Community Forum | Log collection solutions

README: how to ask questions effectively

Hi All,please adhere to the guidelines below to get faster responses to your queries.1 State the problem clearly:I am trying to collect logs from a log file using im_file and NXLog reads the whole file after each restart.2 Provide your configurationin a code block: ``` configuration text ```3 provide the contents of nxlog.log in a code block2023-04-12 08:00:27 INFO [CORE|main] configuration OK 2023-04-12 08:00:27 INFO [CORE|main] nxlog-5.7.7898 (68bb24e7e@REL_v5.7) started on Linux 2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] connecting to lab1.home(192.168.14.52):2514 2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] tcp connection established with lab1.home(192.168.14.52):2514 2023-04-12 08:00:27 INFO [xm_admin|admin] connecting to lab1.home(192.168.14.52):4041 2023-04-12 08:00:27 INFO [xm_admin|admin] tcp connection established with lab1.home(192.168.14.52):4041 2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan started 2023-04-12 08:00:28 ERROR [im_fim|fim] Module 'fim' could not open file '/opt/nxlog/bin/upgrade-nxsec.sh': Permission denied 2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan finished in 0.05 seconds. Scanned folders: 15 Scanned files: 102 Read file bytes: 156746314 provide environment descriptionNXLog CE is running on Windows 2022 server Package version is 3.2.23295 provide relevant detailsThis configuration has been working before we updated from version 2.11Now it does not6 if your problem involves parsing data provide samples of your input and expected output as well as what you actually getMy data looks like this:{"message": “message1”, "time": Thu 20 Apr 10:48:43 CEST 2023}I am getting an error:> error message hereI would like to receive the time in UNIX time (seconds since Epoch)Using this format enables us to get started much faster, and perhaps address your issue in the very first response we writeWould that not be great? :) Thanks for your cooperation!Gabor

gahorvath Nxlog ✓ created 1 year ago

Pinned Replies: 0

View post »
last updated 1 year ago

NXLog Community Edition

nxlog inserts #011 and #015 in logs

Dear Community,I am using NXlog community edition and am experiencing the problem that using the following configuration, the log sent to rsyslog arrives with the characters #011 as tab and #015 as carriage return: <Extension _syslog> Module xm_syslog</Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension> <Extension _exec> Module xm_exec</Extension> <Extension json> Module xm_json</Extension> <Input internal> Module im_internal</Input> <Input eventlog> Module im_msvistalogQuery <QueryList>\ <Query Id="0">\ <Select Path="Application">*</Select>\ <Select Path="System">*</Select>\ <Select Path="Security">*</Select>\</Query>\</QueryList> Exec if ($EventID == 5156) OR ($EventID == 5158) drop(); Exec $HOSTNAME=hostname(); Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " ");# Exec $Message =~ s/(\t|\R)/ /g;# Exec $Message =~ s/(\t|\R|\011|\015)/ /g;</Input> <Output out> Module om_tcp Host %OUTPUT_DESTINATION_ADDRESS% Port %OUTPUT_DESTINATION_PORT% Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " "); Exec to_syslog_snare(); Exec $Message = replace($Message, "#011", " "); Exec $raw_event = replace($raw_event, "#011", " ");</Output> <Route 1> Path eventlog, internal => out</Route> Can you tell me how to solve the problem? It seems not to remove the tab and carriage return characters.Thank you very much.

Engel created 1 week ago

Replies: 0

View post »
last updated 1 week ago

NXLog Community Edition

exclude in im_file

I'm trying to configure an Exclude in im_file. I want to exclude logs with a date and number at the end of the filename. These files are already processed.Config:<Input PPS> Module im_file InputType multi_PPS File '%LOGDIR%\\*.log' # PPSPortaalManager_24-05-24_2.log Exclude '*_??-??-??_*.log' #. I've tried several notations, eg. double quotes instead of single, escaping the questionmarks. But none of them work. Searching for examples leads to 1 of 2 examples, which are very common examples, and none of them with wildcards.Using nxlog-ce-3.2.2329 .Has anyone a good, and working, example how to user Exclude in im_file?

HenkPuister created 5 months ago

Replies: 1

View post »
last updated 1 month ago

NXLog Community Edition

apr_sockaddr_info failed

Hello there i try to forward logs radius to my elastic siem , i got this error when executing nxlog.exe -f :2024-10-07 11:16:37 INFO nxlog-ce-3.2.2329 started2024-10-07 11:16:37 INFO reconnecting in 1 seconds2024-10-07 11:16:37 ERROR apr_sockaddr_info failed for 172.19.14.51 # IP du serveur distant:514; Unknow Host. Here is the config (without ip for privacy) : <Extension _syslog> Module xm_syslog</Extension><Extension xml> Module xm_xml</Extension><Input radius_log> Module im_file File "D:\NPS\NPS Logs\IN2410.log" SavePos TRUE ReadFromLast TRUE PollInterval 1 Exec parse_xml("/Event"); </Input><Output remote_syslog> Module om_udp Host # IP SRV FORWARD Port 514</Output><Route radius_to_remote> Path radius_log => remote_syslog</Route> Is it possible to get everything in the source folder not just one ? Because the name change everymonth , example : october :IN2410.logNovember: IN2411.log December: IN2412.log etc Please Thnaks a lot

NOurdine created 1 month ago

Replies: 1

View post »
last updated 1 month ago

NXLog Community Edition

QRadar NXlog windows configuration for forward events coming as host events not from actual system

Hello All, In NXlog Qradar windows configuration , we have setup forwarded events as well but the for the forwarded events the source is coming as host instead of client meachine or actual source. I would request your help in fixing this. I am using the below configuration define ROOT C:\Program Files\nxlogdefine CERTDIR %ROOT%\certdefine CONFDIR %ROOT%\conf\nxlog.ddefine LOGDIR %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\data<Extension _syslog> Module xm_syslog</Extension><Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec> Module xm_exec</Extension><Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB <Schedule> Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') >= 5M)) \ file_cycle('%LOGFILE%', 8); </Schedule> # Rotate our log file every week on Sunday at midnight <Schedule> When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); </Schedule></Extension># Snare compatible example configuration# Collecting event log<Input in> Module im_msvistalog<QueryXML> <QueryList> <Query Id='0'> <Select Path='Application'>*</Select> <Select Path='Security'>*[System/Level<4]</Select> <Select Path='System'>*</Select> <Select Path='ForwardedEvents'>*</Select> </Query> </QueryList> </QueryXML> <Exec> if $Category == undef $Category = 0; if $EventType == 'CRITICAL' { $EventTypeNum = 1; $EventTypeStr = "Critical"; } else if $EventType == 'ERROR' { $EventTypeNum = 2; $EventTypeStr = "Error"; } else if $EventType == 'INFO' { $EventTypeNum = 4; $EventTypeStr = "Informational"; } else if $EventType == 'WARNING' { $EventTypeNum = 3; $EventTypeStr = "Warning"; } else if $EventType == 'VERBOSE' { $EventTypeNum = 5; $EventTypeStr = "Verbose"; } else { $EventTypeNum = 0; $EventTypeStr = "Audit"; } if $OpcodeValue == 0 $Opcode = "Info"; if $TaskValue == 0 $TaskValue = "None"; $EpochTime = string(integer($EventTime)); $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/; $EpochTime = $sec; if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; } else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; } else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; } else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; } else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; } else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; } else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; } else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; } else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; } else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; } else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; } else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; } else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; } else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; } else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; } else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; } else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; } else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; } else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; } else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; } else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; } else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; } else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; } else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; } else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; } else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; } else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; } else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; } else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; } else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; } else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; } else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; } else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; } else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; } else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; } else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; } else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; } else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; } else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; } else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; } else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; } else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; } else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; } else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; } else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; } else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; } else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; } else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; } else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; } else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; } else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; } else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; } else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; } else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; } else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; } else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; } else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; } else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; } else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; } else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; } else { $TaskStr = "Unknown[" + $taskValue + "]"; } if $KeywordsStr == undef { if $TaskValue == 0 { $KeywordsStr = 'None'; } else { $KeywordsStr = '0'; } } if $TaskStr == undef { $TaskStr = $TaskValue; } if $EventType == 'AUDIT_SUCCESS' { $KeywordsStr = "Audit Success"; $EventTypeNum = 8; } else { $KeywordsStr = "Audit Failure"; $EventTypeNum = 16; } $Message = "AgentDevice=WindowsLog" + "\tAgentLogFile=" + $Channel + "\tSource=" + $SourceName + "\tComputer=" + hostname_fqdn() + "\tOriginatingComputer=" + host_ip() + "\tUser=" + $AccountName + "\tDomain=" + $Domain + "\tEventIDCode=" + $EventID + "\tEventType=" + $EventTypeNum + "\tEventCategory=" + $TaskValue + "\tRecordNumber=" + $RecordNumber + "\tTimeGenerated=" + $EpochTime + "\tTimeWritten=" + $EpochTime + "\tLevel=" + $EventTypeStr + "\tKeywords=" + $KeywordsStr + "\tTask=" + $TaskStr + "\tOpcode=" + $Opcode + "\tMessage=" + $Message; $Hostname = host_ip(); delete($SourceName); delete($Severity); delete($SeverityValue); to_syslog_bsd(); </Exec></Input>

vk245@outlook.com created 1 month ago

Replies: 0

View post »
last updated 1 month ago

NXLog Community Edition

Unable to ingest logs from file having 150MB

Hi Team,Need help!We're unable to ingest the logs from the file ‘output.json,’ which is 150MB in size. But i am able to send the logs from file ‘output.json’ which is 10MB in size to the forwarder.Below is the NXLog Community Edition Config file. Please help me is there anything to modify the Config file.define ROOT C:\Program Files\nxlogdefine ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <Forwarder IP>define ADCONTEXT_OUTPUT_DESTINATION_PORT <Port>Moduledir %ROOT%\modulesCacheDir %ROOT%\dataPidfile %ROOT%\data\nxlog.pidSpoolDir %ROOT%\dataLogFile %ROOT%\data\nxlog.log<Extension json> Module xm_json</Extension><Input in_adcontext> Module im_file File "C:\AD\output.json" DirCheckInterval 3600 PollInterval 3600</Input><Output out_chronicle_adcontext> Module om_tcp Host %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS% Port %ADCONTEXT_OUTPUT_DESTINATION_PORT%</Output><Route ad_context_to_chronicle> Path in_adcontext => out_chronicle_adcontext</Route>

krishnap created 2 months ago

Replies: 1

View post »
last updated 1 month ago

NXLog Community Edition

The NXLOG Process 100% CPU Load after Server restart.

Hi NXLOG Community,the NXLOG Process 100% CPU Load after Server restart on Windows Systems.The Problemcause is simple but i dont understand why.A Handfull of Servers whit much logfiles (nxlogconfiguration use Wildcard for logfolder(s)).The Logfiles are written in the Cachefile and looks okay. But it feels like digs through all log files.Small footage of a Configuration:<Input catalina> Module im_file File 'C:\Tomcat\logs\\catalina*.log' Recursive True PollInterval 30 SavePos True CloseWhenIdle True <Exec> #parse date if $raw_event =~ /(\d\d\-\S\S\S-\d\d\d\d \d\d:\d\d:\d\d)/ $EventTime = strptime($1, '%d-%b-%Y%t%H:%M:%S'); # Now set the severity to something custom. This defaults to 'INFO' if unset. if $raw_event =~ /\sSEVERE\s/ $Severity = 'CRITICAL'; else if $raw_event =~ /\sERROR\s/ $Severity = 'ERROR'; else if $raw_event =~ /\sWARN\s/ $Severity = 'WARNING'; else $Severity = 'INFO'; # The facility can be also set, otherwise the default value is 'USER'. $SyslogFacility = 'AUDIT'; </Exec> </Input>We use the Last CE Version.: nxlog-ce-3.2.2329Thanks, regards Wolfgang

Wolfgang E created 4 months ago

Replies: 2

View post »
last updated 1 month ago

NXLog Community Edition

im_tcp with InputType LineBased occasional truncated lines

Hi folks,We have an NXLog CE 3.2.2329 configuration using im_tcp with InputType LineBased, receiving blobs of JSON separated by newlines. The received data is passed to xm_perl and then relayed to an output.Under some conditions where there may be thousands of events per second, there is a very rare chance for one event to be truncated at the end yielding an incomplete json blob. We've verified that the input data coming from upstream is valid, fully formed JSON - the emitter encoding logs look OK. The preceeding and following lines are also received and parsed successfully. Has anybody else experienced similar behavior? At this point we suspect a bug in NXLog, considering that it occurs very infrequently (2-3 days between recurrences) and it only occurs during periods of relatively high load (normal load is ~150 events per second, load when issue occurs is ~800/s+)Relevant configuration: <Extension gelf>Module xm_gelf</Extension><Extension perl>Module xm_perlPerlCode /etc/nxlog/scripts/parse_mist.pl</Extension><Input mist_tcp>Module im_tcpHost 0.0.0.0Port 32768InputType LineBased<Exec>perl_call("parse_mist");if $nxlog_internal_drop_log drop();</Exec></Input><Output graylog>Module om_udpHost xPort 12201OutputType GELF</Output><Route graylog>Path mist_tcp => graylog</Route>

sgcaveney created 3 months ago

Replies: 4