurs regardless of whether I use UDP or TCP transport. Specifically, when a single field (FullFormattedMessage) exceeds approximately 11,000 bytes, the message gets truncated to 64 characters in Graylog's interface causing the entire large field to be omitted. This truncation appears to be due to the $ShortMessage field, which has a character limit.Additionally, when the message is truncated, the $EventTime field, which is derived from a CSV column using parsedate(), does not parse correctly. It seems that when the message reaches its size limit, the $row_event is sent without executing any further processing. My current NXLog configuration is as follows:define INSTALLDIR /etc/nxlog define CERTDIR %INSTALLDIR%/cert define CONFDIR %INSTALLDIR%/nxlog.d define LOGDIR /var/log/nxlog define MYLOGFILE %LOGDIR%/nxlogCSVtest.log LogLevel INFO LogFile %MYLOGFILE% <Extension csv> Module xm_csv Fields IpAddress,UserAgent,Key,CreatedTime,UserName,FullFormattedMessage </Extension> <Extension gelf> Module xm_gelf </Extension> <Input file> Module im_file File '/home/user/test/logs_to_send.csv' <Exec> csv->parse_csv(); if ($UserName =~ /USER_A/) drop(); if (not defined($CreatedTime) or $CreatedTime=='' ) drop(); $EventTime = parsedate($CreatedTime); $CreatedTime = undef; # These fields are needed for Graylog $gl2_source_collector = '${sidecar.nodeId}'; $collector_node_id = '${sidecar.nodeName}'; &lt;/Exec&gt; </Input> <Output graylog_udp> Module om_udp Host 127.0.0.1 Port 5555 OutputType GELF_UDP </Output> <Route 1> Path file => graylog_udp </Route> The log file indicates an "Invalid CSV input" error for each row that is giving me the problem, but only displays the first 960 characters of the CSV rows in question.2024-02-13 16:59:08 ERROR Invalid CSV input: <the first 960 characters of the csv row> I am running NXLog CE on Ubuntu 22.04 with the Graylog sidecar, using package version nxlog-ce_3.2.2329_ubuntu22_amd64.On the data that desn't get the error it's working great, I know i'm hitting some limitation but i would like to know witch one and how can i change it.

Hi,  I can send the log to 1 Server only.  How do I send the same log to 2 server for just in case 1 got wipe out by ransomwareThis is the configuration that work for #1 Server.  My #2 Server has different IP.   What is the proper way to do this? <Extension _gelf>   Module      xm_gelf</Extension># Snare compatible example configuration# Collecting event log<Input in>    Module      im_msvistalog</Input># Sends Eevent in GELF format to Graylog Servers<Output out>    Module      om_udp    Host        10.10.12.68    Port        12201    OutputType  GELF</Output># # Connect input 'in' to output 'out'<Route 1>    Path        in => out</Route>

When sending data to InsightIDR, you have to specify a unique port for each data source.  For example, on an AD DC, you need a unique port for security event logs, DNS logs, and DHCP logs.  As it currently appears, I would need a template or individual configuration on each system. To optimize/simplify this, is it possible to use FIELDS and PATTERNS in templates?  e.g. DC1_SecLog=<port 1000>, DC1_DNS=<port 1001>.  In the template reference a FIELD/PATTERN based on the agent info like hostname and/or tags?  Just looking for a way to minimize the number of templates I have to manage.

Learning how to build out templates and I see in the documentation, that you there should be an option for “MASTER” or “SUB” template types as described here:  https://docs.nxlog.co/manager/current/templates/index.htmlHowever, my new server (5.7.5935) does not have that option when creating a template.  Is there something that needs to be enabled or some set of actions before that becomes visible? 

Initiated a 30-day trial today to test what I had thought would be a fairly straightforward use case. The following config works fine to forward Windows events from the local machine via syslog, but when I add the File directive for im_msvistalog to the Input module section the events in the file are not forwarded over syslog. The file is correctly formatted and can be read via the event viewer. I also tested writing the contents of the file to a local json file as-per examples in the documentation, that worked fine as well. The file is publicly available at: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_sysmon-3-rdp-tun.evtx Here are the contents of the config file: NoCache True define LOGHOST 192.168.xxx.xxx <Extension syslog> Module xm_syslog </Extension> <Input event_in> Module im_msvistalog File C:\Program Files\nxlog\logs\test_log.evtx Exec $Hostname = hostname(); </Input> <Output tcp_out> Module om_tcp Host %LOGHOST%:514 Exec to_syslog_snare(); </Output> <Route 1> Path event_in => tcp_out </Route>

Hi All,I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, the logs are send in “real time”. However, Over time, a delay is generated, causing the accumulated delay to be hours after one day. What could happen to explain this behavior?Configurationdefine ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _json> Module xm_json </Extension> <Input windows_security_eventlog> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </QueryList> </QueryXML> ReadFromLast True SavePos True </Input> <Output out_chronicle_windevents> Module om_tcp Host 172.16.94.69 Port 41001 Exec $EventTime = integer($EventTime) / 1000; Exec $EventReceivedTime = integer($EventReceivedTime) / 1000; Exec to_json(); </Output> <Route r2> Path windows_security_eventlog => out_chronicle_windevents </Route> Environment descriptionNXLog CE is running on Windows 2022 server Package version is 3.2.2329   

I'm trying to capture Secure Syslog from an external source. The sender is green lights, but the NXLog.log file is showing a lot of this:2024-01-22 15:58:08 INFO nxlog-ce-3.2.2329 started 2024-01-22 15:58:08 INFO connecting to 127.0.0.1:6515 2024-01-22 15:58:08 INFO successfully connected to 127.0.0.1:6515… … 2024-01-22 16:14:32 WARNING SSL connection closed from (IP_REDACTED):53601 2024-01-22 16:14:32 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20) 2024-01-22 16:14:32 WARNING SSL connection closed from (IP_REDACTED):46645 2024-01-22 16:14:32 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20) 2024-01-22 16:14:32 WARNING SSL connection closed from (IP_REDACTED)47010 2024-01-22 16:14:32 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20) 2024-01-22 16:14:32 WARNING SSL connection closed from (IP_REDACTED):46931 2024-01-22 16:14:32 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20) 2024-01-22 16:14:32 WARNING SSL connection closed from (IP_REDACTED):46939 2024-01-22 16:14:32 INFO SSL connection accepted from (IP_REDACTED):43341and so on.I have tried just about every combination of certs/directives that I can find or think of, but I cannot get the connection to establish correctly. I validated the cert and chain using openssl and even tried using AllowExpired but that directive is not supported, apparently. The sending service is all green lights and happy. Any thoughts would be appreciated!Community version 3.2.2329 (Windows)conf:define ROOT C:\Program Files\nxlog define CERTDIR C:\Program Files\nxlog\cert Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> <Input ssl> Module im_ssl Host 192.168.1.11 Port 6514 CAFile %CERTDIR%\Valid_Public_CA.crt CertFile %CERTDIR%\Valid_Public_cert.crt CertKeyFile %CERTDIR%\Valid_Public_key_decrypted.key AllowUntrusted TRUE Exec parse_syslog(); </Input> <Output ssl_output> Module om_sslHost 127.0.0.1 Port 6515 CAFile %CERTDIR%\Self-Signed.pem AllowUntrusted TRUE </Output> <Route 1> Path ssl => ssl_output </Route>

Hi Team,Can some one help me out here!I tried so many Windows DNS NXLog query (NXLog Community Edition) to capture the Audit Logs from Event Viewer, but no luck.Can you please provide the Windows DNS NXLog Query (NXLog Community Edition) to capture the Audit logs from Event Viewer.  Thanks

Hello,I have Windows SQL server 2019 installed on Windows server 2019. i have installed the nxlog community edition on Server to forward the  Database logs generating in following path: C:\Program Files\Microsoft SQL Server\MSSQL15.BAMSM\MSSQL\Log\ERRORLOGI have written following conf in nxlog but it i have not received any logs in Syslog Server. Kindly help me to resolve the issue if there is any changes to be done in the below mentioned configuration:<Extension _syslog>   Module          xm_syslog</Extension><Input in>   Module      im_file   File      “C:\\Program Files\\Microsoft SQL Server\\MSSQL15.BAMSM\\MSSQL\\Log\\ERRORLOG”   SavePos      TRUE   Recursive TRUE</Input><Output out>   Module      om_udp   Host        192.168.105.10   Port        514   Exec        $Message = "TEST DB LOG " + $raw_event;   Exec        to_syslog_bsd();</Output><Route 1>   Path        in => out</Route>

Hello All,We are using NxLog community edition for deployments and realized that there's no rpm available for SLES 12 (its does have for SLES 15). How can I get rpm for sles 12.? I can see the rpm available under Enterprise downloads. How to contact support to get this.?Thank you

can be deleted

Hello dear NXLog users,Does anyone know any NXLog release for Ubuntu 23.10 (Mantic Minotaur)? I've tried ubuntu 18 to 22 releases couldn't manage to install. Any NXLog solutions for Mantic Minotaur?Thanks a lot.  

Vulnerability scanner has discovered a number of vulnerabilities (CVE-2022-4450, CVE-2023-0215, CVE-2023-4807) related to “OpenSSL, version 1.1.1q” in NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll.Are there concrete plans and deadlines for updating these libraries by moving to non-vulnerable OpenSSL versions?

We are an MSSP that uses NXLog CE (3.2.2329) installed on a Windows Server acting as a Windows Event Collector (WEC) to forward events from the forwarded events channel to a syslog collector that sends everything to our SIEM.TL;DRCertain Windows Events send to our SIEM via NXLog are missing the <EventData> information whereas Event Viewer shows a complete event on the logsource host where NXLog is installed on. Longer versionThe current setup is:Domain Controllers forward their security events using Windows Event Forwarding to our WEC using a source initiated event subscription where the content format is set to ‘Events’ instead of the default ‘RenderedText’ (this change helped solve similar issues where data was missing from events send via NXLog).We've verified that these security events are present in the forwarded events channel on the WEC with a complete XML of the events.NXLog CE (3.2.2329) is installed on this WEC using the following nxlog.conf file:Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data include %CONFDIR%\*.conf define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') &gt;= 5M)) \ file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; </Extension> <Input Security> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="ForwardedEvents"> <Select Path="ForwardedEvents">*</Select> </Query> </QueryList> </QueryXML> </Input> <Output DL> Module om_tcp Host 123.123.123.123 Port 514 Exec to_syslog_snare(); </Output> <Route eventlog_to_DL> Path Security => DL </Route>NXLog sends logs to a syslog collector in the same networkThis syslog collector has SIEM agent software forwarding events to our SIEMIn our SIEM we can see all events coming in from the syslog collector, including NXLog Windows events, however some appear to be missing data found in the <EventData> field in the XML of the actual event.The event id's we're having issues with are Windows event ID 4662,4768 and 4776.Other event id's are coming in ‘complete’ as expected such as this event id 4672:<14>Dec 8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986982 Fri Dec 08 11:32:42 2023 4672 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Special Logon Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-2155563959-1375260949-369746351-17469 Account Name: server123$ Account Domain: EXAMPLE Logon ID: 0x4D8729AC Privileges: SeSecurityPrivilege SeDebugPrivilege 773449975Or event id 5140:<14>Dec 8 11:32:37 dc2.example.com MSWinEventLog 1 Security 5986753 Fri Dec 08 11:32:37 2023 5140 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com File Share A network share object was accessed. Subject: Security ID: S-1-5-21-2155563959-1375260949-369746351-18565 Account Name: netwrixsvc Account Domain: EXAMPLE Logon ID: 0x4D86D440 Network Information: Object Type: File Source Address: 172.30.10.10 Source Port: 51173 Share Information: Share Name: \*\ADMIN$ Share Path: ??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 773449390 Whereas we receive the following information for the troubled event id's:4776<11>Dec 8 11:32:29 dc2.example.com MSWinEventLog 3 Security 5986385 Fri Dec 08 11:32:29 2023 4776 Microsoft-Windows-Security-Auditing N/A N/A Failure Audit dc2.example.com Credential Validation N/A 7734490444662<14>Dec 8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986976 Fri Dec 08 11:32:42 2023 4662 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Directory Service Access N/A 7734499584768<14>Dec 8 11:32:41 dc2.example.com MSWinEventLog 1 Security 5986915 Fri Dec 08 11:32:41 2023 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Kerberos Authentication Service N/A 773449814 Due to the vast amount of events received by the WEC, extracting a subset of events for troubleshooting provided more challenging than expected. Nevertheless, the customer responsible for the WEC was able to provide me with an .evtx file containing some of the event id 4768 logs. These appear perfectly fine as shown in the screenshot and XML output below: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> <EventID>4768</EventID> <Version>0</Version> <Level>0</Level> <Task>14339</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2023-12-07T10:32:31.691008600Z" /> <EventRecordID>4520638617</EventRecordID> <Correlation /> <Execution ProcessID="700" ThreadID="1424" /> <Channel>Security</Channel> <Computer>dc1.example.com</Computer> <Security /> </System> <EventData> <Data Name="TargetUserName">netwrixsvc</Data> <Data Name="TargetDomainName">example</Data> <Data Name="TargetSid">S-1-5-21-2155563959-1375260949-369746351-18565</Data> <Data Name="ServiceName">krbtgt</Data> <Data Name="ServiceSid">S-1-5-21-2155563959-1375260949-369746351-502</Data> <Data Name="TicketOptions">0x40810010</Data> <Data Name="Status">0x0</Data> <Data Name="TicketEncryptionType">0x12</Data> <Data Name="PreAuthType">2</Data> <Data Name="IpAddress">::ffff:172.30.10.10</Data> <Data Name="IpPort">49712</Data> <Data Name="CertIssuerName"> </Data> <Data Name="CertSerialNumber"> </Data> <Data Name="CertThumbprint"> </Data> </EventData> </Event> What could possibly be the cause for these issues? Where can I check next? 

Which version of the SUSE distribution supports the available NXLog CE package?The following message appears during the download:

Vulnerability scanner has discovered a number of vulnerabilities (CVE-2022-4450, CVE-2023-0215, CVE-2023-4807) related to “OpenSSL, version 1.1.1q” in NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll:If we are using the following modules: im_msvistalog, im_file, om_tcp;and we are NOT using the following modules: im_ssl, om_ssl;would simply deleting the following files from the system: “C:\ProgramFiles\nxlog\libcrypto-1_1-x64.dll”, “C:\ProgramFiles\nxlog\libssl-1_1-x64.dll” (which solves the problem with the vulnerability scanner alerts) affect functionality of NXLog?

Hello,I'm using an older version of the NXLog agent (ce-2.0.1716) on Windows Server 2016, and I want to import only EventLogs that correspond to a severity level between 1 and 3 but I really have no idea how to do it. Despite my research and testing, nothing seems to work.Below, you can see the original “nxlog.conf” configuration file for my DC server:define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog> Module xm_syslog </Extension> <Input in> Module im_msvistalog #011Information Exec if ($Severity == 'INFO' and $SourceName == 'CxAudioSvcSource') drop(); Exec if ($Severity == 'INFO' and ($EventId == 0)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 1001)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 107)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 112)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 129)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 146)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 1)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2000)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2002)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 200)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 201)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2024)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 20)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 2415)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 3)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4006)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4007)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4017)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4126)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4257)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 4326)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5017)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 505)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5126)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5257)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5308)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5309)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5310)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5311)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5312)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5313)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5314)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5315)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5320)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5326)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5327)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 5340)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 600)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 6115)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 62170)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 62171)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 7036)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 8006)) drop(); Exec if ($Severity == 'INFO' and ($EventId == 8007)) drop(); #011Warning Exec if ($Severity == 'WARNING' and ($EventId == 200)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 202)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 61)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 1112)) drop(); Exec if ($Severity == 'WARNING' and ($EventId == 1002)) drop(); #011Success Exec if ($Severity == 'SUCCESS' and ($EventId == 4672)) drop(); Exec if ($Severity == 'SUCCESS' and ($EventId == 4799)) drop(); #011Error Exec if ($Severity == 'ERROR' and ($EventId == 2028)) drop(); Exec if ($Severity == 'ERROR' and ($EventId == 6113)) drop(); </Input> <Output out> Module om_tcp Host supervision Port 514 Exec to_syslog_snare(); </Output> <Route 1> Path in => out </Route>Below, you can see my new “nxlog.conf” configuration file for my DC server:define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog> Module xm_syslog </Extension> <Input in> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0' Path='Application'> <Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='Security'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='Setup'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select> </Query> </QueryList> </QueryXML> </Input> <Output out> Module om_tcp Host supervision Port 514 Exec to_syslog_snare(); </Output> <Route 1> Path in => out </Route>Below, you can see an extract of the log file for the NXLog agent for my DC server:2023-12-11 13:42:40 INFO nxlog-ce-2.9.1716 started 2023-12-11 13:42:40 INFO connecting to supervision:514 2023-12-11 14:00:21 WARNING stopping nxlog service 2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting... 2023-12-11 14:00:23 INFO nxlog-ce-2.9.1716 started 2023-12-11 14:00:25 INFO connecting to supervision:514 2023-12-11 14:00:49 WARNING stopping nxlog service 2023-12-11 14:00:49 WARNING nxlog-ce received a termination request signal, exiting... 2023-12-11 14:00:50 INFO nxlog-ce-2.9.1716 started 2023-12-11 14:00:50 INFO connecting to supervision:514 2023-12-11 14:05:41 WARNING stopping nxlog service 2023-12-11 14:05:41 WARNING nxlog-ce received a termination request signal, exiting... 2023-12-11 14:05:43 INFO nxlog-ce-2.9.1716 started 2023-12-11 14:05:45 INFO connecting to supervision:514 2023-12-11 14:14:38 WARNING stopping nxlog service 2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting... 2023-12-11 14:16:24 INFO nxlog-ce-2.9.1716 started 2023-12-11 14:16:27 INFO connecting to supervision:514 2023-12-11 14:19:51 WARNING stopping nxlog service 2023-12-11 14:19:52 WARNING nxlog-ce received a termination request signal, exiting... 2023-12-11 14:19:53 INFO nxlog-ce-2.9.1716 started 2023-12-11 14:19:53 INFO connecting to supervision:514 2023-12-11 14:21:53 WARNING stopping nxlog service 2023-12-11 14:21:53 WARNING nxlog-ce received a termination request signal, exiting... 2023-12-11 14:21:54 INFO nxlog-ce-2.9.1716 started 2023-12-11 14:21:54 INFO connecting to supervision:514I also tried options such as:Exec if ($Severity == 'INFO') drop();And I tried by modifying th “input” field with different values below, but nothing seems to work.<Select Path='Application'>[System/Level<3]</Select> <Select Path='Security'>[System/Level<3]</Select> <Select Path='System'>[System/Level<3]</Select><Select Path='Application'>[System[Level=3]]</Select> <Select Path='System'>[System[Level=3]]</Select> <Select Path='Security'>[System[Level=3]]</Select><Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select> <Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>Unfortunaltely, I'm far from being a specialist in log processing and management, so if you you had an idea to suggest to help mesolve my problem, I would be very gratful.Thank you in advance,Arn_no

Got this error while trying to forward windows 11 event logs to SIEM:ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.my  nxlog config is heredefine ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension fileop> Module xm_fileop </Extension> Nxlog internal logs <Input internal> Module im_internal Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json(); </Input> Win Event Log - Security <Input inSecurityEvent> Module im_msvistalog Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList> Exec $Message = to_json(); </Input> <Output outSecurityEvent> Module om_tcp Host X.X.X.X Port 5060 Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); to_json(); Exec to_json(); Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event); </Output> <Route 1> Path inSecurityEvent => outSecurityEvent </Route>This works fine on other version of windows. the problem is windows 11

Hi.. anybody can clarify if om_azuremonitor work in air gap environment  Thx for your inputs