Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Gelf UDP creates a malformed zlib
With the latest release of nxlog-ce, the gelf output module via udp creates a malformed zlib that is not detected by the gelfd ruby module. Is there a way to force gelf over udp to also send uncompressed?

Mario.Fetka created
Replies: 1
IPv6 Support
Hello, when will NXLog CE support IPv6? Thanks in advance!

HansHuebner created
Replies: 1
about disk buffer
Hi, I am using disk buffer. Is there a limit when using memory or disk? I am using nxlog with graylog to forward logs. For the disk buffer, the file never gets empty even after the connection is back between nxlog and graylog? Thanks

SM created
Replies: 1
NXlog client system requirement
Hello All, I am planning to use nxlog client as syslog agent forwarder to my syslog server on a remote location. I have various devices which can create 20-500 events per second. I want to collect all those events on one of the systems with nxlog and then forward them to the remote server. I am looking for the system requirements to ensure the system is up and running all the time with nxlog client in it. Regards, Gaurang

GaurangMaru created
Replies: 1
Truncate message to custom fields
Hi, how can I truncate message to custom fields? For example:
I have:
    message: 2016-09-26 12:58:54 ru1-t001-web01 INFO "\Processor(_Total)\% Processor Time"="50.762249"
I need:
    message: 2016-09-26 12:58:54 ru1-t001-web01 INFO "\Processor(_Total)\% Processor Time"="50.762249"
    processorTime: 50.762249
Is it possible? Thank you.

A.Ivanov created
Replies: 2
Ubuntu 16.04 post-install script fails
I'm attempting to install nxlog on a fresh Ubuntu 16.04 machine from nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb. It seems to install correctly, however I get an error from the post-installation script. Relevant output from 'dpkg -i nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb':
    Preparing to unpack nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb ...
    Unpacking nxlog-ce (2.9.1716) ...
    Setting up nxlog-ce (2.9.1716) ...
    [....] Starting nxlog (via systemctl): nxlog.serviceFailed to start nxlog.service: Unit nxlog.service not found.
     failed!
    dpkg: error processing package nxlog-ce (--install):
     subprocess installed post-installation script returned error exit status 5
Running the dpkg command again, or just ignoring that it "failed" and running '/etc/init.d/nxlog start' afterwards, are both successful. Any idea why this is happening? The dpkg command returning an error status is causing issues when performing the installation via an automation script.

mattn created
Replies: 1
nxlog service failed to start
Hi, I installed NXLog Enterprise Edition v3.0.1775 on a Windows Server 2012 R2 Standard. For about 5 days, NXLog was running fine on this server. I needed to reboot the server and now the NXLog service doesn't start. I'm getting an Error 1053: The nxlog service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. Any thoughts on what the cause is? Thank you in advance.

amani created
Replies: 2
xm_multiline not detecting header unless there is a new line at end of file
I have the following configuration:
define DEFAULT_OUTPUTS null_output
include c:/Program Files (x86)/nxlog/conf/nxlog.conf.d/\\*.default
<Extension app_log_multiline>
  Module xm_multiline
  HeaderLine /^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}/
</Extension>
<Input app_logs>
  Module im_file
  InputType app_log_multiline
  RenameCheck true
  File "C:\\ProgramData\\App\\EventLog\\TestFile.log"
  Exec $type = 'windows_log_files';
  Exec $Message = $raw_event;
  Exec $file_path = file_name();
</Input>
<Route r_app_logs>
  Path app_logs => testfile
</Route>
and
<Output testfile>
  Module om_file
  Exec to_json();
  File "C:\\testlogoutput.txt"
</Output>
If the log file contains the following lines:
2016-09-15 02:00:37.906 TestEvent
2016-09-15 02:00:42.251 TestEvent2
with an empty line after the second log line, the output is correct:
{
    "EventReceivedTime":"2016-09-19 22:35:32",
    "SourceModuleName":"app_logs",
    "SourceModuleType":"im_file",
    "type":"windows_log_files",
    "Message":"2016-09-15 02:00:37.906 TestEvent",
    "file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log"
}
{
    "EventReceivedTime":"2016-09-19 22:35:32",
    "SourceModuleName":"app_logs",
    "SourceModuleType":"im_file",
    "type":"windows_log_files",
    "Message":"2016-09-15 02:00:42.251 TestEvent2",
    "file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log"
}
However, if the log file contains the same two lines as above, without an empty line after the second log line, the output becomes:
{
    "EventReceivedTime":"2016-09-19 22:40:59",
    "SourceModuleName":"app_logs",
    "SourceModuleType":"im_file",
    "type":"windows_log_files",
    "Message":"2016-09-15 02:00:37.906 TestEvent\r\n2016-09-15 02:00:42.251 TestEvent2",
    "file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log"
}
Basically, unless there is an empty line after the final log event, it seems that multiline is combining the last two lines into one, even though the HeaderLine is matched correctly. Did I configure something wrong?

scalesleaf created
Replies: 1
I'm reading a log file and writing it into another file, but the output is not written. Below is my file
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#to enable syslog format
#<Extension _syslog>
#   Module      xm_syslog
#</Extension>
<Extension fileop>
    Module xm_fileop
</Extension>
<Input read_file>
    Module    im_file
    File     "C:\\exnxlog.log"
    InputType LineBased
    SavePos TRUE
    Exec $Message = $raw_event;
</Input>
<Output out_debug>
    Module    om_file
    File "C:\\log_debug.txt"
</Output>
<Route 1>
    Path        read_file=> out_debug
</Route>

Nala created
Windows additional log problems
Hi, I'd like to collect additional Windows logs to check synchronisation errors on users' computers. So, I activated "Synclog" with this command:
    wevtutil.exe sl Microsoft-Windows-OfflineFiles/SyncLog /e:true /l:3
I added this query in my nxlog configuration file:
    <Select Path="Microsoft-Windows-OfflineFiles/SyncLog">*</Select>
NXLog failed to start with this error:
    ERROR failed to subscribe to msvistalog events,the Query is invalid:  [error code: 50]
However my query seems valid, I've built it from the XML query in the custom view builder of the Windows event manager. If I delete this line in my configuration file I have no problem, so my problem is here. Do you have an idea, please? Thank you

MatthGyver created
Replies: 1
Catch logging from Windows network drives issue
Hello everyone, I would like to catch a log from Windows network drives, but I cannot do it. May I know if it is supported by nxlog? Would you please advise, thank you.
<Input filelogs>
    Module    im_file
    File    "\\\\192.168.1.1\\test\*"
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 5
    Exec $Message = $raw_event;
</Input>
NXLog.log:
2016-09-14 18:16:53 INFO nxlog-ce-2.8.1248 started
2016-09-14 18:16:53 ERROR failed to open \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:03 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:13 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:23 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:33 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:53 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.
2016-09-14 18:18:33 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.
2016-09-14 18:19:43 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.
The share drive can be accessed by everyone, or guest.

jasonkwwong created
Replies: 1
parse_json, GELF and date conversion
Hi! I'm using nxlog to parse a JSON file and transfer it to Graylog. When it is transferred to Graylog, the format of a timestamp is changed. How can I prevent nxlog from changing the timestamp format? Thanks in advance

Johan.THOMAS created
Replies: 5
Many IPs on input - How to avoid using if else chains?
Hello, I'm new to NXLOG and I don't know how to configure the nxlog.conf file when having many IP entries from UDP sources. I inherited an implementation that has too many if and else because of the IP sources. I have some errors, and with all those ifs and elses it is pretty difficult to correct the problem. So I was wondering if there is a way to separate the entries to avoid using if else if if else if everywhere. I saw this option for outputs, but I am not sure if that works in the same way with inputs. Thank you very much for your help and support. It will be really appreciated. Cordially, clombo

Ana created
Replies: 1
New Installation
I'm setting up a new server for the first time with Enterprise Edition. Where does NXLog keep its data and can I move it to a different partition?

amani created
Replies: 1
Is there a way to do native failover
Using om_tcp, is there a way to define a sequence of destination IPs such that the list is used in sequence if the 1st IP fails to complete the 3-way handshake, and then re-check the 1st IP to see if it came back? Simple scenario: admin reboots dest IP #1, or the FW admin deletes a FW rule thus blocking IP #1. NXLog could recognize IP #1 is down and then send to IP #2 in the list. In general, it's a failover mechanism. Can it be done?

chuck1234 created
Replies: 1
Is there a way to use geolocalization on the nxlog file
We are using nxlog to collect logs. There are 30 locations, where each location has a log collection server. When users travel, we are trying to make them send logs to their closest available log collection server. Is there a way to do this with nxlog?

bhr created
Replies: 1
Is there a way to set ShortMessageLength other than in the extension definition?
So normally I'd define ShortMessageLength during the extension definition part of my configuration file like so:
<Extension gelf>
  Module xm_gelf
  ShortMessageLength -1
</Extension>
Unfortunately, there are other issues preventing me from doing that. Is there a way to define ShortMessageLength in the input or output areas instead? When I try to like so:
<Input win_dns_logs_in>
    Module im_file
    File 'C:\\dns.txt'
    ShortMessageLength -1
    InputType LineBased
</Input>
I get the following error: "invalid keyword: ShortMessageLength"
Thanks,

clintmaples created
Replies: 1
Transparent NXLog Relay for syslog B
Hi everyone, Here is a brief overview of what I'm trying to do:
+----------+ tcp1514 +-----+ tcp514  +---------+
|Originator|---->----|Relay|---->----|Collector|
+----------+         +-----+ syslog  +---------+
192.168.56.10     192.168.56.18     192.168.56.14
Here is the message I get in RSA:
    ReceivedTimeStamp RelayHostname [LogMessage]
I would like to have this:
    ReceivedTimeStamp OriginatorHostname [LogMessage]
I think I'm supposed to throw in an Exec: $Hostname=hostname(); somewhere, but where exactly ? Here is what my conf files look like:
Originator:
<Input in>
    Module im_file
    Recursive TRUE
    File 'C:\\IIS\\*.log'
</Input>
<Output out>
    Module om_tcp
    Host 192.168.56.18
    Port 1514
</Output>
<Route 1>
    Path in => out
</Route>
Relay:
<Extension syslog>
    Module xm_syslog
</Extension>
<Input in>
    Module im_tcp
    Port 1514
    Host 0.0.0.0
</Input>
<Output out>
    Module om_tcp
    Host 192.168.56.14
    Port 514
    Exec to_syslog_bsd();
</Output>
<Route 1>
    Path in => out
</Route>
Thanks for your help.

fbrollo created
Replies: 1
issue with multilining with empty line as header
Hi, I have the following log:

23.08.2016 22:00:00: [20740] INFO: Line 1
23.08.2016 22:00:00: [20740] Line 2
23.08.2016 22:00:00: [20740] Line 3
23.08.2016 22:00:00: [20740] Line 4
23.08.2016 22:00:00: [20740] Line 5

23.08.2016 22:00:00: [20745] INFO: Line 1
23.08.2016 22:00:00: [20745] Line 2
23.08.2016 22:00:00: [20745] Line 3
23.08.2016 22:00:00: [20745] Line 4
23.08.2016 22:00:00: [20745] Line 5

Each multiline log line is beginning with an empty line. So I tried to use the empty line as header:
<Extension multilineEmtpyLine>
    Module xm_multiline
    HeaderLine /^$/
</Extension>
<Input foo>
    Module im_file
    File "C:/logfile/foo.log"
    #enabling multilining
    InputType multilineEmtpyLine
    SavePos TRUE
    Exec $Message = $raw_event;
</Input>
<Output localTCP>
    Module om_tcp
    Host localhost
    Port 5544
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();
    # Uncomment for debug output
    Exec file_write('c:\nxlog\nxlog_localtcp_debug_output.log', $raw_event + "\n");
</Output>
<Route nxlogLocal>
    #Path topbeat_debug, ttp_debug => localTCP
    Path foo=> localTCP
</Route>
As I see in debug output and logstash, each source line will be transmitted as a single line. Multilining is not working. How can I get it to work? thanks, Andreas

_asp_ created
Replies: 1
NXLOG-CE v2.9.1716 with a certificate built with an ECDSA key
Hello, Extract of nxlog.log:
2016-08-24 08:58:30 INFO nxlog-ce-2.9.1716 started
2016-08-24 09:01:24 INFO SSL connection accepted from 172.25.20.35:51694
2016-08-24 09:01:24 ERROR SSL error, SSL_ERROR_SSL: retval -1, no shared cipher,
2016-08-24 09:01:24 WARNING SSL connection closed from 172.25.20.35:51694
My question: are the SSL libraries (libeay32.dll and ssleay32.dll) used by NXLOG-CE compatible with the use of a certificate built with an ECDSA key? Thanks for your help.

D.LEC created
Replies: 1