Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
README: how to ask questions effectively
gahorvathDeactivated Nxlog ✓ created
Hi All,please adhere to the guidelines below to get faster responses to your queries.1 State the problem clearly:I am trying to collect logs from a log file using im_file and NXLog reads the whole file after each restart.2 Provide your configurationin a code block:
```
configuration text
```3 provide the contents of nxlog.log in a code block2023-04-12 08:00:27 INFO [CORE|main] configuration OK
2023-04-12 08:00:27 INFO [CORE|main] nxlog-5.7.7898 (68bb24e7e@REL_v5.7) started on Linux
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] connecting to lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] tcp connection established with lab1.home(192.168.14.52):2514
2023-04-12 08:00:27 INFO [xm_admin|admin] connecting to lab1.home(192.168.14.52):4041
2023-04-12 08:00:27 INFO [xm_admin|admin] tcp connection established with lab1.home(192.168.14.52):4041
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan started
2023-04-12 08:00:28 ERROR [im_fim|fim] Module 'fim' could not open file '/opt/nxlog/bin/upgrade-nxsec.sh': Permission denied
2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan finished in 0.05 seconds. Scanned folders: 15 Scanned files: 102 Read file bytes: 156746314 provide environment descriptionNXLog CE is running on Windows 2022 server Package version is 3.2.23295 provide relevant detailsThis configuration has been working before we updated from version 2.11Now it does not6 if your problem involves parsing data provide samples of your input and expected output as well as what you actually getMy data looks like this:{"message": “message1”, "time": Thu 20 Apr 10:48:43 CEST 2023}I am getting an error:> error message hereI would like to receive the time in UNIX time (seconds since Epoch)Using this format enables us to get started much faster, and perhaps address your issue in the very first response we writeWould that not be great? :) Thanks for your cooperation!Gabor
gahorvathDeactivated Nxlog ✓ created
Wrong character encodings in localized windows events
Thorsten1 created
I am trying to collect Windows 11 events on a localized system (in my case: German) and send them to Logstash.Sometimes there are German umlauts within the value fields that are converted wrongly.This means that the JSON is no longer valid and Logstash cannot parse it.In example, the “Domain” key contains the German word NT-AUTORITÄT (umlaut before the last T). This is translated to “AUTORIT0xC4T”, where 0xc4 seems to be a part of U+00C4. This is the unicode expression of Ä. The correct UTF-8 character is 0xC3C4. Interestingly, lower case umlauts are translated correctly. At least in the “message” field.Because 0xC4 alone is not a valid UTF-8 character, this cannot work. The parser in Logstash is then missing a byte and fails.I played around with “AutodetectCharsets” of xm_charconv in the nxlog.conf file: nothing changedThen I set "convert_fields("auto", "utf-8");" within the <input> block: did not change anything, too.An then I set "convert_fields("utf-8", "utf-8");" within the <input> block. That fixed the wrong Ä in AUTORITÄT, but broke all small umlauts.This is my nxLog configuration:<Extension json_encoder>
Module xm_json
</Extension>
<Input eventlog>
Module im_msvistalog
Exec $Message = replace($Message, "\r\n", " ");
<QueryXML>
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*</Select>
</Query>
<Query Id="1" Path="System">
<Select Path="System">*</Select>
</Query>
<Query Id="2" Path="Security">
<Select Path="Security">*</Select>
</Query>
<Query Id="3" Path="Setup">
<Select Path="Setup">*</Select>
</Query>
</QueryList>
</QueryXML>
</Input>
<Output out>
Module om_tcp
Host 10.10.2.10
Port 5000
Exec to_json();
</Output>
<Output localfile>
Module om_file
File 'C:\nxlog.txt'
Exec to_json();
</Output>
<Route route1>
Path eventlog => localfile
</Route>
And this is an example of a faulty line in c:\nxlog.txt{"EventTime":"2025-05-05 18:27:39","Hostname":"Frodo","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":37,"SourceName":"Microsoft-Windows-Time-Service","ProviderGuid":"{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":163093,"ProcessID":17416,"ThreadID":9680,"Channel":"System","Domain":"NT-AUTORITĔ","AccountName":"Lokaler Dienst","UserID":"S-1-5-19","AccountType":"Well Known Group","Message":"Der Zeitanbieter \"NtpClient\" empfängt derzeit gültige Zeitdaten von pool.ntp.org,0x9 (ntp.m|0x9|0.0.0.0:123->194.164.164.175:123).","Opcode":"Info","TimeSource":"pool.ntp.org,0x9 (ntp.m|0x9|0.0.0.0:123->194.164.164.175:123)","EventReceivedTime":"2025-05-05 18:27:41","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}It is not such easy to post encoding problems. But in Notepad++ the output is shown as this:And as you can see, there are valid lower case umlauts in the message field: “empfängt derzeit gültige”How can I fix this? :( Thank you very much! Thorsten
Thorsten1 created
Framing Error in received TCP message
Yima created
Hi All,I installed nxlog on my windows server 2003 and send logs to the rsyslog server but it gives error logs like belowApr 29 16:23:06 log-collector rsyslogd[658]: imtcp imtcp: Framing Error in received TCP message from peer: (hostname) <ip>, (ip) <ip>: delimiter is not SP but has ASCII value 68. [v8.2112.0]"}here <ip> = server names and I have basic conf, Please help me these.
Yima created
Handling Escape Characters in Log Data
Caleb created
I'm collecting log data using im_file that includes “domain\username” in a field. I run it through xm_csv to parse the csv formatted data into fields, then I extract that data with regex into a domain field and a username field, which works for all but those usernames that start with escape characters, n r t and b. I had been tweaking the regex at first thinking it was failing for some reason, but it really seems like the field is double quoted and is allowing escape characters to exist, even though I have it set to use a single quote when I parse the csv data.Windows Server 2019 Standard, NXLog CE version 3.2.2329.Input/Output exampleInput
2025/04/14,10:21:18,Disconnect,01DB045CCE64165800505699187E001,CD-PL-22-0030,domain\raymondc,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,50,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,
Output
{"version":"v1","authentication_target":"vpn01","time":"2025-04-14 10:21:18","DeviceName":"CD-PL-22-0030","account":"domain\raymondc","event_type":"VPN_SESSION_TERMINATION"}
ConfigPanic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _json>
Module xm_json
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Extension csv>
Module xm_csv
Fields Date,Time,Event,DeviceID,DeviceName,UserName,POPAddress,VirtualAddress,Status_TimeConnected(sec),Status_BatteryRemaining(%),Status_CompressionState,Interface_Name,Interface_MACAddress,Interface_Reserved,Interface_Speed,Interface_SignalStrength,AP_NetworkName(SSID),AP_MACAddress(BSSID),AP_Vendor,AP_SecurityType,AP_Subnet,AP_RadioChannel,Location_Latitude,Location_Longitude,Location_Altitude,Status_EncryptionState,Reserved,Flags_NetMotion,Flags_Custom,Networking_TotalInTCPBytes,Networking_TotalOutTCPBytes,Networking_TotalInUDPBytes,Networking_TotalOutUDPBytes,Networking_TotalInBytes,Networking_TotalOutBytes,Networking_IMPReceives,Networking_IMPDelivers,Networking_IMPInDuplicateFrames,Networking_IMPOutPeerRetransmittedFrames,Networking_IMPInDuplicateBytes,Networking_IMPOutRetransmittedBytes,Networking_IMPOutRequests,Networking_IMPOutRetransmittedFrames,Status_TerminateReason,Status_TerminateStatus,Networking_IMPInCompressedFrames,Networking_IMPInDecompressibleBytes,Networking_IMPInDecompressedBytes,Networking_IMPOutCompressedFrames,Networking_IMPOutCompressibleBytes,Networking_IMPOutCompressedBytes,Networking_IMPInDataFrames,Networking_IMPInFragmentedFrames,Networking_IMPFragmentedFramesReassemblyReq'd,Networking_IMPFragmentedFramesReassemblyOK,Networking_IMPFragmentedFramesReassemblyTimeouts,Networking_IMPFragmentedFramesReassemblyFailures,Networking_IMPInSyncFrames,Networking_IMPInEstablishedFrames,Networking_IMPInAbortFrames,Networking_IMPInMortisFrames,Networking_IMPInPostMortemFrames,Networking_IMPInEchoRequests,Networking_IMPInEchoResponses,Networking_IMPInBroadcastFrames,Networking_IMPOutDataFrames,Networking_IMPOutFragmentedFrames,Networking_IMPOutFragmentCreates,Networking_IMPOutFragmentOKs,Networking_IMPOutFragmentFailures,Networking_IMPOutSyncFrames,Networking_IMPOutEstablishedFrames,Networking_IMPOutAbortFrames,Networking_IMPOutMortisFrames,Networking_IMPOutPostMortemFrames,Networking_IMPOutEchoRequests,Networking_IMPOutEchoResponses,Networking_IMPOutBroadcastFrames,Errors_InFrameHeader,Errors_InFrameAddress,Errors_InUnknownProtocols,Errors_InFramesDiscarded,Errors_OutFramesDiscarded,Errors_OutFramesNoRoute,EntityID,AuthenticationMode,DeviceAuthIdentity
QuoteMethod String
QuoteChar '
</Extension>
<Input in>
Module im_file
File 'C:\Program Files\NetMotion Server\logs\nmact*.log'
ActiveFiles 2
ReadOrder MTimeNewestFirst
InputType LineBased
CloseWhenIdle True
PollInterval 30
<Exec>
Add basic fields and drop unwanted lines.
if (
($raw_event =~ /Connect,/i)
)
{
$version = ("v1");
$authentication_target = "vpn01";
}
else
{
drop();
}
Regex to pull out the date and time and parse it into a datetime field.
if (
($raw_event =~ /^(\S{4})/(\S{2})/(\S{2}),(\S{2}):(\S{2}):(\S{2})/)
)
{
$EventTime = ($1 + "-" + $2 + "-" + $3 + " " + $4 + ":" + $5 + ":" + $6 + "-07:00");
$EventTime = parsedate($EventTime);
}
csv->parse_csv();
Extract domain+username and normalize to lower case.
if ($UserName =~ /([\w-]+)\b\{1}\b([\w-]+)/)
{
log_info("captured: " + $1 + " and " + $2);
$account_domain = lc($1);
$UserName = lc($2);
}
else if ($UserName =~ /^(\w*)@(\S*)$/)
{
log_info("captured: " + $1 + " and " + $2);
$account_domain = lc($2);
$UserName = lc($1);
}
else
{
log_warning("unable to capture username: " + $UserName);
}
Set username to devicename for unattended authentication.
if ($AuthenticationMode == "8") $UserName = $DeviceName;
Update blank username to device name
if (not defined($UserName)) $UserName = $DeviceName;
Assign event type and authentication result.
if (
($Event =~ /Connect/)
)
{
$event_type = "VPN_SESSION_IP_ASSIGNED";
$authentication_result = "SUCCESS";
}
else
{
$event_type = "VPN_SESSION_TERMINATION";
}
Convert terminate reason to integer and check against list.
$Status_TerminateReason = integer($Status_TerminateReason);
if ($Status_TerminateReason IN (122, 113)) $UserName = $DeviceName;
Keep version, authentication_target, EventTime, DeviceName, UserName, event_type, account_domain, VirtualAddress, POPAddress, authentication_result
rename_field("EventTime", "time");
rename_field("UserName", "account");
rename_field("VirtualAddress", "assigned_ip");
rename_field("POPAddress", "source_ip");
delete($DeviceAuthIdentity);
delete($SourceModuleName);
delete($SourceModuleType);
delete($Date);
delete($Time);
delete($EventReceivedTime);
delete($Event);
delete($DeviceID);
delete($AuthenticationMode);
delete($EntityID);
delete($Status_TerminateStatus);
Future enhancement could be to mark logs with terminate reasons, especially for logon failures.
delete($Status_TerminateReason);
if (
($source_ip =~ /^(\S{7,15}):(\d{1,5})/)
)
{
$source_ip = $1;
}
to_json();
</Exec>
</Input>
<Output resultfile_out>
Module om_file
file 'C:\Windows\Temp\nxlog-results.json'
</Output>
<Route 1>
Path in=> resultfile_out
</Route>My log shows the field captured, but with a semicolon instead of “raymondc”.2025-04-14 10:19:47 WARNING stopping nxlog service
2025-04-14 10:19:47 WARNING nxlog-ce received a termination request signal, exiting...
2025-04-14 10:19:49 WARNING not starting unused module out
2025-04-14 10:19:49 INFO nxlog-ce-3.2.2329 started
2025-04-14 10:21:49 WARNING unable to capture username: domain;aymondc
2025-04-14 10:25:22 WARNING stopping nxlog service
2025-04-14 10:25:23 WARNING nxlog-ce received a termination request signal, exiting...
2025-04-14 10:25:24 WARNING not starting unused module out
2025-04-14 10:25:24 INFO nxlog-ce-3.2.2329 started
Caleb created
Help converting Windows Event to JSON
Ryan1234 created
Hi,I’m leveraging the to_json() function to convert Windows Events to JSON before sending them. This generally works well, and most of the log is converted to JSON correctly. However, there’s a portion of the log where NXLog doesn’t format the data into proper JSON, instead inserting control characters like \r\n. This breaks the JSON formatting and results in an undesirable output.Here’s an example of a Windows Event that’s been converted to JSON. As you can see, the Message field includes control characters and retains the original structure of the event rather than being properly formatted as JSON:{"Channel":"Security","Message": "System audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tclient01$\r\n\tAccount Domain:\t\tmydomain\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tAccount Logon\r\n\tSubcategory:\t\tKerberos Service Ticket Operations\r\n\tSubcategory GUID:\t{foo}\r\n\tChanges:\t\tSuccess removed, Failure removed","Category":"Audit Policy Change"}Here’s an example of the output I’d like to achieve:{"Channel":"Security","Message":"System audit policy was changed.", "Subject":{"Security ID": "S-1-5-18","Account Name":"client01$","Account Domain":"mydomain","Logon ID":"0x3E7"},"Audit Policy Change":{"Category":"Account Logon","Subcategory":"Kerberos Service Ticket Operations","Subcategory GUID":"{foo}","Changes":"Success removed, Failure removed"},"Category":"Audit Policy Change"}Does anyone know if and how I can achieve this?NXLog CE is running on Windows Server 2022. Package version is 3.2.2329.
Ryan1234 created
libssl vulnerability
cschelin created
We're showing that NXLog CE has a DLL, libssl-1_1-x64.dll, that is using OpenSSL version 1.1.1q, which is vulnerable to CVE-2022-2097. Is there any plan to move to a newer version, or are there decent instructions for compiling the source code for Windows?
cschelin created
Using @startup or @reboot in a schedule
Tony Curoso created
Hello. I am using nxlog community edition 3.2.2329_ubuntu20_amd64.deb on ubuntu 20.04.6. I am trying to rotate and purge logs on a daily basis. This is a dev environment that shuts down from 6pm to 7am daily. I tried using a Schedule block with a directive of When to @startup but that throws an error when starting nxlog. Also tried @reboot and got the same error. Here are snippets of the nxlog.conf with @reboot. <Output fileout1> Module om_file File "/var/log/nxlog/syslog.txt" Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error"); Exec to_syslog_bsd();<Schedule> # This can likewise be used for `@weekly` or `@monthly` time periods. When @reboot # The following crontab-style is the same as `@daily` above. # When "0 0 * * *" # The `Every` directive could also be used in this case. #Every @startup Exec rotate_to(file_name() + strftime(now(), '_%Y-%m-%d')); </Schedule></Output>…<Output fileout2> Module om_file File "/var/log/nxlog/logmsg2.txt"</Output><Extension fileop>Module xm_fileop<Schedule> When @reboot # Delete logs older than 14 days (24x60x60x30) Exec file_remove('/var/log/nxlog/*.txt*', now() - 1209600);</Schedule></Extension> Here is the output from console when I try to start nxlogubuntu@ip-172-31-17-93:~$ sudo systemctl restart nxlogJob for nxlog.service failed because the control process exited with error code.See "systemctl status nxlog.service" and "journalctl -xe" for details.ubuntu@ip-172-31-17-93:~$ sudo systemctl status nxlog.service● nxlog.service - NXLog daemon Loaded: loaded (/lib/systemd/system/nxlog.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Fri 2025-02-28 09:49:47 PST; 29s ago Process: 2821 ExecStartPre=/usr/bin/nxlog -v (code=exited, status=1/FAILURE)Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Starting NXLog daemon...Feb 28 09:49:47 ip-172-31-17-93 nxlog[2821]: 2025-02-28 09:49:47 ERROR couldn't parse value for directive 'When': @reboot not supported at /etc/nxlog/nxlog.conf:43Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Control process exited, code=exited, status=1/FAILUREFeb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Failed with result 'exit-code'.Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Failed to start NXLog daemon. Seems like it does not like the When directive, but not sure why since it is in the documentation. nxlog starts fine if I use @daily, but since the system is shut down during the day change, the operations are not performed. Thanks!
Tony Curoso created
Windows 10 11 Server 2022 nxlog community edition missing events in syslog
Andreas created
Hello I startet central logging with nxlog community edition on windows most works finefinding a working nxlog.conf to graylog needs a lot of oursso I hope to find better help here in the community forum but missing several events in syslogfor exampleDns Client Events Event ID 1014AppCrash Outlook Exe Event ID 1001 At the Moment i need to send all Windows events to the graylog syslog server can you give me an example config file for logging all Windows events ? thanks my config file ++++++++++Panic Soft#NoFreeOnExit TRUEdefine ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\conf\nxlog.ddefine LOGDIR %ROOT%\data# define Application Crash Eventsdefine AppCrashes 1000, 1001, 1002include %CONFDIR%\\*.confdefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data<Extension _syslog> Module xm_syslog</Extension><Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec> Module xm_exec</Extension><Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') >= 5M)) \ file_cycle('%LOGFILE%', 8); </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); </Schedule></Extension><Extension _gelf> Module xm_gelf</Extension><Input win> Module im_msvistalog Query <QueryList>\ <Query Id="0">\ <Select Path="Application">*</Select>\ <Select Path="System">*</Select>\ <Select Path="Security">*</Select>\ </Query>\ </QueryList></Input><Output graylog> Module om_tcp Host syslog.geodata.local Port 3515 OutputType GELF</Output><Route graylog_route>Path win => graylog</Route>
Andreas created
Securonix SIEM ( NXLOG CE) Delay in Ingestion
L2.cdc@valuepointsystems.com created
Hi All,We are using NXlog CE to forward from windows server to SIEM. But we are facing issue in delay of ingestion of events. Error of NXlog file details is given. Please assist.
L2.cdc@valuepointsystems.com created
Is src/utils/csed used?
Raymond1 created
Is the binary src/utils/csed built or otherwise incorporated into the build?It doesn't look like it when I built it from source because the binary wasn't built by default, but I wanted to confirm.There is a buffer overflow in csed.c, and I need to make sure it doesn't find its way into the build.Thanks.
Raymond1 created
The NXLOG Process 100% CPU Load after Server restart.
Wolfgang E created
Hi NXLOG Community,the NXLOG Process 100% CPU Load after Server restart on Windows Systems.The Problemcause is simple but i dont understand why.A Handfull of Servers whit much logfiles (nxlogconfiguration use Wildcard for logfolder(s)).The Logfiles are written in the Cachefile and looks okay. But it feels like digs through all log files.Small footage of a Configuration:<Input catalina>
Module im_file
File 'C:\Tomcat\logs\\catalina*.log'
Recursive True
PollInterval 30
SavePos True
CloseWhenIdle True
<Exec>
#parse date
if $raw_event =~ /(\d\d\-\S\S\S-\d\d\d\d \d\d:\d\d:\d\d)/ $EventTime = strptime($1, '%d-%b-%Y%t%H:%M:%S');
# Now set the severity to something custom. This defaults to 'INFO' if unset.
if $raw_event =~ /\sSEVERE\s/ $Severity = 'CRITICAL';
else if $raw_event =~ /\sERROR\s/ $Severity = 'ERROR';
else if $raw_event =~ /\sWARN\s/ $Severity = 'WARNING';
else $Severity = 'INFO';
# The facility can be also set, otherwise the default value is 'USER'.
$SyslogFacility = 'AUDIT';
</Exec>
</Input>We use the Last CE Version.: nxlog-ce-3.2.2329Thanks, regards Wolfgang
Wolfgang E created
Insert custom text into log (raw event)
MAXIMUSLOLOL created
Hi,I am trying to insert a custom, static text into the raw event (so that the output has the custom text + the log). However, it refuses to work. The log output is the same whether I add or remove my exec $raw_event My config input and output look like this:
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id='0'>
<Select Path='System'></Select>
<Select Path='Application'></Select>
<Select Path='Security'>*</Select>
</Query>
</QueryList>
</QueryXML>
Exec $raw_event = "STATIC CONTENT" + $raw_event;
</Input>
<Output out>
Module om_udp
Host XX.XX.XX.XX
Port 514
Exec to_syslog_snare();
</Output>
<Route 1>
Path in => out
</Route>
Logs:2025-02-12 11:09:20 INFO nxlog-ce-3.2.2329 started
MAXIMUSLOLOL created
QRadar NXlog windows configuration for forward events coming as host events not from actual system
vk245@outlook.com created
Hello All, In NXlog Qradar windows configuration , we have setup forwarded events as well but the for the forwarded events the source is coming as host instead of client meachine or actual source. I would request your help in fixing this. I am using the below configuration define ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\conf\nxlog.ddefine LOGDIR %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data<Extension _syslog> Module xm_syslog</Extension><Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec> Module xm_exec</Extension><Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') >= 5M)) \ file_cycle('%LOGFILE%', 8); </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); </Schedule></Extension># Snare compatible example configuration# Collecting event log<Input in> Module im_msvistalog<QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'>*</Select> <Select Path='Security'>*[System/Level<4]</Select> <Select Path='System'>*</Select> <Select Path='ForwardedEvents'>*</Select> </Query> </QueryList> </QueryXML> <Exec> if $Category == undef $Category = 0; if $EventType == 'CRITICAL' { $EventTypeNum = 1; $EventTypeStr = "Critical"; } else if $EventType == 'ERROR' { $EventTypeNum = 2; $EventTypeStr = "Error"; } else if $EventType == 'INFO' { $EventTypeNum = 4; $EventTypeStr = "Informational"; } else if $EventType == 'WARNING' { $EventTypeNum = 3; $EventTypeStr = "Warning"; } else if $EventType == 'VERBOSE' { $EventTypeNum = 5; $EventTypeStr = "Verbose"; } else { $EventTypeNum = 0; $EventTypeStr = "Audit"; } if $OpcodeValue == 0 $Opcode = "Info"; if $TaskValue == 0 $TaskValue = "None"; $EpochTime = string(integer($EventTime)); $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/; $EpochTime = $sec; if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; } else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; } else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; } else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; } else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; } else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; } else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; } else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; } else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; } else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; } else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; } else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; } else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; } else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; } else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; } else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; } else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; } else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; } else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; } else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; } else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; } else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; } else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; } else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; } else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; } else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; } else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; } else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; } else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; } else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; } else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; } else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; } else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; } else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; } else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; } else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; } else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; } else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; } else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; } else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; } else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; } else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; } else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; } else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; } else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; } else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; } else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; } else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; } else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; } else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; } else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; } else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; } else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; } else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; } else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; } else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; } else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; } else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; } else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; } else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; } else { $TaskStr = "Unknown[" + $taskValue + "]"; } if $KeywordsStr == undef { if $TaskValue == 0 { $KeywordsStr = 'None'; } else { $KeywordsStr = '0'; } } if $TaskStr == undef { $TaskStr = $TaskValue; } if $EventType == 'AUDIT_SUCCESS' { $KeywordsStr = "Audit Success"; $EventTypeNum = 8; } else { $KeywordsStr = "Audit Failure"; $EventTypeNum = 16; } $Message = "AgentDevice=WindowsLog" + "\tAgentLogFile=" + $Channel + "\tSource=" + $SourceName + "\tComputer=" + hostname_fqdn() + "\tOriginatingComputer=" + host_ip() + "\tUser=" + $AccountName + "\tDomain=" + $Domain + "\tEventIDCode=" + $EventID + "\tEventType=" + $EventTypeNum + "\tEventCategory=" + $TaskValue + "\tRecordNumber=" + $RecordNumber + "\tTimeGenerated=" + $EpochTime + "\tTimeWritten=" + $EpochTime + "\tLevel=" + $EventTypeStr + "\tKeywords=" + $KeywordsStr + "\tTask=" + $TaskStr + "\tOpcode=" + $Opcode + "\tMessage=" + $Message; $Hostname = host_ip(); delete($SourceName); delete($Severity); delete($SeverityValue); to_syslog_bsd(); </Exec></Input>
vk245@outlook.com created
nxlog inserts #011 and #015 in logs
Engel created
Dear Community,I am using NXlog community edition and am experiencing the problem that using the following configuration, the log sent to rsyslog arrives with the characters #011 as tab and #015 as carriage return: <Extension _syslog> Module xm_syslog</Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension> <Extension _exec> Module xm_exec</Extension> <Extension json> Module xm_json</Extension> <Input internal> Module im_internal</Input> <Input eventlog> Module im_msvistalogQuery <QueryList>\ <Query Id="0">\ <Select Path="Application">*</Select>\ <Select Path="System">*</Select>\ <Select Path="Security">*</Select>\</Query>\</QueryList> Exec if ($EventID == 5156) OR ($EventID == 5158) drop(); Exec $HOSTNAME=hostname(); Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " ");# Exec $Message =~ s/(\t|\R)/ /g;# Exec $Message =~ s/(\t|\R|\011|\015)/ /g;</Input> <Output out> Module om_tcp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " "); Exec to_syslog_snare(); Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " ");</Output> <Route 1> Path eventlog, internal => out</Route> Can you tell me how to solve the problem? It seems not to remove the tab and carriage return characters.Thank you very much.
Engel created
Ubuntu 24.04 LTS Support
prot-jsalens created
Good day,I was wondering if the CE will be releasing a version for Ubuntu 24.04 since this is a LTS release.Thanks,Jesse
prot-jsalens created
Nxlog stops sending data to a route if another route is actively rejecting connections
kond_nxlog created
Nxlog stops sending data to a route if another route is actively rejecting connections.The other output stops sending data after a while (from a few minutes to a day), although TCP-connection is supported.We use 2 routes at the same time with 1 input.There is our nxlog config: “The in1 module is used by both routes. ”Planforms: Windows 2016/2019 and Windows 2022nxlog.conf<Route r1>
Path in => out1
</Route>
<Route r2>
Path in => out2
</Route>Logs:2024-11-21 13:28:53 INFO nxlog-ce-3.2.2329 started
2024-11-21 13:28:53 INFO connecting to Graylogserver:12523
2024-11-21 13:28:53 INFO connecting to Graylogserver:12527
2024-11-21 13:28:54 INFO reconnecting in 1 seconds
2024-11-21 13:28:54 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it.
2024-11-21 13:28:55 INFO connecting to Graylogserver:12523
2024-11-21 13:28:56 INFO reconnecting in 2 seconds
2024-11-21 13:28:56 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it.
2024-11-21 13:28:58 INFO connecting to Graylogserver:12523
kond_nxlog created
Sumo Logic Integration
A1 created
Hello!I am working on integrating NXLog with Sumo Logic. I followed the instructions on how to integrate with Sumo Logic in the setup documentation, but the logs are not being forwarded to Sumo Logic correctly, even though I receive the INFO successfully connected message. I believe it may be related to the token. My input is from an SSL connection (which is successfully connecting, I tested by diverting it to a file which I'm currently using as an intermediary until I figure this out). I have tried both options below. Module om_ssl Host syslog.collection.us1.sumologic.com Port 6514 CAFile %CERTDIR%\digicert_ca.crt Exec to_syslog_ietf(); Exec $raw_event =~ s/(\[.*])//g; \ $raw_event = replace($raw_event, \ '{', '[%SUMO_TOKEN%] {', 1); Module om_ssl Host syslog.collection.us1.sumologic.com Port 6514 CAFile %CERTDIR%\digicert_ca.crt Exec to_syslog_ietf(); Exec $raw_event =~ s/(\[NXLOG@14506.*?\])//g; \ $raw_event = replace($raw_event, \ '{', '[%SUMO_TOKEN%] {', 1);
A1 created
NXLog and local mail server (postfix) issues
Konstantinos12 created
Hello everyone,New to NXlog, doing the trial now and on setup I have encountered an issue with setting up the mail server and stuck there… It is a ubuntu server (AWS EC2) with postfix installed that relays to google.Postfix works as when trying: echo "This is the body of the email" | mail -s "This is the subject line" user@ourdomain.com -r nxlog@ourdomain.com - I get the email, not an issue.When I go to the mail server config of the web UI I always get “Failed to send email”, also the same when I try to change the email or password. I see nothing in the mail log so it seems it is not even trying to send the email?The settings I try are:Host: 127.0.0.1Port: 25Sender: nxlog@ourdomain.comUsername/Password: (empty) - as we don't auth for the local interface, this is just a local relay Any advice on how to proceed since I'm stuck on this step… :( Thank you!
Konstantinos12 created
exclude in im_file
HenkPuister created
I'm trying to configure an Exclude in im_file. I want to exclude logs with a date and number at the end of the filename. These files are already processed.Config:<Input PPS> Module im_file InputType multi_PPS File '%LOGDIR%\\*.log' # PPSPortaalManager_24-05-24_2.log Exclude '*_??-??-??_*.log' #. I've tried several notations, eg. double quotes instead of single, escaping the questionmarks. But none of them work. Searching for examples leads to 1 of 2 examples, which are very common examples, and none of them with wildcards.Using nxlog-ce-3.2.2329 .Has anyone a good, and working, example how to user Exclude in im_file?
HenkPuister created