Hello,
I am using nxlog to parse log files.
Everything is working perfectly; however, when the log file is rotated, nxlog reports errors while parsing the logs.
I did some research and found the following document:
https://nxlog.co/support-tickets/xmcsv-fails-parse-line-when-cr-split-lf-and-its-integer
Apparently this bug had been solved in the past.
Is it possible that it has returned in some file merge?
Or, could it be a new bug?
2017-05-10 17:00:03 WARNING input file was deleted: D:\Program Files\Microsoft\Exchange\V15\TransportRoles\Logs\MessageTracking\MSGTRKMD2017042106-1.LOG
2017-05-10 17:00:03 WARNING input file was deleted: D:\Program Files\Microsoft\Exchange\V15\TransportRoles\Logs\MessageTracking\MSGTRKMD2017042101-1.LOG
2017-05-10 17:00:03 WARNING input file was deleted: D:\Program Files\Microsoft\Exchange\V15\TransportRoles\Logs\MessageTracking\MSGTRKMD2017042103-1.LOG
2017-05-10 17:00:03 WARNING input file was deleted: D:\Program Files\Microsoft\Exchange\V15\TransportRoles\Logs\MessageTracking\MSGTRKMD2017042105-1.LOG
2017-05-10 17:00:03 ERROR procedure 'parse_csv' failed at line 64, character 43 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 27, got 1 in input '#Software: Microsoft Exchange Server'
2017-05-10 17:00:39 WARNING input file was deleted: D:\Program Files\Microsoft\Exchange\V15\TransportRoles\Logs\MessageTracking\MSGTRKMS2017041020-1.LOG
2017-05-10 17:00:39 ERROR procedure 'parse_csv' failed at line 64, character 43 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 27, got 1 in input '#Software: Microsoft Exchange Server'
<Input exmsgtrk>
Module im_file
File "%EXMSGTRK%\MSGTRK????????*-*.LOG"
SavePos TRUE
InputType LineBased
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /Mbx_/ drop();
Exec if $raw_event =~ /^#/ drop();
Exec ExtMessageTracking->parse_csv();
Exec $EventTime = parsedate($EmailTime);
Exec $Message = "Subject: " + $EmailSubject;
</Input>
Version: nxlog-ce-2.9.1716.msi
samysilva created
I have a very basic setup. I was easily able to get the general syslog functionality working.
I have been unable to get the file transport working. I've spent several days trying alternative configurations and Googling for help; all to no avail.
I also tested with om_file - trying to just grab the file and output it locally - the outcome was just a blank file.
Any help will be greatly appreciated.
Here is my config:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
<Extension gelf>
Module xm_gelf
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input 1>
Module im_file
file "C:\\MSSQL\\ERRORLOG"
</Input>
<Output 2>
Module om_tcp
Host 192.168.1.50
Port 5550
OutputType GELF_TCP
</Output>
<Route 3>
Path 1 => 2
</Route>
jcottone created
Is it possible to apply a filter that will allow a Windows event (e.g. 4624) to be dropped if it contains a machine name (with $ appended) but send all others? The line that contains the payload is:
JCEF_srcUser: xxxxx$
xxxx would need to be a wildcard to be inclusive of all machine accounts.
My reasoning is that for our environment we can't drop 4624 altogether, but the inclusion of machine accounts creates the bulk of the events (over 90%), which is just noise for my purposes.
Thanks in advance!
CosmicSlopp created
Hi all,
I am evaluating NXLOG and could not find out whether the om_tcp module supports TCP server (listening) mode instead of TCP client (connect) mode. I have a GUI which can connect to a TCP server and display live syslog events, so an om_tcp_server is required which the GUI can connect to.
Regards,
Erwin
DJ created
I would like to propose the possibility of having multiple config files in a folder (like how Telegraf works):
"Configuration file locations The location of the configuration file can be set via the --config command line flag. Telegraf will also pick up all files matching the pattern *.conf if the -config-directory command line flag is used.
On most systems, the default locations are /etc/telegraf/telegraf.conf for the main configuration file and /etc/telegraf/telegraf.d for the directory of configuration files."
I believe this would enhance NXlog by making it a lot easier to implement where there is a need for different log sources.
It will allow the owner/maintainer of a function or application to create their own nxlog config for their needs, i.e.:
- The operating system team manages the config file for the system logs
- The database team manages the config file for the logging required for, for example, SQL Server
- The web server team manages the logging for IIS/Apache
The benefits over having it all in one file and having to edit that file for each change in logging needs are:
- No risk of disruption to other logging on the same system.
- Adding logging for a new app is as easy as dropping a file into the config dir. Very easy for a deployment tool.
- Clear responsibility - our app, our config file. Makes PaaS/SaaS scenarios a lot easier.
mats created
Hi,
First time post so please go easy....
I have a simple test Windows 2008 server with nxlog installed with the following config file.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_syslog
</Extension>
<Input file_in>
Module im_file
File 'D:\\01\\syslogtest.txt'
Exec $Message = $raw_event;
SavePos True
ReadFromLast True
</Input>
<Processor file_transformer>
Module pm_transformer
Exec $SourceName = 'offline_testing';
OutputFormat syslog_bsd
</Processor>
<Output file_out>
Module om_udp
Host syslog.domain.com
Port 10000
</Output>
<Route file_route>
Path file_in => file_transformer => file_out
</Route>
I'm sending my logs to a syslog server running syslog-ng.
When the server is available, everything is good. What I write to the local Windows text file appears on the syslog-ng server.
I enable Windows firewall to simulate the syslog-ng server down.
I write to the local Windows text file and nothing appears in syslog-ng. As expected.
I remove the firewall rule, and here is where my problem lies: on the syslog-ng server I don't see what was written to the local text file while syslog-ng was unavailable.
If I start writing to the text file after disabling the firewall, I see the new stuff coming in but not what was written while the syslog server was "offline".
Can anybody help figure out why this is not working as expected?
Regards,
Victor
peepers1970 created
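Added example, not code from the post above or from nxlog: the om_udp behaviour described there follows from UDP itself, which is why nothing written during the outage shows up afterwards. The script sends one syslog-style line over both transports to a loopback port where nothing listens; the TCP sender is told immediately that nobody is there, the UDP sender is not, so the sending side has nothing to buffer or replay. The port, payload and loopback target are constructed for the demonstration.

```python
import socket

LOOPBACK = "127.0.0.1"


def reserve_closed_port() -> int:
    """Bind an ephemeral port and release it, so nothing is listening there.
    Constructed stand-in for the syslog-ng host being unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((LOOPBACK, 0))
        return sock.getsockname()[1]


def send_tcp(port: int, payload: bytes) -> str:
    """A connection-oriented sender learns at once that nobody accepted."""
    try:
        with socket.create_connection((LOOPBACK, port), timeout=1.0) as sock:
            sock.sendall(payload)
            return "delivered"
    except OSError as exc:
        return f"failed: {type(exc).__name__}"


def send_udp(port: int, payload: bytes) -> str:
    """A datagram sender gets no delivery feedback: sendto() reports the bytes
    handed to the kernel whether or not anything ever receives them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sent = sock.sendto(payload, (LOOPBACK, port))
        return f"sent {sent} bytes, no acknowledgement"


def compare_transports(
    payload: bytes = b"<13>May 10 17:00:00 host offline_testing: test\n",
) -> dict:
    """Send one constructed BSD-syslog line to a port with no listener over
    both transports and report what each sender can observe."""
    port = reserve_closed_port()
    return {"tcp": send_tcp(port, payload), "udp": send_udp(port, payload)}


if __name__ == "__main__":
    for transport, outcome in compare_transports().items():
        print(f"{transport}: {outcome}")
```

Because the UDP call succeeds, a sender built on it has no signal that the message was lost and cannot know to hold it back; only a connection-oriented output gets the failure back and can keep unsent data until the peer returns.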
hello:
The nxlog DEBUG logs are:
section 1
2017-04-24 16:15:40 DEBUG check file: /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log
2017-04-24 16:15:40 DEBUG mtime of file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' changed
2017-04-24 16:15:40 DEBUG file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' was truncated
2017-04-24 16:15:40 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-24 16:15:40 DEBUG file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log already opened
...
section 2
2017-04-24 16:15:42 DEBUG check file: /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log
2017-04-24 16:15:42 DEBUG mtime of file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' changed
2017-04-24 16:15:42 DEBUG file size of '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' increased since last read
2017-04-24 16:15:42 DEBUG file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' has unread data (540975520 > 540709280)
2017-04-24 16:15:42 DEBUG file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log already opened
...
section 3
2017-04-24 16:15:44 DEBUG check file: /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log
2017-04-24 16:15:44 DEBUG mtime of file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' changed
2017-04-24 16:15:44 DEBUG file '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log' was truncated
2017-04-24 16:15:44 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-24 16:15:44 DEBUG file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log already opened
Sections 2-3 repeat and continue to loop.
Please help me figure out the reason. Thank you!
alexchen123 created
I use NXLog to parse the Exchange logs and send them to my Graylog. From time to time, Graylog still receives the line #Software: Microsoft Exchange...
Note that the line is sent once every hour or two.
It seems that the check if $raw_event =~ /^#/ drop(); randomly fails to drop the # line.
Below is part of my config for the input:
<Input in_MSGTRK>
Module im_file
File "\\\\xxxxxxx\\d$\\Exchsvr\\TransportRoles\\Logs\\\MessageTracking\\\\*.log"
SavePos TRUE
ReadFromLast TRUE
Recursive TRUE
CloseWhenIdle TRUE
InputType LineBased
PollInterval 10
Exec if $raw_event =~ /HealthMailbox/ drop();
Exec if $raw_event =~ /^#/ drop();
Exec ParseEXCHANGESMSGTRK->parse_csv();
</Input>
Any clue, help or solution is welcome
Pepper created
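Added example, serving this post and the first post on this page (the parse_csv failure on '#Software: Microsoft Exchange Server'); it is not code from either post or from nxlog. It models the Exec chain as a small Python pipeline: the /^#/ drop rule, then a parse_csv() that enforces a field count, with rejected lines reported through repr() so that invisible leading characters appear in the diagnostic. The two ways a header line is shown reaching the parser, a leading LF left over when a CRLF terminator is split across two reads (the ticket linked in the first post) and a UTF-8 BOM at the start of a fresh file, are constructed inputs and an assumption about the cause, not something the posts establish; the tolerant pattern and the 3-column layout are likewise the example's own.

```python
import csv
import re

# Field count the model's parse_csv() requires. The real config on this page
# expects 27 Exchange message-tracking columns; the sample keeps 3 so the lines
# stay readable (constructed subset).
EXPECTED_FIELDS = 3
FIELD_NAMES = ("date-time", "client-ip", "client-hostname")

# The drop() rule both configs use: $raw_event =~ /^#/
NAIVE_HEADER_RE = re.compile(r"^#")
# Tolerant variant (an assumption, not from the page): also treat the line as a
# header when a UTF-8 BOM or leading CR/LF/space precedes the '#'.
TOLERANT_HEADER_RE = re.compile(r"^[\ufeff\s]*#")


def is_header(raw_event: str, tolerant: bool = False) -> bool:
    pattern = TOLERANT_HEADER_RE if tolerant else NAIVE_HEADER_RE
    return pattern.search(raw_event) is not None


def parse_csv(raw_event: str) -> dict:
    """Model of xm_csv parse_csv(): split one line and require EXPECTED_FIELDS
    columns, raising the same kind of error nxlog logs for a short line."""
    rows = list(csv.reader([raw_event.strip("\r\n")]))
    fields = rows[0] if rows else []
    if len(fields) != EXPECTED_FIELDS:
        raise ValueError(
            f"Not enough fields in CSV input, expected {EXPECTED_FIELDS}, "
            f"got {len(fields)} in input {raw_event!r}"
        )
    return dict(zip(FIELD_NAMES, fields))


def process(lines, tolerant: bool = False):
    """Run the Exec chain over each line: drop header lines, then parse_csv().
    Unlike nxlog, a failing line is collected rather than aborting, and the
    offending input is reported with repr() so invisible leading characters
    (BOM, stray CR/LF) show up in the diagnostic."""
    records, errors = [], []
    for raw_event in lines:
        if is_header(raw_event, tolerant):
            continue
        try:
            records.append(parse_csv(raw_event))
        except ValueError as exc:
            errors.append(str(exc))
    return records, errors


# Constructed input: the Exchange header line, two data rows, then the same
# header with a leading LF (as when a CRLF terminator is split across two
# reads) and with a UTF-8 BOM (as at the start of a freshly rotated file).
SAMPLE_LINES = [
    "#Software: Microsoft Exchange Server\r\n",
    "2017-05-10T17:00:00.000Z,10.0.0.1,mx1\r\n",
    "2017-05-10T17:00:01.000Z,10.0.0.2,mx2\r\n",
    "\n#Software: Microsoft Exchange Server\r\n",
    "\ufeff#Software: Microsoft Exchange Server\r\n",
]

if __name__ == "__main__":
    for tolerant in (False, True):
        records, errors = process(SAMPLE_LINES, tolerant)
        print(f"tolerant={tolerant}: {len(records)} parsed, {len(errors)} rejected")
        for err in errors:
            print("   ", err)
```

The diagnostic is the point: nxlog prints the rejected input between plain quotes, which hides a leading newline or BOM, whereas a repr()-style dump makes the extra character visible and tells you whether the anchor or the line splitting is what let the header through.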
I'm having issues leveraging Ansible's win_package to perform installs. It seems the CE installer omits the required entries in HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall.
For more info:
markhensler created
Hey!
I have a bunch of log data that I'd like to push to a set of redis instances that are used as a queue. In an ideal world, I could use a config like this:
<Output redis-out>
Command LPUSH
Host server1,server2,server3
</Output>
The desired result is that nxlog pushes sequential lines to each of the servers in turn - no duplication, just load distribution.
Is there presently a way to do this? I'm thinking I'm likely to end up running through a hardware load-balancer, but it sure would be nice to just do this in nxlog.
Thanks!
davidatpinger created
I am a first time user of nxlog. I have a fresh install of CentOS. There is nothing on it but the base install, nxlog, netstat, and tcpdump.
I setup a very basic conf file and pointed several switches to the box but I am not getting any output to the log file.
I made sure that nxlog is listening on TCP and UDP 514 with netstat. I also checked to make sure packets were coming to the box with tcpdump.
Here is my nxlog.conf. Any suggestions?
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogLevel INFO
########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Input udp_in>
Module im_udp
Host 0.0.0.0
Port 514
#Exec parse_syslog();
</Input>
<Input tcp_in>
Module im_tcp
Host 0.0.0.0
Port 514
#Exec parse_syslog();
</Input>
<Output default_fileout>
Module om_file
File "%BASEDIR%/logmsg.txt"
</Output>
########################################
# Routes #
########################################
<Route 1>
Path udp_in, tcp_in => default_fileout
</Route>
twright1 created
What conditions will cause nxlog to reread the saved position? Is it only on startup, or can TCP forwarding timeouts cause it? Is it on any ERROR?
nutzo20 created
Due to package dependency issues when I tried to install the Debian package (I was not able to install relevant lib packages like libdbi0 and libperl5.10...), I tried to install the source code package. But this installation doesn't work either:
root@###:/home/### nxlog-ce-2.8.1248/packaging/debian/make_debs.sh
nxlog-ce-2.8.1248/packaging/debian/make_debs.sh: 44: ./version.sh: not found
control.Debian-squeeze not found, using control.default to build package
cp: Aufruf von stat für „control.default“ nicht möglich: Datei oder Verzeichnis nicht gefunden
cat: changelog.skel: Datei oder Verzeichnis nicht gefunden
nxlog-ce-2.8.1248/packaging/debian/make_debs.sh: 44: dpkg-buildpackage: not found
Can anybody help me? Thanks! :)
jonast created
Hello -
I've been trying to figure this out for a few days, and it just isn't working. I want to allow certain messages by EventID, disallow all other INFO, DEBUG, but also allow all other ERRORs.
What I would like to end up with is: the cherry-picked EventIDs (a collection of INFO, ERROR, WARNING) and all error messages. Every time I add a filter by SEVERITY it seems to change the dynamic of the filter.
Any tips? Below is what my config currently looks like; I'm getting the EventIDs which I want, but I'm not getting all ERROR messages.
----------------------------
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
Exec if ($EventID == 624 or $EventID == 630 or $EventID == 631 or $EventID == 634 or $EventID == 635 or $EventID == 638 or $EventID == 658 or $EventID == 662 or $EventID == 4624 or $EventID == 4625 or $EventID == 4720 or $EventID == 4726 or $EventID == 4727 or $EventID == 4728 or $EventID == 4729 or $EventID == 4730 or $EventID == 4731 or $EventID == 4732 or $EventID == 4733 or $EventID == 4734 or $EventID == 4735 or $EventID == 4737 or $EventID == 4740 or $EventID == 4741 or $EventID == 4742 or $EventID == 4743 or $EventID == 4754 or $EventID == 4755 or $EventID == 4756 or $EventID == 4757 or $EventID == 4758 or $EventID == 4764 or $EventID == 4767);\
else drop();
</Input>
<Output out>
Module om_udp
Host log.myserver.org
Port 5414
OutputType GELF
</Output>
<Route 1>
Path in => out
</Route>
LogMaster created
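Added example, not code from either post or from nxlog, serving this post and the earlier question about dropping 4624 events for machine accounts (the JCEF_srcUser: xxxxx$ payload line). It expresses the two filtering policies as one Python decision function over constructed events shaped like im_msvistalog output: drop a 4624 whose source user ends in '$', otherwise keep an event when its EventID is on the allowlist copied from the Exec above or its Severity is ERROR, and drop everything else. The field names EventID, Severity and Message come from the page; the rule ordering and the sample events are the example's own.

```python
import re

# The cherry-picked EventIDs from the im_msvistalog Exec on this page.
ALLOWED_EVENT_IDS = {
    624, 630, 631, 634, 635, 638, 658, 662,
    4624, 4625, 4720, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734,
    4735, 4737, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4767,
}

# The payload line from the machine-account post: "JCEF_srcUser: xxxxx$".
SRC_USER_RE = re.compile(r"^JCEF_srcUser:\s*(\S+)\s*$", re.MULTILINE)
# Computer accounts are the accounts whose sAMAccountName ends in '$'.
MACHINE_ACCOUNT_RE = re.compile(r"\$$")


def source_user(message: str) -> str:
    match = SRC_USER_RE.search(message or "")
    return match.group(1) if match else ""


def classify(event: dict):
    """Decide keep/drop for one event and say why.
    Rule 1 (machine-account noise): drop 4624 when JCEF_srcUser is a computer account.
    Rule 2 (allowlist or ERROR): keep the cherry-picked EventIDs and every ERROR,
    drop all other INFO/WARNING/DEBUG."""
    event_id = event.get("EventID")
    severity = str(event.get("Severity", "")).upper()
    user = source_user(event.get("Message", ""))
    if event_id == 4624 and MACHINE_ACCOUNT_RE.search(user):
        return False, f"4624 machine-account logon ({user})"
    if event_id in ALLOWED_EVENT_IDS:
        return True, "EventID on allowlist"
    if severity == "ERROR":
        return True, "severity ERROR"
    return False, f"not allowlisted and severity {severity or 'unknown'}"


def filter_events(events):
    return [event for event in events if classify(event)[0]]


# Constructed sample events; the shape follows the im_msvistalog fields on this page.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Severity": "INFO",
     "Message": "An account was successfully logged on.\nJCEF_srcUser: WKS0123$\n"},
    {"EventID": 4624, "Severity": "INFO",
     "Message": "An account was successfully logged on.\nJCEF_srcUser: jdoe\n"},
    {"EventID": 4720, "Severity": "INFO", "Message": "A user account was created."},
    {"EventID": 1000, "Severity": "ERROR", "Message": "Faulting application name: example.exe"},
    {"EventID": 7036, "Severity": "INFO", "Message": "The service entered the running state."},
    {"EventID": 4625, "Severity": "WARNING",
     "Message": "An account failed to log on.\nJCEF_srcUser: WKS0123$\n"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        keep, reason = classify(event)
        print(f"{'KEEP' if keep else 'DROP'} EventID={event['EventID']:<5} {reason}")
```

Keeping the noise rule ahead of the allowlist matters: 4624 is on the allowlist, so an allowlist-first ordering would forward every machine-account logon before the suppression rule ran. The 4625 machine-account event is deliberately kept, since the suppression applies to successful logons only.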
I'm having trouble creating a file input for multiple Windows servers for monitoring WebLogic log files for multiple nodes.
The folders are in the following format:
Server1
E:\logs\node1\node1.log100
E:\logs\node2\node2.log100
Server2
E:\logs\node3\node3.log100
E:\logs\node4\node4.log100
etc
So I'm trying to put in the following:
C:\\logs\\node*\\node*.log*
But it doesn't work. Has anyone else had to overcome this problem before?
Error in the nxlog.log:
ERROR failed to open directory: E:\\logs\\node*\: The filename, directory name, or volume label syntax is incorrect.
Lee.Halford created
the log:
2017-04-01 10:08:29 INFO nxlog-ce-2.8.1248 started
2017-04-01 10:10:18 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:28 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:32 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:36 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:42 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:48 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:10:54 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:14 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:22 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:30 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:46 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
2017-04-01 10:11:52 INFO last message repeated 2 times
2017-04-01 10:11:58 INFO input file /u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log was truncated, restarting from beginning
How should I adjust nxlog.conf? Thanks.
my nxlog.conf:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
########################################
# Global directives #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine /^\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}/
</Extension>
<Input oerrorin1>
Module im_file
File '/u01/app/oracle/diag/rdbms/testdb/testdb/trace/alert_testdb.log'
InputType multiline
SavePos TRUE
ReadFromLast FALSE
</Input>
<Output udpout>
Module om_udp
Host XXXXXXXXX
Port 514
</Output>
########################################
# Routes #
########################################
<Route 1>
Path oerrorin1 => udpout
</Route>
alexchen123 created
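Added example, not code from either post or from nxlog, serving this post and the DEBUG trace posted earlier for the same alert log. A Python model of the reader shows the rule behind the messages: at each poll the saved offset is compared with the file size, a smaller size is reported as truncated and reading restarts at offset 0, and an unterminated tail is carried over to the next poll. The lines read are then grouped the way the HeaderLine pattern from the config above groups them. The snapshots are constructed; the model does not decide what is rewriting this particular file, but replaying a writer's behaviour through it shows which write patterns land in the truncated branch.

```python
import re

# The HeaderLine pattern from the xm_multiline extension on this page; it
# matches Oracle alert-log timestamp lines such as "Mon Apr 24 16:15:40 2017".
HEADER_RE = re.compile(r"^\w{3}\s\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s\d{4}")


class FileTailer:
    """Model of a SavePos-style reader. Each poll receives the file's current
    contents (a constructed stand-in for stat()+read()) and decides, from size
    versus the saved offset alone, whether the file grew, shrank or stayed put."""

    def __init__(self):
        self.pos = 0          # saved read offset (what SavePos persists)
        self.partial = ""     # unterminated tail kept between polls

    def poll(self, content: str):
        size = len(content)
        if size < self.pos:
            # Smaller than where we stopped: treat as truncation and restart
            # from the beginning, which is what the INFO messages report.
            self.pos, self.partial = 0, ""
            status = "truncated"
        elif size == self.pos:
            return "unchanged", []
        else:
            status = "increased"
        chunk = self.partial + content[self.pos:]
        self.pos = size
        lines = chunk.split("\n")
        self.partial = lines.pop()   # text after the last newline, if any
        return status, lines


def group_multiline(lines, header_re=HEADER_RE):
    """xm_multiline-style grouping: every HeaderLine match starts a new record,
    any other line is appended to the record in progress."""
    records, current = [], []
    for line in lines:
        if header_re.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def replay(snapshots):
    """Feed successive file snapshots through the tailer; return the status
    sequence and the multiline records assembled from every line read."""
    tailer = FileTailer()
    statuses, collected = [], []
    for content in snapshots:
        status, lines = tailer.poll(content)
        statuses.append(status)
        collected.extend(lines)
    return statuses, group_multiline(collected)


# Constructed snapshots: two appends, then the writer empties the file and
# starts again, which is what produces the "truncated" message.
SNAPSHOTS = [
    "Mon Apr 24 16:15:40 2017\nStarting ORACLE instance (constructed line)\n",
    "Mon Apr 24 16:15:40 2017\nStarting ORACLE instance (constructed line)\n"
    "Mon Apr 24 16:15:42 2017\nDatabase opened (constructed line)\n",
    "",
    "Mon Apr 24 16:15:44 2017\nStarting ORACLE instance (constructed line)\n",
]

if __name__ == "__main__":
    statuses, records = replay(SNAPSHOTS)
    print(statuses)
    for record in records:
        print("---\n" + record)
```

The decision uses only size against the saved offset, so any writer that rewrites the file in place and momentarily makes it shorter than the reader's offset will trip the truncated branch and cause a re-read from the beginning, which is the pattern visible in both logs above.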
Hi all,
I am getting the following error within the Nxlog CE log -
2017-04-06 16:37:53 ERROR data size (65080) is over the limit (65000), will be truncated
I have seen the 'BufferSize' command but that just breaks the .conf.
How can I go about increasing this limit?
Thanks.
Mr_M_Cox created
While not systematic, nxlog often sends partial JSON strings over its TCP output. The receiving end is unable to parse them.
The client configuration looks like this:
<Extension json>
Module xm_json
</Extension>
<Input eventlogs_json>
Module im_msvistalog
Exec delete($Keywords);
Exec delete($EventReceivedTime);
Exec delete($SourceModuleName);
Exec delete($SourceModuleType);
Exec $Environment = "development";
Exec to_json();
</Input>
Here's an example truncated log. There are 2 opening brackets but only 1 closed. And there's a weird \r in there too at the end.
"{\"EventTime\":\"2017-04-06 13:39:31\",\"Hostname\":\"redacted\",\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":40962,\"SourceName\":\"Microsoft-Windows-PowerShell\",\"ProviderGuid\":\"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}\",\"Version\":1,\"Task\":4,\"OpcodeValue\":2,\"RecordNumber\":1206682,\"ActivityID\":\"{792C42B9-9C21-0001-F1DE-3079219CD201}\",\"ProcessID\":15728,\"ThreadID\":30916,\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Domain\":{\"EventTime\":\"2017-04-06 13:39:30\",\"Hostname\":\"redacted\",\"EventType\":\"INFO\",\"SeverityValue\":2,\"Severity\":\"INFO\",\"EventID\":400,\"SourceName\":\"PowerShell\",\"Task\":4,\"RecordNumber\":2672,\"ProcessID\":0,\"ThreadID\":0,\"Channel\":\"Windows PowerShell\",\"Message\":\"Engine state is changed from None to Available. \\r\\n\\r\\nDetails: \\r\\n\\tNewEngineState=Available\\r\\n\\tPreviousEngineState=None\\r\\n\\r\\n\\tSequenceNumber=13\\r\\n\\r\\n\\tHostName=ConsoleHost\\r\\n\\tHostVersion=4.0\\r\\n\\tHostId=6fc80cc3-85e0-4c9a-a437-1c05ddec479d\\r\\n\\tHostApplication=powershell.exe -command ($(Invoke-WebRequest http://127.0.0.1:redacted/fullstatus -UseBasicParsing).Content | ConvertFrom-Json).\\\"Status\\\"\\r\\n\\tEngineVersion=4.0\\r\\n\\tRunspaceId=cf67d6e2-814b-4d76-82cc-b138ceb2e122\\r\\n\\tPipelineId=\\r\\n\\tCommandName=\\r\\n\\tCommandType=\\r\\n\\tScriptName=\\r\\n\\tCommandPath=\\r\\n\\tCommandLine=\",\"Category\":\"Engine Lifecycle\",\"Opcode\":\"Info\",\"Environment\":\"development\"}\r"
I was able to parse it in Python after removing the \r and adding an extra }.
jonapich created
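Added example, not code from the post or from nxlog: a receiver-side check for the malformed record quoted above. It frames records with json.JSONDecoder.raw_decode(), which consumes exactly one object at a time and leaves anything that does not decode as a remainder instead of guessing at a repair, then counts unclosed braces outside string literals (so a GUID such as the ProviderGuid value or the escaped quotes inside Message do not skew the count) and checks that each complete record carries the fields the pipeline depends on. The stream is constructed: two well-formed events followed by a shortened copy of the interleaved record from the post.

```python
import json

REQUIRED_FIELDS = ("EventTime", "Hostname", "EventID", "Channel")


def frame_json_records(buffer: str):
    """Pull complete JSON objects off the stream as the receiver sees it.
    raw_decode() stops at the end of each object, so records separated by
    \\n or \\r\\n are handled without depending on the separator. Anything that
    does not decode is returned as the remainder rather than being patched."""
    decoder = json.JSONDecoder()
    records, pos, end = [], 0, len(buffer)
    while True:
        while pos < end and buffer[pos] in " \t\r\n":
            pos += 1
        if pos >= end:
            return records, ""
        try:
            obj, pos = decoder.raw_decode(buffer, pos)
        except json.JSONDecodeError:
            return records, buffer[pos:]
        records.append(obj)


def unclosed_braces(text: str) -> int:
    """Count '{' without a matching '}' outside string literals, honouring
    backslash escapes, so \\" sequences inside Message do not confuse it."""
    depth, in_string, escaped = 0, False, False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
    return depth


def missing_fields(record: dict):
    return [name for name in REQUIRED_FIELDS if name not in record]


def audit(stream: str):
    """Return (complete records, fields missing per EventID, unclosed braces
    in whatever could not be framed)."""
    records, remainder = frame_json_records(stream)
    problems = {r["EventID"]: missing_fields(r) for r in records if missing_fields(r)}
    return len(records), problems, unclosed_braces(remainder)


# Constructed stream: two complete im_msvistalog-style records, then a record
# shaped like the truncated one quoted in the post: the value of "Domain" is a
# whole second event and the outer object never closes, followed by a lone \r.
GOOD_1 = ('{"EventTime":"2017-04-06 13:39:31","Hostname":"redacted","EventID":40962,'
          '"ProviderGuid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",'
          '"Channel":"Microsoft-Windows-PowerShell/Operational","Message":"say \\"hi\\""}')
GOOD_2 = ('{"EventTime":"2017-04-06 13:39:32","Hostname":"redacted","EventID":400,'
          '"Channel":"Windows PowerShell","Message":"Engine state is changed"}')
BAD = ('{"EventTime":"2017-04-06 13:39:31","Hostname":"redacted","EventID":40962,"Domain":'
       '{"EventTime":"2017-04-06 13:39:30","Hostname":"redacted","EventID":400,'
       '"Channel":"Windows PowerShell","Message":"Engine state is changed",'
       '"Environment":"development"}\r')
STREAM = GOOD_1 + "\n" + GOOD_2 + "\n" + BAD

if __name__ == "__main__":
    count, problems, dangling = audit(STREAM)
    print(f"complete records: {count}, field problems: {problems}, "
          f"unclosed braces in remainder: {dangling}")
```

Refusing to repair the remainder is deliberate: adding a closing brace as the post describes makes the text parse, but the result is one event with another event nested inside it, so the inner record's fields are silently lost to the SIEM. Counting the remainder and alerting on it keeps the loss visible.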
Hi guys,
I wanted to use NXLog to send data from a XML file into GrayLog.
My first test worked fine with a simple XML file. But with a Nessus report (in XML) it doesn't work, because this file is more complex. Do you have an example nxlog.conf configuration to help me?
My current nxlog.conf:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine /^<event>/
EndLine /^</event>/
</Extension>
<Extension xmlparser>
Module xm_xml
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input in>
Module im_file
File "C:\Program Files\Graylog\collector-sidecar\generated\exempleFichier.xml"
SavePos FALSE
ReadFromLast FALSE
InputType multiline
<Exec>
# Discard everything that doesn't seem to be an xml event
if $raw_event !~ /^<event>/ drop();
# Parse the xml event
parse_xml();
# Rewrite some fields
$EventTime = parsedate($timestamp);
delete($timestamp);
delete($EventReceivedTime);
# Convert to JSON
to_json();
</Exec>
</Input>
<Output out>
Module om_udp
Host xx.xx.xx.xx
Port 12201
</Output>
<Route 1>
Path in => out
</Route>
And a (very little) preview of my Nessus file...
<Report name="Scan_Nessus" xmlns:cm="http://www.nessus.org/cm">
<ReportHost name="192.168.1.1"><HostProperties>
<tag name="traceroute-hop-8">192.168.1.1</tag>
<tag name="LastUnauthenticatedResults">1490484150</tag>
<tag name="Credentialed_Scan">false</tag>
<tag name="policy-used">policies_scan</tag>
<tag name="patch-summary-total-cves">1</tag>
<tag name="os">other</tag>
<tag name="system-type">general-purpose</tag>
<tag name="operating-system">CISCO IOS</tag>
<tag name="traceroute-hop-7">?</tag>
<tag name="traceroute-hop-6">192.168.1.1</tag>
<tag name="traceroute-hop-5">192.168.1.2</tag>
<tag name="traceroute-hop-4">192.168.1.3</tag>
<tag name="HOST_END">Sun Mar 26 00:22:30 2017</tag>
<tag name="host-ip">192.168.1.1</tag>
<tag name="HOST_START">Sun Mar 26 00:20:19 2017</tag>
</HostProperties>
<ReportItem port="123" svc_name="ntp" protocol="udp" severity="0" pluginID="10884" pluginName="Network Time Protocol (NTP) Server Detection" pluginFamily="Service detection">
<cpe>cpe:/a:ntp:ntp</cpe>
<description>An NTP server with an insecure configuration is listening on port 123.
It provides information about its version, current date, current time, and possibly system information.</description>
<fname>ntp_open.nasl</fname>
<plugin_modification_date>2017/03/21</plugin_modification_date>
<plugin_name>Network Time Protocol (NTP) Server Detection</plugin_name>
<plugin_publication_date>2015/03/20</plugin_publication_date>
<plugin_type>remote</plugin_type>
<risk_factor>None</risk_factor>
<script_version>$Revision: 1.27 $</script_version>
<see_also>http://www.ntp.org</see_also>
<solution>n/a</solution>
<synopsis>An NTP server with an insecure configuration is listening on the remote host.</synopsis>
<plugin_output>
Version : unknown
</plugin_output>
</ReportItem>
Thanks !
ilovegraylog created
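Added example, not the poster's configuration and not nxlog code: a Python parser for the ReportHost/ReportItem structure shown in the preview, which is the part an xm_multiline HeaderLine of /^<event>/ cannot express because one host element wraps many findings. It streams the document with xml.etree iterparse, emits one flat record per ReportItem together with the enclosing host's properties, and maps each record onto a GELF 1.1 message of the kind Graylog accepts. The XML is a constructed, well-formed fragment built from the preview; the second finding is a placeholder with pluginID 0, added only so the loop processes more than one item.

```python
import io
import xml.etree.ElementTree as ET

# Constructed, well-formed fragment shaped like the preview in the post. The
# NTP finding is the one shown there; the second ReportItem is a placeholder
# (pluginID "0", not a real Nessus plugin) so the loop has two items to walk.
NESSUS_SAMPLE = """<Report name="Scan_Nessus" xmlns:cm="http://www.nessus.org/cm">
<ReportHost name="192.168.1.1"><HostProperties>
<tag name="operating-system">CISCO IOS</tag>
<tag name="host-ip">192.168.1.1</tag>
<tag name="HOST_START">Sun Mar 26 00:20:19 2017</tag>
<tag name="HOST_END">Sun Mar 26 00:22:30 2017</tag>
</HostProperties>
<ReportItem port="123" svc_name="ntp" protocol="udp" severity="0" pluginID="10884" pluginName="Network Time Protocol (NTP) Server Detection" pluginFamily="Service detection">
<risk_factor>None</risk_factor>
<synopsis>An NTP server with an insecure configuration is listening on the remote host.</synopsis>
<plugin_output>
Version : unknown
</plugin_output>
</ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="2" pluginID="0" pluginName="CONSTRUCTED placeholder finding" pluginFamily="General">
<risk_factor>Medium</risk_factor>
<synopsis>Placeholder finding used only to exercise the parser.</synopsis>
</ReportItem>
</ReportHost>
</Report>
"""

HOST_TAGS = ("host-ip", "operating-system", "HOST_START", "HOST_END")
ITEM_ATTRS = ("port", "protocol", "svc_name", "severity", "pluginID", "pluginName", "pluginFamily")
ITEM_CHILDREN = ("risk_factor", "synopsis", "plugin_output")


def nessus_records(xml_text: str):
    """Stream a .nessus report with iterparse and emit one flat dict per
    ReportItem, carrying the enclosing host's properties. Elements are cleared
    after use so a multi-megabyte report does not have to fit in memory."""
    records, host = [], {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, elem in ET.iterparse(source, events=("start", "end")):
        if event == "start" and elem.tag == "ReportHost":
            host = {"host": elem.get("name")}          # attributes exist at start
        elif event == "end" and elem.tag == "HostProperties":
            for tag in elem.findall("tag"):
                if tag.get("name") in HOST_TAGS:
                    host[tag.get("name")] = (tag.text or "").strip()
            elem.clear()
        elif event == "end" and elem.tag == "ReportItem":
            record = dict(host)
            record.update({attr: elem.get(attr) for attr in ITEM_ATTRS})
            record["severity"] = int(record["severity"] or 0)
            for child in ITEM_CHILDREN:
                node = elem.find(child)
                record[child] = (node.text or "").strip() if node is not None else ""
            records.append(record)
            elem.clear()
    return records


def to_gelf(record: dict) -> dict:
    """Map a finding onto a GELF 1.1 message: the fixed keys plus '_'-prefixed
    additional fields, which is the shape Graylog's GELF input accepts."""
    gelf = {
        "version": "1.1",
        "host": record["host"],
        "short_message": f"[{record['risk_factor']}] {record['pluginName']} "
                         f"on {record['port']}/{record['protocol']}",
        "level": 6 if record["severity"] == 0 else 4,   # syslog info / warning
    }
    gelf.update({f"_{key}": value for key, value in record.items() if key != "host"})
    return gelf


if __name__ == "__main__":
    for finding in nessus_records(NESSUS_SAMPLE):
        print(to_gelf(finding)["short_message"], "|", finding["host-ip"], finding["pluginID"])
```

Each GELF message keeps the host properties alongside the finding, so a Graylog search by _host-ip or _pluginID works without joining across records; that is the flattening the single-line XML event approach from the config cannot do for a nested report.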
Seeing the following errors in the logs on a Win 2008 R2 machine. Not 100% sure why, but it seems to happen intermittently; I can't seem to correlate it with log file rotations or anything like that.
2017-03-31 12:46:52 ERROR if-else failed at line 10, character 39 in C:\Program Files (x86)\nxlog/conf/app_log/application_log_multiline_extensions.conf. statement execution has been aborted; binary operation failed at line 10, character 36 in C:\Program Files (x86)\nxlog/conf/app_log/application_log_multiline_extensions.conf. expression evaluation has been aborted; missing logdata, no field available in this context at line 10, character 19 in C:\Program Files (x86)\nxlog/conf/app_log/application_log_multiline_extensions.conf. operation possibly after drop()
When it starts to appear it always happens at the exact same second of a given minute, but the number of minutes between each error seems somewhat random,
i.e.
2017-03-31 10:37:42 ERROR if-else failed at line 16...
2017-03-31 10:40:42 ERROR if-else failed at line 16 ...
2017-03-31 10:41:42 ERROR if-else failed at line 16...
Config would be similar to below.
<Extension app_log_multiline>
Module xm_multiline
HeaderLine /.*\[\d\d \w\w\w \d\d\d\d/
Exec if $raw_event =~ /^\s*$/ drop();
</Extension>
<Input in_app_log_files>
Module im_file
File '%APP_LOGS_DIR%\server_error.log'
SavePos TRUE
ReadFromLast TRUE
InputType app_log_multiline
PollInterval 5
DirCheckInterval 60
CloseWhenIdle TRUE
<Exec>
$Environment = "%ENVIRONMENT_TAG%";
$Application = "%APP_TAG%";
$Service = "%SERVICE_TAG%";
</Exec>
</Input>
smythmark created