Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Logging in UTF8 not working
Carsten_Radke created
I installed nxlog with the config below, but the logs I receive with my SysLogServer are not in UTF8 ?The Windowssystem is a german Windows 11, on this machine nxlog ist installed and running. Here is a sample output on the syslog server ( KiwiSyslog ) :10-31-2023 15:37:05 User.Info 192.168.75.20 Oct 31 15:37:04 PC-01 MSWinEventLog 1 Microsoft-Windows-PushNotification-Platform/Operational 1469 Tue Oct 31 15:37:04 2023 1025 Microsoft-Windows-PushNotifications-Platform SYSTEM User Information PC-01 N/A Ein Stromversorgungsereignis wurde ausgel”st: MonitorSettingChange [PowerEventType] true [Enabled] 1846You can see that there are the german Umlaut are not displayed, ‘ausgel”st:’ have to diplay as 'ausgelöst:' Hope someone can help me.here is the nxlog.log:Panic Soft#NoFreeOnExit TRUEdefine ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\conf\nxlog.ddefine LOGDIR %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data<Extension _syslog> Module xm_syslog</Extension><Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec> Module xm_exec</Extension><Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') >= 5M)) \ file_cycle('%LOGFILE%', 8); </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); </Schedule></Extension># Snare compatible example configuration# Collecting event log<Input in> Module im_msvistalog</Input># # Converting events to Snare format and sending them out over TCP syslog<Output out> Module om_tcp Host 192.168.75.20 Port 514 Exec to_syslog_snare();</Output># # Connect input 'in' to output 'out'<Route 1> Path in => out</Route>
Carsten_Radke created
No download possible
Carsten_Radke created
Hi all, I tried to download the installer Windows, Ubuntu or all, but no download is able.internal Server Error !I need the Windows installer, could someone provide it here ?
Carsten_Radke created
Many files sending logs to a Rsyslog server
Adrien-10 created
Hi all,I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.For this configuration, i use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); command to send them to the rsyslog server.<Input Source_Eventlogs>
Module im_msvistalog
</Input>
<Output Dest_LogServer>
Module om_tcp
Host 192.168.1.1
Port 514
Exec to_syslog_ietf();
</Output>
<Route send>
Path Source_Eventlogs => Dest_LogServer
</Route>In the rsyslog server i receipt logs using a template who send logs to the right folder and then the right file log$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log"
*.info -?DynamicFileI met a first issue with security logs who where sent to a folder using the IP address. I assumed the issue was due to a failed resolving name and after adding the Nxlog client name to the /etc/hosts file and it solved the first issue.I met a second issue with Eventlogs who create many folder in the rsyslog folder because the logs are sent without hostname.For example i receive logs in a folder name VMICTimeProvider and when i look to the notice.log file i can see that there is no hostnamecat VMICTimeProvider/notice.log
2023-07-22T09:18:39.022270+00:00. VMICTimeProvider (Local)
2023-07-23T09:40:51.040169+00:00. VMICTimeProvider (Local)
2023-07-24T08:03:51.264202+00:00. VMICTimeProvider (Local) i tried to correct the receipt in the rsyslog side with receipt conditions like if $fromhost-ip=='1.2.3.4'
then {
actions
}
. -?WindowsLogs
$template WindowsLogs,"/var/log/rsyslog/Windows/Windows/log" But I have to do a line for any Windows collection in the file, and i think if i want to transfert the logs to another file server i will have the logs lines with missing hostname and i will met the same problem. Thank you for your help. Kind regards. Adrien
Adrien-10 created
nxlog embedding carriage returns and newlines in IETF syslog
roadgeek created
Hello, I am using nxlog-ce 3.2.2329 on a Windows 10 system to forward logs to a syslog-ng server over TCP using the to_syslog_ietf() procedure. This is working well for most logs, but I am occasionally seeing logs being generated with carriage returns and newlines in the syslog structured data element. Here is an example captured from tcpdump. Note that this is just the beginning of the message, enough to show you where the cr lf's are in the PrivilegeList element:<14>1 2023-10-18T16:23:21.669254-04:00 SteveAcer Microsoft-Windows-Security-Auditing 952 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4672" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="12548" OpcodeValue="0" RecordNumber="2053808" ActivityID="{FE9334EF-0152-0002-AD35-93FE5201DA01}" ThreadID="30200" Channel="Security" Category="Special Logon" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="SYSTEM" SubjectDomainName="NT AUTHORITY" SubjectLogonId="0x3e7" PrivilegeList="SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeDelegateSessionUserImpersonatePrivilege" EventReceivedTime="2023-10-18 16:23:23"The body of the message has cr lf's converted to spaces. In the documentation, I see reference to a ReplaceLineBreaks directive that defaults to converting the cr lfs to spaces, but that doesn't appear to apply to the syslog structured data. Is there a way I can remove these cr lfs from the PrivilegeList, or any element? My nxlog.conf is below:<Input eventlog>
Module im_msvistalog
</Input>
<Output tcp>
Module om_tcp
Host 172.16.200.1
Exec to_syslog_ietf();
Port 514
</Output>
<Route 1>
Path eventlog => tcp
</Route>Thanks,Steve
roadgeek created
NXLOG - Integer line throws an error
siem_20 created
Hi All,I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, it shows an error related to the integer function. The agent appears to continue working normally, and the error does not appear again (unless I restart the service). What could be the reason for this error?Configurationdefine ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _json>
Module xm_json
</Extension>
<Input windows_security_eventlog>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
ReadFromLast True
SavePos True
</Input>
<Output out_chronicle_windevents>
Module om_tcp
Host 172.16.94.69
Port 41001
Exec $EventTime = integer($EventTime) / 1000;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
Exec to_json();
</Output>
<Route r2>
Path windows_security_eventlog => out_chronicle_windevents
</Route> 2023-10-05 10:53:15 INFO nxlog-ce-3.2.2329 started
2023-10-05 10:53:15 INFO connecting to 172.16.94.69:41001
2023-10-05 10:53:15 ERROR assignment failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; binary operation failed at line 30, character 56 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; function 'integer' failed at line 30, character 48 in C:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'integer' type argument is invalid
Environment descriptionNXLog CE is running on Windows 2022 server Package version is 3.2.2329
siem_20 created
Adding field as source IP gateway address
JustasS created
Hello,
I need to add extra field to send External/gateway IP address to Graylog.
Using output UDP:
<Output out>
Module om_udp
Host ***
Port 4514
OutputType GELF
Exec $hostname = 'test_SRV';
</Output>
Its even posible?
JustasS created
configuring integration of SentinelOne to NXLog via SSL/TLS
jake created
Hi we wanted to send logs coming from SentinelOne to Google Chronicle using SSL/TLS NXlog. We are just using the Community Edition and based on the documentation SSL/TLS is supported for CE. But we are not sure if this is going to work or how to configure the “CAFile", “CertFile”, “CertKeyFile” thing for this to work or how do we install it? Is it free or paid? Please check the configuration we wanted to implement below. <Input ssl> Module im_ssl Host localhost Port 6514 CAFile %CERTDIR%/ca.pem CertFile %CERTDIR%/client-cert.pem CertKeyFile %CERTDIR%/client-key.pem KeyPass secret InputType Syslog_TLS Exec parse_syslog_ietf(); </Input>
jake created
Looking for solution for x86 Windows 10
CHris84nu created
Hello,i have the problem, that i need to save eventlogs from 32Bit Windows 10 machine to a central logging solution (Graylog 5.1). This works great with x64 Windows 10 systems, but i don‘t find a solution with nxlog and 32Bit systems. Are there any previous versions available with x86 support or do i need to look for an other product? Thanks in advance!
CHris84nu created
receipt of special characters in logs
Adrien-10 created
Hi all,I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.For this configuration, i use im_msvistalog for input and om_tcp with Exec to_syslog_ietf(); command to send them to the rsyslog server.<Input Source_Eventlogs>
Module im_msvistalog
</Input>
<Output Dest_LogServer>
Module om_tcp
Host 192.168.1.1
Port 514
Exec to_syslog_ietf();
</Output>
<Route send>
Path Source_Eventlogs => Dest_LogServer
</Route>In the rsyslog server i receipt logs using a template who send logs to the right folder and then the right file log$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log"
*.info -?DynamicFileWhen i receive the logs, they have some replacement caracters like #015 or #011.I tried to do the setup with this exec command at the input and at the output and it doesn't convert the logsExec $raw_event = replace($raw_event, "\t", " ");Kind regardsAdrien
Adrien-10 created
Nxlog Error 1067: the process terminated unexpectedly
parint@lhbank.co.th created
We have the issue Nxlog Error 1067: the process terminated unexpectedly.Is there a way to fix this without reinstalling?Does re-installation require a reboot?
parint@lhbank.co.th created
nxlog does not send log file to graylog
Tadeusz created
Hi, can you help with the problem of nxlog not sending loose txt files to graylog?My nxlog.conf snippet about sending loose txt files<Input zpliku>Module im_fileFile "D:\file.log"</Input><Route messages_to_udp>Path zpliku => out</Route I have output defined for Graylog as GELF and the other section sending eventlog works correctly. Only sending loose files doesn't work here
Tadeusz created
Integrate Windows NXLog Agent with google Chronicle
rodrigo1413 created
I need help to integrate my Windows Server with Nxlog Agent installed to forward events/logs to Google Chronicle. I read the documentation of NxLog of this integrations, but the topic that explains how to use nxlog to direct structure logs to chronicle, he talk to edit a XML file, but i dont know what file I need to edit.
rodrigo1413 created
Not enough fields in CSV input
rico.mueller created
Hello,im currently try to send logs from our Exchange Server to a log Collector.Sadly when i check the NXlogs i see the error not enough fields in CSV Input. Dose anyone know what do in this case? ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input Configuration Code:<Extension MessageTrackingLog> Module xm_csvFields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version Delimiter QuoteMethod None Thanks a lot :)
rico.mueller created
Not enough fields in CSV input
rico.mueller created
Hello,im currently try to send logs from our Exchange Server to a log Collector.Sadly when i check the NXlogs i see the error not enough fields in CSV Input. Dose anyone know what do in this case? ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input Configuration Code:<Extension MessageTrackingLog> Module xm_csvFields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version Delimiter QuoteMethod None#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to Cybereason XDRf.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
define CertDir C:\Program Files (x86)\nxlog\cert
#Define the modules that will be used by nxlog.
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension MessageTrackingLog>
Module xm_csv
Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
Delimiter
QuoteMethod None
</Extension>
<Input in_MessageTrackingLog>
Module im_file
File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
InputType LineBased
SavePos TRUE
PollInterval 1
<Exec>
if $raw_event =~ /^#/ drop();
else
{
MessageTrackingLog->parse_csv();
$EventTime = parsedate($date + " " + $time);
$SourceName = "MessageTrackingLog";
$raw_event = to_json();
}
</Exec>
</Input>
<Output out_MesssageTrackingLog>
Module om_udp
#This is the IP address of the Cybereason XDR Collector
Host X.X.X.X
#This is the port configured on the Universal Event Source
Port XXXX
</Output>
<Route 1>
Path in_MessageTrackingLog=>out_MesssageTrackingLog
</Route>Thanks a lot :)
rico.mueller created
nxlog-ce invalid keyword ListenAddrer with im_ssl
tbernhar@sunmaid.com created
Attempting to configure an SSL Listener with nxlog-ce-3.21.2329 and getting ERROR invalid keyword: ListenAddr at /etc/nxlog/nxlog.d/dhcplogs.conf:10Input portion of dhcplogs.conf file<Input SSL> Module im_ssl Port 2048 ListenAddr 0.0.0.0 CAFile %CERTDIR%/myca.pem CertFile %CERTDIR%/user-cert.pem CertKeyFile %CERTDIR%/user-key.pem InputType Binary</Input> I've initially had Port after ListenAddr but all it did was change which line the error was reported on.Everything I've read and seen says it is supported and should work, does anyone have any ideas or pointers on why this isn't working?This is on Ubuntu 22.04 LTS Server if that makes any difference.TIA Tim
tbernhar@sunmaid.com created
Need help understanding the use of the buffer module in the TCP module of NXLog Community Edition
Prakash created
Dear Team, Issue :I'm trying to use NXLog Community Edition to send logs to Kiwi Syslog. I'm using the TCP connection method. I noticed that when I disconnect the destination for some period of time, after turning it back up after some hours, I can still see the logs that were generated during the destination downtime. This is happening even without the buffer module.I'm wondering what the use of the buffer module in the TCP module is. Is it necessary to use the buffer module to ensure that all logs are sent to the destination, even if the destination is temporarily unavailable?2. From the below configuration file, if we use a memory and disk-based buffer, how will the logs be allocated? And if it creates a buffer logs.q file, what is the maximum size of each file? =========================Configuration:## Please set the ROOT to your nxlog installation directory#define ROOT C:\Program Files\nxlogdefine ROOT C:\Program Files (x86)\nxlogModuledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension syslog> Module xm_syslog</Extension><Input generate_data> Module im_testgen #Maxcount 100 Exec to_syslog_bsd();</Input># Monitor Windows event logs#<Input eventlog># Module im_msvistalog#</Input><Processor buffer> Module pm_buffer #10 MB buffer MaxSize 10000 Type Disk MEM #warn at 5MB WarnLimit 5000</Processor><Output logs_output> Module om_file File "C:\Users\test\output_logs.log"</Output><Output tcp> Module om_tcp Host 192.168.x.x Port 1514</Output><Route 1> Path generate_data => buffer => logs_output => tcp</Route> (for testing I'm using test gen module)provide environment descriptionwindows 10 IOT EnterpriseVersionNxlog community latest version
Prakash created
IIS logs in Graylog
Nunzio Brandi created
hello everyone,I am configuring nxlog to send IIS logs to Graylog.I managed to configure everything correctly but I would like to make the logs more readable on Graylog.I currently display them like this:would it be possible to somehow get the login name and ip of the user who logged in out of the “message” field?my current nxlog configuration is this: Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Extension _gelf>
Module xm_gelf
</Extension>
<Extension _json>
Module xm_json
</Extension>
#######################################################################
IIS NXLOG
#######################################################################
<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC*\u_ex*"
SavePos TRUE
Exec $ShortMessage = $raw_event;
Exec if $raw_event =~/^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
$SourceName = "IIS";\
$raw_event = to_json();\
}
</Input>
#######################################################################
/IIS NXLOG
#######################################################################
Snare compatible example configuration
Collecting event log
<Input in>
Module im_msvistalog
</Input>
Converting events to Snare format and sending them out over TCP syslog
<Output out>
Module om_tcp
Host ha-centlog-vip.xxxxxxxx
Port 12201
Exec to_json();
OutputType GELF_TCP
Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
</Output>
<Route iis-to-graylog>
Path iis => out
</Route>
Connect input 'in' to output 'out'
<Route 1>
Path in => outThanks
Nunzio Brandi created
Unable to add additional exec statements
Justin Courtney created
We have the following filter applied to our ms_vistalog_filtered.conf, which is working: Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
<Exec>
$Hostname = hostname_fqdn();
to_json();
</Exec> If I attempt to add anything to this filter, logs stop coming in entirely. I have tried using a single block, multiple exec commands, and multiple exec blocks. I ultimately I need to filter out EventID 4663 for some of our noisy applications. My single block filter looks like this: <Exec> if
($EventID NOT IN (%MonitoredEventIds%)
or (($EventID == 4663)
and ($raw_event =~ /c:\\\\program\sfiles\\\\java\\\\jre1\.8\.0_92\\\\bin\\\\java\.exe/i
or $raw_event =~ /c:\\\\programdata\\\\oracle\\\\java\\\\javapath_target_185880968\\\\java\.exe/i
or $raw_event =~ /c:\\\\program\sfiles\\\\java\\\\jdk1\.8\.0_92\\\\bin\\\\java\.exe/i
or $raw_event =~ /d:\\\\java\\\\jdk1\.8\.0_181\\\\jre\\\\bin\\\\java\.exe/i
or $raw_event =~ /c:\\\\program\sfiles\\\\git\\\\mingw64\\\\bin\\\\git\.exe/i
or $raw_event =~ /c:\\\\programdata\\\\oracle\\\\java\\\\javapath_target_1471633062\\\\java\.exe/i
or $raw_event =~ /c:\\\\windows\\\\system32\\\\netstat\.exe/i))
) drop();
$Hostname = hostname_fqdn();
to_json();
</Exec>I have also tried something as simple as: Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
Exec if $raw_event =~ /c:\\windows\\system32\\netstat.exe/i drop();
<Exec>
$Hostname = hostname_fqdn();
to_json();
</Exec> There are many other iterations, but these I think illustrate the simplest filters we've tried. Any change to the filter and restart of nxlog service results in all logs being dropped. not just eid 4663. Is there something wrong in my syntax or some other issue I am missing?
Justin Courtney created
NXLog - read logs from a local .csv file on Windows Server
aleksta created
Hi!I would like to have some help with my NXLog confiugration. I dont get any errors or so but in the SIEM I don't receive any logs at all from the source. So I'm guessing that there Is some issues reading logs from the .csv file. Or It could be something else. So my purpose with this Is to ship logs in a local .csv file to a SIEM. My thought was that NXLog should be a great solutions with this due to all extensions and so on. My NXLog configuration file Is based on these modules,xm_csvxm_syslogxm_jsonim_file (pointing out the local .csv file)out_ssl (for shipping logs through tls encryption)Been following along with this guide, Delimiter-Separated Values (xm_csv) | NXLog DocsHas anyone done this before? Thanks
aleksta created
Config file to extract MS Exchange logs to syslog format over TCP
loghero created
Hi there ,I am stranded with a problem of sending exchange server logs in syslog format over TCP. I performed a trial for fetching connect logs and using the csv module and send them over syslog format over TCP.Once I run the service , I dont get any output over TCP , nor any errors. I wanted to know what im doing wrong. Please help !(((PS I removed my destination IP and port )))define ROOT C:\Program Files\nxlog#define ROOT C:\Program Files (x86)\nxlogModuledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension syslog> Module xm_syslog</Extension><Extension _exec> Module xm_exec</Extension><Extension csv> Module xm_csv Fields date-time, connector-id, session-id, sequence-number, \ local-endpoint, remote-endpoint, event, data, context</Extension><Input in>Module im_fileFile "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG" <Exec> csv->parse_csv(); to_syslog_ietf();</Exec></Input><Output out> Module om_tcp Host #### Port #### Exec to_syslog_bsd();</Output><Route 1> Path in => out</Route>
loghero created