All, I'm somewhat new to Netwrix, and I need some help understanding how I can send ONLY specific logs up to our SEIM.  I've dug through the documentation a bit, and will continue to do so.  I'm sure someone on here can whip up a quick response... Here is my config file, please help me with mocking up a config that will only send up events 4648 and 4624... ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog>     Module xm_syslog </Extension> <Input internal>     Module im_internal </Input> <Input eventlog>     Module im_msvistalog </Input> <Output out>     Module      om_udp     Host        xx.yy.zz.xyz     Port        514     Exec        to_syslog_snare(); </Output> <Route 1>     Path        eventlog, internal => out </Route>  

What is the best way to do a log rotation? I'm using fileop and I wanted log rotation at midnight, but it hasn't been working. Would it be better to move the Schedule to the Output section? <Extension fileop>     Module      xm_fileop     # Check the size of our log file every hour and rotate if it is larger than 1Mb     <Schedule>         Every   1 hour         Exec    if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 500);     </Schedule>     # Rotate our log file every week on sunday at midnight     <Schedule>         When    @midnight         Exec    file_cycle('%LOGFILE%', 500);     </Schedule> </Extension>

Two related threads I found on this https://nxlog.co/question/2029/logon-vs-logoff-events-seim https://nxlog.co/question/1711/configuration-send-windows-security-logs-only Posted a question the Windows forums as well https://social.technet.microsoft.com/Forums/windowsserver/en-US/f70aa0fd-9f59-470a-bafe-47c82f4a7151/broken-xml-for-eventid-4624?forum=winserver8gen There are domain controllers that a logging server connects to using Windows Eventlog Forwarding (poll). In the eventlog eventid 4624 comes in but in the message field its all % placeholders but the XML data is correct. Before some patching the xml data was broken. The Data fields looked like this <Data Name="AuthenticationPackageName">Kerberos</Data> <Data Name="WorkstationName"> <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data> </Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> But now are more correct and look like this <Data Name="AuthenticationPackageName">Kerberos</Data> <Data Name="WorkstationName" /> <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> The issue is only when nothing is in the WorktationName field. NXlog reads this and converts to JSON and thats where NXlog is obviosly having problems The JSON looks like this "AuthenticationPackageName":"Kerberos","WorkstationName' /> <Data Name='LogonGuid":"{B3A6..... So at the workstation name it fails to parse the XML, possibly because the XML field is closed with /> instead of a full </Data> Another issue is that the Message field does not come through NXlog at all. Would love to get some help debugging this.

All, I'm struggling with NXLOG forwarding events to our SEIM.  I'm able to see Logoff (4647) events, but not Logon (4624) events.  Under the WIndows Event Log, we see both events occuring as expected, but our SEIM is only getting Logoffs... Our config file is standard, but here it is below... ## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog>     Module xm_syslog </Extension> <Input internal>     Module im_internal </Input> <Input eventlog>     Module im_msvistalog </Input> <Output out>     Module      om_udp     Host        xx.yy.zz.xyz     Port        514     Exec        to_syslog_snare(); </Output> <Route 1>     Path        eventlog, internal => out </Route>

I am unable to replace \r\n and \t when using to_json. When using to_syslog_bsd I can replace them, but not with JSON. Do I have an error in my config or is this a bug? Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension syslog> Module xm_syslog </Extension> <Extension json> Module xm_json </Extension> <Input internal> Module im_internal </Input> <Input eventlog> Module im_msvistalog For windows 2003 and earlier use the following: Module im_mseventlog </Input> <Input mark> Module im_mark MarkInterval 60 Mark 226d61792074686520666f726365206265207769746820796f7522 </Input> <Output out> Module om_udp Host logspot.server.org Port 514 Exec $raw_event = replace($raw_event, "\r\n", " "); Exec $raw_event = replace($raw_event, "\t", " "); Exec to_json(); </Output> <Route 1> Path eventlog, internal, mark => out </Route>

With the latest release of nxlog-ce the gelf output module via udp creates an malfomed zlib that is not detected by gelfd ruby module is there a way to force also on udp gelf to send uncompressed.  

Hello, when will NXLog CE support IPv6? Thanks in advance!

Hi,  I am using disk buffer. There is limit when using memory or desk ? I am using nxlog with graylog to forward log. For the disk buffer, the file never gets empty even after the connexion is back between nxlog and graylog?    Thanks 

Hello All,   I am planning to use nxlog client as syslog agent forwarder to my syslog server on remote location. I have various devices whcih can create 20 -500 Events per seconds. I want to collect all thsoe events on one of the system with nxlog and then forward it to remove server.    I am looking for system requirement to ensure system is up and running all time with nxlog client in it.       Regards, Gaurang 

Hi, how can I truncate message to custom fields? For example: I have: message: 2016-09-26 12:58:54 ru1-t001-web01 INFO "\Processor(_Total)\% Processor Time"="50.762249" I need: message: 2016-09-26 12:58:54 ru1-t001-web01 INFO "\Processor(_Total)\% Processor Time"="50.762249" processorTime: 50.762249 Is it possible? Thank you.        

I'm attemping to install nxlog on a fresh Ubuntu 16.04 machine from nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb. It seems to install correctly, however I get an error from the post-installation script. Relevant output from 'dpkg -i nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb': Preparing to unpack nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb ... Unpacking nxlog-ce (2.9.1716) ... Setting up nxlog-ce (2.9.1716) ... [....] Starting nxlog (via systemctl): nxlog.serviceFailed to start nxlog.service: Unit nxlog.service not found. failed! dpkg: error processing package nxlog-ce (--install): subprocess installed post-installation script returned error exit status 5 Running the dpkg command again, or just ignoring that it "failed" and running '/etc/init.d/nxlog start' afterwards both are successful. Any idea why this is happening? The dpkg command returning an error status is causing issues when performing the installation via an automation script.

Hi I installed NXLog Enterprise Edition v3.0.1775 on a Windows Server 2012 R2 Standard. For about about 5 days, NXLog was running fine on this server. I needed to reboot the server and now the NXLog service doesn't start. I'm getting an Error 1053: The nxlog service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion. Any thoughts on what the cause is? Thank you in advance.

I have the following configuration:   define DEFAULT_OUTPUTS null_output include c:/Program Files (x86)/nxlog/conf/nxlog.conf.d/\\*.default <Extension app_log_multiline>   Module xm_multiline   HeaderLine /^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}/ </Extension> <Input app_logs>   Module im_file   InputType app_log_multiline   RenameCheck true   File "C:\\ProgramData\\App\\EventLog\\TestFile.log"   Exec $type = 'windows_log_files';   Exec $Message = $raw_event;   Exec $file_path = file_name(); </Input> <Route r_app_logs>   Path app_logs => testfile </Route> and <Output testfile>   Module om_file   Exec to_json();   File "C:\\testlogoutput.txt" </Output> If the log file contains the following lines: 2016-09-15 02:00:37.906 TestEvent 2016-09-15 02:00:42.251 TestEvent2 with an empty line after the second log line, the output is correct: {     "EventReceivedTime":"2016-09-19 22:35:32",     "SourceModuleName":"app_logs",     "SourceModuleType":"im_file",     "type":"windows_log_files",     "Message":"2016-09-15 02:00:37.906 TestEvent",     "file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log" } {     "EventReceivedTime":"2016-09-19 22:35:32",     "SourceModuleName":"app_logs",     "SourceModuleType":"im_file",     "type":"windows_log_files",     "Message":"2016-09-15 02:00:42.251 TestEvent2",     "file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log" }   However, if the log file contains the same two lines as above, without an empty line after the second log line, the output becomes: {     "EventReceivedTime":"2016-09-19 22:40:59",     "SourceModuleName":"app_logs",     "SourceModuleType":"im_file",     "type":"windows_log_files",     "Message":"2016-09-15 02:00:37.906 TestEvent\r\n2016-09-15 02:00:42.251 TestEvent2",     "file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log" } Basically, unless there is an empty line after the final log event, it seems that multiline is combining the last two lines into one, even though the HeaderLine is matched correctly. Did I configure something wrong?

## This is a sample configuration file. See the nxlog reference manual about the ## configuration options. It should be installed locally and is also available ## online at http://nxlog.org/docs/ ## Please set the ROOT to the folder your nxlog was installed into, ## otherwise it will not start. #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log #to enable syslog format #<Extension _syslog> #   Module      xm_syslog #</Extension>   <Extension fileop>  Module xm_fileop </Extension>   <Input read_file>     Module    im_file     File     "C:\\exnxlog.log"     InputType LineBased     SavePos TRUE          Exec $Message = $raw_event; </Input> <Output out_debug>     Module    om_file     File "C:\\log_debug.txt"  </Output>   <Route 1>     Path        read_file=> out_debug </Route>

Hi, I'd like to collect windows additional logs to check error of synchronisation on users computer. So, I activated  "Synclog" with this command : "wevtutil.exe sl Microsoft-Windows-OfflineFiles/SyncLog /e:true /l:3" I added this query in my nxlog configuration file : <Select Path="Microsoft-Windows-OfflineFiles/SyncLog">*</Select> NXLog failed to start with this error :     ERROR failed to subscribe to msvistalog events,the Query is invalid:  [error code: 50] However my query seems valid, I've build it from XML query in custom view builder on the windows event manager. If I delete this line in my configuration file I've no problem so my problem is here. Have you an idea please ? Thank you

Hello everyone, I would like to catch a log from windows network drives, but I cannot did it. May I know it is supported by nxlog?  Would you please advise, thank you.   <Input filelogs>     Module    im_file     File    "\\\\192.168.1.1\\test\*"     SavePos TRUE     ReadFromLast TRUE     PollInterval 5     Exec $Message = $raw_event; </Input> NXLog.log: 2016-09-14 18:16:53 INFO nxlog-ce-2.8.1248 started 2016-09-14 18:16:53 ERROR failed to open \\192.168.1.1\test\*; Access is denied.   2016-09-14 18:17:03 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.   2016-09-14 18:17:13 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.   2016-09-14 18:17:23 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.   2016-09-14 18:17:33 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.   2016-09-14 18:17:53 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.   2016-09-14 18:18:33 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.   2016-09-14 18:19:43 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.  The share drvice is able to access by everyone, or guest.

Hi! I'm using nxlog to parse a json file and transfer it to Graylog. When it transfer to Graylog the format of a timestamp is changed. How can i prevent nxlog to change the timestamp format ? Thanks in advance

Hello,   I'm new with NXLOG and I don't know how to configure the nxlog.conf file when having many IP entries from UDP sources.   I heritated an implementation that has too many ef and else because the IPs sources. I have some errors and with all those if and elses is pretty difficult to correct the problem. Then I was wondering if ther is a way to separate the entries to avoid using if else if if else if every where. I saw this option for outputs, but not sure if that works in the same way with inputs. Thank you very much for your help and support. It will be really appreciated. Cordially,   clombo

I'm setting up a new server for the first time with Enterprise Edition. Where does NXLog keep its data and can I move it to a different partition?

using om_tcp is there a way to define a sequence of destination IP's such that the list is used in sequence if 1st IP fails to complete 3-way handshake, and then re-check the 1st IP to see if it came back. simple scenario, admin reboots dest IP #1, or the FW admin deletes a FW rule thus blocking IP #1, NXlog could recognize IP #1 is down and then send to IP #2 in the list. in general, its a failover mechanism. can it be done?