Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Is there a way to set ShortMessageLength other than in the extension definition?
clintmaples created
So normally I'd define ShortMessageLength during the extension definition part of my configuration file like so:
<Extension gelf>
Module xm_gelf
ShortMessageLength -1
</Extension>
Unfortunately, there are other issues preventing me from doing that. Is there a way to define ShortMessageLength in the input or output areas instead? When I try to like so:
<Input win_dns_logs_in>
Module im_file
File 'C:\\dns.txt'
ShortMessageLength -1
InputType LineBased
</Input>
I get the following error: "invalid keyword: ShortMessageLength"
Thanks,
clintmaples created
Transparent NXLog Relay for syslog B
fbrollo created
Hi everyone,
Here is a brief overview of what I'm trying to do:
+----------+ tcp1514 +-----+ tcp514 +---------+
|Originator|---->----|Relay|---->----|Collector|
+----------+ +-----+ syslog +---------+
192.168.56.10 192.168.56.18 192.168.56.14
Here is the message I get in RSA:
ReceivedTimeStamp RelayHostname [LogMessage]
I would like to have this
ReceivedTimeStamp OriginatorHostname [LogMessage]
I think I'm supposed to throw in an Exec: $Hostname=hostname(); somewhere, but where exactly ?
Here is what my conf files look like:
Originator:
<Input in>
Module im_file
Recursive TRUE
File 'C:\\IIS\\*.log'
</Input>
<Output out>
Module om_tcp
Host 192.168.56.18
Port 1514
</Output>
<Route 1>
Path in => out
</Route>
Relay:
<Extension syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_tcp
Port 1514
Host 0.0.0.0
</Input>
<Output out>
Module om_tcp
Host 192.168.56.14
Port 514
Exec to_syslog_bsd();
</Output>
<Route 1>
Path in => out
</Route>
Thanks for your help.
fbrollo created
issue with multilining with empty line as header
_asp_ created
Hi,
I have following log:
23.08.2016 22:00:00: [20740] INFO: Line 1
23.08.2016 22:00:00: [20740] Line 2
23.08.2016 22:00:00: [20740] Line 3
23.08.2016 22:00:00: [20740] Line 4
23.08.2016 22:00:00: [20740] Line 5
23.08.2016 22:00:00: [20745] INFO: Line 1
23.08.2016 22:00:00: [20745] Line 2
23.08.2016 22:00:00: [20745] Line 3
23.08.2016 22:00:00: [20745] Line 4
23.08.2016 22:00:00: [20745] Line 5
Each multiline log line is beginning with an empty line. So I tried to use the empty line as header:
<Extension multilineEmtpyLine>
Module xm_multiline
HeaderLine /^$/
</Extension>
<Input foo>
Module im_file
File "C:/logfile/foo.log"
#enabling multilining
InputType multilineEmtpyLine
SavePos TRUE
Exec $Message = $raw_event;
</Input>
<Output localTCP>
Module om_tcp
Host localhost
Port 5544
Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();
# Uncomment for debug output
Exec file_write('c:\nxlog\nxlog_localtcp_debug_output.log', $raw_event + "\n");
</Output>
<Route nxlogLocal>
#Path topbeat_debug, ttp_debug => localTCP
Path foo=> localTCP
</Route>
As I see in debug output and logstash each source line will be transmitted as single line. Multilining is not working.
How can I get it work?
thanks, Andreas
_asp_ created
NXLOG-CE v2.9.1716 with a certificate built with a ECDSA key
D.LEC created
Hello,
Extract of nxlog.log :
2016-08-24 08:58:30 INFO nxlog-ce-2.9.1716 started
2016-08-24 09:01:24 INFO SSL connection accepted from 172.25.20.35:51694
2016-08-24 09:01:24 ERROR SSL error, SSL_ERROR_SSL: retval -1, no shared cipher,
2016-08-24 09:01:24 WARNING SSL connection closed from 172.25.20.35:51694
My question : SSL libraries (libeay32.dll and ssleay32.dll) used by NXLOG-CE are they compatible with use of a certificate built with a ECDSA key ?
Thanks for your help.
D.LEC created
Amazon Linux AMI support
peter.wong@searchoptics.com created
I'm getting Segmentation fault when trying to run nxlog under Amazon Linux AMI 2015 or 2016.
My configuration file is ok and nxlog is installed from nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
[root@feeds ~]# /usr/bin/nxlog -v -c /etc/graylog/collector-sidecar/generated/nxlog.conf
2016-08-22 20:49:50 INFO configuration OK
[root@feeds ~]# /usr/bin/nxlog -f -c /etc/graylog/collector-sidecar/generated/nxlog.conf
2016-08-22 20:41:50 WARNING already running as gid 0
2016-08-22 20:41:50 WARNING already running as uid 0
peter.wong@searchoptics.com created
file_remove : unexpected TOKEN_INTEGER - ce - 2.9.1716
karrakis created
I'm trying to remove log files older than 48hours.
I read that i should use now()-seconds as the datetime, so i'll try
file_remove('filepath',now() - 172800) ;
file_remove(filepath, (now()-172800)) ;
boh failed with message : nxlog.conf; syntax error, unexpected TOKEN_INTEGER
in the doc, it's specified that datetime-integer return a datetime, but when i check with
file_remove('filepath',now()) ;
i don't get the syntax error.
then, i used
file_remove('filepath', datetime(now()-172800)); i also get the syntax error unexpected TOKEN_INTEGER.
How can i specify to file_remove the 'older' parameter to "48h" ?
karrakis created
Add a filter in nxlog
albamv created
Hello, i Want to change the value of the syslog severity level depending on the contain of the message.
somethin like..
if message contains the word INFO
syslog_severity_code=10
albamv created
Making sure that conf file will send all logs to graylog
Selmack created
Hello,
I am rather new to nxlog and really enjoy the product so far. My question is, I want to ensure that ALL Windows Events on a server are being sent to my graylog server and that no logs are being omitted. This appears to be the default conf and it should work this way, but I am just being extra sure. Thanks very much in advance.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#<Extension _syslog>
# Module xm_syslog
#</Extension>
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
</Input>
<Output out>
Module om_udp
Host 192.168.1.71
Port 12201
OutputType GELF
# Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>
Selmack created
Work om_dbi with Oracle
Mikhail created
Hi all,
we used CE version Nxlog, and have some truble.
Don't insert in DB params over 4000 simbols.
Query like INSERT INTO web_log ( param) VALUES ( TO_CLOB($param)).
The '$params' sending in driver(last oracle libdbi driver 0.9.0) like a string parametr those converted as VARCHAR(4000)
How this implemented in EE version?
Mikhail created
Need to send nxlog collected windows events to sensu client
eyang@cisco.com created
I have some windows event log being collected by nxlog, I need to send this to Sensu client(using UDP port 3030) on the same machine. Do you have any experience on it?
Have you done anything simliar on it? Just want to know how to configure nxlog and sensu client to make it work.
eyang@cisco.com created
GELF timestamp field missing millisecond precision
coffee-squirrel created
We have nxlog CE pushing to a GELF TCP input in Graylog, and the timestamp field received from nxlog appears to not have the milliseconds (i.e. it ends in ".000"), resulting in out-of-order messages in Graylog within a 1-second window. Other sources (Graylog Collectors, apps pushing directly, etc.) include the original millisecond value as expected. For Graylog inputs receiving nxlog messages we've had to set up an extractor to extract the timestamp from the message itself. Are there any options to keep millisecond precision with nxlog?
coffee-squirrel created
Nxlog.conf unable to read /parse Directory or File path
Nick79 created
Hello, I am using NXLOG on Windows 2012 to get DNS logs forwarded to my syslog server. I have enabled DNS logging on the Windows server and see the dns.log file is getting created under C:\Windows\System32\DNS\ folder . However my nxlog.conf is unable to browse or parse to get to this directory. I have made sure to check the log file is dns.log and not dns.txt in Windows.
If i mention the below in my nxlog.conf file, i get an error " WARNING input file does not exist: C:\Windows\System32\dns\dns.log"
<Input in>
Module im_file
File "C:\\Windows\\System32\\dns\\dns.log"
SavePos TRUE
InputType LineBased
</Input>
If i mention the below File path in my nxlog.conf then i get an error : "ERROR failed to open directory: C:\Windows\System32\dns: The system cannot find the path specified."
<Input in>
Module im_file
File "C:\\Windows\\System32\\dns\\dns*"
SavePos TRUE
InputType LineBased
</Input>
Same thing, even if i use single quotes & single \ i get the same error - " WARNING input file does not exist: C:\Windows\System32\dns\dns.log
<Input in>
Module im_file
File 'C:\Windows\System32\dns\dns.log'
SavePos TRUE
InputType LineBased
</Input>
Can someone plss help ? This is drving me crazy
Nick79 created
Pass the value of the variable in nxlog from perl script
toreno93 created
Hello!
I want pass value a variable from NxLog in Perl script, and pass variable in nxlog after running the script.
how do I do this ?
Thank
toreno93 created
the perl interpreter failed to parse /tmp/nxlog/Perl/perl.pl
toreno93 created
Hello.
Help me please, i beginner in NxLog. I use NxLog on Unix and use Perl module, and script perl.pl
What this error ERROR the perl interpreter failed to parse /tmp/nxlog/Perl/perl.pl??
How do i fix this??
beginner
toreno93 created
[patch] Stop to_syslog_ietf() from incorrectly escaping carriage return and newline characters
ron-macneil-ice created
Hi,
RFC5424 and all transports (except obsolete non-octet-counted TCP) can handle MSG containing ANY character including newlines and carriage returns.
In violation of the above, NxLog's to_syslog_ietf() function backslash-escapes these two characters. Furthermore, the escaping scheme is broken because it doesn't also escape the escape character itself (the backslash) so there's no way to reliably un-escape the MSG on the receiving end.
The correct behaviour is to stop escaping these characters altogether. In the rare case that someone needs to send multiline messages over non-octet-counted TCP, they can escape/unescape the $Message themselves using NxLog's replace() function.
Patch below.
RFC References:
https://tools.ietf.org/html/rfc5424#section-6.4
https://tools.ietf.org/html/rfc6587#section-3.4
Regards,
Ron MacNeil
--- src/modules/extension/syslog/syslog.c.orig 2014-07-19 23:52:06.000000000 +1000
+++ src/modules/extension/syslog/syslog.c 2016-07-26 14:01:57.296175500 +1000
@@ -1321,16 +1321,8 @@
nx_syslog_add_structured_data(logdata);
// Append message
i = (int) logdata->raw_event->len;
nx_string_append(logdata->raw_event, " ", 1);
nx_string_append(logdata->raw_event, msg.string->buf, (int) msg.string->len);
for ( ; i < (int) logdata->raw_event->len; i++ )
{ // replace linebreaks with space
if ( (logdata->raw_event->buf[i] == '\n') || (logdata->raw_event->buf[i] == '\r') )
{
logdata->raw_event->buf[i] = ' ';
}
}
if (tmpmsg != NULL)
{ // clean up temp copy
ron-macneil-ice created
Same processor on multi routes
Popote created
Hi,
I want to use buffer (disk and memory) before sending my data to a TCP syslog, for that I create 2 processors (diskBuffer and memoryBuffer) that I use in a route : IN => diskBuffer => memoryBuffer => out.
When i try to create another route with one or more different process but which also uses buffers (IN2 => P1 => P2 => diskBuffer => memoryBuffer => out), i have an error message on log :
2016-07-23 13:28:51 ERROR cannot add processor module 'diskBuffer' to route 'XXX' because it is already added to route 'YYYY'
2016-07-23 13:28:51 ERROR cannot add processor module 'memoryBuffer' to route 'XXX' because it is already added to route 'YYYY'
This concept is not really explain in the community documentation and suggest to think of the opposite with the example given in page 18 :
Example 4.14 Different routes
<Input in1>
Module im_null
</Input>
<Input in2>
Module im_null
</Input>
<Processor p1>
Module pm_null
</Processor>
<Processor p2>
Module pm_null
</Processor>
<Output out1>
Module om_null
</Output>
<Output out2>
Module om_null
</Output>
<Route 1>
# no processor modules
Path in1 => out1
</Route>
<Route 2>
# one processor module
Path in1 => p1 => out1
</Route>
<Route 3>
# multiple modules
Path in1, in2 => p1 => p2 => out1, out2
</Route>
We have the same error: 2016-07-23 13:36:09 ERROR cannot add processor module 'p1' to route '3' because it is already added to route '2'.
Why a processor is limited on one route ? Is it a bug or a mistake in documentation ?
I use the latest version of nxlog-ce : V2.9.1716.
Best regards
Popote created
Is there any way to enable serialization of underscore prefixed fields by to_json or xm_gelf
dls314 created
Hi,
I'm trying to fit output into the GELF format and I'd like to preserve their specification that user fields have underscore prefixes. From what I read in the nxlog docs, any fields with underscore prefix wouldn't be preserved by xm_json or xm_gelf
Is that true?
Is there any way around this?
dls314 created
Issues With "Multi-line message parser (xm_multiline)"
gmelasecca created
My company is looking to setup NxLog. We are having issues reading in multiline exception logs from applications such as Tomcat, Java, Apache etc. I am able to read in the files but unfortunately the output in our GrayLog application is showing every event as one line. I tried to implement the xm_multiline module but i seem to be having issues getting it to work.
installed NxLog and checked my configuration to the following below. restarted the services, let the service run all night and still the output is the same as shown below.
Sample Input Log:
07/07/2016 13:35:11.654 [tomcat-http--43] [ERROR] [4114723 ms] Warning - unprocessed rows in esolutions.care.assess.WeAssessment
esolutions.EsolutionsException: There were 83 unprocessed rows out of 84
at esolutions.base.WeObject.sleep(WeObject.java:2767)
at esolutions.base.WeObject.clear(WeObject.java:3250)
at esolutions.care.assess.WeAssessment.clear(WeAssessment.java:7699)
at esolutions.base.WeObject.close(WeObject.java:2815)
at esolutions.util.WeHTMLTable.getTableHTML(WeHTMLTable.java:541)
at esolutions.util.WeHTMLTable.toHTML(WeHTMLTable.java:508)
at org.apache.jsp.admin.client.cp_005fassessment_jsp._jspService(cp_005fassessment_jsp.java:4412)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
07/07/2016 13:36:21.828 [tomcat-http--26] [ERROR] [4184897 ms] Warning - unprocessed rows in esolutions.care.assess.WeAssessment
esolutions.EsolutionsException: There were 82 unprocessed rows out of 83
at esolutions.base.WeObject.sleep(WeObject.java:2767)
at esolutions.base.WeObject.clear(WeObject.java:3250)
at esolutions.care.assess.WeAssessment.clear(WeAssessment.java:7699)
at esolutions.base.WeObject.close(WeObject.java:2815)
at esolutions.util.WeHTMLTable.getTableHTML(WeHTMLTable.java:541)
at esolutions.util.WeHTMLTable.toHTML(WeHTMLTable.java:508)
at org.apache.jsp.admin.client.cp_005fassessment_jsp._jspService(cp_005fassessment_jsp.java:4412)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
Sample Output From GrayLog in CSV format. The output in the webui is each event as it shows in the "message" column.
timestamp
source
EventReceivedTime
level
message
SourceModuleName
SourceModuleType
2016-07-19T21:27:08.000Z
GDPCCA02
07/19/16 17:27
6
2016/07/19 17:27:08.032 | srvmain | INFO | 07/19/2016 17:27:08
pcc-wrapper-log
im_file
2016-07-19T21:27:08.000Z
GDPCCA02
07/19/16 17:27
6
2016/07/19 17:27:08.032 | srvmain | INFO | java.lang.NumberFor
pcc-wrapper-log
im_file
2016-07-19T21:27:08.000Z
GDPCCA02
07/19/16 17:27
6
2016/07/19 17:27:08.032 | srvmain | INFO | at com.pointclickc
pcc-wrapper-log
im_file
2016-07-19T21:27:08.000Z
GDPCCA02
07/19/16 17:27
6
2016/07/19 17:27:08.032 | srvmain | INFO | at org.apache.cata
pcc-wrapper-log
im_file
Configuration File. I tried multiple regular expressions with no success.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine /^\d{0,2}\/\d{0,2}\/\d{0,4}/
# HeaderLine '^\d{0,2}\/\d{0,2}\/\d{0,4}\ \d{0,3}\:\d{0,3}\:\d{0,3}\.\d{0,4}\ \['
</Extension>
<Input pcc-wrapper-log>
Module im_file
File "C:\\pivotal-tc-server-standard-3.1.0.RELEASE\\pccweb\\logs\\wrapper.log"
SavePos TRUE
InputType multiline
</Input>
<Input pcc-mdstrace-log>
Module im_file
File "C:\\pivotal-tc-server-standard-3.1.0.RELEASE\\pccweb\\logs\\mdstrace.log"
SavePos TRUE
InputType multiline
</Input>
<Input pcc-exceptionHidingUtil-log>
Module im_file
File "C:\\pivotal-tc-server-standard-3.1.0.RELEASE\\pccweb\\logs\\exceptionHidingUtil.log"
SavePos TRUE
InputType multiline
</Input>
<Input pcc-esolutions-log>
Module im_file
File "C:\\pivotal-tc-server-standard-3.1.0.RELEASE\\pccweb\\logs\\esolutions.log"
SavePos TRUE
InputType multiline
</Input>
#<Input pcc-localHostAccess-log>
# Module im_file
# File "C:\\pivotal-tc-server-standard-3.1.0.RELEASE\\pccweb\\logs\\localhost_access_log.*"
# SavePos TRUE
# InputType multiline
#</Input>
<Output graylog>
Module om_udp
Host graylog.genesishcc.com
Port 12201
OutputType GELF
</Output>
<Route PCC>
Path pcc-wrapper-log => pcc-mdstrace-log => pcc-exceptionHidingUtil-log => pcc-esolutions-log => graylog
## Path pcc-wrapper-log => pcc-mdstrace-log => pcc-exceptionHidingUtil-log => pcc-esolutions-log => pcc-localHostAccess-log => graylog
</Route>
gmelasecca created
Сollect events from the database use Time-based (Not Id)
toreno93 created
Hello
Help me please.
I want collect events from the database use Time-based (Not Id)
What can i do?
Thank
toreno93 created