Hey all,
I was wondering if rindex worked on nxlog, I’m not having luck getting it to work, and all my searches come up empty. I’m looking to parse a username after a "|"
create_var('char'); \
set_var('char', '|'); \
create_var('index_num'); \
set_var('index_num', rindex($UserName, get_var('char'))); \
Brandon.Mixon created
Hello,
Because of my lack of encryption knowledge, I searched and found these instructions, which I followed in order to create an SSL connection between an nxlog client (Windows Server 2008 R2) and a Graylog server.
So I transferred the "nxlog-ca.crt" to the client and configured the Graylog server with "nxlog-ca.key" as the TLS private key file and "nxlog-ca.crt" as the TLS cert file.
Here is the nxlog.conf :
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
<Select Path="HardwareEvents">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
</Query>\
</QueryList>
</Input>
<Output sslout>
Module om_ssl
Host host_ip_address
Port 12201
CAFile %CERTDIR%\nxlog-ca.crt
OutputType GELF_TCP
AllowUntrusted FALSE
</Output>
<Route 1>
Path in => sslout
</Route>
But when I launch "nxlog.exe -f", here is the error:
nxlog.exe -f
2015-08-04 12:23:05 INFO nxlog-ce-2.9.1347 started
2015-08-04 12:23:05 INFO connecting to host_ip_address:12201
2015-08-04 12:23:05 INFO successfully connect to host_ip_address:12201
2015-08-04 12:23:05 INFO remote socket was closed during SSL handshake
2015-08-04 12:23:05 INFO reconnecting in 1 seconds
And that's it. What am I missing?
I read in the documentation that all the certificate files are in "pem" format, but when I create them with certtool I get "crt" and "key" files.
Thank you.
fata created
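One way to separate a certificate problem from a Graylog-side problem, added here as an example and not taken from the post above: run a loopback test on the client itself, with om_ssl (the same client settings as in the post) connecting to an im_ssl listener in the same nxlog instance that presents a server certificate issued by the same nxlog-ca. If "remote socket was closed during SSL handshake" goes away here, the client config and CA file are fine and the closing side is the Graylog input. The `collector.crt`/`collector.key` server pair and the `ssl-check.log` file are assumptions; the paths follow the post. certtool writes PEM-encoded text by default, so the .crt/.key files need no format conversion. OutputType is left at its default because only the handshake, not GELF framing, is under test.

```nxlog
# Loopback TLS check for the Windows client, run with `nxlog.exe -f`.
# Example config, not from the original post. collector.crt/collector.key
# are assumed to be a server certificate and key issued by nxlog-ca.
define ROOT    C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# nxlog's own internal messages serve as test traffic.
<Input internal>
    Module  im_internal
</Input>

# Client side: identical to the post except for the loopback Host.
<Output sslout>
    Module         om_ssl
    Host           127.0.0.1
    Port           12201
    CAFile         %CERTDIR%\nxlog-ca.crt
    AllowUntrusted FALSE
</Output>

# Stand-in for the Graylog input: a listener whose certificate chains to nxlog-ca.
# The client presents no certificate of its own, so RequireCert stays FALSE.
<Input sslin>
    Module         im_ssl
    Host           127.0.0.1
    Port           12201
    CAFile         %CERTDIR%\nxlog-ca.crt
    CertFile       %CERTDIR%\collector.crt
    CertKeyFile    %CERTDIR%\collector.key
    RequireCert    FALSE
    AllowUntrusted FALSE
</Input>

# Whatever arrives over TLS is written here; a growing file proves the handshake.
<Output dump>
    Module  om_file
    File    "C:\\Program Files (x86)\\nxlog\\data\\ssl-check.log"
</Output>

<Route client>
    Path    internal => sslout
</Route>

<Route listener>
    Path    sslin => dump
</Route>
```

If the handshake succeeds against this listener but still fails against Graylog, the remaining variables are on the receiving side: whether TLS is enabled on that GELF TCP input at all, and whether the key and certificate files it was given are the ones the client's CAFile can validate.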
Hi,
I was wondering if anyone could help me please.
I want to use PowerShell to do a silent install of NxLog. I have tried different ways of using MSIEXEC in PowerShell and on the command line, but I just can't seem to get it working.
Any advice would be great.
Thanks.
IanMcShane created
Sorry I am new to this. Where in the config file do you set it to pull from MSWinEventLog?
Thanks in advance!
cidvicious created
We've had some clients where we install & deploy the MSI via group policy -- using the latest version 2.9.1347.
On Windows 10 -- it looks like the install succeeds (all the nx log files exist in Program Files (x86), etc.) -- but the service never gets installed. We don't see the nx log service anywhere in services.msc -- and don't see any logs saying that its install failed.
We've now seen this on multiple Windows 10 machines. Has anyone else -- and is there a workaround?
wingows10guy created
Hello
I am writing an input module for nxlog. I have written a function to read data, but I don't know how to transfer the data further. Which function should I call? nx_logdata_set_string?
Tuxizm created
Hi,
my ODBC import won't work; I have checked everything, but this error always occurs:
ERROR im_odbc couldn't connect to the database, IM014:1:0:[Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application
Config:
<Input ODBC>
Module im_odbc
ConnectionString DSN=S_ODBC;database=SophosSecurity;
SavePos TRUE
PollInterval 5
IdIsTimestamp FALSE
</Input>
best regards
honigmann created
I'm using NXLog to read log files and send them to Logstash. Normally this works fine, but I'm now trying to send logs from a file where new events get added at the top of the file, not the bottom. Now it's not sending anything.
This is from my NXLog config.
<Input file>
Module im_file
File "C:\\TEMP\\export.txt"
InputType LineBased
Exec $Message = $raw_event;
SavePos TRUE
ReadFromLast TRUE
Exec if $raw_event =~ /^#/ drop();
</Input>
Is it possible to read from bottom to top?
RVZ created
Are there any numbers about how nxLog performs when it is processing a high rate of messages being placed into a log file?
Right now we have a couple of incidents which resulted in a few thousand messages being logged per second.
I assume this is more than nxLog can handle but am wondering about any performance testing that has been run
J_Grieb created
Hi,
I need to use the im_dbi input module of nxlog.
This module isn't part of the current setup, so where can I get it?
regards
Christian
honigmann created
Hi all,
after installing nxlog-ce-2.9.1347-1_rhe6.x86_64.rpm on Red Hat I tried to start the service with "/etc/init.d/nxlog start" and I get the following error:
" Starting nxlog daemon...
/usr/bin/nxlog: symbol lookup error: /usr/bin/nxlog: undefined symbol: apr_pool_create_unmanaged_ex "
Does anyone have an idea?
super17 created
Hello, I'm having trouble centralizing logs because my storage system performs poorly.
I have several nxlog-ce agents sending logs with the om_tcp module, and on the server I have an nxlog-ce instance recording these logs with the om_file module into a shared directory on my NAS.
What would you recommend for improving the performance of my solution as a whole? Use another distributed file system? Use an unstructured database? Are there more options?
Note: I need to be able to retrieve the logs in their original format, I need to be fault-tolerant, and I need high write performance.
tiago_nascimento created
I'm using NXLog to read a log file and send it to Logstash. This works fine, but some of the log lines are duplicates. They're on separate lines, but the content is exactly the same. I can't change the way the logs are written to the log file, so the only way is to fix it either with NXLog before it gets sent, or in Logstash when it arrives, which I prefer not to do.
I see NXLog does have a function for this, but it's not working for me. I've tried this in my config file.
<Processor norepeat>
Module pm_norepeat
</Processor>
<Route 1>
Path in => norepeat => out
</Route>
This is obviously not working for me; am I maybe missing something here?
RVZ created
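A complete route around pm_norepeat, added as an example rather than the poster's own config. Two things matter for this module: it compares only the fields named in CheckFields (the message text here, since EventTime differs between two reads of an identical line and would defeat the comparison), and it collapses only consecutive repeats, emitting a "last message repeated n times" summary in their place; identical lines separated by other lines pass through untouched. The Logstash host and port are assumptions; the input file path follows the earlier post by the same author.

```nxlog
# Example config, not from the original post.
<Input in>
    Module  im_file
    File    "C:\\TEMP\\export.txt"
    SavePos TRUE
    # pm_norepeat compares $Message, which im_file does not fill in by itself.
    Exec    $Message = $raw_event;
</Input>

<Processor norepeat>
    Module      pm_norepeat
    # Compare on the message text only; a field that changes per read
    # (EventTime, for example) would make every line look different.
    CheckFields Message
</Processor>

<Output out>
    Module  om_tcp
    Host    logstash.example.internal
    Port    5140
</Output>

<Route 1>
    Path    in => norepeat => out
</Route>
```

If the duplicates in the file are not adjacent, this module will not catch them, and the dedup has to happen where the full stream is visible (at the receiver).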
So I have configured nxlog with HTTPS to talk to Logstash.
I got an error on the nxlog side: " ERROR unexpected data from server (64 bytes)"
I looked it up and it looks like nxlog got to https://github.com/lamby/pkg-nxlog-ce/blob/master/src/modules/output/http/om_http.c#L6462
So I checked the HTTP input on the Logstash side, but I have not understood it:
https://github.com/logstash-plugins/logstash-input-http#L118
It looks like Logstash should send a response code, but I don't see it. Bear in mind I don't have Ruby skills.
Can someone explain to me what might be wrong here? Or how to fix this issue?
Tuxizm created
I've seen some posts from about a year ago that NXLog is unable to parse attributes using xm_xml, I just wanted to check if this is still true?
I am running NXLog as a service on Windows machines and want to be able to parse the following message, is it possible?
<log4j:event logger="com.sentry.test.LogContextListener" timestamp="1437661699866" level="TRACE" thread="localhost-startStop-1"> <log4j:message><![CDATA[This is a trace message about how we should use C#]]></log4j:message> </log4j:event>
Jakauppila created
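An added example, not from either post, that covers the two parsing questions on this page with plain regex captures in Exec: the "username after the last |" question at the top of the page and the log4j:event attribute question just above. File names and the sample line in the comment are assumptions; the log4j record format is the one quoted in the post.

```nxlog
# Example config, not from the original posts.

# Case 1: keep whatever follows the last '|' in a field. For a constructed
# line "host01|jdoe" this sets $ShortUser to "jdoe"; the anchored [^|]*
# runs from the last '|' to end of line, which is what an rindex-then-substr
# would yield. A line with no '|' leaves $ShortUser unset.
<Input users>
    Module  im_file
    File    "C:\\logs\\users.log"
    Exec    $UserName = $raw_event;
    Exec    if $UserName =~ /\|([^|]*)$/ $ShortUser = $1;
</Input>

# Case 2: pull the log4j:event attributes and the CDATA body out of a
# one-line XML record with one capture per value, no xm_xml involved.
<Input log4j>
    Module  im_file
    File    "C:\\logs\\app-log4j.xml"
    Exec    if $raw_event =~ /logger="([^"]*)"/ $Logger = $1;
    Exec    if $raw_event =~ /level="([^"]*)"/  $Level  = $1;
    Exec    if $raw_event =~ /thread="([^"]*)"/ $Thread = $1;
    # log4j timestamps are milliseconds since epoch; datetime() expects microseconds.
    Exec    if $raw_event =~ /timestamp="(\d+)"/ $EventTime = datetime(integer($1) * 1000);
    Exec    if $raw_event =~ /<!\[CDATA\[(.*?)\]\]>/ $Message = $1;
</Input>

<Output out>
    Module  om_tcp
    Host    logstash.example.internal
    Port    5140
</Output>

<Route 1>
    Path    users, log4j => out
</Route>
```

The captures are deliberately narrow (`[^"]*`, `\d+`, a non-greedy CDATA body) so a stray quote or a second attribute on the line cannot swallow more than one value.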
Hi guys,
could you please share your experience with filtering Windows event logs.
I have the following configuration in the input tag:
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
# For windows 2003 and earlier use the following:
# Module im_mseventlog
#Exec if ($raw_event =~ /INFO\s+62464/) drop();
# Query for event logs (takes only the defined ones)
#Query <QueryList>\
#<Query Id='1'>\
#<Select Path='Application'>*[System[(EventID='32068')]]</Select>\
#<Select Path='System'>*[System[(EventID='7001')]]</Select>\
#</Query>\
#</QueryList>
## Level 1 (ID=30 Critical) severity level events
# Level 2 (ID=40 Error) severity level events
# Level 3 (ID=50 Warning) severity level events
# Level 4 (ID=80 Information) severity level events
# Level 5 (ID=100 Verbose) severity level events
# Drop level 4 and 5 severity logs
Exec if ($EventType == 'VERBOSE') OR ($EventType == 'Verbose') drop();
Exec if ($EventType == 'INFORMATION') OR ($EventType == 'Information') drop();
Exec if $raw_event =~ /INFO\s+4648/ drop();
..
I planned to filter specific events by entering the name of the 'eventtype' as in the example above. I would like to filter all Verbose, Information, and Warning levels. Unfortunately this doesn't filter the Security INFORMATION level.
Could you please give a proper example of filtering logs by severity and by specific event ID?
Thank you very much.
Appreciate the help.
bgrzinic created
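An added example (not from any post on this page) that answers both the earlier "where in the config do you pull from the Windows event log" question and the filtering question above. The Windows event log is read by an `<Input>` block using im_msvistalog. The XPath query keeps only Critical/Error/Warning (Level 1 to 3) from Application and System, keeps only Audit Failure records from Security via the Keywords bit 0x10000000000000 (4503599627370496 decimal), since Security audit events carry Level 0 and are never selected by a Level filter, and drops EventID 4648 with a Suppress element. The Exec lines repeat the filter on the parsed fields: im_msvistalog sets $EventType to CRITICAL, ERROR, WARNING, INFO, VERBOSE, AUDIT_SUCCESS or AUDIT_FAILURE, so Security audits never equal 'INFO' or 'INFORMATION' and must be named explicitly. Log names and the 4648 choice follow the post; the output host and port are assumptions.

```nxlog
# Example config, not from the original post.
<Input eventlog>
    # This <Input> block is where the Windows event log is read.
    # Windows Vista/2008 and later; Windows 2003 and earlier need im_mseventlog.
    Module  im_msvistalog
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
                    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
                    <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>\
                    <Suppress Path="Security">*[System[(EventID=4648)]]</Suppress>\
                </Query>\
            </QueryList>
    # Second line of defence on the parsed fields. Security audits arrive as
    # AUDIT_SUCCESS / AUDIT_FAILURE, never as INFO, so list them by name.
    Exec    if ($EventType == 'INFO' or $EventType == 'VERBOSE' or $EventType == 'AUDIT_SUCCESS') drop();
    # $EventID is an integer field; compare it as one rather than via $raw_event.
    Exec    if $EventID == 4648 drop();
</Input>

<Output out>
    Module  om_tcp
    Host    logstash.example.internal
    Port    5140
</Output>

<Route 1>
    Path    eventlog => out
</Route>
```

Filtering in the XPath query is the cheaper of the two: events excluded there are never handed to nxlog, whereas an Exec drop() runs after the event has been read and parsed.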
I am working at a product development company in India. I have downloaded the nxlog Community Edition and set it up to transfer our logs to a Logstash server.
Our environment details as below.
OS - Windows 7 Professional.
nxLog installed as service.
Everything working as we expected.
Now what I want to ask is, can we take this setup into our production environment?
Is the Community Edition fully free of cost, or is there a license that has to be purchased for this (nxLog Community Edition)?
Please give us license details about the nxLog Community Edition in a production environment.
Thanks
Sugumar J
Sugumar created
Tuxizm created
Hi,
is it possible to access IIS logs located on a network share?
for example, right now I'm using:
Module im_file
File "D:\\Logs\\W3SVC1\\u_ex*"
SavePos TRUE
and it works.
But if I change it to:
Module im_file
File "\\netapp-ams-cifs\\IISlogs\\Trader1\\W3SVC1\\u_ex*"
SavePos TRUE
I see an error from nxlog saying: ERROR failed to open directory: \netapp-ams-cifs\IISlogs\Trader1\W3SVC1: The system cannot find the path specified.
Can anyone help please?
Thanks
Rotema created
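The error text in the post shows the path nxlog actually tried: `\netapp-ams-cifs\IISlogs\...`, with a single leading backslash. In a double-quoted nxlog string each `\\` is one backslash, so `"\\netapp..."` yields `\netapp...` and the UNC prefix is lost. The corrected input below is an added example, not the poster's own config; the share and path are the ones from the post. A separate caveat, not visible in the post: the account the nxlog service runs under must be able to read the share (a service running as LocalSystem reaches the share as the computer account on a domain, and not at all on a workgroup).

```nxlog
# Example config, not from the original post.
<Input iis_share>
    Module  im_file
    # Four leading backslashes in a double-quoted string become the two
    # the OS expects for a UNC path; every inner separator is doubled too.
    File    "\\\\netapp-ams-cifs\\IISlogs\\Trader1\\W3SVC1\\u_ex*"
    SavePos TRUE
</Input>
```

The same doubling rule applies to the local path the poster already has working (`"D:\\Logs\\W3SVC1\\u_ex*"`); the UNC form simply needs two more at the front.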
Hey all,
I'm trying to install the nxlog rpm on Red Hat 6.
Once I run the rpm I get error message :
" Failed dependencies:
libdbi >= 0.8.1 is needed by nxlog-ce-2.9.1347-1.x86_64"
When I try to install libdbi 0.8.1 I get an error about a dependency collision with a newer version of libdbi.
The only way to continue the installation is to delete the newer version, and that is very problematic.
Someone experienced the problem?
Thanks a lot.
super17 created