Does it work to send IIS logs in snare format ???
when i use the "Exec to_syslog_snare();" option in output, it sends logs like they are MSWinEvents...
<13>Oct 21 06:26:36 SRV-00-20-21 MSWinEventLog 1 N/A 17 Fri Oct 21 06:26:36 2016 N/A N/A N/A N/A N/A N/A N/A N/A N/A
enekoas created
I was reading the Enterprise Edition documentation on Check Point OPSEC LEA. Can this be done on a Windows server or do I need to use a Linux server?
amani created
I have
<Extension w3c>
Module xm_csv
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-Referer, $cs-host, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, string, integer, integer, integer, integer
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
And i have
<Input iis>
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\u_ex*.log"
SavePos TRUE
Exec \
if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ"); \
$SourceName = "IIS"; \
}
</Input>
When im trying to add something like if $raw_event =~ /^#/ or $sc-status == 101 drop(); \
I am getting error in log like that:
couldn't parse statement at line 91, character 46 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; syntax error, unexpected -, expecting (
I have tried to use similar options, but it doesnt works.
What im doing wrong, help me please. Thanks.
V_Vorobey created
I'm attempting to use nxlog to pull in audit files from ModSecurity the root of the log files reside at /var/log/modsec_audit/. The actual log files are two folders lower, as modsecurity creates the folders that are timestamped by day and then minute.
Inside my nxlog input config, I have my logfile path as /var/log/modsec_audit/*, and I have enabled recursive file lookup, but to this point, no modsecurity logs are being picked up. The same sidecar instance is grabbing apache logs perfectly fine, however. I feel like the issue is related to the directory structure, but I'm not seeing an issue with my config. Any thoughts?
<Input 579d7bd625b5bc05cc7f1614>
Module im_file
File "/var/log/modsec_audit/*"
PollInterval 5
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
</Input>
jason.mull created
All,
I'm somewhat new to Netwrix, and I need some help understanding how I can send ONLY specific logs up to our SEIM. I've dug through the documentation a bit, and will continue to do so. I'm sure someone on here can whip up a quick response...
Here is my config file, please help me with mocking up a config that will only send up events 4648 and 4624...
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
<Input eventlog>
Module im_msvistalog
</Input>
<Output out>
Module om_udp
Host xx.yy.zz.xyz
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path eventlog, internal => out
</Route>
jborn2305 created
What is the best way to do a log rotation?
I'm using fileop and I wanted log rotation at midnight, but it hasn't been working. Would it be better to move the Schedule to the Output section?
<Extension fileop>
Module xm_fileop
# Check the size of our log file every hour and rotate if it is larger than 1Mb
<Schedule>
Every 1 hour
Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 500);
</Schedule>
# Rotate our log file every week on sunday at midnight
<Schedule>
When @midnight
Exec file_cycle('%LOGFILE%', 500);
</Schedule>
</Extension>
amani created
Two related threads I found on this
- https://nxlog.co/question/2029/logon-vs-logoff-events-seim
- https://nxlog.co/question/1711/configuration-send-windows-security-logs-only
Posted a question the Windows forums as well
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/f70aa0fd-9f59-470a-bafe-47c82f4a7151/broken-xml-for-eventid-4624?forum=winserver8gen
There are domain controllers that a logging server connects to using Windows Eventlog Forwarding (poll).
In the eventlog eventid 4624 comes in but in the message field its all % placeholders but the XML data is correct. Before some patching the xml data was broken.
The Data fields looked like this
<Data Name="AuthenticationPackageName">Kerberos</Data> <Data Name="WorkstationName"> <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data> </Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data>
But now are more correct and look like this
<Data Name="AuthenticationPackageName">Kerberos</Data> <Data Name="WorkstationName" /> <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data>
The issue is only when nothing is in the WorktationName field.
NXlog reads this and converts to JSON and thats where NXlog is obviosly having problems
The JSON looks like this
"AuthenticationPackageName":"Kerberos","WorkstationName' /> <Data Name='LogonGuid":"{B3A6.....
So at the workstation name it fails to parse the XML, possibly because the XML field is closed with /> instead of a full </Data>
Another issue is that the Message field does not come through NXlog at all.
Would love to get some help debugging this.
Elvar.Böðvarsson created
All,
I'm struggling with NXLOG forwarding events to our SEIM. I'm able to see Logoff (4647) events, but not Logon (4624) events. Under the WIndows Event Log, we see both events occuring as expected, but our SEIM is only getting Logoffs...
Our config file is standard, but here it is below...
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
<Input eventlog>
Module im_msvistalog
</Input>
<Output out>
Module om_udp
Host xx.yy.zz.xyz
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path eventlog, internal => out
</Route>
jborn2305 created
I am unable to replace \r\n and \t when using to_json. When using to_syslog_bsd I can replace them, but not with JSON. Do I have an error in my config or is this a bug?
Please set the ROOT to the folder your nxlog was installed into,
otherwise it will not start.
#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log
<Extension syslog> Module xm_syslog </Extension>
<Extension json> Module xm_json </Extension>
<Input internal> Module im_internal </Input>
<Input eventlog> Module im_msvistalog
For windows 2003 and earlier use the following:
Module im_mseventlog
</Input>
<Input mark> Module im_mark MarkInterval 60 Mark 226d61792074686520666f726365206265207769746820796f7522 </Input>
<Output out> Module om_udp Host logspot.server.org Port 514 Exec $raw_event = replace($raw_event, "\r\n", " "); Exec $raw_event = replace($raw_event, "\t", " "); Exec to_json(); </Output>
<Route 1> Path eventlog, internal, mark => out </Route>
drtrry5 created
With the latest release of nxlog-ce the gelf output module via udp creates an malfomed zlib that is not detected by gelfd ruby module is there a way to force also on udp gelf to send uncompressed.
Mario.Fetka created
Hi,
I am using disk buffer. There is limit when using memory or desk ?
I am using nxlog with graylog to forward log. For the disk buffer, the file never gets empty even after the connexion is back between nxlog and graylog?
Thanks
SM created
Hello All,
I am planning to use nxlog client as syslog agent forwarder to my syslog server on remote location. I have various devices whcih can create 20 -500 Events per seconds. I want to collect all thsoe events on one of the system with nxlog and then forward it to remove server.
I am looking for system requirement to ensure system is up and running all time with nxlog client in it.
Regards,
Gaurang
GaurangMaru created
Hi, how can I truncate message to custom fields? For example:
I have:
message: 2016-09-26 12:58:54 ru1-t001-web01 INFO "\Processor(_Total)\% Processor Time"="50.762249"
I need:
message: 2016-09-26 12:58:54 ru1-t001-web01 INFO "\Processor(_Total)\% Processor Time"="50.762249"
processorTime: 50.762249
Is it possible? Thank you.
A.Ivanov created
I'm attemping to install nxlog on a fresh Ubuntu 16.04 machine from nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb. It seems to install correctly, however I get an error from the post-installation script.
Relevant output from 'dpkg -i nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb':
Preparing to unpack nxlog-ce_2.9.1716_ubuntu_1604_amd64.deb ... Unpacking nxlog-ce (2.9.1716) ... Setting up nxlog-ce (2.9.1716) ... [....] Starting nxlog (via systemctl): nxlog.serviceFailed to start nxlog.service: Unit nxlog.service not found. failed! dpkg: error processing package nxlog-ce (--install): subprocess installed post-installation script returned error exit status 5
Running the dpkg command again, or just ignoring that it "failed" and running '/etc/init.d/nxlog start' afterwards both are successful.
Any idea why this is happening?
The dpkg command returning an error status is causing issues when performing the installation via an automation script.
mattn created
Hi
I installed NXLog Enterprise Edition v3.0.1775 on a Windows Server 2012 R2 Standard. For about about 5 days, NXLog was running fine on this server.
I needed to reboot the server and now the NXLog service doesn't start. I'm getting an Error 1053:
The nxlog service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Any thoughts on what the cause is?
Thank you in advance.
amani created
I have the following configuration:
define DEFAULT_OUTPUTS null_output
include c:/Program Files (x86)/nxlog/conf/nxlog.conf.d/\\*.default
<Extension app_log_multiline>
Module xm_multiline
HeaderLine /^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}/
</Extension>
<Input app_logs>
Module im_file
InputType app_log_multiline
RenameCheck true
File "C:\\ProgramData\\App\\EventLog\\TestFile.log"
Exec $type = 'windows_log_files';
Exec $Message = $raw_event;
Exec $file_path = file_name();
</Input>
<Route r_app_logs>
Path app_logs => testfile
</Route>
and
<Output testfile>
Module om_file
Exec to_json();
File "C:\\testlogoutput.txt"
</Output>
If the log file contains the following lines:
2016-09-15 02:00:37.906 TestEvent
2016-09-15 02:00:42.251 TestEvent2
with an empty line after the second log line, the output is correct:
{
"EventReceivedTime":"2016-09-19 22:35:32",
"SourceModuleName":"app_logs",
"SourceModuleType":"im_file",
"type":"windows_log_files",
"Message":"2016-09-15 02:00:37.906 TestEvent",
"file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log"
}
{
"EventReceivedTime":"2016-09-19 22:35:32",
"SourceModuleName":"app_logs",
"SourceModuleType":"im_file",
"type":"windows_log_files",
"Message":"2016-09-15 02:00:42.251 TestEvent2",
"file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log"
}
However, if the log file contains the same two lines as above, without an empty line after the second log line, the output becomes:
{
"EventReceivedTime":"2016-09-19 22:40:59",
"SourceModuleName":"app_logs",
"SourceModuleType":"im_file",
"type":"windows_log_files",
"Message":"2016-09-15 02:00:37.906 TestEvent\r\n2016-09-15 02:00:42.251 TestEvent2",
"file_path":"C:\\ProgramData\\App\\EventLog\\TestFile.log"
}
Basically, unless there is an empty line after the final log event, it seems that multiline is combining the last two lines into one, even though the HeaderLine is matched correctly.
Did I configure something wrong?
scalesleaf created
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#to enable syslog format
#<Extension _syslog>
# Module xm_syslog
#</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
<Input read_file>
Module im_file
File "C:\\exnxlog.log"
InputType LineBased
SavePos TRUE
Exec $Message = $raw_event;
</Input>
<Output out_debug>
Module om_file
File "C:\\log_debug.txt"
</Output>
<Route 1>
Path read_file=> out_debug
</Route>
Nala created
Hi,
I'd like to collect windows additional logs to check error of synchronisation on users computer.
So, I activated "Synclog" with this command : "wevtutil.exe sl Microsoft-Windows-OfflineFiles/SyncLog /e:true /l:3"
I added this query in my nxlog configuration file : <Select Path="Microsoft-Windows-OfflineFiles/SyncLog">*</Select>
NXLog failed to start with this error :
ERROR failed to subscribe to msvistalog events,the Query is invalid: [error code: 50]
However my query seems valid, I've build it from XML query in custom view builder on the windows event manager.
If I delete this line in my configuration file I've no problem so my problem is here.
Have you an idea please ?
Thank you
MatthGyver created
Hello everyone,
I would like to catch a log from windows network drives, but I cannot did it.
May I know it is supported by nxlog? Would you please advise, thank you.
<Input filelogs>
Module im_file
File "\\\\192.168.1.1\\test\*"
SavePos TRUE
ReadFromLast TRUE
PollInterval 5
Exec $Message = $raw_event;
</Input>
NXLog.log:
2016-09-14 18:16:53 INFO nxlog-ce-2.8.1248 started
2016-09-14 18:16:53 ERROR failed to open \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:03 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:13 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:23 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:33 ERROR apr_stat failed on file \\192.168.1.1\test\*; Access is denied.
2016-09-14 18:17:53 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.
2016-09-14 18:18:33 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.
2016-09-14 18:19:43 ERROR apr_stat failed on file \\192.168.1.1\test\*; The filename, directory name, or volume label syntax is incorrect.
The share drvice is able to access by everyone, or guest.
jasonkwwong created
