Hi!
I'm using nxlog to parse a json file and transfer it to Graylog. When it transfer to Graylog the format of a timestamp is changed.
How can i prevent nxlog to change the timestamp format ?
Thanks in advance
Johan.THOMAS created
Hello,
I'm new with NXLOG and I don't know how to configure the nxlog.conf file when having many IP entries from UDP sources.
I heritated an implementation that has too many ef and else because the IPs sources. I have some errors and with all those if and elses is pretty difficult to correct the problem.
Then I was wondering if ther is a way to separate the entries to avoid using if else if if else if every where.
I saw this option for outputs, but not sure if that works in the same way with inputs.
Thank you very much for your help and support. It will be really appreciated.
Cordially,
clombo
Ana created
I'm setting up a new server for the first time with Enterprise Edition. Where does NXLog keep its data and can I move it to a different partition?
amani created
using om_tcp is there a way to define a sequence of destination IP's such that the list is used in sequence if 1st IP fails to complete 3-way handshake, and then re-check the 1st IP to see if it came back.
simple scenario, admin reboots dest IP #1, or the FW admin deletes a FW rule thus blocking IP #1, NXlog could recognize IP #1 is down and then send to IP #2 in the list.
in general, its a failover mechanism. can it be done?
chuck1234 created
we are using nxlog to collect logs. there are 30 locations, where each location has a log collection servers. when users will travel, we are trying to make them send logs to their closest available log collection server. is there a way to do this with nxlog?
bhr created
So normally I'd define ShortMessageLength during the extension definition part of my configuration file like so:
<Extension gelf>
Module xm_gelf
ShortMessageLength -1
</Extension>
Unfortunately, there are other issues preventing me from doing that. Is there a way to define ShortMessageLength in the input or output areas instead? When I try to like so:
<Input win_dns_logs_in>
Module im_file
File 'C:\\dns.txt'
ShortMessageLength -1
InputType LineBased
</Input>
I get the following error: "invalid keyword: ShortMessageLength"
Thanks,
clintmaples created
Hi everyone,
Here is a brief overview of what I'm trying to do:
+----------+ tcp1514 +-----+ tcp514 +---------+
|Originator|---->----|Relay|---->----|Collector|
+----------+ +-----+ syslog +---------+
192.168.56.10 192.168.56.18 192.168.56.14
Here is the message I get in RSA:
ReceivedTimeStamp RelayHostname [LogMessage]
I would like to have this
ReceivedTimeStamp OriginatorHostname [LogMessage]
I think I'm supposed to throw in an Exec: $Hostname=hostname(); somewhere, but where exactly ?
Here is what my conf files look like:
Originator:
<Input in>
Module im_file
Recursive TRUE
File 'C:\\IIS\\*.log'
</Input>
<Output out>
Module om_tcp
Host 192.168.56.18
Port 1514
</Output>
<Route 1>
Path in => out
</Route>
Relay:
<Extension syslog>
Module xm_syslog
</Extension>
<Input in>
Module im_tcp
Port 1514
Host 0.0.0.0
</Input>
<Output out>
Module om_tcp
Host 192.168.56.14
Port 514
Exec to_syslog_bsd();
</Output>
<Route 1>
Path in => out
</Route>
Thanks for your help.
fbrollo created
Hi,
I have following log:
23.08.2016 22:00:00: [20740] INFO: Line 1
23.08.2016 22:00:00: [20740] Line 2
23.08.2016 22:00:00: [20740] Line 3
23.08.2016 22:00:00: [20740] Line 4
23.08.2016 22:00:00: [20740] Line 5
23.08.2016 22:00:00: [20745] INFO: Line 1
23.08.2016 22:00:00: [20745] Line 2
23.08.2016 22:00:00: [20745] Line 3
23.08.2016 22:00:00: [20745] Line 4
23.08.2016 22:00:00: [20745] Line 5
Each multiline log line is beginning with an empty line. So I tried to use the empty line as header:
<Extension multilineEmtpyLine>
Module xm_multiline
HeaderLine /^$/
</Extension>
<Input foo>
Module im_file
File "C:/logfile/foo.log"
#enabling multilining
InputType multilineEmtpyLine
SavePos TRUE
Exec $Message = $raw_event;
</Input>
<Output localTCP>
Module om_tcp
Host localhost
Port 5544
Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();
# Uncomment for debug output
Exec file_write('c:\nxlog\nxlog_localtcp_debug_output.log', $raw_event + "\n");
</Output>
<Route nxlogLocal>
#Path topbeat_debug, ttp_debug => localTCP
Path foo=> localTCP
</Route>
As I see in debug output and logstash each source line will be transmitted as single line. Multilining is not working.
How can I get it work?
thanks, Andreas
_asp_ created
Hello,
Extract of nxlog.log :
2016-08-24 08:58:30 INFO nxlog-ce-2.9.1716 started
2016-08-24 09:01:24 INFO SSL connection accepted from 172.25.20.35:51694
2016-08-24 09:01:24 ERROR SSL error, SSL_ERROR_SSL: retval -1, no shared cipher,
2016-08-24 09:01:24 WARNING SSL connection closed from 172.25.20.35:51694
My question : SSL libraries (libeay32.dll and ssleay32.dll) used by NXLOG-CE are they compatible with use of a certificate built with a ECDSA key ?
Thanks for your help.
D.LEC created
I'm getting Segmentation fault when trying to run nxlog under Amazon Linux AMI 2015 or 2016.
My configuration file is ok and nxlog is installed from nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
[root@feeds ~]# /usr/bin/nxlog -v -c /etc/graylog/collector-sidecar/generated/nxlog.conf
2016-08-22 20:49:50 INFO configuration OK
[root@feeds ~]# /usr/bin/nxlog -f -c /etc/graylog/collector-sidecar/generated/nxlog.conf
2016-08-22 20:41:50 WARNING already running as gid 0
2016-08-22 20:41:50 WARNING already running as uid 0
peter.wong@searchoptics.com created
I'm trying to remove log files older than 48hours.
I read that i should use now()-seconds as the datetime, so i'll try
file_remove('filepath',now() - 172800) ;
file_remove(filepath, (now()-172800)) ;
boh failed with message : nxlog.conf; syntax error, unexpected TOKEN_INTEGER
in the doc, it's specified that datetime-integer return a datetime, but when i check with
file_remove('filepath',now()) ;
i don't get the syntax error.
then, i used
file_remove('filepath', datetime(now()-172800)); i also get the syntax error unexpected TOKEN_INTEGER.
How can i specify to file_remove the 'older' parameter to "48h" ?
karrakis created
Hello, i Want to change the value of the syslog severity level depending on the contain of the message.
somethin like..
if message contains the word INFO
syslog_severity_code=10
albamv created
Hello,
I am rather new to nxlog and really enjoy the product so far. My question is, I want to ensure that ALL Windows Events on a server are being sent to my graylog server and that no logs are being omitted. This appears to be the default conf and it should work this way, but I am just being extra sure. Thanks very much in advance.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
#<Extension _syslog>
# Module xm_syslog
#</Extension>
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
</Input>
<Output out>
Module om_udp
Host 192.168.1.71
Port 12201
OutputType GELF
# Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>
Selmack created
Hi all,
we used CE version Nxlog, and have some truble.
Don't insert in DB params over 4000 simbols.
Query like INSERT INTO web_log ( param) VALUES ( TO_CLOB($param)).
The '$params' sending in driver(last oracle libdbi driver 0.9.0) like a string parametr those converted as VARCHAR(4000)
How this implemented in EE version?
Mikhail created
I have some windows event log being collected by nxlog, I need to send this to Sensu client(using UDP port 3030) on the same machine. Do you have any experience on it?
Have you done anything simliar on it? Just want to know how to configure nxlog and sensu client to make it work.
eyang@cisco.com created
We have nxlog CE pushing to a GELF TCP input in Graylog, and the timestamp field received from nxlog appears to not have the milliseconds (i.e. it ends in ".000"), resulting in out-of-order messages in Graylog within a 1-second window. Other sources (Graylog Collectors, apps pushing directly, etc.) include the original millisecond value as expected. For Graylog inputs receiving nxlog messages we've had to set up an extractor to extract the timestamp from the message itself. Are there any options to keep millisecond precision with nxlog?
coffee-squirrel created
Hello, I am using NXLOG on Windows 2012 to get DNS logs forwarded to my syslog server. I have enabled DNS logging on the Windows server and see the dns.log file is getting created under C:\Windows\System32\DNS\ folder . However my nxlog.conf is unable to browse or parse to get to this directory. I have made sure to check the log file is dns.log and not dns.txt in Windows.
If i mention the below in my nxlog.conf file, i get an error " WARNING input file does not exist: C:\Windows\System32\dns\dns.log"
<Input in>
Module im_file
File "C:\\Windows\\System32\\dns\\dns.log"
SavePos TRUE
InputType LineBased
</Input>
If i mention the below File path in my nxlog.conf then i get an error : "ERROR failed to open directory: C:\Windows\System32\dns: The system cannot find the path specified."
<Input in>
Module im_file
File "C:\\Windows\\System32\\dns\\dns*"
SavePos TRUE
InputType LineBased
</Input>
Same thing, even if i use single quotes & single \ i get the same error - " WARNING input file does not exist: C:\Windows\System32\dns\dns.log
<Input in>
Module im_file
File 'C:\Windows\System32\dns\dns.log'
SavePos TRUE
InputType LineBased
</Input>
Can someone plss help ? This is drving me crazy
Nick79 created
Hello!
I want pass value a variable from NxLog in Perl script, and pass variable in nxlog after running the script.
how do I do this ?
Thank
toreno93 created
Hello.
Help me please, i beginner in NxLog. I use NxLog on Unix and use Perl module, and script perl.pl
What this error ERROR the perl interpreter failed to parse /tmp/nxlog/Perl/perl.pl??
How do i fix this??
beginner
toreno93 created
Hi,
RFC5424 and all transports (except obsolete non-octet-counted TCP) can handle MSG containing ANY character including newlines and carriage returns.
In violation of the above, NxLog's to_syslog_ietf() function backslash-escapes these two characters. Furthermore, the escaping scheme is broken because it doesn't also escape the escape character itself (the backslash) so there's no way to reliably un-escape the MSG on the receiving end.
The correct behaviour is to stop escaping these characters altogether. In the rare case that someone needs to send multiline messages over non-octet-counted TCP, they can escape/unescape the $Message themselves using NxLog's replace() function.
Patch below.
RFC References: https://tools.ietf.org/html/rfc5424#section-6.4 https://tools.ietf.org/html/rfc6587#section-3.4
Regards, Ron MacNeil
--- src/modules/extension/syslog/syslog.c.orig 2014-07-19 23:52:06.000000000 +1000 +++ src/modules/extension/syslog/syslog.c 2016-07-26 14:01:57.296175500 +1000 @@ -1321,16 +1321,8 @@ nx_syslog_add_structured_data(logdata);
// Append message
-
i = (int) logdata->raw_event->len; nx_string_append(logdata->raw_event, " ", 1); nx_string_append(logdata->raw_event, msg.string->buf, (int) msg.string->len);
-
for ( ; i < (int) logdata->raw_event->len; i++ )
-
{ // replace linebreaks with space
-
if ( (logdata->raw_event->buf[i] == '\n') || (logdata->raw_event->buf[i] == '\r') )
-
{
-
logdata->raw_event->buf[i] = ' ';
-
}
-
}
if (tmpmsg != NULL) { // clean up temp copy
ron-macneil-ice created