Hello, I am having an issue with the Program name not population with anything on our syslog server.  The service name is just blank.  Below is my config file.  Am I missing something?   ## Please set the ROOT to your nxlog installation directory   #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog   Moduledir %ROOT%\modules CacheDir  %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir  %ROOT%\data LogFile %ROOT%\data\nxlog.log   <Extension syslog>   Module xm_syslog   </Extension>   # Monitor application log files #<Input watchfile> #  Module im_file #  # File 'C:\\path\\to\\*.log' #  Exec $Message = $raw_event; # Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1; # SavePos TRUE   #  Recursive TRUE #</Input>   # Monitor Windows event logs #<Input eventlog>   # Uncomment for Windows Vista/2008 or later  #  Module im_msvistalog      # Uncomment for Windows 2000 or later   # Module im_mseventlog #</Input>   #<Processor eventlog_transformer> #  Module pm_transformer #  Exec $Hostname = hostname(); #  OutputFormat syslog_rfc5424   #</Processor>   <Output syslogout_centreon>   Module om_udp   Host 10.10.103.112   Port 514 </Output> # Monitor CME FlatFile <Input watchfile_test>   Module im_file   File 'C:\\logs\\test.txt'   Exec $Message = $raw_event;   Exec $SyslogSeverityValue = 6;   Exec if $raw_event =~ /INFO/ drop();    Exec if file_name() =~ /.*\\(.*)/ $SourceName = $1;    Exec if $raw_event =~ /WARNING/ $SyslogSeverityValue = 4;    Exec if $raw_event =~ /ERROR/ $SyslogSeverityValue = 3;    Exec if $raw_event =~ /CRITICAL/ $SyslogSeverityValue = 2;   Exec if $raw_event =~ /ALERT/ $SyslogSeverityValue = 1;    SavePos TRUE     Recursive TRUE   PollInterval 10 </Input> <Processor filewatcher_transformer_test>   Module pm_transformer       #Uncomment to override the program name    Exec $SourceName = 'test';        Exec $Hostname = hostname();   OutputFormat syslog_rfc5424 </Processor> # Path to send Syslog message for test Flat File Generator <Route cme_flat_file_generator>   Path watchfile_test => filewatcher_transformer_test => syslogout_centreon </Route>              

I am using the following im_file configuration to try to collect Windows DHCP Server logs: ## Input module for Microsoft DHCP server audit logs <Input dhcp>     Module im_file     File "C:\\Windows\\System32\\Dhcp\\DhcpSrvLog-*.log"     SavePos TRUE     PollInterval 180     Exec to_syslog_bsd(); </Input> I also tried this without escaping the backslashes and even with "/" characters instead. I also tried using a specific filename but nothing seems to work, since I get the "input file does not exist" error. When I try the same config but with the location being at C:\Dhcp\DhcpSrvLog-*.log, everything works. nxlog service is being run as LocalSystem. Any hints on what I would need to do next to get the logs working from their native location?

Hi, We're evaluating nxlogn to forward event logs and IIS logs from same server as SYSLOG format to centralised log server. The event logs are reaching correctly, but not the IIS logs. Please see the configuration settings. Your help would be highly appreciated ============================================================ define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog>     Module      xm_syslog </Extension> <Input eventlog>     Module      im_msvistalog # For windows 2003 and earlier use the following: #   Module      im_mseventlog </Input> <Extension w3c>     Module    xm_csv     Fields    $date, $time, $site, $dstip, $HTTPMethod, $URIStem, $URIQuery, $port, $username, $srcip, $UserAgent, $HTTPStatus, $SubStatus, $win32Status     FieldTypes    string, string, string, string, string, string, string, string, string, string, string, string, string, string,     Delimiter    ' ' </Extension> <Input IIS_Log>   Module    im_file     File    "C:\WINDOWS\System32\LogFiles\W3SVC1\ex*"     ReadFromLast TRUE         #Drop info legend lines         Exec    if $raw_event =~ /^#/ drop();\         else\         {\             w3c->parse_csv();\             $EventTime = parsedate($date + " " + $time);\         } </Input> <Output out>     Module      om_udp     Host        X.X.X.X     Port        514     Exec        to_syslog_snare(); </Output> <Route 1>     Path        eventlog => out </Route> <Route 2>     Path        IIS_Log => out </Route

I'm currently using the TCP output of NXLog (v2.9.1347) to ship Windows Server 2008 R2 eventlogs to Logstash (v1.4.2) in JSON format; lately I found that NXLog crashes if Logstash has been unavailable for some time and then became available, although it ships a few logs before crashing. This event is logged in the eventlog: Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x54fedd1a Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7 Exception code: 0xc0000005 Fault offset: 0x0005e8d1 Faulting process id: 0x4e4 Faulting application start time: 0x01d0a2b5080df49c Faulting application path: C:\Program Files (x86)\nxlog\nxlog.exe Faulting module path: C:\Windows\SysWOW64\ntdll.dll Report Id: 7ebdb4d7-1036-11e5-909f-005056a30012 To reproduce the issue, just have NXLog ship logs to Logstash and then stop Logstash for about an hour then start it, NXLog crashes soon after. Any idea what might be causing this?

My problem is I cannot collect ADDS or DNS events with Nxlog and send them to an ELK server. In the Nxlog config for the DC and DNS server I have the following Query <QueryList>\ <Query Id="0">\ <Select Path="Security">*</Select>\ <Suppress Path="Security">*[System[(EventID=4624 or EventID=4776 or EventID=4634 or EventID=4672 or EventID=4688 or EventID=4769)]]</Suppress>\ <Select Path="System">*[System/Level=2]</Select>\ <Select Path="Microsoft-Windows-ActiveDirectory_DomainService">*</Select>\ <Select Path="Microsoft-Windows-DNS-Server-Service">*</Select>\ </Query>\ </QueryList> The config file works correctly without the Active Directory and DNS paths. The desired Security and System logs go to ELK correctly. I have also tried leaving only the ADDS or DNS paths in the config file with no luck. I don't think I have the correct paths for ADDS and DNS in the config and that is my problem. My Google-fu and Bing-fu hasn't found any results giving me the Event ID channel for ADDS and DNS events. I've only found the Event ID channels for Application, Security, System, and Setup. Any suggestions? I'm up for any! The DC\DNS server and the ELK server are running on Windows Server 2012. ELK install is running the latest stable releases of ELK. Thanks!

I am trying out the enterprise edition, and could not find documentation for reading event logs directly from .evtx file only, can anyone help in a sample config.

Hello I don't know way to compile my input module for Oracle - need some guidance for it. I guess autogen.sh (using autotools) is designated to generate makefiles etc and configure. I made Makefile.am based on im_dbi version: if HAVE_LIBOCI im_oci_LTLIBRARIES    = im_oci.la im_oci_la_SOURCES    = im_oci.c im_oci.h im_oci_la_CFLAGS    = -rdynamic -D_XOPEN_SOURCE -std=c99 im_oci_la_LDFLAGS    = -module -no-undefined -avoid-version -ldl im_oci_la_LIBADD    = $(LIBOCI) $(LIBNX) im_ocidir        = $(NX_MODULEDIR)/input endif When I call configure or autogen.sh it gives error: ./configure: line 21597: syntax error: unexpected end of file but last lines are:   21590: #echo ---------------------------------------------------------- 21591: #echo Shared: ${BUILD_SHARED_LIBS} 21592: #echo ---------------------------------------------------------- 21593: echo 21594: echo "${PACKAGE}-${NXLOG_VERSION_STRING} configured successfully" 21595: echo "type \`${MAKE-make}' and \`${MAKE-make} install'" 21596: echo 21597: echo 21598: I don't see error here. I just placed my module in modules/input folder Should I generate some files with autotools?

Hi guys,   I need help about NXlog with graylog, on my 2008 server my nxlog send correctly log to my graylog server but i cant see lvl and facility off all logs :-(. like : facility : Unknown and level Invalid [-1] plz see my nxlog config :  <Extension gelf> Module xm_gelf </Extension>    <Extension syslog>     Module    xm_syslog </Extension> <Input eventlog> Module im_msvistalog # this kinda works for me, put * to get everything Query <QueryList>\ <Query Id="0">\ <Select Path='Application'>*[Application/Level=2][Application/Level=3][Application/Level=1]</Select>\ <Select Path='System'>*[system/Level=2][system/Level=3][system/Level=1]</Select>\ <Select Path='Security'>*</Select>\ <Select Path='Setup'>*</Select>\ </Query>\ </QueryList> </Input> <Output out>     Module      om_udp     Host        10.0.0.202     Port           9000 </Output> <Route 1>     Path        eventlog => out </Route>   btw i tried to use GELF out type but all messages in graylog was ��������������� hope u will help me Regards,   Gael

I am using om_tcp for forwarding Windows logs to a SIEM system. What will be the expected behavior of nxlog if e.g. a firewall blocks the TCP connections from the nxlog agent to the SIEM? Is there any potential danger in nxlog buffering outgoing logs so that large amounts of memory or disk space would be consumed on the sending host while the connections get blocked?

I got the error below, after a while that i begin to run the nxlog service. I use mysql database, tried postgresql as well and have the same error message. Has anyone idea how I can fix it? >>ERROR ### ASSERTION FAILED at line 205 in om_dbi.c/om_dbi_get_sql(): "len > j"

This can be seen in nxlog-ce-2.8.1248 distribution, syslog.c, line 1094 if ( (ptr[0] == 0xEF) && (ptr[0] == 0xBB) && (ptr[0] == 0xBF) ) should be if ( (ptr[0] == 0xEF) && (ptr[1] == 0xBB) && (ptr[2] == 0xBF) ) Please, fix this.

Is there any roadmap for natively including an output module to a message queue service such as Redis, 0mq etc? Alternatively how can I write out to a queue using om_http? Thanks    Ash

NxLog does not reconnect to the server once a connection is restored after a network disconnect event. Simple step to repro - Simply unplugging the ethernet cable from the back of the PC while nxlog is attempting to send data to loggly.  The error happens almost instantly after the cable is unplugged. Below is the error message 2015-05-11 13:49:56 ERROR couldn't connect to tcp socket on logs-01.loggly.com:443; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  BTW - I am using NxLog Community Edition. Is this a known issue? I dont expect such a simple feature to not work in a community edition. It should automatically reconnect

Hi, Is it possible to change NXlog Community Edition installation path on Windows platform ? (default installation path is :C:\Program Files\nxlog or  C:\Program Files (x86)\nxlog ). I want to install it to C:\nxlog for example.   Thank you,      

Hi, I setup nxlog to process log file.   Each log file got rotated by application hourly.  The original log file will rename to the same file name postfixed by timestamp, and the log messages will continue written to the new log file with the same name. I found that some of the log messages logged at the last minute or two of an hour are processed more than one time by NXLOG.  Does anyone have any idea what went wrong?   regards, Jerry   Here is my nxlog conf: <Input in2>     Module      im_file     File        "/nfs/home/jerryc/domains/smp_demo/nodes/torvm-core14/log/samp-*_svr2*"     SavePos     TRUE     ReadFromLast TRUE  

Is there a citrix module that can import logs from citrix servers? I'd like to log the following: Authentication Apps launched User Activity Directories accessed   Thanks -G

How to use NXLog to store logs in Azure Table Storage? Is there a om_azure_table_storage module out there?

From time to time on certain Windows servers nslog resends old events. The logs also there is an error "EvtNext failed with error 1717: The interface is unknown" How to fix that ?

Hi, Please advise...Thanks! is it possible to have an nxlog.conf that references other nxlog.conf files.  For example,  If I have iis.conf msevent.conf log4net.conf could I have an nxlog.conf that imports them in a componentized or modular format nxlog.conf would look something like: import  iis.conf import msevent.conf import log4net.conf I am trying to handle many different roles for servers at a big company..  Some servers just have log4net logs we want,  other servers we just want iis logs from and others iis logs and msevent logs.. There are lots of combinations. I am looking for an easy way handle all the server roles....web server, app server, DB server etc.  Each server type is going have different sets of logs processed and sent.  Nxlog is awesome...keep up the great work.  Thanks! Best Regards, Daniel                      

Hello, I am attempting to use the im_odbc module to gather table data from mssql into nagios log server. conf snippet <Input in> Module im_odbc ConnectionString DSN=mysql://USERNAME:PASSWORD@IPADDRESS:PORT;database=DATABASENAME; SQL Select RecordNumber as id, DateOccured as EventTime, data as Message from logtable WHERE RecordNumber > ? SavePos TRUE </Input>   <Output out> Module om_tcp Host IPADDRESS Port 1337 OutputType Binary </Output>   <Route 1> Path in => out </Route> Error ERROR im_odbc couldn't connect to the database, IM010:1:0:[Microsoft][ODBC Driver Manager] Data source name too long   Please Help! Thanks  GC.