
ERROR couldn't connect to tcp socket
Hi All,

We would like to check what could be the cause when getting the below error message in nxlog.log when using port 514?

    ERROR couldn't connect to tcp socket on logs-01.loggly.com:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    INFO connecting to 192.168.1.1:514
    INFO reconnecting in 2 seconds

We are from SolarWinds Loggly and are helping a customer identify the cause as to why they are getting the above error message. From our documentation, we already advised them to edit the configuration file as "Administrator"; this means that you should actually open the text editor as Administrator, but the issue still persists. Reference: https://documentation.solarwinds.com/en/success_center/loggly/content/admin/troubleshooting-nxlog.htm#Check-Connection

The customer is using the latest version of NXLog Community Edition (nxlog-ce-3.2.2329). Is this a bug?

tariotics created
Replies: 1
File Deletion OnEOF
Is it possible to perform a file deletion on the end of the file in the community edition with something like the below configuration?

    <Input csv>
        Module          im_file
        ReadFromLast    True
        SavePos         True
        PollInterval    300
        File            'file/location'
        # Parse the CSV events
        <Exec>
            csv->parse_csv();
        </Exec>
        <OnEOF>
            <Exec>
                file_remove(file_name());
            </Exec>
            GraceTimeout  10
        </OnEOF>
    </Input>

bubbre01 created
Replies: 1
Problem sending new logs with im_file to remote SIEM
I have a setup with nxlog to collect audit log files that come to me daily. Each day the file name changes. I noticed that the incoming files are not sent to my remote SIEM, only the first one after restarting the NXLOG service. Below is my NXLOG configuration using the im_file and om_tcp modules. Would anyone have an idea how to resolve this?

    define ROOT C:\Program Files (x86)\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    LogLevel INFO

    #######################################################################
    # EXTENSIONS
    #######################################################################
    <Extension _gelf>
        Module xm_gelf
    </Extension>
    <Extension _json>
        Module xm_json
    </Extension>

    <Input auditoria>
        Module im_file
        File "E:\Dataside\SIEM*.json"
        ReadFromLast False
        SavePos False
    </Input>

    <Output graylog>
        Module om_tcp
        Host 10.100.8.113
        Port 5555
    </Output>

    <Route auditoria-to-graylog>
        Path auditoria => graylog
    </Route>

lucasbittencourt created
Replies: 1
Systemd and open files limit
Would like to check where I should change the file for RHEL 8? I found the below link but it doesn't work for RHEL 8: Common issues :: NXLog Documentation

This scenario requires edits to the service file or an override. To check NXLog system limits, use the following command:

    $ cat /proc/$(cat /opt/nxlog/var/run/nxlog/nxlog.pid)/limits

On systems not using /proc, check the system's open file limit:

    $ sysctl kern.maxfiles

To adjust limits for nxlog, create /etc/systemd/system/nxlog.service.d/override.conf and add the following definition:

    [Service]
    LimitNOFILE=100000

Update the service settings with:

    $ systemctl daemon-reload

billychua created
Replies: 1
Are the config files different between Community and Enterprise editions
I am trying to migrate our functional Enterprise config to Community on other devices.

Thanks,
Paul

PaulBagnell created
Replies: 1
How to refer to fields with dash in name in Exec
Hi, I'm working on a setup for collecting IIS logs and sending them to Graylog. Here I stumbled into a problem with referring to fields with a dash in the field name. I would really like the fields to have proper W3C names in Graylog, so I don't want to remove those dashes.

In the CSV module I have:

    <Extension w3c>
        Module xm_csv
        Fields $date, $time, $s-ip, $cs-method, $cs-uri-stem, $cs-uri-query, $s-port, $cs-username, $c-ip, $csUser-Agent, $cs-referer, $sc-status, $sc-substatus, $sc-win32-status, $time-taken, $X-Forwarded-For
        FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer, string
        Delimiter ' '
        QuoteChar '"'
        EscapeControl FALSE
        UndefValue -
    </Extension>

And in my input definition I have:

    <Input iis_dodpdownload>
        Module im_file
        ....
        Exec if $raw_event =~ /(^#)|((keepalive.html).*(\s-\s200\s0\s))/ \
             { \
                 drop(); \
             } \
             else \
             { \
                 w3c->parse_csv(); \
                 $EventTime = parsedate($date + "T" + $time + "+00:00"); \
                 $SourceName = "IIS"; \
                 $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status; \
             }
    </Input>

The line

    $Message = $cs-method + " " + $cs-uri-stem + " " + $sc-status;

results in a parser error. If I change the field names to not contain the dash character then it works. I also tried to surround them with curly braces but it just returns a new parse error. How can I refer to those fields/vars or escape them?

Hope someone knows :-)

Best regards,
Peter Meldgaard

mulgurul created
Replies: 3
Multiple log in Windows Events Log
Hi, I have a problem trying to send the raw event of Windows Server 2016. I have this configuration in nxlog.conf:

    Panic Soft
    #NoFreeOnExit TRUE
    define ROOT C:\Program Files\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf\nxlog.d
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>
    <Extension _leef>
        Module xm_leef
    </Extension>
    <Extension xml>
        Module xm_xml
    </Extension>
    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>
    <Extension _exec>
        Module xm_exec
    </Extension>
    <Extension rewrite>
        Module xm_rewrite
        Keep EventXML
    </Extension>

    <Input argentina>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0" Path="Security">
                    <Select Path="Security">*[System[band(Keywords,13510798882111488)]]</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Processor buffer1>
        Module pm_buffer
        MaxSize 102400
        Type Mem
    </Processor>

    <Output qradar>
        Module om_tcp
        Host XXX.XXX.XXX.XXX:514
        Exec $raw_event = $EventXML;
        Exec delete_all();
    </Output>

    <Route r1>
        Path argentina => buffer1 => qradar
    </Route>

But in our SIEM I see this output (every line is a different log):

I used "tcpdump" to see if every log is a different packet, but I saw that it's only one packet that has a special character that separates the lines (I thought). Could someone help to solve this? Maybe using "replace" or changing the encoding. Thanks

santiagonahuel.sarchetti@bbva.com created
Replies: 0
SQL Integration | NXLog configuration errors
Hello There,

We're in the process of collecting SQL Server logs and followed the instructions in this link (Example 2): https://nxlog.co/documentation/nxlog-user-guide/mssql.html

We are having the following error message:

    ERROR if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 53, character 47 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 53, character 46 in c:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
    ERROR if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 53, character 47 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 53, character 46 in c:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
    ERROR last message repeated 2 times

We're using the latest version of the community edition. Here is a snippet from the config file, including the line numbers as reference to the error above. Let us know if you need further information. Many thanks.

Mary Joy Baquilar created
Replies: 4
Google Chronicle (om_chronicle) with multiple input and output error [HELP]
Has anyone encountered an error before or had an issue when doing multiple inputs and outputs for Chronicle? If I list 1 Chronicle setting with the below configuration there is no error:

    define BASE_URL           https://abc.defgh.ijkhlmn
    define ENDPOINT           unstructuredlogentries
    define API_KEY            key=ABCdefghiJKLNMOP

    <Input listener1>
        Module im_tcp
        Host    1.1.1.1:10000
    </Input>

    <Output to_chronicle_out>
        Module                om_chronicle
        URL                   %BASE_URL%%ENDPOINT%?%API_KEY%
        HTTPSCAFile           \opt\cert.crt
        LogType               WINEVTLOG
        ChronicleBatchSize    1024
    </Output>

    <Route route_chronicle>
        Path listener1 => to_chronicle_out
    </Route>

If I list 2 or more Chronicle settings I do encounter an error:

    define BASE_URL           https://abc.defgh.ijkhlmn
    define ENDPOINT           unstructuredlogentries
    define API_KEY            key=ABCdefghiJKLNMOP

    <Input listener1>
        Module im_tcp
        Host   1.1.1.1:10000
    </Input>

    <Input listener2>
        Module im_tcp
        Host    1.1.1.1:10001
    </Input>

    <Output to_chronicle_out>
        Module                om_chronicle
        URL                   %BASE_URL%%ENDPOINT%?%API_KEY%
        HTTPSCAFile           \opt\cert.crt
        LogType               WINEVTLOG
        ChronicleBatchSize    1024
    </Output>

    <Output to_chronicle_out1>
        Module                om_chronicle
        URL                   %BASE_URL%%ENDPOINT%?%API_KEY%
        HTTPSCAFile           \opt\cert.crt
        LogType               WINEVTLOG
        ChronicleBatchSize    1024
    </Output>

    <Route route_chronicle>
        Path listener1 => to_chronicle_out
    </Route>

    <Route route_chronicle1>
        Path listener2 => to_chronicle_out1
    </Route>

The error I'm getting is:

    ERROR [CORE|main] can't initialize logger: already initialized

billychua created
Replies: 4
nxlog manager push policy to nxlog agent
Hi, I have the following error. I'm using agent to manager using agent-ca.pem. I have encountered an error when trying to push down the managed.conf file. Below is the error. Would like to check: can I just use agent-ca.pem for manager and agent communication, or do I need to use mutual authentication in order to push down the managed.conf file?

    2023-06-28 17:37:08,547 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Reloading agent: Server1
    2023-06-28 17:37:08,549 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent configuration exported: Server1
    2023-06-28 17:37:08,551 ERROR 1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Failed to reconfigure agent: Server1 [Unable to perform requested lazy initialization [com.nxsec.log4ensics.data.model.certdb.Certificate.cer] - no session and settings disallow loading outside the Session]
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1 set to OFFLINE state
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1 removed from opened connections
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - Closing the socket for agent Server1: Unable to perform requested lazy initialization [com.nxsec.log4ensics.data.model.certdb.Certificate.cer] - no session and settings disallow loading outside the Session
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1's connection closed
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - Agent Server1 connection has been reset until execute 'putFile'
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent reconfigured: Server1
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.c.s.CommAgents] - Agent Server1 connection has been reset until execute RestartServerTask
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent restarted: Server1
    2023-06-28 17:37:08,563 INFO  1.1.1.17 unknown [c.n.l.s.a.AgentManagementService] - Agent reloaded: Server1
    2023-06-28 17:37:08,568 INFO  1.1.1.17 unknown [c.n.l.s.a.s.n.MultiReactor] - Agent manager accepted agent connection Server1 from 1.1.1.48
    2023-06-28 17:37:15,812 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - getServerInfo from agent server2 succeeded.
    2023-06-28 17:37:15,812 INFO  1.1.1.17 unknown [c.n.l.s.a.c.CommAgent] - getServerInfo from agent server3 succeeded.
    2023-06-28 17:37:16,618 WARN  1.1.1.17 unknown [c.n.l.s.a.s.AgentSslVerifier] - Agent manager failed to accept agent connection from 1.1.1.25 [EOF during handshake with peer 1.1.1.205/Server1]

billychua created
Replies: 2
Adding Source IP to Messages
I am receiving some logs from network devices that don't include the source IP or host in the log message. How do I add $MessageSourceAddress to the message so I can identify its source?

I've tried

    Exec $raw_event = $raw_event + $MessageSourceAddress;

but that does nothing. What is the correct syntax for this?

russeller created
Replies: 1
nxlog agent to nxlog-manager
I have encountered an issue: in the nxlog agent I can connect to the nxlog manager, but in the nxlog manager I couldn't see any agent in the list.

billychua created
Replies: 0
How to forward PowerShell_transcript files to SIEM as syslog?
Hello there,

We are currently getting PowerShell transcript logs in one of our Windows WEF Collectors. Each log is being generated as a .txt file following this naming convention: PowerShell_transcript.$deviceName.$RandomNumber.txt. For example, this is how the folder looks:

    G:/PowerShell_logs/
        PowerShell_transcript.device1.qww.txt
        PowerShell_transcript.device2.fgd.txt
        PowerShell_transcript.device3.hjj.txt

The issue I am having is that the content of each .txt file is arriving at the SIEM one line at a time instead of all the lines arriving in the same event. This is the content of one of the PowerShell transcript files:

    Windows PowerShell transcript start
    Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\temp\reset-password_1.2.ps1'
    Process ID: 19236
    PSVersion: 5.1.18362.1714
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.18362.1714
    BuildVersion: 10.0.18362.1714
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    Windows PowerShell transcript end
    End time: 20210920120413

This is the "nxlog.conf" I am using:

    Panic Soft
    #NoFreeOnExit TRUE
    define ROOT C:\Program Files (x86)\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input in>
        Module im_file
        File "G:\PowerShell_logs\PowerShell_transcript*.txt"
    </Input>

    <Output out1>
        Module om_tcp
        Host SIEM-FDQN-domain.com
        Port 514
        Exec to_syslog_bsd();
    </Output>

    <Route 1>
        Path in => out1
    </Route>
    #----------------------------------- END nxlog.conf -----------------------------------

The question is: how do I configure the "nxlog.conf" so that the entire content of each PowerShell_transcript.device1.qww.txt is sent to the SIEM as one event and not multiple ones?

Antonio.Gonzalez2021 created
Replies: 2
Google Chronicle (om_chronicle) with amazon Linux2
I have installed the Amazon Linux 2 agent into EC2. After that we realized the om_chronicle is not available in the /opt/nxlog/modules/output/ directory. We copied the om_chronicle from Redhat and placed it into the below directory. When restarting the service it has the below error:

    Error [Core|main] Failed to load module from /opt/nxlog/modules/output/om_chronicle.so, libssl.so.1.1: cannot open shared object file. No such file or directory; DSO load/failed

billychua created
Replies: 1
find file and execute gzip command
Hi,

I am using the CE edition and looking for a setup which will find certain files and zip them using gzip. The below command runs successfully on the CLI:

    find /home/syslog_admin/*.log -daystart -mtime +0 -print -exec gzip -f {} \;

How do I execute the above using nxlog.conf? I tried

    exec_async("/usr/bin/gzip", "/home/syslog_admin/*.log"  -daystart -mtime +0 -print -exec "/usr/bin/gzip -f {} \;

but it is not working. Also tried the below but no luck:

    exec_async("/usr/bin/find", "/home/syslog_admin/*.log","-daystart", "-mtime", "+0", "-print", "-exec", "/usr/bin/gzip", "-f", "{}", "\;");

Sajeshvv23 created
Replies: 0
Regression with symlinks in Linux
I originally asked about symlinks in a thread https://nxlog.co/community-forum/t/1518-wildcard-paths-not-working-with-symlinks, but was told that symlinks just didn't work. Pity. But I had a working config which worked around the issue. I'll reproduce the file structure here:

    /opt/tomcat-onesite/bin
    |                  /logs
    |                  /etc....
    |-/tomcat-anothersite/bin
    |                    /logs
    |                    /etc....
    |-/tomcat-somewhereelse/bin
    |                      /logs
    |                      /etc....
    |-/tomcat-etc...
    |-/tomcat-logs/onesite       -> /opt/tomcat-onesite/logs
                  /anothersite   -> /opt/tomcat-anothersite/logs
                  /somewhereelse -> /opt/tomcat-somewhereelse/logs
                  /etc ....

Now, with nxlog-ce-2.9.x or 2.10.x, I could define a path of /opt/tomcat-logs/* and nxlog would start. It wouldn't read any symlinks under it, but it would start. Now with any of the 3.x series, nxlog won't even start if there is a symlink directly in /opt/tomcat-logs. I can sort of get by with /opt/tomcat-logs/*/* in that particular case, but it doesn't help with another part of the setup where there are valid files in the equivalent of /opt/tomcat-logs at the same time. How or where can I report bugs or regressions?

NickJH created
Replies: 2
When collecting windows exchange tracking log, I encountered a strange problem
Hi, I have a very strange question to ask. When collecting the Windows Exchange tracking log, I encountered a strange problem. If you delete files older than 7 days in the tracking log folder, nxlog will generate an error, and at the same time the Exchange system will also be affected and cannot operate.

======================================================================
Error log:

    2023-02-15 10:39:04 INFO nxlog-ce-3.1.2319 started
    2023-02-15 10:44:31 ERROR apr_stat() failed on file E:\Log\IIS\W3SVC2\u_ex230207.log; 存取被拒。
    2023-02-15 10:44:31 WARNING input file was deleted: E:\Log\IIS\W3SVC1\u_ex230207.log
    2023-02-15 10:44:33 WARNING input file was deleted: E:\Log\IIS\W3SVC2\u_ex230207.log
    2023-02-15 11:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-4.LOG; 存取被拒。
    2023-02-15 11:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-4.LOG
    2023-02-15 11:32:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-5.LOG; 存取被拒。
    2023-02-15 11:32:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-5.LOG
    2023-02-15 12:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-6.LOG; 存取被拒。
    2023-02-15 12:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-6.LOG
    2023-02-15 13:43:11 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-7.LOG; 存取被拒。
    2023-02-15 13:43:13 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-7.LOG
    2023-02-15 14:00:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-8.LOG; 存取被拒。
    2023-02-15 14:00:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-8.LOG
    2023-02-15 14:32:56 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-9.LOG; 存取被拒。
    2023-02-15 14:32:58 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-9.LOG
    2023-02-15 15:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-10.LOG
    2023-02-15 15:31:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-11.LOG
    2023-02-15 16:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-12.LOG
    2023-02-15 16:33:08 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-1.LOG
    2023-02-15 17:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-2.LOG
    2023-02-15 17:12:10 WARNING stopping nxlog service
    2023-02-15 17:12:10 WARNING nxlog-ce received a termination request signal, exiting...

======================================================================
nxlog config:

    ## Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start.
    define NCloud  172.21.30.1
    define MailLog E:\Log\MessageTracking
    define IISLog  E:\Log\IIS
    define ROOT C:\Program Files\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR  %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile  %LOGFILE%
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data

    ## Load the modules needed by the outputs
    <Extension syslog>
        Module xm_syslog
    </Extension>

    ## For Exchange Message Tracking log file use the following:
    <Input in_maillog>
        Module im_file
        File '%MailLog%\MSGTRK*.LOG'
        ReadFromLast TRUE
        SavePos TRUE
    </Input>
    <Output out_maillog>
        Module om_udp
        Host %NCloud%
        Port 514
        Exec $SyslogFacilityValue = 2;
        Exec $SourceName = 'Exchange';
        Exec to_syslog_bsd();
    </Output>
    <Route maillog>
        Path in_maillog => out_maillog
    </Route>

    ## For Windows Event log use the following:
    <Input in_eventlog>
        Module im_msvistalog
        ReadFromLast TRUE
        SavePos TRUE
        Query <QueryList> \
                  <Query Id="0"> \
                      <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4626 or EventID=4627 or EventID=4634 or EventID=4646 or EventID=4647 or EventID=4648 or EventID=4649 or EventID=4672 or EventID=4675)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4778 or EventID=4779 or EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=4964 or EventID=4976 or EventID=5378 or EventID=5632 or EventID=5633)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770 or EventID=4771 or EventID=4772 or EventID=4773 or EventID=4774 or EventID=4775 or EventID=4776 or EventID=4777 or EventID=4820)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4727 or EventID=4731 or EventID=4732 or EventID=4733 or EventID=4734)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4735 or EventID=4738 or EventID=4739 or EventID=4740 or EventID=4749 or EventID=4750 or EventID=4751 or EventID=4752 or EventID=4753 or EventID=4764 or EventID=4765)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4766 or EventID=4767 or EventID=4780 or EventID=4781 or EventID=4782 or EventID=4793 or EventID=4794 or EventID=4797 or EventID=4798 or EventID=4799 or EventID=5376 or EventID=5377)]]</Select> \
                      <Select Path="Security">*[System[(EventID=4608 or EventID=4610 or EventID=4611 or EventID=4612 or EventID=4614 or EventID=4615 or EventID=4616 or EventID=4618 or EventID=4621 or EventID=4622 or EventID=4697)]]</Select> \
                      <Select Path="Security">*[System[(EventID=5024 or EventID=5025 or EventID=5027 or EventID=5028 or EventID=5029 or EventID=5030 or EventID=5032 or EventID=5033 or EventID=5034 or EventID=5035 or EventID=5037)]]</Select> \
                      <Select Path="Security">*[System[(EventID=5038 or EventID=5056 or EventID=5058 or EventID=5059 or EventID=5061 or EventID=5890 or EventID=6281 or EventID=6400 or EventID=6401 or EventID=6402 or EventID=6403)]]</Select> \
                      <Select Path="Security">*[System[(EventID=6404 or EventID=6405 or EventID=6406 or EventID=6407 or EventID=6408 or EventID=6409 or EventID=6410)]]</Select> \
                  </Query> \
              </QueryList>
    </Input>
    <Output out_eventlog>
        Module om_udp
        Host %NCloud%
        Port 514
        Exec $SyslogFacilityValue = 17;
        Exec $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message;
        Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
             else if ($EventType == 'WARNING')  { $SyslogSeverityValue = 4; } \
             else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS')  { $SyslogSeverityValue = 5; }
        Exec to_syslog_bsd();
    </Output>
    <Route eventlog>
        Path in_eventlog => out_eventlog
    </Route>

    ## For Microsoft IIS (Internet Information Server) log file use the following:
    <Input in_iislog>
        Module im_file
        File '%IISLog%\u_ex*.log'
        ReadFromLast TRUE
        Recursive TRUE
        SavePos TRUE
    </Input>
    <Output out_iislog>
        Module om_udp
        Host %NCloud%
        Port 514
        Exec $SyslogFacilityValue = 22;
        Exec $raw_event = "IIS [info]: " + $raw_event;
        Exec to_syslog_bsd();
    </Output>
    <Route iislog>
        Path in_iislog => out_iislog
    </Route>

======================================================================
Please, how can I deal with this problem?

Chung Wang created
Replies: 1
NXLOG for Parrot OS
Hi. Will there be an NXLog EE for Parrot OS? If so, is there an expected date?

Regards,
Roland

Roland9494 created
Replies: 1
forwarding IIS logs
Hi all, I'm using the CE edition and sending logs to Taegis XDR. I've followed the instructions at this page: Microsoft IIS (secureworks.com)

Configured IIS per these instructions: https://docs.ctpx.secureworks.com/integration/connectEndpoint/microsoft_iis_connect/#configuring-microsoft-iis-logging

Configured nxlog.conf per these instructions: https://docs.ctpx.secureworks.com/integration/connectEndpoint/microsoft_iis_connect/#configuring-nxlog

Logs are still not showing up, and I think I have this section in the nxlog.conf IIS config misconfigured with the IP of my Taegis XDR collector. I've got the IP of my host entered into the Host line, and the port entered into the Port line. Am I supposed to comment out any of the 'Module' lines? Do I have it misconfigured below? Any help is appreciated, thank you in advance.

    <Output W3SVCOUT>
        Module      om_udp
        Module      om_tcp
    ### Guidance on TLS/SSL configuration - https://nxlog.co/documentation/nxlog-user-guide/om_ssl.html
        Module      om_ssl
        Host        x.x.x.x
        Port        601
        CAFile      %CERTDIR%\CA.cer
        CertFile    %CERTDIR%\winhost.cer
        CertKeyFile %CERTDIR%\winhost.key
        AllowUntrusted    FALSE

bthx1138 created
Replies: 5
How to forward the raw XML for Windows logs
Hello there! I was wondering how one can forward the raw XML events (open Event Viewer, double click an event, click Details, then XML View) from the Windows Event Log to a SIEM/log file using nxlog EE. Currently, if I don't specify any options, it ends up in a log format that isn't XML, and if I use

    Exec $Message = to_xml(); to_syslog_bsd();

then I get an XML that isn't formatted the same way as the Windows Event XML, which confuses the SIEM. Thank you!

As an aside, this is what I want:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
        <EventID Qualifiers="16384">7036</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8080000000000000</Keywords>
        <TimeCreated SystemTime="2021-06-25T08:54:27.604250100Z" />
        <EventRecordID>718</EventRecordID>
        <Correlation />
        <Execution ProcessID="592" ThreadID="3300" />
        <Channel>System</Channel>
        <Computer>Lab-NXServer</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">Client License Service (ClipSVC)</Data>
        <Data Name="param2">running</Data>
        <Binary>43006C00690070005300560043002F0034000000</Binary>
      </EventData>
    </Event>

ryanswj created
Replies: 3