Hi, I have several routes, outputs, and inputs and would like to have a schedule block that effects all logs. Is this possible? My current implementation is to put the schedule block in each Output. It works, but I was seeing if there was a way to clean it up and get it into one scheduler. Thank you!

I'm having an alert every time the om_http sends a message to a web service. Has anyone ever experienced this? LOG: 2015-08-19 16:45:18 INFO connecting to localhost:80 2015-08-19 16:45:18 WARNING http server disconnected while reading the response 2015-08-19 16:45:18 INFO reconnecting in 0 seconds CONF: <Output outATM>     Module              om_http     URL                 http://localhost:80/modules/AtmProcessorMT/index.php </Output>

I am trying to rotate a log file in the Output module. Here is my configuration below: Easier on the eyes (pastebin) ######################################## # Global directives # ######################################## User nxlog Group nxlog LogFile /var/log/nxlog/nxlog.log LogLevel INFO #SuppressRepeatingLogs FALSE define WINLOG /logserv/collections/windows-collector/windows-collector-log.log ######################################## # Modules # ######################################## <Extension fileop> Module xm_fileop </Extension> <Extension _syslog> Module xm_syslog </Extension> <Input windows-collector-log> module im_tcp host 0.0.0.0 port 524 Exec parse_syslog(); Exec log_info("Severity Windows Collector: " + $SyslogSeverity + ", Hostname: " + $Hostname); </Input> <Output windows-collector-log-out> Module om_file CreateDir true File '%WINLOG%' <Schedule> Every 30 sec Exec if (file_size('%WINLOG%') >= 100M) file_cycle('%WINLOG%',500); </Schedule> </Output> <Route 5> Path windows-collector-log => windows-collector-log-out </Route>   I am getting an error saying that the file does not exist when the rotation is executed. 2015-08-19 13:22:23 ERROR failed to determine file size of '/logserv/collections/windows-collector/windows-collector-log.log': No such file or directory

Hi,  I am writing here to inquire about nxLog for centralized logging implementation in production environment.  We have tested nxLog community edition in development environment and We're very much interested in implementing nxLog in production(US/UK client) environment too. I'd appreciate, if someone provides me a detailed product terms and purchase/subscription cost incurred for purchasing nxLog community & enterprise edition. I need to take a decision in the coming few days so it’s really very important that I receive this information as soon as possible. Awaiting reply.  Best Regards, Sreeram

Hi, is it possible to configure at the om_tcp moule  a "closewhenidle". A persistent connection to my destination ist not good when no data sent. 

Hey all,  I was wondering if rindex worked on nxlog, I’m not having luck getting it to work, and all my searches come up empty. I’m looking to parse a username after a "|"  create_var('char'); \ set_var('char', '|'); \ create_var('index_num'); \ set_var('index_num', rindex($UserName, get_var('char'))); \

Hello, Because of my lack of encryption knowledge, I search and found these instructions that I followed in order to create an SSL connection between an nxlog client (Windows server 2008 R2) and a graylog server. So I transfered the "nxlog-ca.crt" to the client and indicated to the graylog server "nxlog-ca.key" as the TLS private key file and "nxlog-ca.crt" as the TLS cert file. Here is the nxlog.conf : define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog>     Module      xm_gelf </Extension> <Input in>     Module      im_msvistalog         Query    <QueryList>\             <Query Id="0">\                 <Select Path="Application">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\                 <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\                 <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\                 <Select Path="HardwareEvents">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\             </Query>\         </QueryList> </Input> <Output sslout>    Module          om_ssl    Host            host_ip_address    Port            12201    CAFile          %CERTDIR%\nxlog-ca.crt    OutputType      GELF_TCP    AllowUntrusted  FALSE </Output> <Route 1>     Path        in => sslout </Route>   But when I launch "nxlog.exe -f" here is the error : nxlog.exe -f 2015-08-04 12:23:05 INFO nxlog-ce-2.9.1347 started 2015-08-04 12:23:05 INFO connecting to host_ip_address:12201 2015-08-04 12:23:05 INFO successfully connect to host_ip_address:12201 2015-08-04 12:23:05 INFO remote socket was closed during SSL handshake 2015-08-04 12:23:05 INFO reconnecting in 1 seconds   And That's it. What am I missing ? I read in the documentation that all the files about the certificates are in "pem" format but when I create it from certtool I have "crt" and "key" format files.   Thank you.  

Hi, I was wondering if anyone could help me please. I want to use PowerShell to do a silent install of NxLog, I have tried different ways of using MSIEXEC in powershell and command line but I just can't seem to get it working. Any advice would be great.   Thanks.

Sorry I am new to this. Where in the config file do you set it to pull from MSWinEventLog?   Thanks in advance!

We've had some clients where we install & deploy the MSI via group policy -- using the latest version 2.9.1347. On Windows 10 -- it looks like the install succeeds (all the nx log files exist in Program Files (x86), etc.) -- but the service never gets installed. We don't see the nx log service anywhere in services.msc -- and don't see any logs saying that its install failed. We've now seen this on multiple Windows 10 machines. Has anyone else -- and is there a workaround?

Hello I write input module for nxlog. I have wrote function to read data but I don't know how to tranfer data further. Which function should I call? nx_logdata_set_string?

Hi, my ODBC import won't work, checked everything but always this error occurs: ERROR im_odbc couldn't connect to the database, IM014:1:0:[Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application Config: <Input ODBC> Module im_odbc ConnectionString DSN=S_ODBC;database=SophosSecurity; SavePos TRUE PollInterval 5 IdIsTimestamp FALSE </Input> best regards

I'm using NXLog to read log files and send to to Logstash. Normally this works fine, but I'm now trying to send logs from a file, where the new events gets added at the top of the file, not the bottom. Now it's not sending anything. This is from my NXLog config. <Input file> Module im_file File "C:\\TEMP\\export.txt" InputType LineBased Exec $Message = $raw_event; SavePos TRUE ReadFromLast TRUE Exec if $raw_event =~ /^#/ drop(); Is it possible to read from bottom to top?

Are there any numbers about how nxLog performs when it is processing a high rate of messages being placed into a log file? Right now we have a couple of incidents which resulted in a few thousand messages being logged per second. I assume this is more than nxLog can handle but am wondering about any performance testing that has been run

Hi, I need to use im_dbi import module of nxlog. This module isn't part of actual setup, so where can I get it? regards Christian

Hi all, after installd nxlog-ce-2.9.1347-1_rhe6.x86_64.rpm on Red Hat I tried to start the service "/etc/init.d/nxlog start" and I'm get the following error: " Starting nxlog deamon... /usr/bin/nxlog: symbol lookup error: /usr/bin/nxlog: undefiend symbol: apr_pool_create_unmanaged_ex   " Does anyone have an idea?

Hello, I'm having trouble centralize logs because my storage system performs poorly. I have several nxlog-ce agents sending logs with om_tcp module and server I have a nxlog-ce recording these logs with the module om_file in a shared directory on my NAS. What recommendation for improving the performance of my solution as a whole? Use another distributed file system? Using an unstructured database? Exsitem more options? Obs .: I need to be able to retrieve the log in its original format, I need to be fault-tolerant and I need to have high write performance.

I'm using NXLog to read a log file and send it to Logstash.  This works fine, but some of the log lines are duplicates.  They're in separate lines, but the content is exactly the same.  I can't change the way the logs are written to the log file, so the only way is to fix it either with NXLog before it gets send, or in Logstash when it arrives, which I prefer not to do. I see NXLog does have a function for this, but it's not working for me.  I've tried this in my config file. <Processor norepeat> Module pm_norepeat </Processor> <Route 1> Path in => norepeat => out </Route> This is abviously not working for me, am I maybe missing something here?

So i have configured nxlog with https to talk with logstash.  I got an error on nxlog side " ERROR unexpected data from server (64 bytes)"  I looked it up and it looks like nxlog got https://github.com/lamby/pkg-nxlog-ce/blob/master/src/modules/output/http/om_http.c#L6462  So i did check up the http input on logstash side , but i have not understand it  https://github.com/logstash-plugins/logstash-input-http#L118 Looks like logstash should send respond code, but i dont see it. Remember i dont have ruby skills.  Can someone explain to me what might be wrong here ? Or how to fix this issue ?

I've seen some posts from about a year ago that NXLog is unable to parse attributes using xm_xml, I just wanted to check if this is still true? I am running NXLog as a service on Windows machines and want to be able to parse the following message, is it possible? <log4j:event logger="com.sentry.test.LogContextListener" timestamp="1437661699866" level="TRACE" thread="localhost-startStop-1"> <log4j:message><![CDATA[This is a trace message about how we should use C#]]></log4j:message> </log4j:event>