Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

Require Windows Event log in Raw XML Format
I am having trouble configuring NXLog Enterprise to forward the Windows Event Log in the original raw XML format that is shown in the XML View of the Details tab. The required data is:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/>
        <EventID>4624</EventID>
        <Version>2</Version>
        <Level>Information</Level>
        <Task>Logon</Task>
        <Opcode>Info</Opcode>
        <Keywords>Audit Success</Keywords>
        <TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/>
        <EventRecordID>6733</EventRecordID>
        <Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/>
        <Execution ProcessID="772" ThreadID="19980"/>
        <Channel>Security</Channel>
        <Computer>Redacted01</Computer>
        <Security/>
      </System>
      <EventData>
        <Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data>
        <Data Name="SubjectUserName">Redacted01$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">Redacted01\Redacted03</Data>
        <Data Name="TargetUserName">Redacted03</Data>
        <Data Name="TargetDomainName">Redacted01</Data>
        <Data Name="TargetLogonId">0x45b8d14</Data>
        <Data Name="LogonType">7</Data>
        <Data Name="LogonProcessName">User32 </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">Redacted01</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x438</Data>
        <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
        <Data Name="IpAddress">Redacted02</Data>
        <Data Name="IpPort">0</Data>
        <Data Name="ImpersonationLevel">Impersonation</Data>
        <Data Name="RestrictedAdminMode">-</Data>
        <Data Name="TargetOutboundUserName">-</Data>
        <Data Name="TargetOutboundDomainName">-</Data>
        <Data Name="VirtualAccount">No</Data>
        <Data Name="TargetLinkedLogonId">0x0</Data>
        <Data Name="ElevatedToken">Yes</Data>
      </EventData>
    </Event>

The data I am currently receiving is the information from the General tab instead. I have applied the following configuration to convert the data to XML format:

    define ROOT C:\Program Files\nxlog
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Extension _json>
        Module  xm_json
    </Extension>

    <Extension xml>
        Module  xm_xml
    </Extension>

    <Input in_win>
        Module  im_msvistalog
        Query   <QueryList>                                   \
                    <Query Id="0">                            \
                        <Select Path="Application">*</Select> \
                        <Select Path="System">*</Select>      \
                        <Select Path="Security">*</Select>    \
                    </Query>                                  \
                </QueryList>
        Exec    $Message = $EventXML; $log_type = $event_trace; to_xml();
    </Input>

    <Output out_win>
        Module  om_udp
        Host    192.168.108.201:514
    </Output>

    <Route 2>
        Path    in_win => out_win
    </Route>

However, I am not able to get the desired output. The data I am currently receiving is:

    09 15 2022 03:53:34 192.168.115.4 <USER:NOTE>
    <EventTime>2022-09-15 16:38:31</EventTime>
    <Hostname>SOCJH-04.cryptogennepal.com</Hostname>
    <Keywords>9232379236109516800</Keywords>
    <EventType>AUDIT_SUCCESS</EventType>
    <SeverityValue>2</SeverityValue>
    <Severity>INFO</Severity>
    <EventID>4624</EventID>
    <SourceName>Microsoft-Windows-Security-Auditing</SourceName>
    <ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid>
    <Version>2</Version>
    <TaskValue>12544</TaskValue>
    <OpcodeValue>0</OpcodeValue>
    <RecordNumber>189928</RecordNumber>
    <ExecutionProcessID>748</ExecutionProcessID>
    <ExecutionThreadID>11540</ExecutionThreadID>
    <Channel>Security</Channel>
    <Message/>
    <Category>Logon</Category>
    <Opcode>Info</Opcode>
    <SubjectUserSid>S-1-5-18</SubjectUserSid>
    <SubjectUserName>SOCJH-04$</SubjectUserName>
    <SubjectDomainName>CGN</SubjectDomainName>
    <SubjectLogonId>0x3e7</SubjectLogonId>
    <TargetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid>
    <TargetUserName>srijan.kafle</TargetUserName>
    <TargetDomainName>CGN</TargetDomainName>
    <TargetLogonId>0x1e170ee</TargetLogonId>
    <LogonType>7</LogonType>
    <LogonProcessName>Negotiat</LogonProcessName>
    <AuthenticationPackageName>Negotiate</AuthenticationPackageName>
    <WorkstationName>SOCJH-04</WorkstationName>
    <LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid>
    <TransmittedServices>-</TransmittedServices>
    <LmPackageName>-</LmPackageName>
    <KeyLength>0</KeyLength>
    <ProcessId>0x2ec</ProcessId>
    <ProcessName>C:\Windows\System32\lsass.exe</ProcessName>
    <IpAddress>-</IpAddress>
    <IpPort>-</IpPort>
    <ImpersonationLevel>%%1833</ImpersonationLevel>
    <RestrictedAdminMode>-</RestrictedAdminMode>
    <TargetOutboundUserName>-</TargetOutboundUserName>
    <TargetOutboundDomainName>-</TargetOutboundDomainName>
    <VirtualAccount>%%1843</VirtualAccount>
    <TargetLinkedLogonId>0x0</TargetLinkedLogonId>
    <ElevatedToken>%%1843</ElevatedToken>
    <EventReceivedTime>2022-09-15 16:38:33</EventReceivedTime>
    <SourceModuleName>in_win</SourceModuleName>
    <SourceModuleType>im_msvistalog</SourceModuleType>
    <log_type/>
    </Event>

Requesting assistance or documentation on how to achieve the desired log format.

Srijan
Replies: 1
Klevin
Possible memory leak? - Windows Server 2012 R2 - NXLog EE
Hello all, hoping someone will be able to pinpoint the issue we're experiencing. We have deployed the latest NXLog Enterprise Edition agents (nxlog-5.5.7535) on numerous Windows servers, including multiple domain controllers (DCs). We're running into an issue where the agents on two DCs have a continuous increase in RAM usage. No other servers experience this problem. Over multiple days the memory usage by the agent slowly increases to gigabytes. This will keep increasing, but when we restart the agent we're back at ~10MB of RAM usage. The DCs with this issue run Windows Server 2012 R2. There are newer DCs in place as well, running Windows Server 2022. These new DCs do not have this problem. Does anyone have an idea as to why this is happening? If you require further information, please let me know. All the DCs have the same agent template deployed on them, see below:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <agent>
      <agentType>TEMPLATE</agentType>
      <global-config>
        <log-level>INFO</log-level>
        <is-log-to-file>true</is-log-to-file>
        <connection-mode>LISTEN_FROM</connection-mode>
        <connection-address>172.16.1.44</connection-address> <!-- IP address of NXlog Manager -->
        <connection-port>4041</connection-port>
        <verbatim></verbatim>
      </global-config>
      <route>
        <name>route1</name>
        <priority>0</priority>
        <module-route>
          <module-id>RIN</module-id>
        </module-route>
        <module-route>
          <module-id>eventlog</module-id>
        </module-route>
        <module-route>
          <module-id>dnsaudit</module-id>
        </module-route>
      </route>
      <module>
        <name>RIN</name>
        <module>om_tcp</module>
        <config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <type>OUTPUT</type>
          <verbatim>Exec to_syslog_snare();</verbatim>
          <connect-address>172.16.1.43</connect-address> <!-- IP address of log collector -->
          <port>517</port> <!-- Port used to collect logs by collector. Traffic is syslog but we've opted to not use standard port 514 to facilitate easier splitting of collected logs. -->
          <output-format>LineBased</output-format>
        </config>
      </module>
      <module>
        <name>eventlog</name>
        <module>im_msvistalog</module>
        <config xsi:type="module-windows-vista-log-in-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <type>INPUT</type>
          <verbatim>&lt;QueryXML&gt; &lt;QueryList&gt; &lt;Query Id="0"&gt; &lt;Select Path="Security"&gt;*&lt;/Select&gt; &lt;/Query&gt; &lt;Query Id="1"&gt; &lt;Select Path="Application"&gt;*&lt;/Select&gt; &lt;/Query&gt; &lt;Query Id="2"&gt; &lt;Select Path="System"&gt;*&lt;/Select&gt; &lt;/Query&gt; &lt;/QueryList&gt; &lt;/QueryXML&gt;</verbatim>
          <savePosition>true</savePosition>
          <read-from-last-position>true</read-from-last-position>
          <query></query>
          <channel></channel>
          <remote>false</remote>
          <server></server>
          <user-name></user-name>
          <domain></domain>
          <password></password>
          <auth-method>Default</auth-method>
        </config>
      </module>
      <module>
        <name>dnsaudit</name>
        <module>im_etw</module>
        <config xsi:type="module-event-tracing-for-windows-in-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <type>INPUT</type>
          <verbatim></verbatim>
          <provider>Microsoft-Windows-DNSServer</provider>
          <level>Verbose</level>
        </config>
      </module>
    </agent>

nervevector
Replies: 5
nervevector
Memory Consumption Is High
Hi Team, I installed the "nxlog-5.4.7313_aix_ppc.rpm" package on an AIX device, but nxlog is consuming nearly 500MB of RAM. Can you please let me know how to reduce the resource consumption? I am getting the below debug logs; please suggest whether there is any issue.

    -bash-4.3# /opt/nxlog/bin/nxlog -v
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure sleep (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure drop (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reroute (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_to_route (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure duplicate_guard (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_stop (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_start (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_restart (NULL - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure to_xml (_xml - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL) 
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure start_scan (fim - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reconnect (fileout - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL) 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_cycle declared at line 115, character 121 in /opt/nxlog/etc/nxlog.conf 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] procedure 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] statement: procedure 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if-else declared at line 115, character 121 in /opt/nxlog/etc/nxlog.conf 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if 2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] finished parsing statements 2022-08-25 16:12:59 DEBUG [CORE|main] parsing path: filein => fileout 2022-08-25 16:12:59 DEBUG [CORE|main] adding module filein to route parse_xml 2022-08-25 16:12:59 DEBUG [CORE|main] adding module fileout to route parse_xml 2022-08-25 16:12:59 DEBUG [CORE|main] parsing path: fim => fileout 2022-08-25 16:12:59 DEBUG [CORE|main] adding module fim to route 3 2022-08-25 16:12:59 DEBUG [CORE|main] adding module fileout to route 3 2022-08-25 16:12:59 INFO [CORE|main] configuration OK 2022-08-25 16:12:59 DEBUG [CORE|main] nxlog_shutdown() enter 2022-08-25 16:12:59 DEBUG [CORE|main] stopping INPUT modules 2022-08-25 16:12:59 DEBUG [CORE|main] stopping module fim 2022-08-25 16:12:59 DEBUG [CORE|main] stopping module filein 2022-08-25 16:12:59 DEBUG [CORE|main] stopping PROCESSOR modules 2022-08-25 16:12:59 DEBUG [CORE|main] stopping OUTPUT modules 2022-08-25 16:12:59 DEBUG [CORE|main] stopping module fileout 2022-08-25 16:12:59 DEBUG [CORE|main] stopping EXTENSION modules 2022-08-25 16:12:59 DEBUG [CORE|main] stopping module 
_fileop 2022-08-25 16:12:59 DEBUG [CORE|main] stopping module _xml 2022-08-25 16:12:59 DEBUG [CORE|main] stopping module multiline 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: INPUT 2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (filein) : 0x1100f3358 2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (fim) : 0x110105a38 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: PROCESSOR 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: OUTPUT 2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (fileout) : 0x110118178 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: EXTENSION 2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (multiline) : 0x1100ed0b8 2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (_xml) : 0x1100f0cf8 2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (_fileop) : 0x11012a918 2022-08-25 16:12:59 DEBUG [CORE|main] no entries found, not writing configcache.dat 2022-08-25 16:12:59 DEBUG [CORE|main] nxlog_shutdown() leave 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: INPUT 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: PROCESSOR 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: OUTPUT 2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: EXTENSION 2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (CORE) : 0x10029B78

SISA
Replies: 1
Klevin
NXlog version
Hi Team, Nxlogger is installed on the IBM AIX, but I am not able to find the nxlogger version with the below commands.
nxlog -v
nxlog -V

SISA
Replies: 1
Klevin
nxlog-ce-3.0.2284 on Windows, exec_async cannot run powershell or batch script...
Hello! I would like to execute a simple PowerShell script that only creates a folder, at every incoming ERROR message. But it cannot run the PowerShell script! My config file is as follows:
<Input 1>
  Module im_tcp
  host 0.0.0.0
  Port 514
  Exec parse_syslog();
</Input>
<Output out>
  Module om_file
  Module xm_exec
  File "C:\\NXlogs\\Test_Log.log"
  exec if $raw_event =~ /ERROR/ exec_async("C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\\NXlogs\\test.ps1");
</Output>
<Route >
  Path 1 => out
</Route>
After running it, I got an error message like:
2022-09-07 15:21:22 ERROR subprocess 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' was terminated by a signal.
Even running notepad.exe or a batch script gives the same error:
ERROR subprocess ................. was terminated by a signal.
Does anyone know what the reason is?

shinee
Replies: 1
shinee
Memory leak xm_python, om_python
In a heavily loaded environment, around 250K values per minute using the Python modules, causes memory leaks and out of memory errors. Checked on: Ubuntu 20 LTS, CentOS 8 Stream. After 15-20 minutes of working (Kafka Python script) nxlog eats over 8 GB of RAM + 3G swap and crashes. Every service restart or reload cleans the memory. Using the perl module is not the solution. Does anyone have the same? Maybe any tips to resolve it.

Grzegorz.Grabowski
Replies: 2
NenadM
High cpu usage on rhel 8 with nxlog ce-3.0.2272 after losing connection to syslog-server
Hi, we have a problem with nxlog CPU usage after it loses connection to the syslog server. After losing connection the CPU usage peaks to 100% until nxlog is stopped. We are using the om_ssl module and the problem only happens on RHEL 8 computers. All the other computers with Windows/RHEL 7 are working fine with the same configurations. I have tried without the om_ssl module, then it works just fine. Our system: Rocky Linux 8.6, nxlog version ce-3.0.2272_rhel8.x86_64. As my syslog server, I am using Graylog. Is anyone else having this problem?

Gray.Logger
Replies: 6
Gray.Logger
Parsing XML Logs
I have never had to parse XML files with NxLog so I am new at this process. This config file grabs Windows Event logs and some trace files from XML files. The Windows Event log part works as it should. The XML, I cannot get to work. I am not getting any output from the XML.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _gelf>
  Module xm_gelf
  ShortMessageLength 500
</Extension>
<Extension xml>
  Module xm_xml
</Extension>
<Input EventLog_In>
  # Use 'im_mseventlog' for Windows XP, 2000 and 2003
  Module im_msvistalog
  # Uncomment the following to collect specific event logs only
  Query <QueryList> <Query Id="0"> <Select Path="Application"></Select> <Select Path="System"></Select> <Select Path="Security">*</Select> </Query> </QueryList>
</Input>
<Input IISTrace_In>
  Module im_file
  File 'F:\Fileshare\Infrastructure Department\Logs\W3SVC1\fr001307.xml'
  Exec parse_xml();
</Input>
<Output EventLog_Out>
  Module om_tcp
  Host IP SCRUBBED
  Port 12201
  Exec to_syslog_snare();
  OutputType GELF_TCP
</Output>
<Output IISTrace_Out>
  Module om_file
  File 'F:\Fileshare\Infrastructure Department\Logs\NxLog\Test\Test.log'
</Output>
<Route EventLog>
  Path EventLog_In => EventLog_Out
</Route>
<Route IISTrace>
  Path IISTrace_In => IISTrace_Out
</Route>

monarch684
Replies: 1
Klevin
Source code version issue
Has anyone else noticed that the source code package says version nxlog-ce-3.0.2272.tar.gz, and when you decompress the package it says version nxlog-ce-3.0.14, and the compiled version is nxlog-ce-3.0.14? I really appreciate nxlog-ce being free and available. Thumbs up to the developers.

dmillfree
Reading logs from Multiple CSV file
Hello Team, I would like to read multiple types of CSV files from a shared folder. Is it possible? Could you please share some samples?

Rawchase
Replies: 1
Klevin
logs are not forwarded if windows time-date is changed backwards
Hi! We have nxlog ce running on a Windows machine. It works OK. If the time is changed to the future, it continues forwarding logs. However, if the time is changed to the past, logs are not forwarded anymore. This affects logs from Windows events, from a text file, etc. It seems that nxlog is filtering the logs and that logs with an earlier time than others already received are discarded. Logs are forwarded again if the nxlog service is restarted (this seems to do a 'reset' of the expected time). Do you know how we could avoid this?

juanjo
Replies: 2
juanjo
nxlog-ce for SLES?
Hello nxlog community, :-) we're currently in the preparation process of analyzing nxlog as potential logging software for our company and while doing so we were looking for an nxlog community edition that supports our SLES operating systems. The official download page does not list versions for any SUSE operating system. We know that SLES is supported by the enterprise edition, but for testing purposes we would like to use the community edition to get started. We've successfully compiled the community edition's source code and installed it on SLES via ...
zypper in gcc apr-devel pcre-devel libopenssl-devel libexpat-devel
./configure
make
make install
... but doing so lacks a lot of other things (which must be taken care of manually) like creating the nxlog user and group, assigning its GID, creating config files, systemd units, directories in /usr/local/etc ... What are we missing? What is the best way to get nxlog-ce installed on SLES 15 SP3? Thank you in advance. Best regards, Dennis

DennisG
Replies: 2
DennisG
Windows Event log processing slow
Hello, We are using nxlog-ce 3.0.2284 on Windows 2016 to collect event logs and forward them to our new SIEM. We experience an increasing delay in the reception of these events by the SIEM. It starts with a few seconds of delay and after a moment, the delay has progressively increased to hours. We collect all the event logs, without any filter, and the observed throughput is around 150 eps, with peaks at 700 eps. The output is om_tcp with TLS. Last, we disabled the buffer processor to see if it helps, but with no improvement. The server does not seem to be very loaded in terms of RAM, CPU and disk. Are we reaching nxlog's maximum performance? Looking at the docs, it seems that the default value for BatchSize is 31 and for PollInterval is 1 second. Does it mean that the maximum input throughput is 31 eps? Lowering the PollInterval to 0.1 seconds seems to help, but is it the recommended strategy to improve performance? How can we configure nxlog to improve the performance? Thank you for your help! David

dgpv
Replies: 4
NenadM
Sun Riverpolis Da Nang Complex
Sun Riverpolis Da Nang Complex. Da Nang is ready to welcome a new wave of investment. Speaking at the Forum, the Chairman of the City People's Committee, Le Trung Chinh, said that although the city faced many difficulties and was affected by the COVID-19 pandemic, it has always been proactive and ready to welcome new waves of investment relocation. "Widespread vaccination of all residents, including investors and foreign experts; the establishment of working groups, chaired by city leaders, to promote and remove difficulties for businesses and investors so that projects can be deployed... have affirmed the city's commitment to accompany the business and investor community in its determination to build trust in Da Nang's investment environment," Chairman of the City People's Committee Le Trung Chinh emphasized. With the theme for 2022 being "Year of safe adaptation, openness, effective control of the epidemic, and economic and social recovery and development", together with major mechanisms and orientations coming from the Central Government and good control of the COVID-19 epidemic, this is the right time for Da Nang to accelerate the deployment of projects and strongly attract investment. See more: land for sale at Dam Sen Nam Hoa Xuan. "The city expects that this Forum will promote investment attraction; create a step forward in realizing the key, driving projects that the city has nurtured over the past period; and at the same time understand and listen to the views and requests from all of you on solutions to overcome barriers and limitations, to promote advantages and potential, and to effectively catch the waves of investment relocation towards Da Nang. From there, we join hands to step by step realize the goal of building a Da Nang that is worth living in, worth working in and worth investing in," Chairman of the City People's Committee Le Trung Chinh shared.
To achieve the set goals, according to Chairman of the City People's Committee Le Trung Chinh, everyone from the city's leaders to its civil servants must renew their thinking, identify new ways of working concretely, in line with legal regulations and practical requirements, and put people and businesses at the center of every policy. At the same time, perseverance, intelligence and clear-sightedness are needed throughout the city's political system; sharing and consensus from the people, the business community and investors; and especially timely orientation and direction from Government leaders and the central ministries. Chairman of the City People's Committee Le Trung Chinh informed that, within the framework of the Da Nang Investment Forum 2022, information will be made public on the plan and progress of completing the planning of functional sub-areas under the adjusted Da Nang General Master Plan to 2030, with a vision to 2045, approved by the Prime Minister; on the land fund and key projects calling for investment in the city, so that interested investors can evaluate and implement them; and at the same time some key solutions to promote investment attraction in the coming period will be discussed. In addition, buyers can refer to real estate projects in Da Nang.

trong.kim
Failed to load module xm_python
I have a problem using the xm_python module. All works fine, but when I add a directive with the xm_python module into the config, I get: ERROR Failed to load module from C:\Program Files\nxlog\modules\extension\xm_python.dll, The specified module could not be found. ; The specified module could not be found. I have this issue on three computers with different Windows systems.

Tuple
Replies: 2
Tuple
Error when using to_syslog_ietf() function in config for Ubuntu 18.04
The following config file works in Ubuntu 14.04, but throws an error when used on an 18.04 server. Am I using the to_syslog_ietf() function incorrectly?
########################################
# Global directives                    #
########################################
User nxlog
Group nxlog
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
##### Logging #####
<Input messages>
  Module im_file
  File "/var/log/syslog"
</Input>
<Input audit>
  Module im_file
  File "/var/log/audit/audit.log"
  # Exec $Message = $Hostname + ' ' + $raw_event;
</Input>
<Input auth>
  Module im_file
  File "/var/log/auth.log"
</Input>
<Input eve>
  Module im_file
  File "/var/log/suricata/eve.json"
</Input>
<Output tcp>
  Module om_tcp
  Host 10.10.10.33
  Port 514
</Output>
<Output tcp_audit>
  Module om_tcp
  Host 10.10.10.33
  Port 514
  Exec to_syslog_ietf();
</Output>
<Output tcp_eve>
  Module om_tcp
  Host 10.10.10.33
  Port 10002
</Output>
<Route messages_to_tcp>
  Path messages, auth => tcp
</Route>
<Route messages_to_tcp_audit>
  Path audit => tcp_audit
</Route>
<Route eve_to_tcp>
  Path eve => tcp_eve
</Route>

abajosh
Replies: 1
abajosh
Nxlog - Milliseconds difference in Event Timestamp
Hello Team, We are using the below nxlog config to parse one application log file to Graylog. Nxlog is properly parsing the file line by line to Graylog. But we are observing a mismatch in timestamp (of 500 to 900 milliseconds) between the actual event and what is shown in Graylog. Please let us know how to fix this issue.
=====================================================================
<Input itmlog>
  Module im_file
  File "/opt/bin/applogs2*.txt"
  SavePos TRUE
  ReadFromLast FALSE
  InputType multiline
  PollInterval 1
  Exec if $raw_event =~ /^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\d{2}.\d{3})/ $EventTime = parsedate($1 + "Z");
  Exec if $raw_event =~ /^.([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})|([^|])|([^|]+)|([\S\s])/ { $UUID = $1; $Plugin = $2; $Severity = $3; $Message = $4; } else if $raw_event =~ /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.\d] ([^|]+)|([^|]+)|([\S\s]*)/ { $Plugin = $1; $Severity = $2; $Message = $3; } else { $Message = $raw_message; }
  Exec $facility = 'APP_UAT';
  #Exec $EventTime = strftime($EventTime, "%Y-%m-%dT%H:%M:%SZ");
  Exec $Hostname = %IP%;
  #Exec $FullMessage = '';
</Input>
========================================================================================

Avin
Replies: 1
Klevin
Looking for old install
Looking for a Windows version 2.8.1248 of NXLog. I am stuck trying to remove this application from a Windows machine, but a system cleanup was performed so the cache of the installer is missing. Add/Remove Programs is requesting my .msi file to continue removing. I tried going to the downloads page and altering the URL for the latest version to include an old version, but it has been removed from the website.

DanielJay
Replies: 1
Klevin
Is NXlog able to perform complex branching for Routes?
I am setting up NXLog Community Edition in an environment with multiple devices I want to monitor. I have already set up multiple routes of single inputs and outputs that do the job adequately, but I have a feeling I can get more complex and have fewer Routes to perform the same action. I have looked around the documentation and played with some prototypes but cannot find anything that works. So are any of the following ideas viable or does the Language prohibit them?
1. Input Branching. Is it possible to route specific incoming logs to specific outputs or routes based on properties (for me it is $MessageSourceAddress)? Either by tagging the data, manipulating route data, etc.
2. Processor Branching. Similar to #1, is it possible to route or send logs to specific outputs based on properties (I am not sure if $MessageSourceAddress is usable in the processor or output modules)? For example:
3. Output Filtering. Is it possible to choose the output destination (for me it will be a file) based on log parameters (again $MessageSourceAddress)? I think this is my best option. For example:
<Output Output_file>
  Module om_file
  <Exec>
    If $MessageSourceAddress = X.X.X.X {
      File '\TestLogs\Test\ test.log'
      …
    } else If $MessageSourceAddress = Y.Y.Y.Y {
      File '\TestLogs\Test2\ test2.log'
      …
    } else If $MessageSourceAddress = Z.Z.Z.Z {
      File '\TestLogs\Test3\ test3.log'
      …
    }
  </Exec>
</Output>
Thanks in advance!

OLDive
Replies: 1
OLDive
Message is shown as truncated in Wireshark when to_syslog_ietf() is used.
I am using the NXLog IETF (i.e. to_syslog_ietf()) format to write logs. But in Wireshark (Packet Detail Window) the message is shown as follows.
Message [truncated]: 1 2022-08-11T10:45:38.152473+05:30 LINL190403680 NCM 0 - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Applicati
Syslog version: 1
Syslog timestamp: Aug 11, 2022 10:45:38.000000000 UTC
Syslog hostname: LINL190403680
Syslog app name: NCM
Syslog process id: 0
Syslog message id [truncated]: - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-
whereas using the BSD format does not cause this issue. The required format is shown below:
Priority (enclosed in < >) representing both facility and severity: <30>
Syslog Version: 1
Syslog timestamp: 2022-08-11T10:45:38.152473+05:30
Syslog hostname: LINL190403680
Syslog app name: NCM
Syslog Process id: 0
Message identifier: Optional message specific properties (structured data) (enclosed in [ ]) : [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-11 10:45:38" SourceModuleName="ExtendedWindowsToCollect" SourceModuleType="im_msvistalog"]
a human readable message (encoded in UTF-8 and starting with BOM, or ASCII 7 only bytes): [CB-002] Application is stopped sucessfully.

Prakash13011993
Replies: 1
jeffron