
Vulnerabilities in NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll", related to "OpenSSL, Version: 1.1.1q" - deleting the files?
Vulnerability scanner has discovered a number of vulnerabilities (CVE-2022-4450, CVE-2023-0215, CVE-2023-4807) related to "OpenSSL, version 1.1.1q" in the NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll". If we are using the following modules: im_msvistalog, im_file, om_tcp; and we are NOT using the following modules: im_ssl, om_ssl; would simply deleting the following files from the system: "C:\ProgramFiles\nxlog\libcrypto-1_1-x64.dll", "C:\ProgramFiles\nxlog\libssl-1_1-x64.dll" (which solves the problem with the vulnerability scanner alerts) affect the functionality of NXLog?

Djordje created
Replies: 2
How to transfer Windows EventLog by choosing the severity level.
Hello,

I'm using an older version of the NXLog agent (ce-2.0.1716) on Windows Server 2016, and I want to import only EventLogs that correspond to a severity level between 1 and 3, but I really have no idea how to do it. Despite my research and testing, nothing seems to work.

Below, you can see the original "nxlog.conf" configuration file for my DC server:

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    # Information
    Exec if ($Severity == 'INFO' and $SourceName == 'CxAudioSvcSource') drop();
    Exec if ($Severity == 'INFO' and ($EventId == 0)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 1001)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 107)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 112)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 129)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 146)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 1)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 2000)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 2002)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 200)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 201)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 2024)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 20)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 2415)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 3)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 4006)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 4007)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 4017)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 4126)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 4257)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 4326)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5017)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 505)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5126)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5257)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5308)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5309)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5310)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5311)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5312)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5313)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5314)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5315)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5320)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5326)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5327)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 5340)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 600)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 6115)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 62170)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 62171)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 7036)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 8006)) drop();
    Exec if ($Severity == 'INFO' and ($EventId == 8007)) drop();
    # Warning
    Exec if ($Severity == 'WARNING' and ($EventId == 200)) drop();
    Exec if ($Severity == 'WARNING' and ($EventId == 202)) drop();
    Exec if ($Severity == 'WARNING' and ($EventId == 61)) drop();
    Exec if ($Severity == 'WARNING' and ($EventId == 1112)) drop();
    Exec if ($Severity == 'WARNING' and ($EventId == 1002)) drop();
    # Success
    Exec if ($Severity == 'SUCCESS' and ($EventId == 4672)) drop();
    Exec if ($Severity == 'SUCCESS' and ($EventId == 4799)) drop();
    # Error
    Exec if ($Severity == 'ERROR' and ($EventId == 2028)) drop();
    Exec if ($Severity == 'ERROR' and ($EventId == 6113)) drop();
</Input>

<Output out>
    Module om_tcp
    Host supervision
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>

Below, you can see my new "nxlog.conf" configuration file for my DC server:

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0' Path='Application'>
                <Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='Security'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='Setup'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_tcp
    Host supervision
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>

Below, you can see an extract of the log file of the NXLog agent for my DC server:

2023-12-11 13:42:40 INFO nxlog-ce-2.9.1716 started
2023-12-11 13:42:40 INFO connecting to supervision:514
2023-12-11 14:00:21 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:23 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:25 INFO connecting to supervision:514
2023-12-11 14:00:49 WARNING stopping nxlog service
2023-12-11 14:00:49 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:00:50 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:00:50 INFO connecting to supervision:514
2023-12-11 14:05:41 WARNING stopping nxlog service
2023-12-11 14:05:41 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:05:43 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:05:45 INFO connecting to supervision:514
2023-12-11 14:14:38 WARNING stopping nxlog service
2023-12-11 14:00:21 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:16:24 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:16:27 INFO connecting to supervision:514
2023-12-11 14:19:51 WARNING stopping nxlog service
2023-12-11 14:19:52 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:19:53 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:19:53 INFO connecting to supervision:514
2023-12-11 14:21:53 WARNING stopping nxlog service
2023-12-11 14:21:53 WARNING nxlog-ce received a termination request signal, exiting...
2023-12-11 14:21:54 INFO nxlog-ce-2.9.1716 started
2023-12-11 14:21:54 INFO connecting to supervision:514

I also tried options such as:

Exec if ($Severity == 'INFO') drop();

And I tried modifying the "input" field with the different values below, but nothing seems to work.

<Select Path='Application'>[System/Level<3]</Select>
<Select Path='Security'>[System/Level<3]</Select>
<Select Path='System'>[System/Level<3]</Select>

<Select Path='Application'>[System[Level=3]]</Select>
<Select Path='System'>[System[Level=3]]</Select>
<Select Path='Security'>[System[Level=3]]</Select>

<Select Path='Application'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='System'>[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>

Unfortunately, I'm far from being a specialist in log processing and management, so if you had an idea to suggest to help me solve my problem, I would be very grateful.

Thank you in advance,
Arn_no

iris created
Replies: 2
ERROR failed to subscribe to msvistalog events, the channel was not found [error code: 15007]; The specified channel could not be found.
Got this error while trying to forward Windows 11 event logs to the SIEM:

ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.

My nxlog config is here:

define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

# Nxlog internal logs
<Input internal>
    Module im_internal
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

# Win Event Log - Security
<Input inSecurityEvent>
    Module im_msvistalog
    Query <QueryList><Query Id=""><Select Path="Security">*</Select></Query></QueryList>
    Exec $Message = to_json();
</Input>

<Output outSecurityEvent>
    Module om_tcp
    Host X.X.X.X
    Port 5060
    Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); to_json();
    Exec to_json();
    Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event);
</Output>

<Route 1>
    Path inSecurityEvent => outSecurityEvent
</Route>

This works fine on other versions of Windows; the problem is Windows 11.

shahpasandi created
Replies: 1
Om_azuremonitor module
Hi, can anybody clarify if om_azuremonitor works in an air-gapped environment? Thanks for your inputs.

mdekshinsg created
Replies: 1
NXLog CE 3.0.2272 - im_systemd
I have enabled the im_systemd module now included in the community version, and I have noticed that every time the nxlog service is started, a huge amount of data is sent. I have configured an output to log this data to a file and I get 20M of data at each restart. Has anyone ever encountered this behaviour?

cm created
Replies: 2
om_azuremonitor output module resolve URI through DNS
The objective is to configure NXLog to send logs to Sentinel LAW. The output module used is om_azuremonitor. The DCE URI directive depends on DNS resolution to resolve the URL to an IP. We added an entry in the local /etc/hosts file, but nslookup on the URI fails. Any inputs on how the DNS can be resolved? There is no specific DNS server configured.

mdekshinsg created
Replies: 3
I would like to collect logs with parameters only from one type of log
Hi, I have the configuration below in which I would like to collect data from "Security" and from "ForwardedEvents". I would like the data from Security to come with specific values (e.g. $TaskValue, $Version) while ForwardedEvents ignores them. How can I configure it?

Avi Israelov created
Replies: 1
DNS resolution in Nxlog
Hi! Can somebody help me with how DNS resolution works in NXLog configuration? Thanks!

mdekshinsg created
Replies: 1
Sending logs between 2 nxlog-ce instances
Hey, I'm trying to send logs over TCP from one nxlog instance to another to make a kind of proxy, so I can set up log parsing in one place and have an easier time configuring TLS than on my syslog server. But I receive an "end of file" error when the TCP connection is being made between the 2 nxlog-ce instances. So I think I might be using nxlog-ce in a way it's not designed for, am I right? Thank you.

idan_am created
Replies: 1
ERROR with modules xm_resolver.dll & xm_admin.dll
Hello everyone,

I need your help with my issue. I use the CE version and, on restarting the nxlog service, I receive errors loading the xm_resolver.dll & xm_admin.dll modules in the log file. After checking, I noticed that these DLLs are not present on my machine.

2023-12-27 17:48:27 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_resolver.dll, The specified module could not be found. ;
2023-12-27 17:48:27 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_admin.dll, The specified module could not be found. ;

Do you have any idea how to solve this issue and how I can get these DLLs?

Thanks in advance,

Siaka TRAORE created
Replies: 2
Sample "Sending emails with Python" not working in Windows
Hi, I am unable to run your basic example "Sending emails with Python" because nxlog is unable to load the required module. Reducing the code to a minimal set, I found that nxlog is unable to load some basic Python modules that come bundled with the Python installation. The following are some modules that nxlog is unable to load:

smtplib
socket
ssl
email.mime.text
windows_tools.users (after installing with "pip install windows_tools.users")

The same file, modified to be executed directly from python.exe on the same machine, runs correctly.

nxlog.conf:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension python>
    Module xm_python
    PythonCode 'c:\Program Files\nxlog\modules\extension\python\py\send_email.py'
</Extension>

<Input in>
    Module im_null
</Input>

<Output out>
    Module om_null
</Output>

<Processor myprocessor>
    Module pm_null
    <Exec>
        python_call('main');
    </Exec>
</Processor>

<Route myroute>
    Path in => myprocessor => out
</Route>

send_email.py:

import smtplib
#import socket
#import ssl
#import email.mime.text
# pip install windows_tools.users
#import windows_tools.users as users
import json
import nxlog

#def main():
def main(event):
    # Body that does nothing
    print("Hello from Main()")

nxlog.log:

2023-12-28 11:45:26 ERROR Python ERROR: ImportError('DLL load failed while importing _socket: Impossibile trovare il modulo specificato.')
2023-12-28 11:45:26 ERROR #0 in <module> (...) at: C:\Program Files\Python310\Lib\socket.py:51;
2023-12-28 11:45:26 ERROR #1 in _call_with_frames_removed (...) at: <frozen importlib._bootstrap>:241;
2023-12-28 11:45:26 ERROR #2 in exec_module (...) at: <frozen importlib._bootstrap_external>:882;
2023-12-28 11:45:26 ERROR #3 in _load_unlocked (...) at: <frozen importlib._bootstrap>:685;
2023-12-28 11:45:26 ERROR #4 in _find_and_load_unlocked (...) at: <frozen importlib._bootstrap>:999;
2023-12-28 11:45:26 ERROR #5 in _find_and_load (...) at: <frozen importlib._bootstrap>:1025;
2023-12-28 11:45:26 ERROR #6 in <module> (...) at: C:\Program Files\Python310\Lib\smtplib.py:44;
2023-12-28 11:45:26 ERROR #7 in _call_with_frames_removed (...) at: <frozen importlib._bootstrap>:241;
2023-12-28 11:45:26 ERROR #8 in exec_module (...) at: <frozen importlib._bootstrap_external>:882;
2023-12-28 11:45:26 ERROR #9 in _load_unlocked (...) at: <frozen importlib._bootstrap>:685;
2023-12-28 11:45:26 ERROR #10 in _find_and_load_unlocked (...) at: <frozen importlib._bootstrap>:999;
2023-12-28 11:45:26 ERROR #11 in _find_and_load (...) at: <frozen importlib._bootstrap>:1025;
2023-12-28 11:45:26 ERROR #12 in <module> (...) at: C:\Program Files\nxlog\modules\extension\python\py\send_email.py:1;
2023-12-28 11:45:26 ERROR #13 in _call_with_frames_removed (...) at: <frozen importlib._bootstrap>:241;
2023-12-28 11:45:26 ERROR #14 in exec_module (...) at: <frozen importlib._bootstrap_external>:882;
2023-12-28 11:45:26 ERROR #15 in _load_unlocked (...) at: <frozen importlib._bootstrap>:685;
2023-12-28 11:45:26 ERROR #16 in _find_and_load_unlocked (...) at: <frozen importlib._bootstrap>:999;
2023-12-28 11:45:26 ERROR #17 in _find_and_load (...) at: <frozen importlib._bootstrap>:1025;
2023-12-28 11:45:26 ERROR Couldn't import python module 'send_email'
2023-12-28 11:45:26 INFO nxlog-ce-3.2.2329 started
2023-12-28 11:45:26 ERROR ### ASSERTION FAILED at line 503 in libnxpython.c/nx_python_init(): "conf->thread_state_key == NULL" ###

The environment is:

Windows Server 2022
nxlog-ce-3.2.2329
python-3.10.8-amd64.exe

cmarsura created
Replies: 0
Does NXLog support tamper-proof logging?
Hi Support,

I would like to inquire whether NXLog supports tamper-proofing for syslog received and stored in the NXLog Relay Server.

Thank you.
Regards,
Billy

billychua created
Replies: 2
Webpage Error
I had to restart the VM running our NXLog Manager (CentOS7). Now I'm getting the following message when attempting to access our NXLog Manager URL:

HTTP ERROR 500
Problem accessing /nxlog-manager/login.html. Reason: Server Error
Caused by: org.apache.tiles.request.render.CannotRenderException: ServletException including path '/WEB-INF/layouts/default.jsp'.

ricky.ho@blackbox.com created
Replies: 3
Not in installed apps and finding out version
Hello :) I have a friend who is asking why he can't find nxlog on his PC under installed applications; when I run the .msi file I can find it easily. Did his previous security officer install it a different way? (On Windows) Also, how can I see what version of nxlog is currently running? (On Windows) Thanks

populouspanda created
Replies: 2
perl_call() method is not working in Windows 11
Purpose: To add geographical information (geoip) to the logs.

Problem: I am trying to add geoip to the logs coming from Linux and Windows hosts. For that I have gone through https://docs.nxlog.co/ce/current/index.html#xm_perl. On both (Windows and Linux hosts) I am not able to run nxlog after modifying the nxlog config according to the given link.

Windows 11: First, I installed perl-5.28.2.1; after that I modified the config. When I try to restart the nxlog service, it shows the following error in the log file:

2023-12-04 07:09:22 ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_perl.dll, The specified module could not be found. ; The specified module could not be found.
2023-12-04 07:09:22 ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:62; couldn't parse statement at line 65, character 0 in C:\Program Files\nxlog\conf\nxlog.conf; function 'perl_call()' does not exist or takes different arguments
2023-12-04 07:09:22 ERROR module 'sys_in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:81
2023-12-04 07:09:22 WARNING no routes defined!
2023-12-04 07:09:22 WARNING not starting unused module sys_in
2023-12-04 07:09:22 WARNING not starting unused module sys_out

The config is as follows:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension perl>
    Module xm_perl
    PerlCode C:\Program Files\nxlog\modules\extension\perl\processlogs.pl
</Extension>

<Extension _fileop>
    Module xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Sending the system logs over tcp
<Input sys_in>
    Module im_msvistalog
    <Exec>
        $raw_event = "windows " + to_json();
        perl_call("process");
    </Exec>
</Input>

# setting the output to rsyslog server
<Output sys_out>
    Module om_tcp
    Host <ip-address of rsyslog server>
    Port 514
    # First we parse the input natively from nxlog
    Exec parse_syslog_bsd();
    # Now call the 'process' subroutine defined in 'processlogs.pl'
    Exec to_json();
</Output>

<Route 1>
    Path sys_in => sys_out
</Route>

Linux (Ubuntu 22.04): I have not installed perl as it is already installed. So I modified the config and restarted the nxlog service, but in the logs it shows:

2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl
2023-12-04 14:41:52 INFO nxlog-ce-3.2.2329 started
2023-12-04 14:41:52 INFO connecting to <ip-address of rsyslog server>:514
2023-12-04 14:41:52 ERROR the perl interpreter failed to parse /etc/nxlog/processlogs.pl

Config is as follows:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at http://nxlog.org/docs

########################################
# Global directives                    #
########################################

User nxlog
Group nxlog

include /etc/nxlog/nxlog.d/*.conf

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension perl>
    Module xm_perl
    PerlCode /etc/nxlog/processlogs.pl
</Extension>

<Input in1>
    Module im_file
    File "/var/log/auth.log"
    <Exec>
        $raw_event = " ankurlapauthlogs " + $raw_event;
    </Exec>
</Input>

<Output fileout1>
    Module om_tcp
    Host <ip-address of rsyslog server>
    Port 514
    Exec perl_call("process");
    Exec to_syslog_bsd();
</Output>

########################################
# Routes                               #
########################################

<Route 1>
    Path in1 => fileout1
</Route>

P.S. I am using the same processlogs.pl file as given in the reference manual.

Ankur Gangwar created
Replies: 0
NXLog Enterprise Trial - License
Hi, I have just installed the NXLog Enterprise Trial; however, I cannot start the service and get the error message:

nxlog[1711122]: 2022-01-20 09:19:34 ERROR [CORE|main] This NXLog version has expired.

Any idea how the trial license is applied? Any assistance would be greatly appreciated. Kind regards, Liam

malizim created
Replies: 2
Problem when parsing Sysmon message Event 12
I'm using NXLog Enterprise to collect Sysmon logs. I have a problem with EventID 12: in the original (Windows view) the event type is set to EventType: CreateKey. In the NXLog output, the event type in the metadata is set to INFO, and only in the msg field can I see EventType: CreateKey. Please advise.

dudu.zbeda@cognyte.com created
Replies: 1
drop action when forwarding logs to a remote server is not working
Good Afternoon Team.

I have an nxlog service running on a Windows server. It has an input rule to collect syslog from several devices like this:

<Input syslog514udp>
    Module im_udp
    Port 514
    Host 0.0.0.0
    <Exec>
        $raw_event =~ s/\r?\n/#012/g;
        parse_syslog_bsd();
    </Exec>
</Input>

I am trying to forward the syslog of one specific device (10.10.10.10) to a public IP 190.20.30.40, but the filter is not working since nxlog is forwarding everything. Configuration below:

<Output OutNetomi>
    Exec if ($MessageSourceAddress == ‘10.10.10.10’) drop();
    Module  om_udp
    Host    190.20.30.40
    Port    514
</Output>

Do you know where the error is? Thank you.
Diego.

montealegre.diego@gmail.com created
Replies: 1
Port configuration in nxlog.conf file is being appended by "514"
When I start NXLog CE, I get a socket error when trying to connect to the remote Graylog server.

nxlog.conf:

########################################
# Global directives                    #
########################################

User nxlog
Group nxlog

include /etc/nxlog/nxlog.d/*.conf

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################

#<Extension _syslog>
#    Module      xm_syslog
#</Extension>

<Extension json>
   Module         xm_json
</Extension>

<Extension syslog>
   Module         xm_syslog
</Extension>

<Input in1>
   Module      im_udp
   Port        1514
   Exec        parse_syslog_bsd();
</Input>

<Input in2>
   Module      im_tcp
   Port        1514
</Input>

<Input kernel>
   Module         im_kernel
   Exec           parse_syslog_bsd();
</Input>

<Input systemd>
   Module         im_systemd
</Input>

<Input devlog>
   Module         im_uds
   UDS            /dev/log
   FlowControl    FALSE
   Exec           $raw_event =~ s/\s+$//;
   Exec           parse_syslog_bsd();
</Input>

<Output fileout1>
   Module      om_file
   File        "/var/log/nxlog/logmsg.txt"
   Exec        if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
   Exec        to_syslog_bsd();
</Output>

<Output fileout2>
   Module      om_file
   File        "/var/log/nxlog/logmsg2.txt"
</Output>

<Output out>
   Module         om_tcp
   Host           192.79.220.162:1514
   Exec           $Message = to_json(); to_syslog_bsd();
</Output>

########################################
# Routes                               #
########################################

<Route 1>
   Path        in1 => fileout1
</Route>

<Route tcproute>
   Path        in2 => fileout2
</Route>

<Route r>
   Path           kernel, systemd, devlog => out
</Route>

nxlog.log:

2023-10-27 09:56:23 WARNING nxlog-ce received a termination request signal, exiting...
2023-10-27 09:56:24 ERROR Couldn't get systemd cursor;Cannot assign requested address
2023-10-27 09:56:24 ERROR Couldn't remove pidfile /run/nxlog/nxlog.pid: Permission denied
2023-10-27 09:56:25 INFO configuration OK
2023-10-27 09:56:25 INFO nxlog-ce-3.2.2329 started
2023-10-27 09:56:25 ERROR couldn't bind socket /dev/log;Address already in use
2023-10-27 09:56:25 INFO reconnecting in 1 seconds
2023-10-27 09:56:25 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:26 INFO reconnecting in 2 seconds
2023-10-27 09:56:26 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:28 INFO reconnecting in 4 seconds
2023-10-27 09:56:28 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:32 INFO reconnecting in 8 seconds
2023-10-27 09:56:32 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:40 INFO reconnecting in 16 seconds
2023-10-27 09:56:40 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:56:56 INFO reconnecting in 32 seconds
2023-10-27 09:56:56 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known
2023-10-27 09:57:28 INFO reconnecting in 64 seconds
2023-10-27 09:57:28 ERROR apr_sockaddr_info failed for 192.xxx.xxx.162:1514:514;Name or service not known

Environment description:

nxlog-ce is running on Oracle Linux Server version 8.8. The package version is 3.2.2329-1.x86_64.

Relevant details:

This is a new installation. The Graylog server is not receiving any logs from this machine. This problem does not involve parsing data. The problem is that the port I identified in the nxlog.conf file, "1514", is being appended with "514", so the socket connection to the remote server fails. If I remove 1514 from the nxlog.conf file, the system still tries to connect on port 514 and gets denied errors, since Graylog is set up to listen on 1514.

JackT@Boeing created
Replies: 1
Logging in UTF8 not working
I installed nxlog with the config below, but the logs I receive on my syslog server are not in UTF8? The Windows system is a German Windows 11; nxlog is installed and running on this machine. Here is a sample output on the syslog server (KiwiSyslog):

10-31-2023 15:37:05 User.Info 192.168.75.20 Oct 31 15:37:04 PC-01 MSWinEventLog   1   Microsoft-Windows-PushNotification-Platform/Operational   1469   Tue Oct 31 15:37:04 2023   1025   Microsoft-Windows-PushNotifications-Platform   SYSTEM   User   Information   PC-01   N/A      Ein Stromversorgungsereignis wurde ausgel”st: MonitorSettingChange [PowerEventType] true [Enabled]   1846

You can see that the German umlauts are not displayed; 'ausgel”st:' should display as 'ausgelöst:'. Hope someone can help me.

Here is the nxlog.log:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
   Module      xm_syslog
</Extension>

<Extension _charconv>
   Module      xm_charconv
   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
   Module      xm_exec
</Extension>

<Extension _fileop>
   Module      xm_fileop
   # Check the size of our log file hourly, rotate if larger than 5MB
   <Schedule>
       Every   1 hour
       Exec    if (file_exists('%LOGFILE%') and \
                  (file_size('%LOGFILE%') >= 5M)) \
                   file_cycle('%LOGFILE%', 8);
   </Schedule>
   # Rotate our log file every week on Sunday at midnight
   <Schedule>
       When    @weekly
       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
   </Schedule>
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input in>
   Module      im_msvistalog
</Input>
#
# Converting events to Snare format and sending them out over TCP syslog
<Output out>
   Module      om_tcp
   Host        192.168.75.20
   Port        514
   Exec        to_syslog_snare();
</Output>
#
# Connect input 'in' to output 'out'
<Route 1>
   Path        in => out
</Route>

Carsten_Radke created
Replies: 1