Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

community edition msi

I have recently been trying the Community Edition of nxlog, which does exactly what I need (and more), but I have an issue with the msi. In order to be something I could deploy, it has to pass uninstall and re-install tests. Unfortunately the uninstall via Windows Installer leaves a lot of file and registry entries behind that subsequently cause issues with a re-installation. Does anyone know if this is likely to be addressed within CE? Does anyone know if Enterprise Edition has the same msi issue? Thanks.


durhamcc created
Replies: 1
im_udp with specific host IP not working

Hello All,

I am using the nxlog-ce-2.9.1716 client to collect logs from my device and then forward them to logstash. I want to make sure the nxlog client accepts syslogs from a particular source instead of any. However, when using a specific IP in the im_udp module, I am getting the error below:

"2017-03-07 16:04:51 ERROR failed to start im_udp; couldn't bind udp socket to 172.20.20.20:514; The requested address is not valid in its context. "

My input driver is configured as below:

<Input in>
    Module    im_udp
    Host    172.20.20.20
    Port    514
</Input>

I tried changing the host as below as well:

Host 172.20.20.20/32 - No luck

Host 172.20.20.20/255.255.255.0 - No luck

Host 172.20.20.20/255.255.255.255 - No luck

Host 172.20.20.20 255.255.255.255 - No luck

Host 172.20.20.20 255.255.255.0 - No luck

However, if I set Host 0.0.0.0 it works, but this is not what I am looking for.

Please help if I am missing anything.

Regards,

Gaurang


GaurangMaru created
Replies: 1
Issues on setting up NXLOG to accept syslogs on Windows

Hi!

I'm new to NXLOG so sorry if this is a dumb question.

So I have a Windows 2012 server that I'm attempting to set up to accept Syslog messages from an outsourced proxy system. I've been able to get NXLOG to accept the logs and dump them to a flat file which our SIEM tool can pick up. However, it ends up being a gigantic file...

I'm trying to refine this now.

Instead of a huge file that we purge out every day, I'd like to have NXLOG limit the log dump to something like 200MB, copy the now older 200MB file to a different directory appending a time stamp to it, then start collecting in a new file in the original folder. The catch is, the live log that is in the original folder needs to keep the same file name, otherwise our SIEM tool won't know what to look for.

I've tried to have a PowerShell script do this and it works, however, if the NXLOG service is running, the log dump file is locked. We could get around this by disabling the service while copying the old log file to a new location, however we'd lose 10-30 minutes of logs in the file copy (not ideal).

Going through the reference manual I see a few ways to limit file size, start a new file, and copy files over directly in the NXLOG config file. However, it's turning out to be a problem condensing all of that into one configuration file that works on Windows. I've only been able to get 1 of 3 pieces working at one time.

I appreciate any help the community can provide! Let me know if there are any questions or if something isn't clear.


CBMT created
Replies: 1
How to efficiently clean up Windows DNS Server debug logs in nxlog

What is the most efficient way to parse Microsoft DNS Server debug logs into something more tidy, say into a CSV or KVP format on the nxlog agent?

Consider the following log message:

"24/02/2017 16:37:22 09B0 PACKET  0000009657E7BA40 UDP Rcv 10.0.100.15   a490   Q [0001   D   NOERROR] A      (7)example(3)com(0)"

First of all, what would be the most efficient way performance-wise to convert this into a CSV or KVP format?

And also, is there some other way besides using Exec and replacing parenthesis and numbers in a sed-like manner to get the clean query name? We have tried to use the Exec method before, but we were hitting some serious performance issues on busy DNS servers.

I have currently switched on to using the pm_pattern module to drop invalid log lines (the beginning of the log file and empty lines) and I was wondering if there would be some easy way to perform both of the tasks (the formatting and the cleaning) using the pm_pattern module?

An example output could look something like the following:

datetime=24/02/2017 16:37:22,thread_id=09B0,context=PACKET,packet_id=0000009657E7BA40,protocol=UDP,action=Rcv,remote_ip=10.0.100.15,
xid=a490,event_type=-,opcode=Q,flags_hex=0001,is_authorative=-,is_truncated=-,recursion_desired=D,recursion_available=-,
response_code=NOERROR,question_type=A,question_name=example.com

The empty or "-" values result from fields specified in the DNS debug log format that are not present in the above message (e.g. all possible flags would be "ATDR", and event_type is "-" because "R" marks a response but an empty value (whitespace) marks a query).

And of course, if the above even is possible, would it be too resource consuming?


tsigidibam created
Replies: 3
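As an added illustration of the two tasks this post asks about (reshaping a PACKET line into the KVP layout it sketches, and dropping header and empty lines), here is a Python parser. It is example code written for this page, not nxlog configuration or nxlog's own code, and it is independent of pm_pattern; the column layout it assumes is derived from the one sample line in the post, the key names (including the post's spelling of is_authorative) follow the post's example output, and the response line and header line in the sample input are constructed here.

```python
import re

# Output key order, taken from the example output in the post (key names kept as the post spells them).
KVP_FIELDS = [
    "datetime", "thread_id", "context", "packet_id", "protocol", "action",
    "remote_ip", "xid", "event_type", "opcode", "flags_hex", "is_authorative",
    "is_truncated", "recursion_desired", "recursion_available", "response_code",
    "question_type", "question_name",
]

# Assumed layout of one PACKET line, derived from the post's sample: after the transaction id comes
# a single 'R' for a response or a space for a query, then the opcode, then
# "[<hex flags> <letters from ATDR> <rcode>]", the question type and the length-prefixed name.
LINE_RE = re.compile(
    r"^(?P<datetime>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?) "
    r"(?P<thread_id>[0-9A-Fa-f]+) "
    r"(?P<context>\S+)\s+"
    r"(?P<packet_id>[0-9A-Fa-f]+) "
    r"(?P<protocol>UDP|TCP) "
    r"(?P<action>Snd|Rcv) "
    r"(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4}) "
    r"(?P<event_type>[R ]) "
    r"(?P<opcode>\S) "
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?P<flags>[ATDR]*)\s+(?P<response_code>\w+)\]\s+"
    r"(?P<question_type>\S+)\s+"
    r"(?P<question_name>\S+)\s*$"
)

# One "(len)label" pair of the wire-style name, e.g. "(7)example".
NAME_LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def clean_question_name(raw):
    """Turn '(7)example(3)com(0)' into 'example.com'; None if a label length does not match."""
    labels = []
    for length, label in NAME_LABEL_RE.findall(raw):
        if len(label) != int(length):
            return None  # malformed name: treat the whole line as invalid
        if label:
            labels.append(label)
    return ".".join(labels)


def parse_dns_debug_line(line):
    """Return a dict of fields for a PACKET line, or None for header, blank or malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name = clean_question_name(m.group("question_name"))
    if name is None:
        return None
    flags = m.group("flags")
    return {
        "datetime": m.group("datetime"),
        "thread_id": m.group("thread_id"),
        "context": m.group("context"),
        "packet_id": m.group("packet_id"),
        "protocol": m.group("protocol"),
        "action": m.group("action"),
        "remote_ip": m.group("remote_ip"),
        "xid": m.group("xid"),
        # 'R' marks a response; a query has a blank in that column, reported as '-' like the post's output
        "event_type": "R" if m.group("event_type") == "R" else "-",
        "opcode": m.group("opcode"),
        "flags_hex": m.group("flags_hex"),
        "is_authorative": "A" if "A" in flags else "-",
        "is_truncated": "T" if "T" in flags else "-",
        "recursion_desired": "D" if "D" in flags else "-",
        "recursion_available": "R" if "R" in flags else "-",
        "response_code": m.group("response_code"),
        "question_type": m.group("question_type"),
        "question_name": name,
    }


def to_kvp(fields):
    """Serialise one parsed record as key=value pairs in the post's field order."""
    return ",".join(f"{k}={fields[k]}" for k in KVP_FIELDS)


def convert_lines(lines):
    """Parse every line, silently dropping those that are not valid PACKET records."""
    out = []
    for line in lines:
        fields = parse_dns_debug_line(line)
        if fields is not None:
            out.append(to_kvp(fields))
    return out


# Constructed sample input: the line quoted in the post, a response line made up in the same layout,
# a made-up header line and an empty line (the kinds of lines the post wants dropped).
SAMPLE_LINES = [
    "24/02/2017 16:37:22 09B0 PACKET  0000009657E7BA40 UDP Rcv 10.0.100.15   a490   Q [0001   D   NOERROR] A      (7)example(3)com(0)",
    "24/02/2017 16:37:22 09B0 PACKET  0000009657E7BA40 UDP Snd 10.0.100.15   a490 R Q [8081   DR  NOERROR] A      (7)example(3)com(0)",
    "DNS Server log file creation at 24/02/2017 16:37:00 UTC",
    "",
]

if __name__ == "__main__":
    for kvp in convert_lines(SAMPLE_LINES):
        print(kvp)
```

The cleaning and the reshaping happen in one pass, so a line either yields a complete record or nothing; a label whose declared length does not match its text is rejected rather than passed through as a partially cleaned name.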
Logging suddenly stops for high-volume input but continues to work for low-volume input

I'm not sure how to characterize what's going on, but here goes...

My route path has two inputs, an intermittently high-volume input and a low-volume input. The high-volume input can be thousands in a couple of minutes, or it can be practically nothing. The low-volume input is, at most, one or two entries per ~3-4 minutes. There are also three outputs, two HTTP and a rotated file. They are disconnecting a fair bit, presumably due to timeouts or lack of pipelining or something.

In my current configuration, I consistently find that my log data for the high-volume log gets dropped after a couple minutes. I'm not sure if the timing correlates with the HTTP disconnects, but it might. Sometimes I get just over a thousand log lines through, sometimes I get a couple hundred log lines, sometimes I get a couple thousand. Interestingly, the low-volume log is unaffected.

I do have flow control enabled, and putting a buffer on the inputs did not seem to help. I didn't try disabling flow control because I don't understand it very well. I have to have both inputs going into the same route because how the messages interleave is important to the meaning of the entries.

Here's the path that I use:

  Path       vg_tsw_client, vg_tsw_combat => vg_tsw_pattern => vg_tsw_unparse_finder => vg_tsw_testfile, vg_tsw_es, vg_tsw_cdb

_client is the low-volume input, _combat is the high-volume one. _pattern is a pm_pattern with ~25-30 regexes and a small script on every pattern (0-10 lines); _unparse_finder is a pm_null that uses add_to_route to copy unmatched patterns to a new route (0 hits lately) and does some light data enrichment via Exec. _testfile is the rotated file output, _es and _cdb are the HTTP outputs.

Thanks in advance.


progssilb created
Replies: 1
Convert DateTime to Unix Time

Hello, I have a question.

My variable $EventTime contains a DateTime only in this format: "2017-12-30 01:30:00"
How can I, using NxLog, convert it to UNIX TIME format or to this format: Dec 30 01:30:00?

Thanks


toreno93 created
Replies: 1
parse xml attributes

Hello,

I need to read log files from Oracle, which are structured in XML with attributes.

Is nxlog still unable to access the attributes?

I've read here that the enterprise edition does it:

https://nxlog.co/announcing-nxlog-enterprise-edition-v30

Handling structured data formats better

The xm_xml extension has been enhanced so that it can now parse nested XML and data stored in XML attributes. Parsing of nested JSON has been also implemented in xm_json and UTF-8 validation can be enforced in order to avoid parser failures caused by invalid UTF-8 in other tools.

Is this a feature of the enterprise edition only, or will it be ported to the community edition too?


Luca.Corsini created
Replies: 1
Pattern DB appears to drop fields

I'm trying to get a PatternDB working correctly, and it looks like I'm getting some fields but not all of them. There's only one pattern that's actually generating extra fields, and even it is dropping the first field (ParsedDate). Not sure what's going on here...

Config file (via file inclusion):

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input vg_tsw_client>
  Module     im_file
  File       "C:\Program Files (x86)\Steam\steamapps\common\The Secret World\ClientLog.txt"
  Exec       if not ($raw_event =~ /Scaleform\.TSWACT/) drop();
  Exec         parse_syslog();
</Input>

<Input vg_tsw_combat>
  Module     im_file
  File       "C:\Program Files (x86)\Steam\steamapps\common\The Secret World\CombatLog-*.txt"
  Exec       if ($raw_event =~ /Sprinting [VI]+/) drop();
  Exec         parse_syslog();
</Input>

<Processor vg_tsw_pattern>
    Module    pm_pattern
    PatternFile %ROOT%\conf\SecretWorld\patterndb.xml
</Processor>

<Output vg_tsw_testfile>
  Module     om_file
  File       "C:\\ProgramData\\nxlogs\\vg-tsw-logs.log"
  Exec       to_json();
</Output>

<Route vg_tsw_route>
  Path       vg_tsw_client, vg_tsw_combat => vg_tsw_pattern => vg_tsw_testfile
</Route>

Pattern DB:

<?xml version='1.0' encoding='UTF-8'?>
<patterndb>
 <created>2010-01-01 01:02:03</created>
 <version>42</version>
 
<group>
  <name>tswCombat</name>
  <id>50284624</id>
  <matchfield>
    <name>SourceModuleName</name>
    <type>exact</type>
    <value>vg_tsw_combat</value>
  </matchfield>

  <pattern>
    <id>1000</id>
    <name>basic combat swing</name>

    <matchfield>
     <name>Message</name>
     <type>regexp</type>
        <!-- [00:00:28] (Critical) Solomon County Cop's Spray and Pray hits (Normal) Ravenous Horde for 522 physical damage. (Normal) -->
     <value>^\[([^\]]+)\] ((?:\(Critical\) |\(Normal\) )?)(.+?'s|Your) (.+?) hits \((Normal|Glancing)\) (.*?) for (\d+) (physical|magical) damage. \((Normal|Penetrated|Blocked)\)</value>
     <capturedfield>
      <name>ParsedTime</name>
      <type>datetime</type>
     </capturedfield>
     <capturedfield>
      <name>CriticalHit</name>
      <type>string</type>
     </capturedfield>
     <capturedfield>
        <name>AttackerName</name>
        <type>string</type>
     </capturedfield>
     <capturedfield>
        <name>AttackName</name>
        <type>string</type>
     </capturedfield>
     <capturedfield>
        <name>Glancing</name>
        <type>string</type>
     </capturedfield>
     <capturedfield>
        <name>VictimName</name>
        <type>string</type>
     </capturedfield>
     <capturedfield>
        <name>Damage</name>
        <type>integer</type>
     </capturedfield>
     <capturedfield>
        <name>DamageType</name>
        <type>string</type>
     </capturedfield>
     <capturedfield>
        <name>BlockOrPen</name>
        <type>string</type>
     </capturedfield>
    </matchfield>

    <set>
     <field>
       <name>type</name>
       <value>Swing</value>
       <type>string</type>
     </field>
    </set>
  </pattern>
</group>

<group>
  <name>tswClient</name>
  <id>50284625</id>
  <matchfield>
    <name>SourceModuleName</name>
    <type>exact</type>
    <value>vg_tsw_client</value>
  </matchfield>
 
  <pattern>
    <id>2000</id>
    <name>tswact load plugin</name>

    <matchfield>
     <name>Message</name>
     <type>regexp</type>
        <!-- [2017-02-10 05:47:07Z #3886] [ID:0] ERROR: Scaleform.TSWACT - TSWACT Loaded for |Sheriban| -->
     <value>^\[([0-9-:]+)Z #\d+\] \[ID:\d+\] ERROR: Scaleform.TSWACT - TSWACT Loaded for - \|(\w+)\|</value>
     <capturedfield>
      <name>ParsedTime</name>
      <type>string</type>
     </capturedfield>
     <capturedfield>
      <name>PlayerName</name>
      <type>string</type>
     </capturedfield>
    </matchfield>

    <set>
     <field>
       <name>type</name>
       <value>TswactLoaded</value>
       <type>string</type>
     </field>
    </set>
  </pattern>
 
  <pattern>
    <id>2001</id>
    <name>tswact load playfield</name>

    <matchfield>
     <name>Message</name>
     <type>regexp</type>
        <!-- [2017-02-10 05:47:07Z #3886] [ID:0] ERROR: Scaleform.TSWACT - Playfield - |Kingsmouth Town| -->
     <value>^\[([0-9-:]+)Z #\d+\] \[ID:\d+\] ERROR: Scaleform.TSWACT - Playfield - \|(\w+)\|</value>
     <capturedfield>
      <name>ParsedTime</name>
      <type>datetime</type>
     </capturedfield>
     <capturedfield>
      <name>ZoneName</name>
      <type>string</type>
     </capturedfield>
    </matchfield>

    <set>
     <field>
       <name>type</name>
       <value>SetZoneName</value>
       <type>string</type>
     </field>
    </set>
  </pattern>

  <pattern>
    <id>2002</id>
    <name>tswact enter combat</name>

    <matchfield>
     <name>Message</name>
     <type>regexp</type>
        <!-- [2017-02-10 05:00:22Z #10910] [ID:0] ERROR: Scaleform.TSWACT - Enter combat - |Sheriban|Buffs:Sprinting VI:Elemental Force:Third Degree :World Domination| -->
     <value>^\[([0-9-:]+)Z #\d+\] \[ID:\d+\] ERROR: Scaleform.TSWACT - Enter combat - \|(\w+)\|</value>
     <capturedfield>
      <name>ParsedTime</name>
      <type>datetime</type>
     </capturedfield>
     <capturedfield>
      <name>PlayerName</name>
      <type>string</type>
     </capturedfield>
    </matchfield>

    <set>
     <field>
       <name>type</name>
       <value>EnterCombat</value>
       <type>string</type>
     </field>
    </set>
    <exec>
      $TestField = 'testValue';
    </exec>
  </pattern>
</group>

</patterndb>

Some of the output I'm getting:

{"EventReceivedTime":"2017-02-10 11:45:00","SourceModuleName":"vg_tsw_combat","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2017-02-10 11:45:00","Hostname":"shepard","Message":"[11:45:00] Your Pop Shot hits (Normal) Undead Islander for 1437 physical damage. (Normal)","CriticalHit":"","AttackerName":"Your","AttackName":"Pop Shot","Glancing":"Normal","VictimName":"Undead Islander","Damage":1437,"DamageType":"physical","BlockOrPen":"Normal","PatternID":1000,"PatternName":"basic combat swing","type":"Swing"}
{"EventReceivedTime":"2017-02-10 11:45:00","SourceModuleName":"vg_tsw_combat","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2017-02-10 11:45:00","Hostname":"shepard","Message":"[11:45:00] (Critical) Your Pop Shot hits (Normal) Undead Islander for 2965 physical damage. (Penetrated)","CriticalHit":"(Critical) ","AttackerName":"Your","AttackName":"Pop Shot","Glancing":"Normal","VictimName":"Undead Islander","Damage":2965,"DamageType":"physical","BlockOrPen":"Penetrated","PatternID":1000,"PatternName":"basic combat swing","type":"Swing"}
{"EventReceivedTime":"2017-02-10 11:45:00","SourceModuleName":"vg_tsw_combat","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2017-02-10 11:45:00","Hostname":"shepard","Message":"[11:45:00] You gain buff Live Wire"}
{"EventReceivedTime":"2017-02-10 11:45:01","SourceModuleName":"vg_tsw_client","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2017-02-10 11:45:01","Hostname":"shepard","Message":"[2017-02-10 16:45:01Z #18498] [ID:0] ERROR: Scaleform.TSWACT - Out of combat - |Sheriban|"}
{"EventReceivedTime":"2017-02-10 11:45:10","SourceModuleName":"vg_tsw_combat","SourceModuleType":"im_file","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2017-02-10 11:45:10","Hostname":"shepard","Message":"[11:45:10] Buff Live Wire terminated."}

Some of the vg_tsw_combat input file:

[11:45:00] Your One in the Chamber hits (Normal) Undead Islander for 231 physical damage. (Normal)
[11:45:00] Buff Sudden Return terminated on Undead Islander.
[11:45:00] Buff One in the Chamber terminated on Undead Islander.
[11:45:00] You gained 146 XP.
[11:45:00] Undead Islander died.
[11:45:00] Your Sudden Return hits (Normal) Undead Islander for 259 physical damage. (Normal)
[11:45:00] Your Pop Shot hits (Normal) Undead Islander for 2045 physical damage. (Penetrated)
[11:45:00] Your Pop Shot hits (Normal) Undead Islander for 2175 physical damage. (Penetrated)
[11:45:00] Your Pop Shot hits (Normal) Undead Islander for 1437 physical damage. (Normal)
[11:45:00] (Critical) Your Pop Shot hits (Normal) Undead Islander for 2965 physical damage. (Penetrated)
[11:45:00] You gain buff Live Wire
[11:45:02] You start using Sprinting VI.
[11:45:03] You gain buff Sprinting VI
[11:45:03] You successfully used Sprinting VI.
[11:45:10] Buff Live Wire terminated.

Some of the vg_tsw_client input:

[2017-02-10 16:33:43Z #6790] [ID:0] ERROR: Scaleform.TSWACT - TSWACT Loaded for |Sheriban|
[2017-02-10 16:33:43Z #6790] [ID:0] ERROR: Scaleform.TSWACT - Playfield - |The Savage Coast|
[2017-02-10 16:34:12Z #7313] [ID:0] ERROR: Scaleform.TSWACT - Enter combat - |Sheriban|Buffs:World Domination|
[2017-02-10 16:34:14Z #7373] [ID:0] ERROR: Scaleform.TSWACT - Out of combat - |Sheriban|
[2017-02-10 16:39:06Z #10609] [ID:0] ERROR: MagicCommand - Trying to prepone the execute timeline to the pass. Spell:7760057
[2017-02-10 16:39:06Z #10624] [ID:0] ERROR: Scaleform.TSWACT - Enter combat - |Sheriban|Buffs:Elemental Force:World Domination|
[2017-02-10 16:39:08Z #10655] [ID:0] ERROR: Scaleform.TSWACT - Out of combat - |Sheriban|
[2017-02-10 16:44:58Z #18330] [ID:0] ERROR: MagicCommand - Trying to prepone the execute timeline to the pass. Spell:7760057
[2017-02-10 16:44:59Z #18388] [ID:0] ERROR: Scaleform.TSWACT - Enter combat - |Sheriban|Buffs:Elemental Force:World Domination|
[2017-02-10 16:45:01Z #18498] [ID:0] ERROR: Scaleform.TSWACT - Out of combat - |Sheriban|

Any ideas?


progssilb created
Replies: 2
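One way to narrow down a capture that goes missing is to run the pattern's own regex over the log lines outside nxlog and apply the declared capture types yourself. The following is an added Python example written for this page, not nxlog's code and not a statement about pm_pattern internals: it takes the regex and the capturedfield list of pattern 1000 ("basic combat swing") verbatim from the posted pattern DB, runs them over lines from the posted combat log excerpt, and mimics typed conversion under the assumption that a capture which cannot be converted to its declared type is left unset. The datetime formats it tries are an assumption as well.

```python
import re
from datetime import datetime

# Regex copied verbatim from pattern 1000 in the posted pattern DB.
SWING_RE = re.compile(
    r"^\[([^\]]+)\] ((?:\(Critical\) |\(Normal\) )?)(.+?'s|Your) (.+?) hits "
    r"\((Normal|Glancing)\) (.*?) for (\d+) (physical|magical) damage. "
    r"\((Normal|Penetrated|Blocked)\)"
)

# capturedfield names and types, in the order they appear in the posted pattern DB.
CAPTURES = [
    ("ParsedTime", "datetime"), ("CriticalHit", "string"), ("AttackerName", "string"),
    ("AttackName", "string"), ("Glancing", "string"), ("VictimName", "string"),
    ("Damage", "integer"), ("DamageType", "string"), ("BlockOrPen", "string"),
]

# Assumption: the formats a datetime-typed capture is expected to be convertible from.
DATETIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%SZ")


def convert(value, ftype):
    """Convert a captured string to its declared type; None when it cannot be converted."""
    if ftype == "integer":
        return int(value) if value.isdigit() else None
    if ftype == "datetime":
        for fmt in DATETIME_FORMATS:
            try:
                return datetime.strptime(value, fmt)
            except ValueError:
                continue
        return None
    return value


def apply_pattern(line):
    """Return (fields, unconverted) for a line the regex matches, or None when it does not.

    fields holds the captures that converted to their declared type; unconverted lists the
    names of captures whose raw text could not be converted (assumed: such a field stays unset).
    """
    m = SWING_RE.match(line)
    if not m:
        return None
    fields, unconverted = {}, []
    for (name, ftype), value in zip(CAPTURES, m.groups()):
        converted = convert(value, ftype)
        if converted is None:
            unconverted.append(name)
        else:
            fields[name] = converted
    return fields, unconverted


# Lines taken from the vg_tsw_combat excerpt in the post.
SAMPLE_LINES = [
    "[11:45:00] Your Pop Shot hits (Normal) Undead Islander for 1437 physical damage. (Normal)",
    "[11:45:00] (Critical) Your Pop Shot hits (Normal) Undead Islander for 2965 physical damage. (Penetrated)",
    "[11:45:00] You gain buff Live Wire",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("  ->", apply_pattern(line))
```

Run against the first sample line, the converted fields are exactly the set that appears in the JSON output quoted in the post, and the only capture reported as unconverted is ParsedTime, whose raw text is the time-of-day string inside the leading brackets; comparing the raw capture with what the declared type can accept is the check worth doing for every typed field.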
NXLogClient Event captures Multiple platforms

Hello There,

Please help me get answers to the questions below.

1. What logs can be captured using the NXLog client on Windows, Unix, AIX and Linux platforms?

2. What are the system prerequisites for installing the NXLog client on Windows, UNIX, AIX and Linux platforms?

Thank you.


kdevmu created
Error when I install nxlog on REDHAT tikanga

Hello,

Does anyone have an issue when installing on REDHAT TIKANGA?

The error message is mentioned below:

~[root@osgdt01 tmp]# rpm -ivh nxlog-3.0.1814-1_rhel6.x86_64.rpm
error: nxlog-3.0.1814-1_rhel6.x86_64.rpm: Header V4 RSA/SHA1 signature: BAD, key ID 1da9e40e
error: nxlog-3.0.1814-1_rhel6.x86_64.rpm cannot be installed

Does anyone know what "signature: BAD" means?

I have no idea about this error message, even after googling it.

Thanks


Ely created
Replies: 1
Writing Windows Event Logs from Separate Servers to Multiple Files

Hello,

I am trying to set up NXLog so that multiple Windows Servers will send their Event logs to a central server, and that server will output them into basic text files. The logs are delivered to the central server just fine, but instead of going to separate routes as I have configured, all logs appear to be delivered to the same route, which happens to be the first one listed. Any help would be greatly appreciated.

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

########## BEGIN EXTENSIONS ##########

<Extension syslog>
    Module  xm_syslog
</Extension>

########## END EXTENSIONS ##########

########## BEGIN INPUTS ##########

<Input in_xxx>
    Module      im_tcp
    Host 0.0.0.0
    Port 514
</Input>

<Input in_yyy>
    Module      im_tcp
    Host 0.0.0.0
    Port 514
</Input>

<Input in_zzz>
    Module      im_tcp
    Host 0.0.0.0
    Port 514
</Input>

########## END INPUTS ##########

########## BEGIN OUTPUTS ##########

<Output out_xxx>
    Module      om_file
    File "C:\\Logs\\xxx_NXLog.txt"
    CreateDir FALSE
    Truncate FALSE
    OutputType LineBased
</Output>

<Output out_yyy>
    Module      om_file
    File "C:\\Logs\\yyy_NXLog.txt"
    CreateDir FALSE
    Truncate FALSE
    OutputType LineBased
</Output>

<Output out_zzz>
    Module      om_file
    File "C:\\Logs\\zzz_NXLog.txt"
    CreateDir FALSE
    Truncate FALSE
    OutputType LineBased
</Output>

########## END OUTPUTS ##########

########## BEGIN ROUTES ##########

<Route 1>
    Path        in_xxx => out_xxx
</Route>

<Route 2>
    Path        in_yyy => out_yyy
</Route>

<Route 3>
    Path        in_zzz => out_zzz
</Route>

########## END ROUTES ##########

Thank you.


mc63 created
Replies: 1
frequency of evaluation of functions

If we set up a function to identify the IP of the client server and, based on that answer, forward logs based on that IP info, how many times would this logic be evaluated?

Does it evaluate each time a log is processed, or just upon application start?

marko created
Replies: 1
community edition msi silent install

Two questions. I am attempting to install nxlog-ce via PowerShell; the process hangs at the accept-EULA screen, and it also seems the way to install requires copying over the default configuration file after install.

- Is there a flag I can pass to accept the EULA?

- Is there a way to pass the path to the config file at install time to automatically overwrite the config at installation time without stopping/starting the process?

i.e. nxlog.msi /accepteula /install /quiet/ /conf=\\path\to\conf

So to add, if I do:

msiexec /i nxlog.msi /quiet

it will install quietly, but if I launch it with Start-Process msiexec -ArgumentList "/i nxlog.msi /quiet", it will still launch the EULA splash again. So I'm not sure if that is a bug in PowerShell, but I would still like to pass the config file at installation without having to overwrite it.


reason created
Replies: 1
Having issues with mysql

I'm trying to get nxlog to read from a mysql table and output any changes since the last table read to a text file in tab-delimited CSV format. Right now all it's doing is injecting multiple carriage returns into the text file with no text. Am I heading in the right direction or have I totally borked the config? I'm working with the following config:

<Extension csv>
        Module xm_csv
        Fields $facility, $severity, $hostname, $timestamp, $application, $message
        FieldTypes string, string, string, string, string, string
        Delimiter \t
</Extension>


<Input dbiin>
    Module im_dbi
        SavePos TRUE
        Driver mysql
        Option host localhost
        Option username USERNAME
        Option dbname DBNAME
        Option password PASSWORD
        SQL SELECT facility, severity, hostname, timestamp, application, message FROM table
</Input>

<Output out>
       Module om_file
       File "/var/log/test.txt"
</Output>

<Route 1>

      Path dbiin => out

</Route>



jkrautter created
Replies: 1
multiline message

Hello. I have a question.

I get multiline messages.

How can I combine a multiline message into a single line?

For example, this message has 4 lines:

Jul 21 17:59:10 <14> 1 2016-07-04T00: 53: 02.000000 + 03: 00 node = sec-sflow type = SYSCALL msg = audit (1467579182.055: 3248181): arch = 111

2 syscall = success = yes exit = 4 a0 = 7fc7783127a8 a1 = 2 a2 = a3 = 0 8 items = 1 ppid = 11013 pid = 30363 auid = 0 0 uid = gid = 0 = 0 euid

suid = 0 fsuid = 0 = 0 egid sgid = 0 = 0 fsgid tty = (none) ses = 28 comm = "sshd"

exe = "/ usr / sbin / sshd" key = "root_action"

Thank!


toreno93 created
Replies: 1
im_msvistalog EventData Fields are overwritten

Hello!

It appears that any nested data - e.g. from EventData - will be overwritten if the field exists on the event itself.

For example, please see your documentation on sysmon.  Notice that ProcessID is a field on the event, and is also a field under EventData, albeit with different data.

The resulting JSON output includes only the ProcessID from the event itself, not from the eventdata.  In the example at the link, notice that the Event.ProcessID is 1680.  The Event.EventID.ProcessID is 25848.  Notice that the data from the latter (generally more specific to this type of event, and thus generally more important) is not available as structured data anywhere.

Personally I'm not using this at the moment, but, I could see many situations where the generic Event fields overwrite valuable information from Event Data.

Cheers!



pscookiemonster created
Replies: 1
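The loss this post describes, a generic field silently replacing a same-named nested one, comes down to the merge rule used when nested data is flattened onto the event. The following is an added Python example written for this page, not nxlog's code: it uses the two ProcessID values quoted in the post (1680 on the event, 25848 under EventData) inside a constructed record shape, and shows a collision-aware flatten that keeps both values, the rule anyone writing their own flattening step would want.

```python
# Constructed record shapes for illustration; the real im_msvistalog field set is not reproduced here.
# The two ProcessID values are the ones quoted in the post.
EVENT = {"EventID": 1, "ProcessID": 1680, "Channel": "Microsoft-Windows-Sysmon/Operational"}
EVENT_DATA = {"ProcessID": 25848, "Image": "C:\\constructed\\example.exe"}


def flatten_overwriting(event, event_data):
    """The lossy merge the post describes: nested keys overwrite nothing, top-level keys win."""
    merged = dict(event_data)
    merged.update(event)  # top-level fields applied last, so they win every collision
    return merged


def flatten_event(event, event_data, prefix="EventData."):
    """Merge nested data onto the event without losing either side of a name collision.

    Keys that exist only in event_data are promoted to the top level as-is. Keys that collide
    with a different value keep the top-level value under the plain name and store the nested
    value under a prefixed name, so both remain available as structured data.
    Returns (merged_record, list_of_colliding_keys).
    """
    merged = dict(event)
    collisions = []
    for key, value in event_data.items():
        if key in merged and merged[key] != value:
            merged[prefix + key] = value
            collisions.append(key)
        else:
            merged[key] = value
    return merged, collisions


if __name__ == "__main__":
    print("lossy :", flatten_overwriting(EVENT, EVENT_DATA))
    record, lost = flatten_event(EVENT, EVENT_DATA)
    print("safe  :", record)
    print("collisions that would have been lost:", lost)
```

The returned collision list doubles as a detection hook: logging it during testing shows which event types carry nested fields that share a name with a generic one, so the prefixed names can be mapped in the SIEM before any data is relied on.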
Cut out some output fields

Hello,

Could you please clarify how I can cut out some fields from a forwarded event?

My situation is the following:

I have a local log file on the server where the nxlog agent is installed. Using the im_file module I have defined the path to the file and the filename. After that I configured it to forward this log to a remote syslog server. When I opened the forwarded log on the remote syslog server I found out that my log line had been changed: the time and the name of the server where the original log file is stored had been added. I have posted a line from the remote server and marked the columns which were added during forwarding.

Jan 12 13:16:28 siem-vm Jan 12 00:01:37 mail2-vm-srv postfix/cleanup[7412]: 6EC1E2A23F9: message-id=<20170111220136.5AE682A23F6>

Can you help me?

Thank you in advance.


yuriishatylo created
Replies: 1
Help for epoch time conversion

Hi, can anyone help me with the output of my nxlog.conf?
I want to convert the epoch time from my Bro logs.

Part of the logs:

1482865199.693051 FSYupp4bmRs8tT5Jyg 3 5A00020E4289E78C695848......
1482865200.300809 FmXyl22Uxsq1cudDd8 3 5A00020E4289E78C695848......
1482865200.203542 FAuSUU3X9pgdSJ2D2g 3 5A00020E4289E78C695848.......
1482865201.043722 F0KUdW3Nm5edyqPXLl 3 0CEAC9CAD430F24F334575.......

My current settings are

<Output o.name.log>
 Module om_tcp
 Host xx.xxx.xxx.xxx
 Port xxxx
 OutputType LineBased
</Output>

Thanks!


absolis created
Replies: 1
im_msvistalog EventTime being sent as String to ElasticSearch

I'm attempting to demo nxlog and running into a problem where the Windows Server 2016 event logs are being sent to AWS ElasticSearch Service with the EventTime being a string. This basically renders it impossible to index the logs, as the Kibana board requires a time-field name and is not recognizing the string as a datetime. Any suggestions on this, or is this a potential bug with Server 2016?


chris.bowen created
Replies: 1
NXlog Exec $Hostname = hostname_fqdn(); not working

Hi everybody,

I stumbled over a problem: sometimes I get hostnames from nxlog, other times it's FQDNs. This happens only with internal nxlog messages. I tried to fix this by using the Exec $Hostname = hostname_fqdn(); statement.

# Nxlog internal logs
<Input internal>
   Module im_internal
   Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
   Exec $Hostname = hostname_fqdn(); 
</Input>

I still get messages with the designation nxlog: internal that have a source_host with the hostname only and not the FQDN.

Either I am missing something really obvious or something is broken. Any guidance to troubleshoot or figure out what is going on is much appreciated.

Best regards

Tobias


tobias42 created
Replies: 1