
parse_json, GELF and date conversion

Hi!

I'm using nxlog to parse a JSON file and transfer it to Graylog. When it is transferred to Graylog, the format of the timestamp is changed.

How can I prevent nxlog from changing the timestamp format?

Thanks in advance


Johan.THOMAS created
Replies: 5
Many IPs on input - How to avoid using if else chains?

Hello,

 

I'm new to NXLOG and I don't know how to configure the nxlog.conf file when I have many IP entries from UDP sources.

 

I inherited an implementation that has too many if and else statements because of the source IPs. I have some errors, and with all those ifs and elses it is pretty difficult to correct the problem.

So I was wondering if there is a way to separate the entries to avoid using if/else if everywhere.

I saw this option for outputs, but not sure if that works in the same way with inputs.

Thank you very much for your help and support. It will be really appreciated.

Cordially,

 

clombo


Ana created
Replies: 1
New Installation

I'm setting up a new server for the first time with Enterprise Edition. Where does NXLog keep its data and can I move it to a different partition?


amani created
Replies: 1
Is there a way to do native failover

Using om_tcp, is there a way to define a sequence of destination IPs such that the list is used in sequence if the 1st IP fails to complete the 3-way handshake, and then re-check the 1st IP to see if it came back?

Simple scenario: the admin reboots dest IP #1, or the FW admin deletes a FW rule thus blocking IP #1; NXlog could recognize IP #1 is down and then send to IP #2 in the list.

In general, it's a failover mechanism. Can it be done?


chuck1234 created
Replies: 1
Is there a way to use geolocalization on the nxlog file

We are using nxlog to collect logs. There are 30 locations, where each location has a log collection server. When users travel, we are trying to make them send logs to their closest available log collection server. Is there a way to do this with nxlog?

 


bhr created
Replies: 1
Is there a way to set ShortMessageLength other than in the extension definition?

So normally I'd define ShortMessageLength during the extension definition part of my configuration file like so:

<Extension gelf>
  Module xm_gelf
  ShortMessageLength -1
</Extension>

Unfortunately, there are other issues preventing me from doing that. Is there a way to define ShortMessageLength in the input or output areas instead? When I try it like so:

<Input win_dns_logs_in>
    Module im_file
    File 'C:\\dns.txt'
    ShortMessageLength -1
    InputType LineBased
</Input>

 

I get the following error: "invalid keyword: ShortMessageLength"

Thanks,


clintmaples created
Replies: 1
Transparent NXLog Relay for syslog B

Hi everyone,

Here is a brief overview of what I'm trying to do:

            +----------+ tcp1514 +-----+  tcp514 +---------+
            |Originator|---->----|Relay|---->----|Collector|
            +----------+         +-----+  syslog +---------+
           192.168.56.10      192.168.56.18     192.168.56.14 

Here is the message I get in RSA:

ReceivedTimeStamp RelayHostname [LogMessage]

I would like to have this:

ReceivedTimeStamp OriginatorHostname [LogMessage]

I think I'm supposed to throw in an Exec $Hostname = hostname(); somewhere, but where exactly?

Here is what my conf files look like:

Originator:

<Input in>
    Module    im_file
    Recursive    TRUE
    File    'C:\\IIS\\*.log'
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.56.18
    Port    1514
</Output>

<Route 1>
    Path    in => out
</Route>

Relay:

<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in>
    Module im_tcp
    Port 1514
    Host 0.0.0.0
</Input>

<Output out>
    Module  om_tcp
    Host    192.168.56.14
    Port    514
    Exec    to_syslog_bsd();
</Output>
    
<Route 1>
    Path    in => out
</Route>

Thanks for your help.


fbrollo created
Replies: 1
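Why the relay in the post above stamps its own name, as an added Python model (not the poster's configuration or NXLog's code): a BSD syslog header carries whatever Hostname the event has at the moment it is wrapped, and a raw text line received over TCP has none. The IIS line and the host names are constructed; that the originator's name would survive if it sent syslog and the relay parsed it before re-wrapping is an assumption about the corresponding NXLog procedures.

```python
import re

# Constructed sample: one IIS log line as the originator's im_file input would read it.
IIS_LINE = "2016-08-24 09:01:24 192.168.56.10 GET /index.html 200"

# Minimal RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
BSD_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def to_syslog_bsd(event, local_hostname, timestamp="Aug 24 09:01:24"):
    """Wrap an event dict as a BSD syslog line. The HOSTNAME column comes from
    the event's Hostname field; a plain text line carries no such field, so the
    wrapping host's own name is used (the behaviour the relay shows)."""
    hostname = event.get("Hostname") or local_hostname
    pri = event.get("SyslogFacilityValue", 1) * 8 + event.get("SyslogSeverityValue", 6)
    return f"<{pri}>{timestamp} {hostname} {event['Message']}"

def parse_syslog_bsd(line):
    """Inverse of to_syslog_bsd: recover Hostname and Message from a BSD line.
    A line that is not syslog is kept as the Message with no Hostname."""
    m = BSD_RE.match(line)
    if not m:
        return {"Message": line}
    return {"Hostname": m.group(3), "Message": m.group(4)}

def relay_raw(line, relay_hostname):
    """The posted relay: im_tcp hands over raw text and the output runs
    to_syslog_bsd(). No Hostname field exists yet, so the relay stamps itself."""
    return to_syslog_bsd({"Message": line}, relay_hostname)

def relay_parsed(line, relay_hostname):
    """Assumed alternative: the originator already emits syslog and the relay
    parses it before re-wrapping, so the originator's HOSTNAME survives."""
    return to_syslog_bsd(parse_syslog_bsd(line), relay_hostname)

if __name__ == "__main__":
    print(relay_raw(IIS_LINE, "relay-host"))
    from_originator = to_syslog_bsd({"Message": IIS_LINE}, "iis-originator")
    print(relay_parsed(from_originator, "relay-host"))
```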
issue with multilining with empty line as header

Hi,

 

I have following log:

 

23.08.2016 22:00:00: [20740] INFO: Line 1
23.08.2016 22:00:00: [20740] Line 2
23.08.2016 22:00:00: [20740] Line 3
23.08.2016 22:00:00: [20740] Line 4
23.08.2016 22:00:00: [20740] Line 5

23.08.2016 22:00:00: [20745] INFO: Line 1
23.08.2016 22:00:00: [20745] Line 2
23.08.2016 22:00:00: [20745] Line 3
23.08.2016 22:00:00: [20745] Line 4
23.08.2016 22:00:00: [20745] Line 5

 

Each multiline log entry begins with an empty line, so I tried to use the empty line as the header:

<Extension multilineEmtpyLine>
    Module xm_multiline
    HeaderLine /^$/
</Extension>

<Input foo>
    Module im_file
    File "C:/logfile/foo.log"
    
    #enabling multilining
    InputType multilineEmtpyLine
    SavePos TRUE
    Exec $Message = $raw_event;
</Input>

<Output localTCP>
    Module om_tcp
    Host localhost
    Port 5544
   
    Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec $raw_event = to_json();
  
    # Uncomment for debug output
    Exec file_write('c:\nxlog\nxlog_localtcp_debug_output.log', $raw_event + "\n");
</Output>

<Route nxlogLocal>
    #Path topbeat_debug, ttp_debug => localTCP
    Path foo=> localTCP
</Route>

As I see in the debug output and Logstash, each source line is transmitted as a single line. Multilining is not working.

How can I get it to work?

thanks, Andreas


_asp_ created
Replies: 1
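As an added Python model (not the poster's configuration or xm_multiline's code), the header-line grouping the post above relies on, run over a constructed copy of the posted log once with LF and once with CRLF line endings. It does not claim to reproduce the poster's result; it shows that an empty-line header is sensitive to the '\r' a Windows application leaves on each line, while a CR-tolerant pattern or the first logical line is not.

```python
import re

# Constructed copy of the posted log as the application writes it: a blank line,
# then one "INFO:" line and its continuation lines, for each PID.
LF_LOG = (
    "\n23.08.2016 22:00:00: [20740] INFO: Line 1\n"
    "23.08.2016 22:00:00: [20740] Line 2\n"
    "23.08.2016 22:00:00: [20740] Line 3\n"
    "\n23.08.2016 22:00:00: [20745] INFO: Line 1\n"
    "23.08.2016 22:00:00: [20745] Line 2\n"
)
CRLF_LOG = LF_LOG.replace("\n", "\r\n")   # the same file with Windows line endings

def group_by_header(text, header_re):
    """Header-line grouping in the style of xm_multiline's HeaderLine: a line that
    matches header_re starts a new record and every following line is appended
    until the next header. Lines are split on '\n' only, so on CRLF input each
    line still carries its trailing '\r' when the regex is tested. `text` must
    end with a newline. Whitespace-only records (the blank line before the first
    header) carry no event and are dropped."""
    header = re.compile(header_re)
    records, current = [], []
    for line in text.split("\n")[:-1]:
        if header.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return [r for r in records if r.strip()]

def records_per_header(text):
    """Record count for three header choices. ^$ only matches a truly empty line,
    so it silently stops grouping on CRLF input; tolerating an optional '\r', or
    keying on the first logical line (which continuation lines cannot match), does not."""
    return {
        "empty_line": len(group_by_header(text, r"^$")),
        "empty_line_cr_tolerant": len(group_by_header(text, r"^\r?$")),
        "info_line": len(group_by_header(text, r"^\d\d\.\d\d\.\d{4} .*\] INFO:")),
    }

if __name__ == "__main__":
    print(records_per_header(LF_LOG))    # {'empty_line': 2, 'empty_line_cr_tolerant': 2, 'info_line': 2}
    print(records_per_header(CRLF_LOG))  # {'empty_line': 1, 'empty_line_cr_tolerant': 2, 'info_line': 2}
```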
NXLOG-CE v2.9.1716 with a certificate built with a ECDSA key

Hello,

Extract of nxlog.log :

2016-08-24 08:58:30 INFO nxlog-ce-2.9.1716 started
2016-08-24 09:01:24 INFO SSL connection accepted from 172.25.20.35:51694
2016-08-24 09:01:24 ERROR SSL error, SSL_ERROR_SSL: retval -1, no shared cipher,
2016-08-24 09:01:24 WARNING SSL connection closed from 172.25.20.35:51694

 

My question: are the SSL libraries (libeay32.dll and ssleay32.dll) used by NXLOG-CE compatible with a certificate built with an ECDSA key?

Thanks for your help.


D.LEC created
Replies: 1
Amazon Linux AMI support

I'm getting a segmentation fault when trying to run nxlog under Amazon Linux AMI 2015 or 2016.

My configuration file is OK and nxlog is installed from nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm.

 

[root@feeds ~]#  /usr/bin/nxlog -v -c /etc/graylog/collector-sidecar/generated/nxlog.conf
2016-08-22 20:49:50 INFO configuration OK

 

[root@feeds ~]#  /usr/bin/nxlog -f -c /etc/graylog/collector-sidecar/generated/nxlog.conf
2016-08-22 20:41:50 WARNING already running as gid 0
2016-08-22 20:41:50 WARNING already running as uid 0

 


peter.wong@searchoptics.com created
Replies: 1
file_remove : unexpected TOKEN_INTEGER - ce - 2.9.1716

I'm trying to remove log files older than 48 hours.

I read that I should use now() - seconds as the datetime, so I tried

file_remove('filepath',now() - 172800) ;

file_remove(filepath, (now()-172800)) ;

Both failed with the message: nxlog.conf; syntax error, unexpected TOKEN_INTEGER

In the doc, it's specified that datetime - integer returns a datetime, but when I check with

file_remove('filepath',now()) ;

I don't get the syntax error.

Then I used

file_remove('filepath', datetime(now()-172800)); and I also get the syntax error unexpected TOKEN_INTEGER.

How can I set file_remove's 'older' parameter to "48h"?


karrakis created
Replies: 1
Add a filter in nxlog

Hello, I want to change the value of the syslog severity level depending on the content of the message.

Something like:

if message contains the word INFO

                    syslog_severity_code=10


albamv created
Replies: 1
Making sure that conf file will send all logs to graylog

Hello,

I am rather new to nxlog and really enjoy the product so far. My question is: I want to ensure that ALL Windows Events on a server are being sent to my Graylog server and that no logs are being omitted. This appears to be the default conf and it should work this way, but I am just making extra sure. Thanks very much in advance.

 

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#<Extension _syslog>
#    Module      xm_syslog
#</Extension>

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

<Output out>
    Module      om_udp
    Host        192.168.1.71
    Port        12201
    OutputType  GELF
#   Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        in => out
</Route>


Selmack created
Replies: 2
Work om_dbi with Oracle

Hi all,

We use the CE version of Nxlog and have some trouble.

Params over 4000 symbols are not inserted into the DB.
The query is like INSERT INTO web_log ( param) VALUES ( TO_CLOB($param)).

The '$params' is sent to the driver (last Oracle libdbi driver 0.9.0) as a string parameter, which is converted to VARCHAR(4000).

How is this implemented in the EE version?


Mikhail created
Need to send nxlog collected windows events to sensu client

I have some Windows event logs being collected by nxlog, and I need to send them to a Sensu client (using UDP port 3030) on the same machine. Do you have any experience with this?

Have you done anything similar? I just want to know how to configure nxlog and the Sensu client to make it work.


eyang@cisco.com created
GELF timestamp field missing millisecond precision

We have nxlog CE pushing to a GELF TCP input in Graylog, and the timestamp field received from nxlog appears to not have the milliseconds (i.e. it ends in ".000"), resulting in out-of-order messages in Graylog within a 1-second window.  Other sources (Graylog Collectors, apps pushing directly, etc.) include the original millisecond value as expected.  For Graylog inputs receiving nxlog messages we've had to set up an extractor to extract the timestamp from the message itself.  Are there any options to keep millisecond precision with nxlog?


coffee-squirrel created
Replies: 1
Nxlog.conf unable to read /parse Directory or File path

Hello, I am using NXLOG on Windows 2012 to get DNS logs forwarded to my syslog server. I have enabled DNS logging on the Windows server and see the dns.log file is getting created under the C:\Windows\System32\DNS\ folder. However, my nxlog.conf is unable to browse or parse to get to this directory. I have made sure to check that the log file is dns.log and not dns.txt in Windows.

If I put the below in my nxlog.conf file, I get the error "WARNING input file does not exist: C:\Windows\System32\dns\dns.log"

<Input in>
    Module  im_file
    File  "C:\\Windows\\System32\\dns\\dns.log"
    SavePos TRUE
    InputType LineBased
</Input>

 

If I use the below File path in my nxlog.conf, then I get the error: "ERROR failed to open directory: C:\Windows\System32\dns: The system cannot find the path specified."

<Input in>
    Module  im_file
    File  "C:\\Windows\\System32\\dns\\dns*"
    SavePos TRUE
    InputType LineBased
</Input>

Same thing, even if I use single quotes and a single \, I get the same error: "WARNING input file does not exist: C:\Windows\System32\dns\dns.log"

<Input in>
    Module  im_file
    File  'C:\Windows\System32\dns\dns.log'
    SavePos TRUE
    InputType LineBased
</Input>

 

Can someone please help? This is driving me crazy.

 


Nick79 created
Replies: 1
Pass the value of the variable in nxlog from perl script

Hello!

I want to pass the value of a variable from NxLog to a Perl script, and pass a variable back to nxlog after running the script.

How do I do this?

Thanks


toreno93 created
Replies: 1
the perl interpreter failed to parse /tmp/nxlog/Perl/perl.pl

Hello.

Help me please, I am a beginner in NxLog. I use NxLog on Unix with the Perl module and the script perl.pl.

What is this error: ERROR the perl interpreter failed to parse /tmp/nxlog/Perl/perl.pl?

How do I fix this?

beginner


toreno93 created
Replies: 1
[patch] Stop to_syslog_ietf() from incorrectly escaping carriage return and newline characters

Hi,

RFC5424 and all transports (except obsolete non-octet-counted TCP) can handle MSG containing ANY character including newlines and carriage returns.

In violation of the above, NxLog's to_syslog_ietf() function backslash-escapes these two characters. Furthermore, the escaping scheme is broken because it doesn't also escape the escape character itself (the backslash) so there's no way to reliably un-escape the MSG on the receiving end.

The correct behaviour is to stop escaping these characters altogether. In the rare case that someone needs to send multiline messages over non-octet-counted TCP, they can escape/unescape the $Message themselves using NxLog's replace() function.

Patch below.

RFC References: https://tools.ietf.org/html/rfc5424#section-6.4 https://tools.ietf.org/html/rfc6587#section-3.4

Regards, Ron MacNeil

--- src/modules/extension/syslog/syslog.c.orig 2014-07-19 23:52:06.000000000 +1000 +++ src/modules/extension/syslog/syslog.c 2016-07-26 14:01:57.296175500 +1000 @@ -1321,16 +1321,8 @@ nx_syslog_add_structured_data(logdata);

 // Append message
  • i = (int) logdata->raw_event->len; nx_string_append(logdata->raw_event, " ", 1); nx_string_append(logdata->raw_event, msg.string->buf, (int) msg.string->len);

  • for ( ; i < (int) logdata->raw_event->len; i++ )

  • { // replace linebreaks with space

  •   if ( (logdata-&gt;raw_event-&gt;buf[i] == '\n') || (logdata-&gt;raw_event-&gt;buf[i] == '\r') )
    
  •   {
    
  •       logdata-&gt;raw_event-&gt;buf[i] = ' ';
    
  •   }
    
  • }

    if (tmpmsg != NULL) { // clean up temp copy
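Review bot: the loop removed by this hunk does not backslash-escape '\n' and '\r' as the cover text states; it overwrites each of them in place with a space (`logdata->raw_event->buf[i] = ' ';`), so the description of the current behaviour should be corrected before the change is judged. Removing the substitution unconditionally also leaves line breaks in the MSG for every output path: a receiver using the non-transparent, newline-delimited framing that RFC 6587 section 3.4.2 still describes will split such a record into fragments, and the posted text itself acknowledges this case for non-octet-counted TCP. Consider keeping the substitution behind a module option, or documenting that to_syslog_ietf() must be paired with octet-counted framing when messages may contain line breaks.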


ron-macneil-ice created
Replies: 1