I'm trying to get DNS logging going with the im_etw input module, with no luck. I get this error in my log: ERROR Failed to load module from C:\Program Files (x86)\nxlog\modules\input\im_etw.dll, The specified module could not be found. ; The specified module could not be found. I have an enterprise version of nxlog running. Not sure how to install that module.
Thanks
djohnson244 created
ADE created
Hi,
When I try to use the PollInterval parameter in the im_file module, I see updates in my output file more often than the interval I set in this parameter. Why is that? Is this parameter not working?
d.evsyukov created
Hi,
I tried to use the pm_blocker module. My configuration looks like:

<Processor buffer>
    Module   pm_buffer
    # 100Mb disk buffer
    MaxSize  102400
    Type     disk
</Processor>

<Processor blocker>
    Module   pm_blocker
    <Schedule>
        Every  5 min
        First  2017-11-27 13:12:20
        Exec   blocker->block(TRUE);
    </Schedule>
    <Schedule>
        Every  5 min
        First  2017-11-27 13:12:00
        Exec   blocker->block(FALSE);
    </Schedule>
</Processor>

<Input in>
    Module      im_batchcompress
    ListenAddr  0.0.0.0
    Port        1514
</Input>

<Output out>
    Module     om_file
    # Output path: C:\Temp\NXLog\<hostname>\<file name>
    File       'C:\Temp\NXLog\' + $Hostname + '\' + $FileName
    # Replace '-' with '.' in the file name before writing
    Exec       $FileName =~ s/-/./g;
    CreateDir  TRUE
</Output>

<Output out2>
    Module     om_file
    # Output path: C:\Temp\NXLog2\<hostname>\<file name>
    File       'C:\Temp\NXLog2\' + $Hostname + '\' + $FileName
    Exec       $FileName =~ s/-/./g;
    CreateDir  TRUE
</Output>

<Route 1>
    Path  in => out
</Route>

<Route 2>
    Path  in => buffer => blocker => out2
</Route>

As we can see, pm_blocker is used only in the second Route. But if we run nxlog with this configuration, we see blocking in the first Route as well. Why? I don't understand.
How can I update our files periodically in Route 2?
d.evsyukov created
aaronsssya created
Hello,
we have compiled the latest NXLOG Community Edition on AIX V.7.1 with GCC 4.8.xx. We have one issue with "im_file" and logfiles with wildcards like "*".
NXLOG quits after writing a "core dump"....
The following output we are receiving in "DEBUG" mode:
2017-11-28 12:13:10 DEBUG pidfile /usr/local/var/run/nxlog/nxlog.pid created
2017-11-28 12:13:10 DEBUG parsing path: itm6_custom_log => out_file
2017-11-28 12:13:10 DEBUG adding module itm6_custom_log to route 1
2017-11-28 12:13:10 DEBUG adding module out_file to route 1
2017-11-28 12:13:10 DEBUG jobgroup created with priority 99
2017-11-28 12:13:10 DEBUG jobgroup created with priority 10
2017-11-28 12:13:10 DEBUG spawning 4 worker threads
2017-11-28 12:13:10 DEBUG worker thread 0 started
2017-11-28 12:13:10 DEBUG worker thread 1 started
2017-11-28 12:13:10 DEBUG worker thread 2 started
2017-11-28 12:13:10 DEBUG worker thread 3 started
2017-11-28 12:13:10 DEBUG event thread started
2017-11-28 12:13:10 DEBUG nx_event_to_jobqueue: MODULE_START (_syslog)
2017-11-28 12:13:10 DEBUG event added to jobqueue
2017-11-28 12:13:10 DEBUG nx_event_to_jobqueue: MODULE_START (json)
2017-11-28 12:13:10 DEBUG event added to jobqueue
2017-11-28 12:13:10 DEBUG nx_event_to_jobqueue: MODULE_START (was_sys_multi)
2017-11-28 12:13:10 DEBUG event added to jobqueue
2017-11-28 12:13:10 DEBUG nx_event_to_jobqueue: MODULE_START (itm6_custom_log)
2017-11-28 12:13:10 DEBUG event added to jobqueue
2017-11-28 12:13:10 WARNING not starting unused module out
2017-11-28 12:13:10 DEBUG nx_event_to_jobqueue: MODULE_START (out_file)
2017-11-28 12:13:10 DEBUG event added to jobqueue
2017-11-28 12:13:10 INFO nxlog-ce-2.8.1248 started
2017-11-28 12:13:10 DEBUG no events or no future events, event thread sleeping in condwait
2017-11-28 12:13:10 DEBUG worker 3 processing event 0x301763f8
2017-11-28 12:13:10 DEBUG PROCESS_EVENT: MODULE_START (itm6_custom_log)
2017-11-28 12:13:10 DEBUG START: itm6_custom_log
2017-11-28 12:13:10 DEBUG Value specified for File parameter contains wildcards: '/usr/app/sw/log/itm6*.log'
2017-11-28 12:13:10 DEBUG reading directory entries under '/usr/app/sw/log' to check for matching files
Segmentation fault (core dumped)
Does someone have the same failure, or could someone help us solve this issue?
Greets Alaettin from Stuttgart/Germany
alaettin created
I currently have the NXlog community version installed on a Windows 2012 R2 server. The SIEM manager is requesting that I stop sending Windows Security Event ID 5156 traffic from the server. Is this possible? Thank you.
jlference created
Hi, I tried to schedule 2 jobs for blocking log messages, as described in the documentation: Example 4.6. Two scheduled jobs in the context of the im_tcp module. But I need to change the blocking mode every minute. For example: every even minute block messages, and every odd minute pass all messages. I tried to use the default syntax from cron:

<Processor blocker>
    Module  pm_blocker
    <Schedule>
        When  0-59/2 * * * *
        Exec  blocker->block(TRUE);
        Exec  log_info("Block: True");
    </Schedule>
    <Schedule>
        When  1-59/2 * * * *
        Exec  blocker->block(FALSE);
        Exec  log_info("Block: False");
    </Schedule>
</Processor>

But all these schedules run simultaneously. How can I schedule these jobs?
d.evsyukov created
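As an added check (my own Python, not code from the post above and not NXLog's scheduler), the following evaluates five-field crontab expressions such as `0-59/2 * * * *` against a timestamp and computes which minutes two expressions share. For the two expressions in the post it shows that the minute sets are disjoint under the usual crontab grammar (`*`, lists, ranges, `/step`), which is worth confirming before looking elsewhere for why both jobs fire together. How NXLog's own `When` parser treats these forms is not tested here; that is an assumption the reader must check against the NXLog manual.

```python
"""Evaluate five-field crontab expressions (minute hour day-of-month month weekday)."""
from datetime import datetime
from typing import List, Set

# (low, high) bounds per field, in crontab order
FIELD_BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def expand_field(spec: str, low: int, high: int) -> Set[int]:
    """Expand one field: '*', '5', '1-10', '*/2', '0-59/2', 'a,b,c', '5/10'."""
    values: Set[int] = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
            if step != 1:            # Vixie cron: '5/10' means from 5 to the upper bound, every 10
                end = high
        if not (low <= start <= end <= high):
            raise ValueError(f"{part!r} out of range {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> List[Set[int]]:
    """Return the allowed value set for each of the five fields."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day month weekday")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_BOUNDS)]


def matches(expr: str, when: datetime) -> bool:
    """True if the expression fires in the given minute (seconds are ignored)."""
    minute, hour, dom, month, dow = parse_cron(expr)
    # crontab weekday: 0 = Sunday; Python isoweekday(): 7 = Sunday
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and when.isoweekday() % 7 in dow)


def overlapping_minutes(expr_a: str, expr_b: str) -> Set[int]:
    """Minutes of the hour at which both expressions would fire (minute field only)."""
    return parse_cron(expr_a)[0] & parse_cron(expr_b)[0]


if __name__ == "__main__":
    block, unblock = "0-59/2 * * * *", "1-59/2 * * * *"
    print("minutes common to both:", overlapping_minutes(block, unblock))
    for m in range(4):
        t = datetime(2017, 11, 28, 12, m)
        print(t.strftime("%H:%M"), "block" if matches(block, t) else "pass")
```

If the two expressions are disjoint in this model and the jobs still fire together, the alternative that avoids two competing schedules altogether is a single schedule that runs every minute and decides whether to call `block(TRUE)` or `block(FALSE)` from the parity of the current minute.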
It seems I have a problem with Nxlog-ce and the Windows event log after a power resume/reconnect to the network.
At a high level, we don't get any logs from a machine until we restart the nxlog service. It shows as running but sends no logs. As soon as you restart it, the logs are sent.
I enabled debug logging and got the following:
2017-11-27 08:02:40 DEBUG before nx_logqueue_push, size: 26
2017-11-27 08:02:40 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (eventlogOUT)
2017-11-27 08:02:40 DEBUG executing statements
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:3
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:4
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:5
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:6
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:7
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:8
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:9
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:10
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:11
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\add-on\eventlog_client.conf:12
2017-11-27 08:02:40 DEBUG before nx_logqueue_push, size: 27
2017-11-27 08:02:40 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (eventlogOUT)
2017-11-27 08:02:40 ERROR Exception was caused by "apr_sockaddr_info_get(&sa, omconf->host, APR_INET, omconf->port, 0, pool)" at om_udp.c:279/om_udp_connect(); [om_udp.c:279/om_udp_connect()] apr_sockaddr_info failed for Myhost.mydomain.XX:12235; The requested name is valid, but no data of the requested type was found.
2017-11-27 08:02:40 DEBUG worker 2 processing event 0x27a5078
2017-11-27 08:02:40 DEBUG PROCESS_EVENT: DATA_AVAILABLE (eventlogOUT)
2017-11-27 08:02:40 DEBUG om_udp_write
2017-11-27 08:02:40 DEBUG module eventlogOUT is not running, not reading any more data
2017-11-27 08:02:40 DEBUG worker 2 waiting for new event
2017-11-27 08:02:40 DEBUG executing statements
My nxlog.conf looks like this:

# Nxlog.conf
# Created: 10/12/2017 15:21:54
LogLevel DEBUG
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

# Include plug-in directory
include %ROOT%\conf\add-on\*.conf

and I have an include file for the eventlog that looks like this:

<Input eventlogIN>
    Module  im_msvistalog
</Input>

<Output eventlogOUT>
    Module      om_udp
    Host        myhost.mydomain.xx
    Port        12235
    OutputType  GELF
</Output>

<Route eventlog>
    Path  eventlogIN => eventlogOUT
</Route>
Has anyone seen this before or got some ideas?
mats created
Hello community, I have to collect Security logs from a Windows Server 2003. Sometimes I get the following errors:
2017-11-22 09:03:52 INFO nxlog-ce-2.9.1504 started
2017-11-22 09:03:52 INFO connecting to siem.nutrition.lan:1514
2017-11-22 09:03:52 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 1 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:03:54 INFO Successfully reopened Security EventLog
2017-11-22 09:03:54 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 2 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:03:57 INFO Successfully reopened Security EventLog
2017-11-22 09:03:57 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 4 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:04:02 INFO Successfully reopened Security EventLog
2017-11-22 09:04:02 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 8 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:04:11 INFO Successfully reopened Security EventLog
2017-11-22 09:04:11 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 16 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
Here is my config file:

define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

############################
# EXTENSION
############################
# Enable json extension
<Extension json>
    Module  xm_json
</Extension>

# Enable syslog extension
<Extension syslog>
    Module  xm_syslog
</Extension>

# Enable conversion module
<Extension charconv>
    Module              xm_charconv
    AutodetectCharsets  utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>

############################
# INPUT
############################
# Nxlog internal logs
<Input internal>
    Module  im_internal
    Exec    to_json();
</Input>

# Windows Event Log for 2003 server
<Input eventlog2003>
    # Module for Windows 2003 server
    Module   im_mseventlog
    Sources  Security
    Exec     $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec     convert_fields("AUTO", "utf-8");
    Exec     $Message = to_json(); to_syslog_bsd();
</Input>

############################
# OUTPUT
############################
<Output siem>
    Module  om_tcp
    Host    collector.company.com
    Port    1514
</Output>

<Route 1>
    Path  eventlog2003, internal => siem
</Route>
iksef created
kevin created
Hi,
I have NXLog (nxlog-ce-2.9.1716) deployed to over 100 Windows servers to send Windows events to Graylog, and it's working fantastically on all but one server, our main file server. On this one server, the same 5145 events seem to be repeated up to 19 times. From what I can see, they are identical in Graylog but don't appear duplicated on the file server. The only difference I can see is the volume of events (by design we need to see file access successes as well as failures, and have ABE enabled, so we see up to 170k events per min).
We don't see the issue on any other server. I have implemented the no-repeat module (config below) but still no joy. Any suggestions or advice welcome, please?

# NXLog configuration file. See the nxlog reference manual for more info
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input in>
    # Use 'im_mseventlog' for Windows XP and 2003
    Module  im_msvistalog
    # Drop noisy event IDs, otherwise map the event type to a syslog severity
    Exec    if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or \
                $EventID == 4304 or $EventID == 5004 or $EventID == 5156) drop(); \
            else \
            { \
                if ( $EventType == "INFO" )    $SyslogSeverityValue = 6; \
                if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4; \
                if ( $EventType == "ERROR" )   $SyslogSeverityValue = 3; \
            }
</Input>

<Processor norepeat>
    Module       pm_norepeat
    CheckFields  Hostname, SourceName, Message
</Processor>

<Output out>
    Module      om_udp
    # Our Graylog server
    Host        [our graylog server]
    Port        12201
    OutputType  GELF
</Output>

<Route 1>
    Path  in => norepeat => out
</Route>
sticks221 created
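An added example, my own Python and not code from the post above nor NXLog's pm_norepeat implementation, contrasting two ways of suppressing the repeated 5145 events over constructed Security-log records. The first keeps an event only if it differs from the immediately preceding one on the listed fields, which is the syslog "last message repeated n times" model and, as I read the pm_norepeat documentation, the model that module follows. The second keys on the event log record number within a sliding window, so a record that is delivered twice is dropped while two genuinely distinct accesses that happen to produce identical message text are both kept. The record layout and field names (Hostname, SourceName, RecordNumber, EventID, Message) are assumptions modelled on the fields im_msvistalog exposes; the sample events are constructed.

```python
"""Duplicate suppression for Windows Security events (constructed sample data)."""
from collections import OrderedDict
from typing import Dict, Iterable, List, Sequence, Tuple

Event = Dict[str, object]


def mk(record: int, event_id: int, message: str) -> Event:
    """Build a record with the fields im_msvistalog exposes (assumed layout)."""
    return {"Hostname": "FS01", "SourceName": "Microsoft-Windows-Security-Auditing",
            "EventID": event_id, "RecordNumber": record, "Message": message}


# Constructed sample: record 1001 delivered three times, then a distinct access
# (record 1002) whose text is identical, then an unrelated logon event.
SHARE_MSG = ("A network share object was checked to see whether client can be "
             "granted desired access. Share Name: \\\\*\\Finance")
SAMPLE_EVENTS: List[Event] = [
    mk(1001, 5145, SHARE_MSG), mk(1001, 5145, SHARE_MSG), mk(1001, 5145, SHARE_MSG),
    mk(1002, 5145, SHARE_MSG),
    mk(1003, 4624, "An account was successfully logged on."),
]


def drop_consecutive_repeats(
        events: Iterable[Event],
        check_fields: Sequence[str] = ("Hostname", "SourceName", "Message")) -> List[Event]:
    """Keep an event unless it equals the immediately preceding one on check_fields.
    This is the syslog 'last message repeated n times' model: it collapses runs of
    identical text, so it also swallows a new record that merely reads the same."""
    kept: List[Event] = []
    last: Tuple[object, ...] = ()
    for ev in events:
        key = tuple(ev[f] for f in check_fields)
        if key != last:
            kept.append(ev)
        last = key
    return kept


class RecordDeduplicator:
    """Drop an event if its (Hostname, RecordNumber) was seen within the last
    `window` distinct records. RecordNumber is unique per log on a host, so a
    record delivered twice is dropped while two different records with identical
    Message text are both kept."""

    def __init__(self, window: int = 10000) -> None:
        self.window = window
        self._seen: "OrderedDict[Tuple[str, int], None]" = OrderedDict()

    def is_duplicate(self, ev: Event) -> bool:
        key = (str(ev["Hostname"]), int(ev["RecordNumber"]))  # type: ignore[call-overload]
        if key in self._seen:
            return True
        self._seen[key] = None
        if len(self._seen) > self.window:
            self._seen.popitem(last=False)   # evict the oldest key
        return False

    def filter(self, events: Iterable[Event]) -> List[Event]:
        return [ev for ev in events if not self.is_duplicate(ev)]


if __name__ == "__main__":
    print("consecutive:", [e["RecordNumber"] for e in drop_consecutive_repeats(SAMPLE_EVENTS)])
    print("by record:  ", [e["RecordNumber"] for e in RecordDeduplicator().filter(SAMPLE_EVENTS)])
```

On the sample the consecutive model returns records 1001 and 1003 only, because 1002 is textually identical to the 1001 before it; the record-keyed model returns 1001, 1002 and 1003. For a file server auditing share access this matters: losing 1002 means losing a real access event, so if duplicates really are re-deliveries of one record, the record number rather than the message text is the field to suppress on.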
I am attempting to use NXLog in conjunction with Graylog's Sidecar Collector to send data to my Graylog server. I have been able to successfully telnet to my Graylog server through port 5044, so I know it is not a firewall issue, yet I keep getting these errors in my NXLog error log:
2017-11-08 14:37:09 ERROR om_tcp detected a connection error;Connection reset by peer
2017-11-08 14:37:25 ERROR om_tcp detected a connection error;End of file found
And nothing is being received by my Graylog server.
Here is my generated NXLog configuration:

define ROOT /usr/bin

<Extension gelf>
    Module  xm_gelf
</Extension>

User   nxlog
Group  nxlog

Moduledir  /usr/libexec/nxlog/modules
CacheDir   /var/spool/collector-sidecar/nxlog
PidFile    /var/run/graylog/collector-sidecar/nxlog.pid

define LOGFILE /var/log/graylog/collector-sidecar/nxlog.log
LogFile   %LOGFILE%
LogLevel  DEBUG

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When  @daily
        Exec  file_cycle('%LOGFILE%', 7);
    </Schedule>
</Extension>

<Input 59fcda86ccba8e2573422cb4>
    Module        im_file
    File          '/var/log/httpd/syriac_access_log'
    PollInterval  1
    SavePos       True
    ReadFromLast  True
    Recursive     True
    RenameCheck   False
    Exec          $FileName = file_name(); # Send file name with each message
</Input>

<Output 59fcda56ccba8e2573422c80>
    Module      om_tcp
    Host        graylog.library.vanderbilt.edu
    Port        5044
    OutputType  GELF_TCP
    Exec        $short_message = $raw_event; # Avoids truncation of the short_message field.
    Exec        $gl2_source_collector = '485f3ca7-ca1e-4959-be00-117a50e2b1db';
    Exec        $collector_node_id = 'graylog-collector-sidecar';
    Exec        $Hostname = hostname_fqdn();
</Output>

<Route route-0>
    Path  59fcda86ccba8e2573422cb4 => 59fcda56ccba8e2573422c80
</Route>
I would appreciate any advice or guidance. Thank you!
jmcgranahan created
Hello,
I have what I think is a fairly straightforward situation. I'm running queries against an MS-SQL server to retrieve data every 5 minutes. The wrinkle is that I am using unixODBC from an Ubuntu 16.04 machine with nxlog to do this. I'm able to retrieve all of the data once on a fresh install of nxlog. However, I'm not seeing new data every 5 minutes, and I'm certain there should be more data as our SQL source is continually writing new entries...
My input section has a fairly complicated query...
avhk created
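An added example, my own Python rather than the poster's query or NXLog's ODBC input: a polling loop against an in-memory SQLite table standing in for the MS-SQL source. It keeps a high-water mark from the previous poll and selects only rows above it, so the first poll returns the backlog and later polls return only what was inserted since. It assumes the source table has a monotonically increasing key column (here `id`) and that the mark is persisted between runs; the table, column and row contents are constructed for the example.

```python
"""Incremental polling of a SQL table with a persisted high-water mark."""
import sqlite3
from typing import Dict, List, Tuple

Row = Tuple[int, str, str]   # (id, created_at, message)

# Constructed stand-in for the MS-SQL source table.
SETUP_SQL = """
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    created_at TEXT NOT NULL,
    message    TEXT NOT NULL
);
"""

# The query carries a lower bound on the key, so each poll returns only rows
# inserted after the last one already retrieved.
POLL_SQL = "SELECT id, created_at, message FROM audit_log WHERE id > ? ORDER BY id LIMIT ?"


class Poller:
    def __init__(self, conn: sqlite3.Connection, last_id: int = 0) -> None:
        self.conn = conn
        self.last_id = last_id            # high-water mark; persist this between runs

    def poll(self, batch_limit: int = 1000) -> List[Row]:
        rows = self.conn.execute(POLL_SQL, (self.last_id, batch_limit)).fetchall()
        if rows:
            self.last_id = rows[-1][0]    # advance only once rows are in hand
        return rows


def insert(conn: sqlite3.Connection, created_at: str, message: str) -> None:
    conn.execute("INSERT INTO audit_log (created_at, message) VALUES (?, ?)",
                 (created_at, message))
    conn.commit()


def demo() -> Dict[str, int]:
    """Run a few polls around new inserts and report how many rows each returned."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    insert(conn, "2017-11-28 12:00:00", "login ok   user=alice")
    insert(conn, "2017-11-28 12:00:05", "login fail user=bob")
    p = Poller(conn)
    first = p.poll()                       # backlog: 2 rows
    second = p.poll()                      # nothing new yet
    insert(conn, "2017-11-28 12:05:01", "privilege change user=carol")
    third = p.poll()                       # just the new row
    # A poller restarted from the saved mark sees nothing new; one restarted
    # from zero re-reads everything, which is how duplicates get produced.
    resumed = Poller(conn, last_id=p.last_id).poll()
    fresh = Poller(conn).poll()
    return {"first": len(first), "second": len(second), "third": len(third),
            "resumed": len(resumed), "fresh": len(fresh), "last_id": p.last_id}


if __name__ == "__main__":
    print(demo())
```

The two things to check against a real source are that the bound column really is monotonic (an `id` that is reused, or a timestamp column with ties at the boundary, will silently skip rows) and that the mark is only advanced after the batch has been handed off, otherwise a crash between the query and the write loses that batch.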
xm_perl provides enhanced capabilities to run scripts that can enhance the logs/events that are generated. Is there an expected release soon that will include this functionality for the Windows version?
jbhilton11 created
Hello,
could someone point me in the direction of how to configure nxlog enterprise with kafka topic subscriptions for pub/sub?
I have only seen mention of the capability, but no specifics or connector.
Thank you,
Rob
rbardo created
Yet the source code for this module is present in the (relatively old) source .tar.gz.
- Should the .debs contain im_msvistalog.so?
- Is there a plan to release newer sources? If we use nxlog I'd prefer to deploy on Alpine Linux
- Is there a way to search the forum? I'm sure these questions have been asked already
Thanks!
smckown created
Hi, I am using the nxlog-ce-2.9.1716-1_rhel7.x86_64.rpm and I have the following conf:

<Output graylogout>
    Module      om_udp
    Host        somehost.com
    Port        12201
    OutputType  GELF
</Output>

If I do "host somehost.com", it returns 2 IPs in different orders:
$> host somehost.com
X.X.X.X
Y.Y.Y.Y
$> host somehost.com
Y.Y.Y.Y
X.X.X.X
But nxlog always sends messages to only one host (X.X.X.X). Does nxlog do a DNS request only once? If that is the case, how do I balance the traffic?
alexjck created
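An added example, my own Python and not how om_udp or om_tcp are implemented, covering both this post and the earlier one whose om_udp output stopped after apr_sockaddr_info failed following a network resume. The sender re-resolves the destination name on every send rather than once at startup, rotates through every address the resolver returns so round-robin DNS actually spreads the load, and on a resolution failure retries with exponential backoff instead of stopping. The resolver, sleep and transport are injectable so the demo runs offline; the hostname, addresses and the failing-then-recovering resolver are constructed.

```python
"""Resolve the destination on every send, rotate through all answers, retry on failure."""
import socket
import time
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str, int], List[str]]
Transport = Callable[[bytes, Tuple[str, int]], None]


def system_resolver(host: str, port: int) -> List[str]:
    """All IPv4 addresses for host, in resolver order (raises socket.gaierror)."""
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_INET, socket.SOCK_DGRAM):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


class RotatingSender:
    """UDP sender that re-resolves per send, spreads sends over every address the
    name resolves to, and backs off instead of giving up when resolution fails."""

    def __init__(self, host: str, port: int, resolver: Resolver = system_resolver,
                 max_attempts: int = 5, backoff_s: float = 1.0,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.host, self.port = host, port
        self.resolver, self.sleep = resolver, sleep
        self.max_attempts, self.backoff_s = max_attempts, backoff_s
        self._next_index = 0                  # rotation position, kept across sends
        self.attempts_log: List[str] = []

    def pick_address(self) -> str:
        delay = self.backoff_s
        for attempt in range(1, self.max_attempts + 1):
            try:
                # Sort so that answers arriving in varying order still rotate
                # evenly instead of always landing on whichever came first.
                addrs = sorted(self.resolver(self.host, self.port))
            except OSError as exc:            # socket.gaierror is a subclass of OSError
                self.attempts_log.append(f"attempt {attempt}: resolve failed: {exc}")
                if attempt == self.max_attempts:
                    raise
                self.sleep(delay)
                delay = min(delay * 2, 60.0)
                continue
            if not addrs:
                raise socket.gaierror(f"{self.host} resolved to no IPv4 address")
            addr = addrs[self._next_index % len(addrs)]
            self._next_index += 1
            self.attempts_log.append(f"attempt {attempt}: using {addr}")
            return addr
        raise RuntimeError("unreachable")

    def send(self, payload: bytes, transport: Optional[Transport] = None) -> str:
        """Send one datagram and return the address used; transport is injectable."""
        addr = self.pick_address()
        if transport is None:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sk:
                sk.sendto(payload, (addr, self.port))
        else:
            transport(payload, (addr, self.port))
        return addr


if __name__ == "__main__":
    # Offline demo: a constructed resolver that fails twice (as after a network
    # resume) and then returns two A records in alternating order.
    calls = [0]

    def fake_resolver(host: str, port: int) -> List[str]:
        calls[0] += 1
        if calls[0] <= 2:
            raise socket.gaierror("requested name is valid but no data of the requested type was found")
        return ["10.0.0.2", "10.0.0.1"] if calls[0] % 2 else ["10.0.0.1", "10.0.0.2"]

    s = RotatingSender("siem.example.invalid", 12201, resolver=fake_resolver,
                       backoff_s=0.01, sleep=lambda _s: None)
    print([s.send(b"{}", transport=lambda _p, _a: None) for _ in range(4)])
    print("\n".join(s.attempts_log))
```

Two caveats for real use: spreading UDP datagrams across two collectors only balances load if both accept the same stream (GELF chunked messages must land on one receiver), and a resolver that answers but returns an address the host cannot reach still needs a send-level failover, which this example does not attempt.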
Hello,
Does NXlog provide a classification taxonomy or is classification up to the customer?
Do you have recommended taxonomies?
Thank you.
Doron.Keller created
Hello,
I would like to forward logs generated by Hyper-V.
In Event Viewer they are under Applications and Services Logs -> Microsoft -> Windows -> Hyper-V-*.
I tried to add a query in the input configuration but I didn't manage to find the correct path to configure.
I tried several paths but each time I get the error "the channel was not found".

    Query  <QueryList> \
               <Query Id="0"> \
                   <Select Path="Security">*</Select> \
                   <Select Path="Hyper-V-logs">*</Select> \
               </Query> \
           </QueryList>
</Input>

What should I put instead of Hyper-V-logs to send the Hyper-V logs?
Can someone help me?
Regards,
rc created