Offline caching not working as expected
peepers1970 created
Hi,
First time post so please go easy....
I have a simple test Windows 2008 server with nxlog installed with the following config file.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Input file_in>
Module im_file
File 'D:\\01\\syslogtest.txt'
Exec $Message = $raw_event;
SavePos True
ReadFromLast True
</Input>
<Processor file_transformer>
Module pm_transformer
Exec $SourceName = 'offline_testing';
OutputFormat syslog_bsd
</Processor>
<Output file_out>
Module om_udp
Host syslog.domain.com
Port 10000
</Output>
<Route file_route>
Path file_in => file_transformer => file_out
</Route>
I'm sending my logs to a syslog server running syslog-ng.
When the server is available, everything is good. What I write to the local Windows text file appears on the syslog-ng server.
I enable Windows firewall to simulate the syslog-ng server down.
I write to the local Windows text file and nothing appears in syslog-ng. As expected.
I remove the firewall rule and here is where my problem lies. I don't see what was written to the local text file while the syslog-ng was unavailable on the syslog-ng server.
If I start writing to the text file after disabling the firewall, I see the new stuff coming in but not what was written while the syslog server was "offline".
Can anybody help figure out why this is not working as expected?
Regards,
Victor
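Added example (not code from the post above, and not NXLog's own code): a small store-and-forward model of what the missing piece in this pipeline has to do. Records produced while the receiver is unreachable are written to an on-disk spool and replayed, oldest first and exactly once, as soon as a send succeeds again. The Receiver class, its `up` flag standing in for the firewall rule, and the record sequence are all constructed for the demonstration. One fact it relies on: a UDP send never reports that the peer is gone, so a spool like this can only work in front of a transport that fails visibly, such as TCP.

```python
"""Store-and-forward delivery with an on-disk replay spool (constructed example)."""
import json
import os
import tempfile


class Receiver:
    """Stand-in for the remote syslog server; `up` simulates the firewall rule."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, record):
        if not self.up:
            raise ConnectionError("receiver unreachable")
        self.received.append(record)


class SpoolingSender:
    """Delivers records to `receiver`; anything undeliverable goes to a spool file."""

    def __init__(self, receiver, spool_path):
        self.receiver = receiver
        self.spool_path = spool_path

    def _spool_append(self, record):
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(record) + "\n")

    def _spool_drain(self):
        """Replay spooled records oldest-first. Stop at the first failure and
        rewrite the remainder, so nothing is lost and nothing is sent twice.
        Returns True when the spool is empty afterwards."""
        if not os.path.exists(self.spool_path):
            return True
        with open(self.spool_path, encoding="utf-8") as f:
            pending = [json.loads(line) for line in f if line.strip()]
        delivered = 0
        for record in pending:
            try:
                self.receiver.send(record)
                delivered += 1
            except ConnectionError:
                break
        remaining = pending[delivered:]
        with open(self.spool_path, "w", encoding="utf-8") as f:
            for record in remaining:
                f.write(json.dumps(record) + "\n")
        return not remaining

    def send(self, record):
        """Send one record, preserving order: a new record never overtakes
        older spooled ones."""
        if not self._spool_drain():
            self._spool_append(record)
            return False
        try:
            self.receiver.send(record)
            return True
        except ConnectionError:
            self._spool_append(record)
            return False


def simulate_outage():
    """Constructed scenario: 2 records online, 3 during an outage, 2 after it.
    Returns the sequence numbers the receiver actually got, in order."""
    receiver = Receiver()
    with tempfile.TemporaryDirectory() as d:
        sender = SpoolingSender(receiver, os.path.join(d, "spool.ndjson"))
        for i in range(1, 3):
            sender.send({"seq": i})
        receiver.up = False          # "firewall on"
        for i in range(3, 6):
            sender.send({"seq": i})  # these land in the spool
        receiver.up = True           # "firewall off"
        for i in range(6, 8):
            sender.send({"seq": i})  # spool drains first, then these go
    return [r["seq"] for r in receiver.received]
```

The spool file is rewritten on every drain, which is simple but not crash-safe between the read and the rewrite; a production spool would append an acknowledgement cursor instead of rewriting the file.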
log was truncated, restarting from beginning problem
alexchen123 created
hello:
The nxlog DEBUG logs are:
section 1
2017-04-24 16:15:40 DEBUG check file: /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log
2017-04-24 16:15:40 DEBUG mtime of file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' changed
2017-04-24 16:15:40 DEBUG file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' was truncated
2017-04-24 16:15:40 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-24 16:15:40 DEBUG file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log already opened
...
section 2
2017-04-24 16:15:42 DEBUG check file: /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log
2017-04-24 16:15:42 DEBUG mtime of file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' changed
2017-04-24 16:15:42 DEBUG file size of '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' increased since last read
2017-04-24 16:15:42 DEBUG file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' has unread data (540975520 > 540709280)
2017-04-24 16:15:42 DEBUG file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log already opened
...
section 3
2017-04-24 16:15:44 DEBUG check file: /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log
2017-04-24 16:15:44 DEBUG mtime of file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' changed
2017-04-24 16:15:44 DEBUG file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' was truncated
2017-04-24 16:15:44 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-24 16:15:44 DEBUG file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log already opened
Sections 2-3 are repeated, and it continues to loop.
Please help to figure out the reasons, thank you!
Cannot parse properly Exchange # lines
Pepper created
I use NXLog to parse the Exchange logs and send them to my Graylog. From time to time, Graylog still receives the line #Software: Microsoft Exchange...
Note that the line is sent once every hour or two.
It seems that the check if $raw_event =~ /^#/ drop(); randomly fails to drop the # line.
Below is part of my config for the input:
<Input in_MSGTRK>
Module im_file
File "\\\\xxxxxxx\\d$\\Exchsvr\\TransportRoles\\Logs\\\MessageTracking\\\\*.log"
SavePos TRUE
ReadFromLast TRUE
Recursive TRUE
CloseWhenIdle TRUE
InputType LineBased
PollInterval 10
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
Exec ParseEXCHANGESMSGTRK->parse_csv();
</Input>
Any clue, help or solution is welcome
CE MIS missing registry entries needed by Ansible's win_package
markhensler created
I'm having issues leveraging Ansible's win_package to perform installs. It seems the CE installer omits the required entries in HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall.
For more info:
https://docs.ansible.com/ansible/latest/win_package_module.html
https://docs.microsoft.com/windows/desktop/Msi/uninstall-registry-key
https://groups.google.com/d/msg/ansible-project/sgT8C55-eqE/S-UkP3HGCgAJ
https://groups.google.com/d/msg/ansible-project/i615RqrZrAs/G8SeGvSQAwAJ
Using om_redis with multiple output servers
davidatpinger created
Hey!
I have a bunch of log data that I'd like to push to a set of redis instances that are used as a queue. In an ideal world, I could use a config like this:
<Output redis-out>
Command LPUSH
Host server1,server2,server3
</Output>
The desired result is that nxlog pushes sequential lines to each of the servers in turn - no duplication, just load distribution.
Is there presently a way to do this? I'm thinking I'm likely to end up running through a hardware load-balancer, but it sure would be nice to just do this in nxlog.
Thanks!
New user - Using CentOS to collect Cisco switch logs. No output to file.
twright1 created
I am a first time user of nxlog. I have a fresh install of CentOS. There is nothing on it but the base install, nxlog, netstat, and tcpdump.
I setup a very basic conf file and pointed several switches to the box but I am not getting any output to the log file.
I made sure that nxlog is listening on TCP and UDP 514 with netstat. I also checked to make sure packets were coming to the box with tcpdump.
Here is my nxlog.conf. Any suggestions?
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
define BASEDIR /var/log/nxlog
########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Input udp_in>
Module im_udp
Host 0.0.0.0
Port 514
#Exec parse_syslog();
</Input>
<Input tcp_in>
Module im_tcp
Host 0.0.0.0
Port 514
#Exec parse_syslog();
</Input>
<Output default_fileout>
Module om_file
File "%BASEDIR%/logmsg.txt"
</Output>
########################################
# Routes #
########################################
<Route 1>
Path udp_in, tcp_in => default_fileout
</Route>
savePos frequency
nutzo20 created
What conditions will cause Nxlog to reread the saved position? Is it only on start ups, can tcp forwarding timeouts cause it? Is it on any ERROR?
make_debs.sh doesn't work (Debian Squeeze)
jonast created
Due to package dependency issues when trying to install the Debian package (I was not able to install relevant lib packages like libdbi0 and libperl5.10...), I tried to install the source code package. But this installation doesn't work either:
root@###:/home/### nxlog-ce-2.8.1248/packaging/debian/make_debs.sh
nxlog-ce-2.8.1248/packaging/debian/make_debs.sh: 44: ./version.sh: not found
control.Debian-squeeze not found, using control.default to build package
cp: cannot stat 'control.default': No such file or directory
cat: changelog.skel: No such file or directory
nxlog-ce-2.8.1248/packaging/debian/make_debs.sh: 44: dpkg-buildpackage: not found
Can anybody help me? Thanks! :)
Filtering Messages From nxlog.conf
LogMaster created
Hello -
I've been trying to figure this out for a few days, and it just isn't working. I want to allow certain messages by EventID, disallow all other INFO and DEBUG messages, but also allow all other ERRORs.
What I would like to end up with is: the cherry-picked EventIDs (a collection of INFO, ERROR, WARNING), and all error messages. Every time I add a filter by SEVERITY it seems to change the dynamic of the filter.
Any tips? Below is what my config currently looks like; I'm just getting the EventIDs which I want, but I'm not getting all ERROR messages.
----------------------------
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
Exec if ($EventID == 624 or $EventID == 630 or $EventID == 631 or $EventID == 634 or $EventID == 635 or $EventID == 638 or $EventID == 658 or $EventID == 662 or $EventID == 4624 or $EventID == 4625 or $EventID == 4720 or $EventID == 4726 or $EventID == 4727 or $EventID == 4728 or $EventID == 4729 or $EventID == 4730 or $EventID == 4731 or $EventID == 4732 or $EventID == 4733 or $EventID == 4734 or $EventID == 4735 or $EventID == 4737 or $EventID == 4740 or $EventID == 4741 or $EventID == 4742 or $EventID == 4743 or $EventID == 4754 or $EventID == 4755 or $EventID == 4756 or $EventID == 4757 or $EventID == 4758 or $EventID == 4764 or $EventID == 4767);\
else drop();
</Input>
<Output out>
Module om_udp
Host log.myserver.org
Port 5414
OutputType GELF
</Output>
<Route 1>
Path in => out
</Route>
Multiple wildcards in "Path to Logfile"
Lee.Halford created
I'm having trouble creating a file input for multiple windows servers for monitoring weblogic log files for multiple nodes.
The folders are in the following format:
Server1
E:\logs\node1\node1.log100
E:\logs\node2\node2.log100
Server2
E:\logs\node3\node3.log100
E:\logs\node4\node4.log100
etc
So I'm trying to put in the following:
C:\\logs\\node*\\node*.log*
But it doesn't work. Has anyone else had to overcome this problem before?
Error in the nxlog.log:
ERROR failed to open directory: E:\\logs\\node*\: The filename, directory name, or volume label syntax is incorrect.
hello, the problem about *.log was truncated, restarting from beginning
alexchen123 created
the log:
2017-04-01 10:08:29 INFO nxlog-ce-2.8.1248 started
2017-04-01 10:10:18 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:28 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:32 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:36 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:42 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:48 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:54 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:14 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:22 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:30 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:46 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:52 INFO last message repeated 2 times
2017-04-01 10:11:58 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
How to adjust the command in nxlog.conf? Thanks.
My nxlog.conf:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine /^\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}/
</Extension>
<Input oerrorin1>
Module im_file
File '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log'
InputType multiline
SavePos TRUE
ReadFromLast FALSE
</Input>
<Output udpout>
Module om_udp
Host XXXXXXXXX
Port 514
</Output>
########################################
# Routes #
########################################
<Route 1>
Path oerrorin1 => udpout
</Route>
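Added example (not from either of the two alert_testdb.log posts above, and not NXLog code) showing the bookkeeping behind the "was truncated, restarting from beginning" message: a tailer that saves (inode, offset), treats a file size below the saved offset as truncation and restarts at 0, treats an inode change as rotation, and leaves a partial trailing line unread until its newline arrives so a line-based or multiline reader never emits half a record. The file contents and the truncate/rotate sequence are constructed for the demonstration.

```python
"""Position-saving file tailer that detects truncation and rotation (constructed example)."""
import os
import tempfile


class Tailer:
    def __init__(self, path):
        self.path = path
        self.inode = None
        self.offset = 0          # the "saved position"
        self.events = []         # diagnostics, mirroring nxlog's INFO/DEBUG lines

    def poll(self):
        """Read every complete new line since the last poll and return them."""
        st = os.stat(self.path)
        if self.inode is None:
            self.inode = st.st_ino
        elif st.st_ino != self.inode:
            self.events.append("rotated")          # a new file at the same path
            self.inode, self.offset = st.st_ino, 0
        if st.st_size < self.offset:
            self.events.append("truncated")        # file shrank below our offset
            self.offset = 0
        lines = []
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            while True:
                line = f.readline()
                if not line.endswith(b"\n"):
                    break  # incomplete line: wait for the writer to finish it
                lines.append(line.rstrip(b"\r\n").decode("utf-8", "replace"))
                self.offset = f.tell()  # only advance past complete lines
        return lines


def demo():
    """Constructed scenario: append (with a partial line), truncate in place, rotate."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "alert.log")
        with open(path, "w") as f:
            f.write("line1\nline2\n")
        t = Tailer(path)
        first = t.poll()
        with open(path, "a") as f:
            f.write("line3\npartial")              # "partial" has no newline yet
        second = t.poll()
        with open(path, "w") as f:                  # truncate and rewrite
            f.write("new1\n")
        third = t.poll()
        os.replace(path, path + ".1")               # rotate: new inode at `path`
        with open(path, "w") as f:
            f.write("fresh1\n")
        fourth = t.poll()
        return first, second, third, fourth, t.events
```

The size-based check has a well-known blind spot: a file truncated and regrown past the saved offset between two polls looks like normal growth, and the reader silently skips the new prefix. Tracking inode plus offset catches rotation but not that case; a tailer that must not miss data needs a short poll interval or a content check (for example, re-reading the last consumed line) as well.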
How to adjust data size limit
Mr_M_Cox created
Hi all,
I am getting the following error within the NXLog CE log -
2017-04-06 16:37:53 ERROR data size (65080) is over the limit (65000), will be truncated
I have seen the 'BufferSize' command but that just breaks the .conf.
How can I go about increasing this limit?
Thanks.
Event Logs / Json / Unable to parse at the other end
jonapich created
While not systematic, nxlog often sends partial JSON strings over its TCP output. The receiving end is unable to parse it.
The client configuration looks like this:
<Extension json>
Module xm_json
</Extension>
<Input eventlogs_json>
Module im_msvistalog
Exec delete($Keywords);
Exec delete($EventReceivedTime);
Exec delete($SourceModuleName);
Exec delete($SourceModuleType);
Exec $Environment = "development";
Exec to_json();
</Input>
Here's an example truncated log. There are 2 opening brackets but only 1 closing one. And there's a weird \r in there too at the end.
"{\"EventTime\":\"2017-04-06 13:39:31\",\"Hostname\":\"redacted\",\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":40962,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":4,\"OpcodeValue\":2,\"RecordNumber\":1206682,\"ActivityID\":\"{792C42B9-9C21-0001-F1DE-3079219CD201}\",\"ProcessID\":15728,\"ThreadID\":30916,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":{\"EventTime\":\"2017-04-06 13:39:30\",\"Hostname\":\"redacted\",\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":400,\"SourceName\":\"PowerShell\",\"Task\":4,\"RecordNumber\":2672,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Windows PowerShell\",\"Message\":\"Engine state is changed from None to Available. \\r\\n\\r\\nDetails: \\r\\n\\tNewEngineState=Available\\r\\n\\tPreviousEngineState=None\\r\\n\\r\\n\\tSequenceNumber=13\\r\\n\\r\\n\\tHostName=ConsoleHost\\r\\n\\tHostVersion=4.0\\r\\n\\tHostId=6fc80cc3-85e0-4c9a-a437-1c05ddec479d\\r\\n\\tHostApplication=powershell.exe -command ($(Invoke-WebRequest http://127.0.0.1:redacted/fullstatus -UseBasicParsing).Content | ConvertFrom-Json).\\\"Status\\\"\\r\\n\\tEngineVersion=4.0\\r\\n\\tRunspaceId=cf67d6e2-814b-4d76-82cc-b138ceb2e122\\r\\n\\tPipelineId=\\r\\n\\tCommandName=\\r\\n\\tCommandType=\\r\\n\\tScriptName=\\r\\n\\tCommandPath=\\r\\n\\tCommandLine=\",\"Category\":\"Engine Lifecycle\",\"Opcode\":\"Info\",\"Environment\":\"development\"}\r"
I was able to parse it in Python after removing \r and adding an extra }.
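Added example (not the poster's code, nor NXLog's, nor the receiver's): how a TCP receiver should frame newline-delimited JSON. TCP hands the application byte chunks, not messages, so the reader buffers until a newline, strips a trailing \r, and only then parses; a line that still fails to parse (like the record quoted above, whose first object is cut off with a second object nested inside it) is quarantined with the reason rather than breaking the stream. The chunk boundaries and the two records below are constructed to split one good record across two reads and follow it with a truncated one.

```python
"""Newline-delimited JSON framing for a TCP receiver (constructed example)."""
import json


class NdjsonReader:
    MAX_RECORD = 1 << 20  # constructed limit: discard an unterminated "line" past 1 MiB

    def __init__(self):
        self.buf = b""
        self.records = []
        self.bad = []  # (reason, raw_line) pairs kept for inspection

    def feed(self, chunk):
        """Consume one TCP read; every complete line becomes a parsed record."""
        self.buf += chunk
        while True:
            nl = self.buf.find(b"\n")
            if nl < 0:
                if len(self.buf) > self.MAX_RECORD:
                    self.bad.append(("oversize", self.buf[:64]))
                    self.buf = b""
                return
            line, self.buf = self.buf[:nl], self.buf[nl + 1:]
            self._handle_line(line.rstrip(b"\r"))  # tolerate CRLF senders

    def _handle_line(self, line):
        if not line:
            return
        try:
            obj = json.loads(line)
        except ValueError as e:  # json.JSONDecodeError is a ValueError
            self.bad.append((f"invalid json: {e}", line))
            return
        if not isinstance(obj, dict):
            self.bad.append(("not an object", line))
            return
        self.records.append(obj)


def demo():
    """Constructed stream: one good record split across reads, then a truncated one."""
    good = json.dumps({"EventID": 400, "Channel": "Windows PowerShell"}).encode()
    truncated = b'{"EventID":40962,"Domain":{"EventID":400,"Message":"x"}'  # final } missing
    chunks = [good[:10], good[10:] + b"\r\n" + truncated[:5], truncated[5:] + b"\r\n"]
    reader = NdjsonReader()
    for chunk in chunks:
        reader.feed(chunk)
    return reader.records, [reason.split(":")[0] for reason, _ in reader.bad]
```

A receiver can detect a record the sender cut short, as here, but cannot repair it; the quarantined raw line is what you hand to whoever owns the sender.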
How parse XML file with multilines (Nessus report)
ilovegraylog created
Hi guys,
I wanted to use NXLog to send data from a XML file into GrayLog.
My first test worked fine with a simple XML file. But with a Nessus report (in XML) it doesn't work, because this file is more complex. Do you have an example nxlog.conf configuration to help me?
My current nxlog.conf:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine /^<event>/
EndLine /^</event>/
</Extension>
<Extension xmlparser>
Module xm_xml
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input in>
Module im_file
File "C:\Program Files\Graylog\collector-sidecar\generated\exempleFichier.xml"
SavePos FALSE
ReadFromLast FALSE
InputType multiline
<Exec>
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<event>/ drop();
# Parse the xml event
parse_xml();
# Rewrite some fields
$EventTime = parsedate($timestamp);
delete($timestamp);
delete($EventReceivedTime);
# Convert to JSON
to_json();
</Exec>
</Input>
<Output out>
Module om_udp
Host xx.xx.xx.xx
Port 12201
</Output>
<Route 1>
Path in => out
</Route>
And a (very small) preview of my Nessus file...
<Report name="Scan_Nessus" xmlns:cm="http://www.nessus.org/cm">
<ReportHost name="192.168.1.1"><HostProperties>
<tag name="traceroute-hop-8">192.168.1.1</tag>
<tag name="LastUnauthenticatedResults">1490484150</tag>
<tag name="Credentialed_Scan">false</tag>
<tag name="policy-used">policies_scan</tag>
<tag name="patch-summary-total-cves">1</tag>
<tag name="os">other</tag>
<tag name="system-type">general-purpose</tag>
<tag name="operating-system">CISCO IOS</tag>
<tag name="traceroute-hop-7">?</tag>
<tag name="traceroute-hop-6">192.168.1.1</tag>
<tag name="traceroute-hop-5">192.168.1.2</tag>
<tag name="traceroute-hop-4">192.168.1.3</tag>
<tag name="HOST_END">Sun Mar 26 00:22:30 2017</tag>
<tag name="host-ip">192.168.1.1</tag>
<tag name="HOST_START">Sun Mar 26 00:20:19 2017</tag>
</HostProperties>
<ReportItem port="123" svc_name="ntp" protocol="udp" severity="0" pluginID="10884" pluginName="Network Time Protocol (NTP) Server Detection" pluginFamily="Service detection">
<cpe>cpe:/a:ntp:ntp</cpe>
<description>An NTP server with an insecure configuration is listening on port 123.
It provides information about its version, current date, current time, and possibly system information.</description>
<fname>ntp_open.nasl</fname>
<plugin_modification_date>2017/03/21</plugin_modification_date>
<plugin_name>Network Time Protocol (NTP) Server Detection</plugin_name>
<plugin_publication_date>2015/03/20</plugin_publication_date>
<plugin_type>remote</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.27 $</script_version>
<see_also>http://www.ntp.org</see_also>
<solution>n/a</solution>
<synopsis>An NTP server with an insecure configuration is listening on the remote host.</synopsis>
<plugin_output>
Version : unknown
</plugin_output>
</ReportItem>
Thanks !
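Added example (not the poster's config, not NXLog code, and not Tenable's): a Nessus report is nested (Report > ReportHost > HostProperties and ReportItem), so splitting it into "events" on one tag cannot recover it, but a streaming XML parser can emit one flat record per finding with the host's properties merged in, which is the shape a Graylog-style sink wants. The sample document is constructed, modelled on the fragment in the post with a second, clearly fake finding added; the flattened record layout (host_* keys, attributes, child elements) is this example's own choice.

```python
"""Flatten a Nessus XML report into one record per ReportItem (constructed example)."""
import json
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample, modelled on the fragment in the post. The second
# ReportItem (pluginID 0) is a placeholder, not a real Nessus plugin.
SAMPLE = b"""<?xml version="1.0"?>
<NessusClientData_v2>
<Report name="Scan_Nessus" xmlns:cm="http://www.nessus.org/cm">
<ReportHost name="192.168.1.1"><HostProperties>
<tag name="host-ip">192.168.1.1</tag>
<tag name="operating-system">CISCO IOS</tag>
<tag name="HOST_START">Sun Mar 26 00:20:19 2017</tag>
</HostProperties>
<ReportItem port="123" svc_name="ntp" protocol="udp" severity="0" pluginID="10884"
 pluginName="Network Time Protocol (NTP) Server Detection" pluginFamily="Service detection">
<risk_factor>None</risk_factor>
<plugin_output>
Version : unknown
</plugin_output>
</ReportItem>
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="0"
 pluginName="Constructed example finding" pluginFamily="Misc.">
<risk_factor>Medium</risk_factor>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def iter_findings(xml_bytes):
    """Yield one dict per ReportItem, carrying the enclosing host's properties."""
    host, props = None, {}
    for event, el in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
        if event == "start" and el.tag == "ReportHost":
            host, props = el.get("name"), {}
        elif event == "end" and el.tag == "HostProperties":
            props = {t.get("name"): (t.text or "").strip() for t in el.iter("tag")}
        elif event == "end" and el.tag == "ReportItem":
            rec = {"host": host}
            rec.update({"host_" + k: v for k, v in props.items()})
            rec.update(el.attrib)  # port, svc_name, protocol, severity, pluginID, ...
            for child in el:       # risk_factor, plugin_output, cve, ...
                rec[child.tag] = (child.text or "").strip()
            rec["severity"] = int(rec["severity"])
            yield rec
            el.clear()             # keep memory flat on multi-hundred-MB reports
        elif event == "end" and el.tag == "ReportHost":
            el.clear()


def to_json_lines(xml_bytes):
    """One JSON object per line, ready for a newline-delimited TCP or GELF sender."""
    return [json.dumps(r, sort_keys=True) for r in iter_findings(xml_bytes)]


def demo():
    return [(r["host"], r["pluginID"], r["severity"], r["host_operating-system"])
            for r in iter_findings(SAMPLE)]
```

Because the records are produced from the XML tree rather than from line boundaries, multi-line elements such as plugin_output come through intact, and the same function works for a report with thousands of hosts.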
Unusual Mulitline Error message
smythmark created
Seeing the following errors in the logs on a WIN 2008 R2 machine. Not 100% sure why, but it seems to happen intermittently; I can't seem to correlate it with log file rotations or anything like that.
2017-03-31 12:46:52 ERROR if-else failed at line 10, character 39 in C:\Program Files (x86)\nxlog/conf/app_log/application_log_multiline_extensions.conf. statement execution has been aborted; binary operation failed at line 10, character 36 in C:\Program Files (x86)\nxlog/conf/app_log/application_log_multiline_extensions.conf. expression evaluation has been aborted; missing logdata, no field available in this context at line 10, character 19 in C:\Program Files (x86)\nxlog/conf/app_log/application_log_multiline_extensions.conf. operation possibly after drop()
When it starts to appear it always happens at the exact same second of a given minute, but the number of minutes in between each error seems somewhat random
ie.
2017-03-31 10:37:42 ERROR if-else failed at line 16...
2017-03-31 10:40:42 ERROR if-else failed at line 16 ...
2017-03-31 10:41:42 ERROR if-else failed at line 16...
Config would be similar to below.
<Extension app_log_multiline>
Module xm_multiline
HeaderLine /.*\[\d\d \w\w\w \d\d\d\d/
Exec if $raw_event =~ /^\s*$/ drop();
</Extension>
<Input in_app_log_files>
Module im_file
File '%APP_LOGS_DIR%\server_error.log'
SavePos TRUE
ReadFromLast TRUE
InputType app_log_multiline
PollInterval 5
DirCheckInterval 60
CloseWhenIdle TRUE
<Exec>
$Environment = "%ENVIRONMENT_TAG%";
$Application = "%APP_TAG%";
$Service = "%SERVICE_TAG%";
</Exec>
</Input>
N00b questions
James.McLaren created
OK, first cry for help. I've an install that I have inherited from a colleague - until four days ago I had never seen nxlog - and it has caused some performance issues.
The issue is that the problems are occurring on VDIs on a cloud infrastructure. The cloud provider (a local operation, not one of the big boys like Amazon and Azure) says that they keep seeing machines suddenly taking large amounts of memory for periods of up to 5 minutes. This stops new processes being created (so you can't start Task Manager to identify which process is hogging the memory), and in some cases it locks the VDI up so that the user has to be moved off it. The cloud providers are saying that this was not a problem before nxlog was installed at the start of the week.
(However, the reason my colleague installed it is that the infrastructure has been attacked and there's at least some indication of compromise: so we are logging it to track any possible misuse.)
Am I right in thinking that adding a sleep statement to the conf file (which the documentation describes as a kind of poor man's rate limiting), passing the conf file out to all the instances on the individual VDIs, and then restarting services, should alleviate this? Or need I look elsewhere for the problem?
Like I said, please make allowances for n00b status..
J
change rotate file name with file_cycle
Savane created
Hello :),
I do a file rotation when my log size is exceeded, using 'file_cycle'.
I have something like this:
Exec if outUDP->file_size() > 10k \
{ \
log_info('size exceeded'); \
file_cycle(%LOGDIR% + $programSource + '\\' + get_var('date') + '.log'); \
outUDP->reopen(); \
}
So my log paths are:
C:\logs\programA\20170329.log
C:\logs\programA\20170329.log.1
C:\logs\programA\20170329.log.2
C:\logs\programB\20170329.log.1
C:\logs\programB\20170329.log.2
But I wanted something more like:
C:\logs\programA\20170329.log
C:\logs\programA\20170329.1.log
C:\logs\programA\20170329.2.log
C:\logs\programB\20170329.1.log
C:\logs\programB\20170329.2.log
I wanted to do it myself using 'rotate_to' instead of 'file_cycle'.
The problem is that if nxlog restarts, I need it to continue the file rotation without overwriting the files that already exist. I can't check if C:\logs\programA\20170329.1.log exists, then C:\logs\programA\20170329.2.log, until I find the last one...
Is it possible to change it using 'file_cycle'? Or do you have another idea?
Thanks :)
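Added example (not the poster's config and not an NXLog API): the restart problem above goes away if the rotation never trusts a remembered counter. Instead it scans the directory for files already matching <date>.N.log, takes max(N)+1, and reserves the target with O_CREAT|O_EXCL so that a second rotation (or a second process) can never silently overwrite a finished log. The stem name, directory and "batch" contents below are constructed for the demonstration.

```python
"""Restart-safe rotation naming: <stem>.log -> <stem>.N.log (constructed example)."""
import os
import re
import tempfile


def next_index(log_dir, stem):
    """Return 1 + the highest N among '<stem>.N.log' files already in log_dir."""
    pat = re.compile(r"^%s\.(\d+)\.log$" % re.escape(stem))
    highest = 0
    for name in os.listdir(log_dir):
        m = pat.match(name)
        if m:
            highest = max(highest, int(m.group(1)))
    return highest + 1


def rotate(log_dir, stem):
    """Rename '<stem>.log' to the next free '<stem>.N.log' and return that name.

    The reservation step fails with FileExistsError if someone took the index
    between our scan and our open; we then simply rescan and try the next one.
    """
    src = os.path.join(log_dir, stem + ".log")
    if not os.path.exists(src):
        raise FileNotFoundError(src)
    while True:
        n = next_index(log_dir, stem)
        dst = os.path.join(log_dir, f"{stem}.{n}.log")
        try:
            fd = os.open(dst, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
        except FileExistsError:
            continue
        os.close(fd)
        os.replace(src, dst)  # the placeholder at dst is ours, so replacing it loses nothing
        return os.path.basename(dst)


def demo():
    """Constructed scenario: three rotations, then a gap in the numbering
    (as if another writer or an earlier run left '<stem>.7.log'), then a
    fourth rotation that must not reuse or overwrite anything."""
    with tempfile.TemporaryDirectory() as d:
        stem = "20170329"
        names = []
        for i in range(3):
            with open(os.path.join(d, stem + ".log"), "w") as f:
                f.write(f"batch {i}\n")
            names.append(rotate(d, stem))
        open(os.path.join(d, stem + ".7.log"), "w").close()
        with open(os.path.join(d, stem + ".log"), "w") as f:
            f.write("batch 3\n")
        names.append(rotate(d, stem))
        contents = {}
        for n in names:
            with open(os.path.join(d, n)) as f:
                contents[n] = f.read().strip()
        return names, contents
```

Because the state lives in the directory listing rather than in the process, a restart changes nothing: the next rotation still lands on the first unused index above the highest existing one.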
Error 1401. System error 87. When trying to install under Win32_Process
Deleted user created
I get this error:
MSI (s) (E4:9C) [19:13:39:684]: Product: NXLog-CE -- Error 1401. Could not create key: S-1-5-21-1688939787-1905098679-239004068-17022\Software\Microsoft. System error 87. Verify that you have sufficient access to that key, or contact your support personnel.
Error 1401. Could not create key: S-1-5-21-1688939787-1905098679-239004068-17022\Software\Microsoft. System error 87. Verify that you have sufficient access to that key, or contact your support personnel.
when using this method as part of a script...
$process = ([WMICLASS]"\\$server\ROOT\CIMV2:Win32_Process").Create("cmd.exe /c " + $remoteProcess1)
The command issued is...
msiexec.exe /i nxlog-ce.msi /q
This method works great for other MSI packages
Anyone know why this might be happening? I ensured that the account creating the remote process has administrative rights.
Why would this need to access the HKEY_Users hive?
I also noticed that if I load the same User Profile on the remote machine that I am using to start the remote process, the installation works fine.
Once that is done no other Administrator can remove the NXLog agent. I try using the uninstall string and it fails. The only way to remove NXLog is to log on as the same user and uninstall.
Output module "om_redis" documentation?
le_logging created
Where can I find the documentation for this om_redis module?
Only resource I can find is: https://nxlog.co/question/1593/redis-module-lpush
Struggling getting SMTP logs to work.
Mr_M_Cox created
Hi All,
I previously got SMTP logs to go into Graylog using NXLog, and it was working fine. I then had a disk space issue on the Graylog host so had to redo some bits, including the nxlog.conf for our SMTP server.
The SMTP log header specifies the following
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-03-26 23:00:10
#Fields: date time c-ip cs-username s-sitename s-computername s-port cs-method cs-uri-query sc-bytes time-taken
This is the error I am getting
ERROR if-else failed at line 44, character 436 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 44, character 224 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 11, got 8 in input
I have checked and rechecked and there should be 11 items as per the .conf.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
<Extension json>
Module xm_json
</Extension>
# Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
<Extension w3c>
Module xm_csv
Fields $date, $time, $c-ip, $cs-username, $s-sitename, $s-computername, $s-port, $cs-method, $cs-uri-query, $sc-bytes, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, integer, integer
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue '-'
</Extension>
<Input smtp>
Module im_file
File "C:\\Logs\\SMTPSVC1\\\ex*.log"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "smtp"; \
$Message = to_json(); \
}
</Input>
<Input eventlog>
Module im_msvistalog
</Input>
<Output graylog>
Module om_udp
Host graylog.mydomain.com
Port 12201
OutputType GELF
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>
<Route eventlog>
Path eventlog => graylog
</Route>
<Route smtp-to-graylog>
Path smtp => graylog
</Route>
It's so frustrating that I know this was working correctly.
Any help would be great.
Thanks
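Added example (not from this post, not from the earlier Exchange message-tracking post, and not NXLog code) that serves both threads: a W3C extended log parser that takes its column layout from the '#Fields:' directive instead of a hard-coded list. IIS and Exchange write directive lines beginning with '#', the '#Fields:' line defines the layout for the data lines that follow, and that layout can change when logging is reconfigured or a new file starts. The parser drops every directive line before parsing, switches its field list whenever a new '#Fields:' appears, and records a row whose field count does not match as a problem instead of aborting the file. The sample lines are constructed; the first header is the one quoted in the SMTP post.

```python
"""W3C extended log parser driven by the #Fields: directive (constructed example)."""


def parse_w3c(lines):
    """Return (records, problems).

    records: list of dicts, field name -> value ('-' becomes None).
    problems: list of (line number, reason, raw line) for rows that could
              not be mapped onto the current field list.
    """
    fields = None
    records, problems = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()   # new layout from here on
            continue  # #Software, #Version, #Date and friends carry no data
        if fields is None:
            problems.append((lineno, "data before any #Fields: header", line))
            continue
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            problems.append((lineno, f"expected {len(fields)} fields, got {len(values)}", line))
            continue
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records, problems


# Constructed sample: the header from the post, two matching rows, then a
# second #Fields: directive with a narrower layout, one good row and one short row.
SAMPLE = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-03-26 23:00:10
#Fields: date time c-ip cs-username s-sitename s-computername s-port cs-method cs-uri-query sc-bytes time-taken
2017-03-26 23:00:11 10.0.0.5 - SMTPSVC1 MAIL01 25 EHLO - 0 15
2017-03-26 23:00:12 10.0.0.5 - SMTPSVC1 MAIL01 25 MAIL +FROM:<a@example.com> 250 4
#Fields: date time c-ip cs-method sc-status
2017-03-26 23:05:00 10.0.0.6 QUIT 221
2017-03-26 23:05:01 10.0.0.6 EHLO
""".splitlines(keepends=True)


def demo():
    records, problems = parse_w3c(SAMPLE)
    return (len(records),
            records[0]["cs-username"],        # '-' mapped to None
            records[1]["cs-uri-query"],
            records[2]["sc-status"],          # field that only exists in the second layout
            [(n, reason) for n, reason, _ in problems])
```

Reading the layout from the file is what makes a "got 8, expected 11" row a diagnosable event (the header changed, or a row is malformed) rather than a parser abort, and keeping the raw line alongside the reason preserves the evidence.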