Route path branching
milank created
Hi,
please advise me how to configure the following setup:
- several inputs (UDP, TCP, internal) joined into common path (i_udp, i_tcp, i_internal => p_pattern ...),
- one global processor (pattern, filter) module,
- several outputs (file, UDP, TCP),
- every message is delivered to one of outputs according to processor's decision.
I call it "route branching". The solutions I have come to so far:
(1) "broadcast": p_pattern => o_file, o_udp, o_tcp -- every output having an Exec filter to drop() messages that should be sent via another output,
(2) "reroute": i_null => o_file; i_null => o_udp; i_null => o_tcp and use Exec reroute() in p_pattern.
The (1) is very inefficient. Otoh, (2) introduces problems with flow control, as the flow control is disabled when using reroute() (a new "feature" of 2.9.1504). So is there an efficient way with flow control enabled? ;-)
Milan
Source code of community edition for community
milank created
Hello,
will you, please, publish the recent source code, the one the latest CE packages were built from? I made quite a few tests with 2.9.1504 on Debian and now would like to patch some minor problems of pm_pattern (and contribute back), but the last published sources are 2.8.1248. And I cannot get a changelog between these two versions either (the changelog packaged in the binary package, as mentioned in the previous post, is too brief):
nxlog-ce (2.9.1504) unstable; urgency=low
SVN snapshot release.
-- Botond Botyanszki <boti@nxlog.org> Tue, 08 Dec 2015 14:02:37 +0100
nxlog-ce (0.1-1) unstable; urgency=low
Initial Release.
-- Botond Botyanszki <boti@nxlog.org> Sat, 06 Nov 2010 18:24:10 +0200
Local variables:
mode: debian-changelog
End:
NXLOG 2.9.1504 New Features, Bug Fixes, Etc
bluelotus created
Where can I find the NXLOG code history for the various releases? I am currently on NXLOG 2.9.1347 and need to know what's new and fixed in 2.9.1504 but cannot locate where this information is.
Thank You,
NXLog performance
leshqo created
Hi
I recently tried to use NXLog community edition to maintain log files. Basically the idea is to rewrite log files one to one from many services on many hosts to one centralized server.
In my test scenario I've created 3 services on one host and started propagating logs. Logs were rewritten successfully, but this is what I observed:
- It took 40 minutes to rewrite 1GB of logs (1GB connection with 60MB transfer between hosts)
- NXLog CPU usage on host where the logs were stored was about 10% (Intel Core i7)
- In Sysinternals ProcessMonitor I've observed that for one data read (65000 bytes)
16:02:26,4218297 nxlog.exe 12884 ReadFile D:\app\Logs\service1.service\Logs_151130_12.log SUCCESS Offset: 490 945 000, Length: 65 000
there are about 450 partial data writes of 30/90/120 bytes, which makes the write process highly ineffective
16:02:26,4219115 nxlog.exe 12884 LockFile \\192.168.199.46\Shared\logs\service1\Logs_151130_12.log SUCCESS Exclusive: True, Offset: 0, Length: 4 294 967 295, Fail Immediately: False
16:02:26,4219594 nxlog.exe 12884 QueryStandardInformationFile \\192.168.199.46\Shared\logs\service1\Logs_151130_12.log SUCCESS AllocationSize: 490 930 673, EndOfFile: 490 930 673, NumberOfLinks: 1, DeletePending: False, Directory: False
16:02:26,4219996 nxlog.exe 12884 WriteFile \\192.168.199.46\Shared\logs\service1\Logs_151130_12.log SUCCESS Offset: 490 930 673, Length: 84, Priority: Normal
16:02:26,4228112 nxlog.exe 12884 UnlockFileSingle \\192.168.199.46\Shared\logs\service1\Logs_151130_12.log SUCCESS Offset: 0, Length: 4 294 967 295
Is that a lack of performance, or have I missed something? Usage of NXLog with such results is unacceptable for me.
My config file:
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
define LOG_SERVER \\\\192.168.199.46
define LOGS_PATH d:\\App\\Logs\\\\*.log
<Extension _syslog>
Module xm_fileop
Module xm_exec
</Extension>
<Input logs>
Module im_file
File "%LOGS_PATH%"
InputType LineBased
PollInterval 15
SavePos TRUE
CloseWhenIdle TRUE
Recursive TRUE
Exec $fileName = file_basename(file_name());
Exec if file_name() =~ /^.*Logs\\(.*?)\.service/ \
{ \
$serviceName = $1; \
}
</Input>
<Output out>
Module om_file
CreateDir TRUE
OutputType LineBased
File "%LOG_SERVER%\\Shared\\Logs\\" + $serviceName + "\\" + $fileName
</Output>
<Route 1>
Path logs => out
</Route>
Gelf - TCP doesn't work with community edition
mniehues created
Hi all,
I tried to use the gelf extension with the tcp module, but it doesn't work.
I saw that the commercial version includes a special TCP GELF extension. Does the community edition support the usage of GELF over TCP?
Kind regards
Michael
No connection could be made because the target machine actively refused it.
jvaira created
Hello,
nxlog was sending to nagios log server just fine for a few days and then all of a sudden we started seeing the below errors in the nxlog.log file that are preventing logs from being sent.
ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
ERROR couldn't connect to tcp socket on xx.xx.xxx.xx:3515; No connection could be made because the target machine actively refused it.
Is this something that you would support or would we need to go through Nagios support instead? We have already tried restarting the nxlog service but the issue remains.
Thank you
om_odbc sql_exec bind parameters
michaels created
Hello
When I call sql_exec with a bind parameter
if (sql_exec("INSERT INTO Events (Id) VALUES(?)", $ID) == TRUE) {}
I get the following error:
INFO SQLBindParam failed; HY104:1:0:[Microsoft][ODBC SQL Server Driver] Invalid precision value
The same command using string concatenation works fine:
if (sql_exec("INSERT INTO Events (Id) VALUES(" + $ID +")") == TRUE) {}
Could you help me with it?
Issue with syslog message being sent when it shouldn't.
yman182 created
Hello,
I have the following config file. What I want it to do is not send anything that has the word error in it.
<Input watchfile_m_NAME1>
Module im_file
File 'LOGLOCATION'
Exec $Message = $raw_event;
Exec if $raw_event !~ /ERROR/ drop();
#Exec $SyslogSeverityValue = 6;
Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1;
#Exec if $raw_event =~ /ERROR/ $SyslogSeverityValue = 3;
The issue I am having is that it still sends the lines that say the word ERROR, but it sends them as an info message. I want it to not send them at all. What am I doing wrong?
NXlog om_ssl infinite reconnection with a SaaS Log Centralizer
Renaud.Boutet created
Hi,
We are trying to connect NXLog with Logmatic.io with an SSL connection. The certificate provided by Logmatic is valid and works with Rsyslog, Syslog-NG or OpenSSL.
However, no matter how hard we try to connect NXLog we have no success and not enough debugging information to troubleshoot it ourselves.
Here is our config:
<Output out>
Module om_ssl
Host api.logmatic.io
Port 10515
CAFile <path_to_your_.crt_file>
####Add the API key before the event
Exec $raw_event="<your_api_key> "+$raw_event;
</Output>
We tried a lot more configurations with AllowUntrusted TRUE/FALSE, CertFile, etc. But the result is always the same:
2015-12-18 18:25:39 INFO connecting to api.logmatic.io:10515
2015-12-18 18:25:39 INFO successfully connected to api.logmatic.io:10515
2015-12-18 18:25:39 INFO reconnecting in 1 seconds
2015-12-18 18:25:40 INFO connecting to api.logmatic.io:10515
2015-12-18 18:25:40 INFO successfully connected to api.logmatic.io:10515
2015-12-18 18:25:41 INFO reconnecting in 1 seconds
2015-12-18 18:25:42 INFO connecting to api.logmatic.io:10515
2015-12-18 18:25:42 INFO successfully connected to api.logmatic.io:10515
Do you have any idea about what it could be?
You can find the certificate here: http://doc.logmatic.io/docs/logging-from-windows#section-enabling-security
Sorry to bother you with that but we spent a lot of time doing our homework before asking this question.
Thanks!!
Sending XML file to Syslog Receiver
nak1 created
I have a fairly simple question regarding sending an XML file to my SysLog Receiver (Nitro box). Currently, I'm attempting to send this file to my Nitro box, but I'm not actually seeing the Syslog being sent to Nitro. I have tcpdump watching for the packets being sent and I'm not getting any information across. I verified that packets were being sent and captured to the Nitro box with a generic Syslog generator. Here is my current .conf file.
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Extension xm_xml>
Module xm_xml
</Extension>
<Input in>
Module im_file
File "C:\\Users\\Administrator\\Desktop\\NXLogTest\\test.xml"
</Input>
<Output out>
Module om_udp
Host xxx.xxx.xxx.xxx
Port 514
Exec to_syslog_bsd();
</Output>
<Route 1>
Path in => out
</Route>
After saving this file, I restart the service, but nothing is being sent. I also checked the logs and there was no error or warnings, the service stops, exits, and restarts nicely. I'd appreciate some help so I have a clear path moving forward.
Thanks!
How to add additional fields when using im_file module
zpp created
Hi,
I'm using the im_file module to read a Windows log file into Elasticsearch, and I need to get the source file name and some fixed string like the log type into Elasticsearch as well. I used the configuration below, but I couldn't find the FileName in Elasticsearch. Can someone help? Thanks a lot!
<Input TestFileInput>
Module im_file
File 'E:\test\app*.log'
Exec $FileName = file_name();
</Input>
changelog
Patrick.Kast created
Hi,
I can't find the changelog for the community version: nxlog-ce-2.9.1504.
Where is it published?
thanks and br,
Patrick
Sending log directory name with log-event
Nemesis created
Hi, I have a system that produces log files. I send them via TCP to a specific port.
Directory path with logs looks like:
C:\Logs\<ID>\*.log
Where ID is the unique 3-digit identifier. How can I get this ID and send it with every log event?
My current config:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Input logs>
Module im_file
File 'C:\\Logs\\*\\*.log'
ReadFromLast True
SavePos True
Recursive True
Exec if $raw_event =~ /^#/ drop();
</Input>
<Processor buffer_logs>
Module pm_buffer
MaxSize 102400
Type Mem
WarnLimit 51200
</Processor>
<Output out_logs>
Module om_tcp
Host localhost
Port 10010
OutputType LineBased
</Output>
<Route r_logs>
Path logs => buffer_logs => out_logs
</Route>
Source for version 2.9.1347
apalfreyman created
Hi,
I was just wondering whether you intend to publish the source code for the current (2.9.1347) version?
Regards,
Al
Possible Handle Leak in nxlog.exe?
btrash created
Hi!
I have more than 5000 handles in nxlog.exe.
I analysed it with Sysinternals Process Explorer.
Most of the handles are of type Thread.
When I look at threads I only see 10 threads in nxlog.exe but 5000 Thread handles.
Can you verify that issue?
Version: nxlog-ce-2.9.1347
bug??????? nxlog-ce-2.9.1347
sudy1 created
The nxlog file has an error, but it works OK. Is there something wrong with the error?
2015-12-01 13:37:21 INFO nxlog-ce-2.9.1347 started
2015-12-01 13:37:21 INFO connecting to 10.58.8.216:5000
2015-12-01 15:05:07 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 15:27:39 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 17:21:17 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 17:22:36 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 17:54:05 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
2015-12-01 19:14:30 ERROR if-else failed at line 45, character 244 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 101 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; cannot parse integer, invalid modifier: ';'
nxlog config file:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
<Extension w3c>
Module xm_csv
Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referrer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken
FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
Delimiter ' '
QuoteChar '"'
UndefValue -
</Extension>
<Input in>
# Module im_msvistalog
# For windows 2003 and earlier use the following:
# Module im_mseventlog
Module im_file
File "C:\\inetpub\\logs\\LogFiles\\W3SVC3\\\u_ex*.log"
SavePos TRUE
Exec if $raw_event =~ /^#/ drop(); \
else \
{ \
w3c->parse_csv(); \
$EventTime = parsedate($date + " " + $time); \
$SourceName = "IIS"; \
$Message = to_json(); \
}
</Input>
<Output out>
Module om_tcp
Host 10.58.8.111
Port 5002
# Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>
nxlog CE ipv6 targets
rherold created
hi,
We have some IPv6-only networks here where we tried the nxlog CE agent for Windows. It seems that there is no IPv6 support for log targets.
Is there support planned for IPv6?
NXLog on Windows server 2003 (im_mseventlog) invalid keyword: Query problem
emve created
Hi,
I have installed NXLog on Windows server 2003 with this configuration (example from NXLog reference manual)
<Input in>
# Module im_msvistalog
# For windows 2003 and earlier use the following:
Module im_mseventlog
Query <QueryList> <Query Id="0"> <Select Path="Security">*</Select> </Query> </Querylist>
</Input>
I received "ERROR invalid keyword: Query" in nxlog.log :
2015-11-27 10:57:38 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:21
This configuration is working fine with "Module im_msvistalog" on Windows Server 2008 and later.
(http://www.developpez.net/forums/d1545842/systemes/windows/windows-serveur/solution-nxlog-graylog/)
How can I fix this problem?
Thank you,
nxlog-ce-2.9.1347 restart fail Not enough fields in CSV input
sudy1 created
2015-11-25 12:47:03 INFO nxlog-ce-2.9.1347 started
2015-11-25 12:47:03 INFO connecting to 10.1.252.239:5000
2015-11-25 12:47:03 ERROR if-else failed at line 45, character 241 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 45, character 98 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 15, got 12 in input '192.168.2.xx GET /page/v1/chengjiao/index.aspx placeholder=b1m8u8z2g7 80 - 220.181.108.81 Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html) 200 0 0 328'
Windows Eventlog - registry ref objects do not resolve
mwber1 created
I am new and I apologize in advance if this question has been asked already.
Problem:
I am using nxlog to forward Windows event logs (JSON format) to a central logging system.
Not all objects are resolved in the message … example:
Object: Object Server:
DS Object Type: %{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}
Object Name: %{cc0985a1-b646-4957-bb95-ac8fe9ad147a}
Question:
Is that normal or is there something I can do to resolve those references?