Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Exclude event logs for a particular application.
<p>Hi</p>

<p>Please help to exclude/ignore logs for a particular application</p>


<p>Thanks</p>

<p>Virender</p>


logsec
Replies: 1
adm
Large eventlog entries make nxlog "hang"
<p>We are using nxlog to collect eventlog information. Some entries can be large; in fact some messages are split over several entries as a workaround for the maximum eventlog entry size. However, these large entries seem to hang nxlog so that it stops processing new entries. Typical error messages are:</p>

<p>---------------------------------------</p>

<p>2014-10-27 17:10:32 ERROR EvtNext failed with error 1734: The array bounds are invalid.<br />
2014-10-27 17:10:33 ERROR EvtUpdateBookmark failed: The handle is invalid.</p>

<p>----------------------------------------</p>

<p>Why is this? Is there any workaround?</p>



MagnusBjarnlid
Replies: 2
Ivan.Akcheurov
IIS log & bad characters cause NXlog crash causing random event dump
<p>We are using NXlog to send Windows EventLogs and IIS logs to Logstash (ELK). It works very well indeed with only one problem - at 2am (we suspect IIS log rotation, or maybe a weird Netscaler packet) every day the NXlog service crashes on ALL servers that are sending IIS logs. We have some other servers only sending EventLogs - no crashing occurs. I have set the Windows NXlog service to restart on a crash, so service is only interrupted for a minute, but here's the weird part - NXlog re-sends a (random?) huge chunk of messages. I say 'random', because check out this list of time received vs. event time: (these are all from the same server)</p>

<ul>
    <li>2014-10-28T06:00:54.074Z &amp; 2014-10-25 04:18:08</li>
    <li>2014-10-28T06:00:54.074Z &amp; 2014-10-25 03:58:08</li>
    <li>2014-10-28T06:00:54.072Z &amp; 2014-10-25 03:20:02</li>
    <li>2014-10-28T06:00:54.058Z &amp; 2014-10-25 03:10:33</li>
    <li>2014-10-28T06:00:54.058Z &amp; 2014-10-25 03:18:10</li>
</ul>

<p>The weird time received jumping forward/backward in time continues (perhaps it's an ELK stack processing oddity)...keeping in mind we're talking hundreds of entries over a 1-2 minute period. On our UAT servers I observed that this large chunk of logs contains logs from the last week or more - but it's not consistent enough to say 'it's re-sending everything from the last week'.</p>

<p>Anyways - what causes the crash is bad input, like weird bad characters...I am sure the following copy/paste won't do it justice.</p>

<p>If anyone has ideas, I'm open!! Happy to either fix the weird log dumps, or fix the bad input data. We're continuing to investigate, but I thought it important (and not Google-friendly) enough to post here. A number of Google hits for questions like mine with no answers (or 'no bad input filtering, is a bug, sorry').</p>

<p><em>(disregard the timestamp)</em></p>

<pre>
2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input 'PK
'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input 'U@¦Ä-*¸H¶
ÜH—ÙùPÜÙ¡žŒÛŠ”¹‘ðè²Þè'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 2 in input '¹'O‚¨ˆÌ(ˆÌÈF&amp;È”™™ØÌDEéA3)B3éA3±¡é#eEff63AO‚È,ŠÈ,‚È,zÈ,ŠÈ,ld¢Ùé1³g3³&amp;ŸI™½ 2:2KBõÔPD2£F‚³ËäL¡¢PÜÙÁ¢'

2014-10-22 02:51:39  cannot parse integer, invalid modifier: '+'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input '%6»Ô^È=ùÙý™y¨(wv°(#2Ñ¡³%ÍdlhúH±ýŽ•         .ê13'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 2 in input '2³Éòì'

2014-10-22 02:51:39  cannot parse integer, invalid modifier: '³'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 2 in input 'zÈ
‘©¨€Ê È́ÍLž'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input 'PY°‘                zb'ETè[1]ÈÏNÏÿºÿA£Ó@….€þ‹Ô~WO÷?G÷7]'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input 'ß;º'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input 'ŠÌlº…;;X”q‹'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input '&gt;›™5LEptzÌ\(2sÁf&amp;*Jš•'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 1 in input 'M°xU™•ÍL”‰'

2014-10-22 02:51:39  Not enough fields in CSV input, expected 22, got 5 in input 'M´xUš•MMwóÀ†fM&gt;“‑3-è1ÓL™fzÌ4Óc¦™ 3Íô˜i¦ÇÌÈf&amp;š]dCô$ÈÌ$ÈÌ$ÈÌ$È̤ÈÌ$ÈÌÄf&amp;È$h,ë13
2SQ[1]YaC3øH‚̤K °v…L?:º</pre>



chris.trotter.sci
Replies: 1
adm
Load Balanced Output Config
<p>Trying to configure the NXLog forwarder to load balance its output stream. I tried creating 2 output stanzas out1 and out2 with the appropriate IPs and then routed as Path eventlog =&gt; out1, out2.</p>

<p>This seemed to clone the output stream as logs were going to both receivers. What would be the proper way to tell NXLog to use one IP if available, else another IP?</p>


FormerSplunk
Replies: 1
adm
Routing messages based on type and source in a client server configuration
<p>I currently process and transform the Windows event/IIS logs on the client; however, as I have more servers I am wondering about routing everything to a central point using the binary format and then processing them into the relevant tables in a MySQL db. I am struggling with at which stage this filtering and transforming is done and what the route should look like. Do I use the pattern filter in a process stage and then use an if statement in the route based on the pattern id?</p>

<p>Clients</p>

<p>im_msvistalog =&gt; om_tcp (binary)</p>

<p>w3c extension(im_file) =&gt; om_tcp (binary)</p>

<p>Server</p>

<p>im_tcp =&gt; ?????????? =&gt; ?????? (om_dbi but based on source message type evntlog table |syslog table |iis log table|apache log table|security log table)</p>

<p>Can you point me in the right direction?</p>


imperimus
Replies: 1
adm
xm_perl.dll is not present in extension directory
<p>I am trying to use the perl extension in Windows, but nxlog complains that it cannot find the xm_perl.dll. The complaint is correct, the file is not there. My question is why? Does the windows version not support using perl?</p>


MagnusBjarnlid
Replies: 1
framold
Windows Nxlog creating multiple dyn$ folders
<p>Hi,</p>

<p>I really would like some assistance in the forum -</p>

<p>Here is the scenario:</p>

<p>Installed nxlog.c.e in Windows 2008 R2</p>

<p>Used the query list -to get security logs</p>

<p>Added that in the module - started the server - everything is fine.</p>

<p>I tested this in my Windows machine - to my Redhat server.</p>

<p>Works.</p>

<p>The issue happens when the Windows machine is registered to the domain.</p>

<p>Once the service is started in windows, the syslog server creates host folders which include the Windows client name as well as a bunch of other stuff.</p>

<p>Such as Authlite, Process, 0 00 1 &nbsp;etc etc.. list goes on.</p>

<p>Has anyone encountered this issue? Kindly advise.</p>

<p>Additional information:</p>

<p>This issue only occurs with a Windows client registered in the domain.</p>

<p>When nxlog forwards information to my rsyslog server - (which uses the template dyn$ to create host folders) I get folders with 0 00 Authlite ... etc etc.</p>

<p>Is there any way to stop this or fix it? Again it only happens with a Windows client registered in the domain.</p>


lucaspro
Replies: 1
adm
Upgrade to 2.8 on Debian Wheezy
I am unable to find the dependencies for wheezy.
apt-get -f install simply removes nxlog.

My version of Debian is:
Linux chis-logcollector 2.6.32-5-amd64 #1 SMP Sun Sep 23 10:07:46 UTC 2012 x86_64 GNU/Linux

Install pkg: nxlog-ce_2.8.1248_amd64.debian-wheezy.deb

Is there a plan to include dependencies as this is a rather flaky way of installation?

Thanks

Ash Kumar


akumar
Replies: 1
adm
Issue with nxlog Windows service
<p>Hello,</p>

<p>It seems that there is some kind of conflict or bug in nxlog-ce-2.8.1248 (I'm not sure about earlier versions) where, <u>upon boot</u>, nxlog gets stuck in a loop initiating connections to a remote machine (Logstash in my case using om_tcp).</p>

<p>I only became aware of this after installing nxlog on a server that had the group policy "<code>Audit Filtering Platform Connection</code>" enabled on successful connections; this actually generated so many events that it filled up my elasticsearch cluster (I've attached a sample of the event that filled the cluster).</p>

<p>The issue doesn't happen when the nxlog service is configured for "Automatic (Delayed Start)".</p>

<p>I hope this helps.</p>

<p>Thanks</p>


dev667
Replies: 4
dev667