Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
README: how to ask questions effectively
gahorvath
Hi All,

please adhere to the guidelines below to get faster responses to your queries.

1. State the problem clearly:

   I am trying to collect logs from a log file using im_file and NXLog reads the whole file after each restart.

2. Provide your configuration in a code block:

   ```
   configuration text
   ```

3. Provide the contents of nxlog.log in a code block:

   ```
   2023-04-12 08:00:27 INFO [CORE|main] configuration OK
   2023-04-12 08:00:27 INFO [CORE|main] nxlog-5.7.7898 (68bb24e7e@REL_v5.7) started on Linux
   2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] connecting to lab1.home(192.168.14.52):2514
   2023-04-12 08:00:27 INFO [om_batchcompress|to_relay] tcp connection established with lab1.home(192.168.14.52):2514
   2023-04-12 08:00:27 INFO [xm_admin|admin] connecting to lab1.home(192.168.14.52):4041
   2023-04-12 08:00:27 INFO [xm_admin|admin] tcp connection established with lab1.home(192.168.14.52):4041
   2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan started
   2023-04-12 08:00:28 ERROR [im_fim|fim] Module 'fim' could not open file '/opt/nxlog/bin/upgrade-nxsec.sh': Permission denied
   2023-04-12 08:00:28 INFO [im_fim|fim] Module 'fim': FIM scan finished in 0.05 seconds. Scanned folders: 15 Scanned files: 102 Read file bytes: 15674631
   ```

4. Provide an environment description:

   NXLog CE is running on Windows 2022 server. Package version is 3.2.2329.

5. Provide relevant details:

   This configuration has been working before we updated from version 2.11. Now it does not.

6. If your problem involves parsing data, provide samples of your input and expected output as well as what you actually get:

   My data looks like this:

   ```
   {"message": "message1", "time": Thu 20 Apr 10:48:43 CEST 2023}
   ```

   I am getting an error:

   > error message here

   I would like to receive the time in UNIX time (seconds since Epoch).

Using this format enables us to get started much faster, and perhaps address your issue in the very first response we write. Would that not be great? :)

Thanks for your cooperation!
Gabor
gahorvath
receipt of special characters in logs
Adrien-10
Hi all,

I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.

For this configuration, I use im_msvistalog for input and om_tcp with the Exec to_syslog_ietf(); command to send them to the rsyslog server.

```
<Input Source_Eventlogs>
    Module im_msvistalog
</Input>

<Output Dest_LogServer>
    Module om_tcp
    Host 192.168.1.1
    Port 514
    Exec to_syslog_ietf();
</Output>

<Route send>
    Path Source_Eventlogs => Dest_LogServer
</Route>
```

In the rsyslog server I receive logs using a template which sends logs to the right folder and then the right log file:

```
$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log"
*.info -?DynamicFile
```

When I receive the logs, they have some replacement characters like #015 or #011.

I tried to do the setup with this Exec command at the input and at the output and it doesn't convert the logs:

```
Exec $raw_event = replace($raw_event, "\t", " ");
```

Kind regards
Adrien
Adrien-10
Not enough fields in CSV input
rico.mueller
Hello,

I'm currently trying to send logs from our Exchange Server to a log collector. Sadly, when I check the NXLog logs I see the error "Not enough fields in CSV input". Does anyone know what to do in this case?

```
ERROR if-else failed at line 43, character 3 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; procedure 'parse_csv' failed at line 39, character 35 in C:\Program Files (x86)\nxlog\conf\nxlog.conf. statement execution has been aborted; Not enough fields in CSV input, expected 30, got 1 in input
```

Configuration code:

```
#This sample nxlog.conf file can be used to collect the Exchange Message Tracking Log and send it to Cybereason XDR.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
define CertDir C:\Program Files (x86)\nxlog\cert

#Define the modules that will be used by nxlog.
<Extension json>
    Module xm_json
</Extension>

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension MessageTrackingLog>
    Module xm_csv
    Fields $date-time,$client-ip,$client-hostname,$server-ip,$server-hostname,$source-context,$connector-id,$source,$event-id,$internal-message-id,$message-id,$network-message-id,$recipient-address,$recipient-status,$total-bytes,$recipient-count,$related-recipient-address,$reference,$message-subject,$sender-address,$return-path,$message-info,$directionality,$tenant-id,$original-client-ip,$original-server-ip,$custom-data,$transport-traffic-type,$log-id,$schema-version
    Delimiter
    QuoteMethod None
</Extension>

<Input in_MessageTrackingLog>
    Module im_file
    File 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG'
    InputType LineBased
    SavePos TRUE
    PollInterval 1
    <Exec>
        if $raw_event =~ /^#/ drop();
        else
        {
            MessageTrackingLog->parse_csv();
            $EventTime = parsedate($date + " " + $time);
            $SourceName = "MessageTrackingLog";
            $raw_event = to_json();
        }
    </Exec>
</Input>

<Output out_MesssageTrackingLog>
    Module om_udp
    #This is the IP address of the Cybereason XDR Collector
    Host X.X.X.X
    #This is the port configured on the Universal Event Source
    Port XXXX
</Output>

<Route 1>
    Path in_MessageTrackingLog => out_MesssageTrackingLog
</Route>
```

Thanks a lot :)
rico.mueller
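As an added example (not the poster's configuration or NXLog's code), a small Python model of what the posted Exec block does to a tracking-log line: drop `#` header lines, split the record into the 30 field names from the xm_csv Fields directive, derive an epoch EventTime from the date-time field (assumed to be in the ISO 8601 form Exchange writes), and report a field-count mismatch in the same words nxlog.log uses. Splitting a record on a delimiter that never occurs in it yields exactly one value, which is how "expected 30, got 1" arises, so running the same check against a real line from MSGTRK*.LOG shows whether the file and the Delimiter setting agree; the sample lines below are constructed.

```python
"""Offline model of the Exec block in the posted Exchange tracking-log config:
drop '#' header lines, split each record into the 30 named fields, derive an
epoch EventTime, and report any record whose field count does not match.

Added example, not NXLog's or the poster's code. The sample lines are
constructed; the field list is the one from the posted xm_csv Fields line."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The 30 field names from the posted xm_csv extension (without the '$').
FIELDS = [
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "network-message-id", "recipient-address", "recipient-status",
    "total-bytes", "recipient-count", "related-recipient-address", "reference",
    "message-subject", "sender-address", "return-path", "message-info",
    "directionality", "tenant-id", "original-client-ip", "original-server-ip",
    "custom-data", "transport-traffic-type", "log-id", "schema-version",
]

# Constructed sample: one header line (Exchange prefixes these with '#') and
# one RECEIVE record with exactly 30 comma-separated values, empty ones included.
SAMPLE = [
    "#Fields: " + ",".join(FIELDS),
    "2023-04-12T08:00:27.123Z,10.0.0.5,mail01,10.0.0.9,mail01.example.test,"
    "08DB3B2C3D4E5F60;0,Default MAIL01,SMTP,RECEIVE,12345,<id@example.test>,"
    "0a1b2c3d-0000-0000-0000-000000000000,alice@example.test,"
    "250 2.1.5 Recipient OK,4096,1,,,Hello,bob@example.test,bob@example.test,"
    "LRT=0,Incoming,,,,S:Foo=Bar,Email,LOG-ID-0001,15.01.2507.023",
]


def parse_tracking_line(line: str, delimiter: str = ",") -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None for a '#' comment line.

    QuoteMethod None in the posted config means a plain split on the
    delimiter; a count mismatch raises with the wording nxlog.log uses,
    so the two are easy to line up."""
    if line.startswith("#"):
        return None
    values = line.rstrip("\r\n").split(delimiter)
    if len(values) != len(FIELDS):
        raise ValueError(
            f"Not enough fields in CSV input, expected {len(FIELDS)}, got {len(values)}"
        )
    return dict(zip(FIELDS, values))


def to_event(record: Dict[str, str]) -> Dict[str, object]:
    """Add EventTime (seconds since the epoch, UTC) and SourceName, as the
    posted Exec block does; the timestamp comes from the single 'date-time'
    field, assumed to be ISO 8601 with millisecond precision and a 'Z'."""
    when = datetime.strptime(record["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
    event: Dict[str, object] = dict(record)
    event["EventTime"] = int(when.replace(tzinfo=timezone.utc).timestamp())
    event["SourceName"] = "MessageTrackingLog"
    return event


def process(lines: List[str], delimiter: str = ",") -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (events, errors). A delimiter that never occurs in a record
    yields exactly one value, which is what 'expected 30, got 1' looks like."""
    events: List[Dict[str, object]] = []
    errors: List[str] = []
    for line in lines:
        try:
            record = parse_tracking_line(line, delimiter)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if record is not None:
            events.append(to_event(record))
    return events, errors


if __name__ == "__main__":
    import json
    # Comma matches the sample; tab does not and reproduces the 'got 1' case.
    for delim, label in ((",", "comma"), ("\t", "tab")):
        evs, errs = process(SAMPLE, delim)
        print(f"{label}: {len(evs)} event(s), {len(errs)} error(s)")
        for ev in evs:
            print(json.dumps(ev))
        for err in errs:
            print("ERROR", err)
```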
nxlog-ce invalid keyword ListenAddr with im_ssl
tbernhar@sunmaid.com
Attempting to configure an SSL listener with nxlog-ce-3.21.2329 and getting:

```
ERROR invalid keyword: ListenAddr at /etc/nxlog/nxlog.d/dhcplogs.conf:10
```

Input portion of the dhcplogs.conf file:

```
<Input SSL>
    Module im_ssl
    Port 2048
    ListenAddr 0.0.0.0
    CAFile %CERTDIR%/myca.pem
    CertFile %CERTDIR%/user-cert.pem
    CertKeyFile %CERTDIR%/user-key.pem
    InputType Binary
</Input>
```

I initially had Port after ListenAddr but all it did was change which line the error was reported on.

Everything I've read and seen says it is supported and should work. Does anyone have any ideas or pointers on why this isn't working?

This is on Ubuntu 22.04 LTS Server if that makes any difference.

TIA
Tim
tbernhar@sunmaid.com
Need help understanding the use of the buffer module in the TCP module of NXLog Community Edition
Prakash
Dear Team,

Issue:

1. I'm trying to use NXLog Community Edition to send logs to Kiwi Syslog. I'm using the TCP connection method. I noticed that when I disconnect the destination for some period of time, after turning it back up after some hours, I can still see the logs that were generated during the destination downtime. This is happening even without the buffer module. I'm wondering what the use of the buffer module in the TCP module is. Is it necessary to use the buffer module to ensure that all logs are sent to the destination, even if the destination is temporarily unavailable?

2. From the below configuration file, if we use a memory and disk-based buffer, how will the logs be allocated? And if it creates a buffer logs.q file, what is the maximum size of each file?

Configuration:

```
## Please set the ROOT to your nxlog installation directory
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input generate_data>
    Module im_testgen
    #Maxcount 100
    Exec to_syslog_bsd();
</Input>

# Monitor Windows event logs
#<Input eventlog>
#    Module im_msvistalog
#</Input>

<Processor buffer>
    Module pm_buffer
    #10 MB buffer
    MaxSize 10000
    Type Disk MEM
    #warn at 5MB
    WarnLimit 5000
</Processor>

<Output logs_output>
    Module om_file
    File "C:\Users\test\output_logs.log"
</Output>

<Output tcp>
    Module om_tcp
    Host 192.168.x.x
    Port 1514
</Output>

<Route 1>
    Path generate_data => buffer => logs_output => tcp
</Route>
```

(For testing I'm using the testgen module.)

Environment description: Windows 10 IoT Enterprise. Version: NXLog Community, latest version.
Prakash
Many files sending logs to a Rsyslog server
Adrien-10
Hi all,

I am currently using Nxlog CE v3.2.2329 in a Virtual Machine Windows 10 21H2 for sending logs to a Rsyslog server using Syslog RFC5424 version.

For this configuration, I use im_msvistalog for input and om_tcp with the Exec to_syslog_ietf(); command to send them to the rsyslog server.

```
<Input Source_Eventlogs>
    Module im_msvistalog
</Input>

<Output Dest_LogServer>
    Module om_tcp
    Host 192.168.1.1
    Port 514
    Exec to_syslog_ietf();
</Output>

<Route send>
    Path Source_Eventlogs => Dest_LogServer
</Route>
```

In the rsyslog server I receive logs using a template which sends logs to the right folder and then the right log file:

```
$template DynamicFile,"/var/log/rsyslog/%HOSTNAME%/%syslogseverity-text%.log"
*.info -?DynamicFile
```

I met a first issue with security logs which were sent to a folder using the IP address. I assumed the issue was due to a failed name resolution, and after adding the Nxlog client name to the /etc/hosts file it solved the first issue.

I met a second issue with event logs which create many folders in the rsyslog folder because the logs are sent without hostname. For example I receive logs in a folder named VMICTimeProvider and when I look at the notice.log file I can see that there is no hostname:

```
cat VMICTimeProvider/notice.log
2023-07-22T09:18:39.022270+00:00. VMICTimeProvider (Local)
2023-07-23T09:40:51.040169+00:00. VMICTimeProvider (Local)
2023-07-24T08:03:51.264202+00:00. VMICTimeProvider (Local)
```

I tried to correct the reception on the rsyslog side with conditions like:

```
if $fromhost-ip=='1.2.3.4'
then {
    actions
}
. -?WindowsLogs
$template WindowsLogs,"/var/log/rsyslog/Windows/Windows/log"
```

But I have to add a line for every Windows collection in the file, and I think if I want to transfer the logs to another file server I will have log lines with missing hostname and I will meet the same problem.

Thank you for your help.

Kind regards.
Adrien
Adrien-10
Unable to add additional exec statements
Justin Courtney
We have the following filter applied to our ms_vistalog_filtered.conf, which is working:

```
Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
<Exec>
    $Hostname = hostname_fqdn();
    to_json();
</Exec>
```

If I attempt to add anything to this filter, logs stop coming in entirely. I have tried using a single block, multiple Exec commands, and multiple Exec blocks. I ultimately need to filter out EventID 4663 for some of our noisy applications. My single block filter looks like this:

```
<Exec>
    if
    ($EventID NOT IN (%MonitoredEventIds%)
    or (($EventID == 4663)
    and ($raw_event =~ /c:\\\\program\sfiles\\\\java\\\\jre1\.8\.0_92\\\\bin\\\\java\.exe/i
    or $raw_event =~ /c:\\\\programdata\\\\oracle\\\\java\\\\javapath_target_185880968\\\\java\.exe/i
    or $raw_event =~ /c:\\\\program\sfiles\\\\java\\\\jdk1\.8\.0_92\\\\bin\\\\java\.exe/i
    or $raw_event =~ /d:\\\\java\\\\jdk1\.8\.0_181\\\\jre\\\\bin\\\\java\.exe/i
    or $raw_event =~ /c:\\\\program\sfiles\\\\git\\\\mingw64\\\\bin\\\\git\.exe/i
    or $raw_event =~ /c:\\\\programdata\\\\oracle\\\\java\\\\javapath_target_1471633062\\\\java\.exe/i
    or $raw_event =~ /c:\\\\windows\\\\system32\\\\netstat\.exe/i))
    ) drop();
    $Hostname = hostname_fqdn();
    to_json();
</Exec>
```

I have also tried something as simple as:

```
Exec if $EventID NOT IN (%MonitoredEventIds%) drop();
Exec if $raw_event =~ /c:\\windows\\system32\\netstat.exe/i drop();
<Exec>
    $Hostname = hostname_fqdn();
    to_json();
</Exec>
```

There are many other iterations, but I think these illustrate the simplest filters we've tried. Any change to the filter and restart of the nxlog service results in all logs being dropped, not just EID 4663. Is there something wrong in my syntax or some other issue I am missing?
Justin Courtney
Config file to extract MS Exchange logs to syslog format over TCP
loghero
Hi there,

I am stranded with a problem of sending Exchange server logs in syslog format over TCP. I performed a trial for fetching connect logs using the csv module and sending them in syslog format over TCP. Once I run the service, I don't get any output over TCP, nor any errors. I wanted to know what I'm doing wrong. Please help!

(PS: I removed my destination IP and port.)

```
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension csv>
    Module xm_csv
    Fields date-time, connector-id, session-id, sequence-number, \
           local-endpoint, remote-endpoint, event, data, context
</Extension>

<Input in>
    Module im_file
    File "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity\CONNECTLOG*.LOG"
    <Exec>
        csv->parse_csv();
        to_syslog_ietf();
    </Exec>
</Input>

<Output out>
    Module om_tcp
    Host ####
    Port ####
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path in => out
</Route>
```
loghero
HTTP Headers in community edition?
Jeffrey Brinkerhoff
I have a very small (read: no budget) project that NXlog would be a perfect fit for: parsing, reformatting, and moving logs from a third party app to our Splunk server. I have a config that is simple and would work perfectly, except I did not realize until today that the CE does not support HTTP headers. (I had been using the EE documentation apparently.) I found this out via a Google search on this old thread: https://nxlog.co/community-forum/t/648-adding-custom-header-om-http

That was 4 years ago, and it mentioned that HTTP header support is not in the CE yet. Are there any plans to add this? It seems like pretty basic HTTP functionality, even more so than HTTPS/SSL support (which must have been far more involved to implement). Without any idea on pricing at all on the EE (again, zero or close to it budget) and no "in between" edition, it seems like a shame that I cannot make this work with the CE.

Any ideas? An alternate way to get logs into Splunk using the CE would also work for me. Any help greatly appreciated!
Jeffrey Brinkerhoff
RHEL7 CE Edition Missing All Modules
agrecoUCM
We have a Linux host we have installed nxlog-ce-3.2.2329_rhel7.x86_64.rpm with yum on. The install did not create the modules folder and it seems we have none of the required files. Is there a way that this all needs to be separately installed? Is it possible this nxlog-ce-3.2.2329_rhel7.x86_64.rpm package did not install fully?
agrecoUCM
ERROR couldn't connect to tcp socket
tariotics
Hi All,

We would like to check what could be the cause when getting the below error message in nxlog.log when using port 514?

```
ERROR couldn't connect to tcp socket on logs-01.loggly.com:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
INFO connecting to 192.168.1.1:514
INFO reconnecting in 2 seconds
```

We are from SolarWinds Loggly and are helping a customer to identify the cause as to why they are getting the above error message. From our documentation, we already advised them to edit the configuration file as "Administrator", which means that you should actually open up the text editor as Administrator, but the issue still persists. Reference: https://documentation.solarwinds.com/en/success_center/loggly/content/admin/troubleshooting-nxlog.htm#Check-Connection

The customer is using the latest version of NXLog Community Edition (nxlog-ce-3.2.2329). Is this a bug?
tariotics
File Deletion OnEOF
bubbre01
Is it possible to perform a file deletion on the end of the file in the community edition with something like the below configuration?

```
<Input csv>
    Module im_file
    ReadFromLast True
    SavePos True
    PollInterval 300
    File 'file/location'
    # Parse the CSV events
    <Exec>
        csv->parse_csv();
    </Exec>
    <OnEOF>
        <Exec>
            file_remove(file_name());
        </Exec>
        GraceTimeout 10
    </OnEOF>
</Input>
```
bubbre01
Problem sending new logs with im_file to remote SIEM
lucasbittencourt
I have a setup with nxlog to collect audit log files that come to me daily. Each day the file name changes. I noticed that the incoming files are not sent to my remote SIEM, only the first one after restarting the NXLOG service.

Below is my NXLOG configuration using the im_file and om_tcp modules. Would anyone have an idea how to resolve this?

```
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

#######################################################################
# EXTENSIONS
#######################################################################
<Extension _gelf>
    Module xm_gelf
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input auditoria>
    Module im_file
    File "E:\Dataside\SIEM*.json"
    ReadFromLast False
    SavePos False
</Input>

<Output graylog>
    Module om_tcp
    Host 10.100.8.113
    Port 5555
</Output>

<Route auditoria-to-graylog>
    Path auditoria => graylog
</Route>
```
lucasbittencourt
NXLog CE - SLES 12 or SLES 15?
mchojnacki
Which version of the SUSE distribution supports the available NXLog CE package?The following message appears during the download:
mchojnacki
Are the config files different between Community and Enterprise editions
PaulBagnell
I am trying to migrate our functional Enterprise config to Community on other devices.

Thanks,
Paul
PaulBagnell
SQL Integration | NXLog configuration errors
Mary Joy Baquilar
Hello There,

We're in the process of collecting SQL server logs and followed the instructions in this link (Example 2): https://nxlog.co/documentation/nxlog-user-guide/mssql.html

We are having the following error message:

```
ERROR if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 53, character 47 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 53, character 46 in c:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
ERROR if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; if-else failed at line 73, character 9 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; assignment failed at line 53, character 47 in c:\Program Files\nxlog\conf\nxlog.conf. statement execution has been aborted; function 'parsedate' failed at line 53, character 46 in c:\Program Files\nxlog\conf\nxlog.conf. expression evaluation has been aborted; 'unknown' type argument is invalid
ERROR last message repeated 2 times
```

We're using the latest version of the community edition. Here is a snippet from the config file, including the line numbers as reference to the error above. Let us know if you need further information. Many thanks.
Mary Joy Baquilar
find file and execute gzip command
Sajeshvv23
Hi,

I am using the CE edition and looking for a setup which will find certain files and zip them using gzip. The below command runs successfully on the CLI:

```
find /home/syslog_admin/*.log -daystart -mtime +0 -print -exec gzip -f {} \;
```

How do I execute the above using nxlog.conf? I tried:

```
exec_async("/usr/bin/gzip", "/home/syslog_admin/*.log" -daystart -mtime +0 -print -exec "/usr/bin/gzip -f {} \;
```

but it is not working. I also tried the below, but no luck:

```
exec_async("/usr/bin/find", "/home/syslog_admin/*.log","-daystart", "-mtime", "+0", "-print", "-exec", "/usr/bin/gzip", "-f", "{}", "\;");
```
Sajeshvv23
Regression with symlinks in Linux
NickJH
I originally asked about symlinks in a thread https://nxlog.co/community-forum/t/1518-wildcard-paths-not-working-with-symlinks, but was told that symlinks just didn't work. Pity. But I had a working config which worked around the issue. I'll reproduce the file structure here:

```
/opt/tomcat-onesite/bin
|                  /logs
|                  /etc....
|-/tomcat-anothersite/bin
|                    /logs
|                    /etc....
|-/tomcat-somewhereelse/bin
|                      /logs
|                      /etc....
|-/tomcat-etc...
|-/tomcat-logs/onesite -> /opt/tomcat-onesite/logs
              /anothersite -> /opt/tomcat-anothersite/logs
              /somewhereelse -> /opt/tomcat-somewhereelse/logs
              /etc ....
```

Now, with nxlog-ce-2.9.x or 2.10.x, I could define a path of /opt/tomcat-logs/* and nxlog would start. It wouldn't read any symlinks under it but it would start. Now with any of the 3.x series, nxlog won't even start if there is a symlink directly in /opt/tomcat-logs. I can sort of get by with /opt/tomcat-logs/*/* in that particular case but it doesn't help with another part of the setup where there are valid files in the equivalent of /opt/tomcat-logs at the same time. How or where can I report bugs or regressions?
NickJH
When collecting windows exchange tracking log, I encountered a strange problem
Chung Wang
Hi, I have a very strange question to ask.

When collecting the Windows Exchange tracking log, I encountered a strange problem. If you delete files older than 7 days in the tracking log folder, nxlog will generate an error, and at the same time the Exchange system will also be affected and cannot operate.

Error log:

```
2023-02-15 10:39:04 INFO nxlog-ce-3.1.2319 started
2023-02-15 10:44:31 ERROR apr_stat() failed on file E:\Log\IIS\W3SVC2\u_ex230207.log; 存取被拒。
2023-02-15 10:44:31 WARNING input file was deleted: E:\Log\IIS\W3SVC1\u_ex230207.log
2023-02-15 10:44:33 WARNING input file was deleted: E:\Log\IIS\W3SVC2\u_ex230207.log
2023-02-15 11:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-4.LOG; 存取被拒。
2023-02-15 11:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-4.LOG
2023-02-15 11:32:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-5.LOG; 存取被拒。
2023-02-15 11:32:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-5.LOG
2023-02-15 12:00:01 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-6.LOG; 存取被拒。
2023-02-15 12:00:03 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-6.LOG
2023-02-15 13:43:11 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-7.LOG; 存取被拒。
2023-02-15 13:43:13 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-7.LOG
2023-02-15 14:00:02 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-8.LOG; 存取被拒。
2023-02-15 14:00:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-8.LOG
2023-02-15 14:32:56 ERROR apr_stat() failed on file E:\Log\MessageTracking\MSGTRK2023021005-9.LOG; 存取被拒。
2023-02-15 14:32:58 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-9.LOG
2023-02-15 15:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-10.LOG
2023-02-15 15:31:04 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-11.LOG
2023-02-15 16:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021005-12.LOG
2023-02-15 16:33:08 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-1.LOG
2023-02-15 17:00:02 WARNING input file was deleted: E:\Log\MessageTracking\MSGTRK2023021006-2.LOG
2023-02-15 17:12:10 WARNING stopping nxlog service
2023-02-15 17:12:10 WARNING nxlog-ce received a termination request signal, exiting...
```

nxlog config:

```
## Please set the ROOT to the folder your nxlog was installed into, otherwise it will not start.
define NCloud 172.21.30.1
define MailLog E:\Log\MessageTracking
define IISLog E:\Log\IIS
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

## Load the modules needed by the outputs
<Extension syslog>
    Module xm_syslog
</Extension>

## For Exchange Message Tracking log file use the following:
<Input in_maillog>
    Module im_file
    File '%MailLog%\MSGTRK*.LOG'
    ReadFromLast TRUE
    SavePos TRUE
</Input>

<Output out_maillog>
    Module om_udp
    Host %NCloud%
    Port 514
    Exec $SyslogFacilityValue = 2;
    Exec $SourceName = 'Exchange';
    Exec to_syslog_bsd();
</Output>

<Route maillog>
    Path in_maillog => out_maillog
</Route>

## For Windows Event log use the following:
<Input in_eventlog>
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos TRUE
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4626 or EventID=4627 or EventID=4634 or EventID=4646 or EventID=4647 or EventID=4648 or EventID=4649 or EventID=4672 or EventID=4675)]]</Select> \
            <Select Path="Security">*[System[(EventID=4778 or EventID=4779 or EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803 or EventID=4964 or EventID=4976 or EventID=5378 or EventID=5632 or EventID=5633)]]</Select> \
            <Select Path="Security">*[System[(EventID=4768 or EventID=4769 or EventID=4770 or EventID=4771 or EventID=4772 or EventID=4773 or EventID=4774 or EventID=4775 or EventID=4776 or EventID=4777 or EventID=4820)]]</Select> \
            <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4727 or EventID=4731 or EventID=4732 or EventID=4733 or EventID=4734)]]</Select> \
            <Select Path="Security">*[System[(EventID=4735 or EventID=4738 or EventID=4739 or EventID=4740 or EventID=4749 or EventID=4750 or EventID=4751 or EventID=4752 or EventID=4753 or EventID=4764 or EventID=4765)]]</Select> \
            <Select Path="Security">*[System[(EventID=4766 or EventID=4767 or EventID=4780 or EventID=4781 or EventID=4782 or EventID=4793 or EventID=4794 or EventID=4797 or EventID=4798 or EventID=4799 or EventID=5376 or EventID=5377)]]</Select> \
            <Select Path="Security">*[System[(EventID=4608 or EventID=4610 or EventID=4611 or EventID=4612 or EventID=4614 or EventID=4615 or EventID=4616 or EventID=4618 or EventID=4621 or EventID=4622 or EventID=4697)]]</Select> \
            <Select Path="Security">*[System[(EventID=5024 or EventID=5025 or EventID=5027 or EventID=5028 or EventID=5029 or EventID=5030 or EventID=5032 or EventID=5033 or EventID=5034 or EventID=5035 or EventID=5037)]]</Select> \
            <Select Path="Security">*[System[(EventID=5038 or EventID=5056 or EventID=5058 or EventID=5059 or EventID=5061 or EventID=5890 or EventID=6281 or EventID=6400 or EventID=6401 or EventID=6402 or EventID=6403)]]</Select> \
            <Select Path="Security">*[System[(EventID=6404 or EventID=6405 or EventID=6406 or EventID=6407 or EventID=6408 or EventID=6409 or EventID=6410)]]</Select> \
        </Query> \
    </QueryList>
</Input>

<Output out_eventlog>
    Module om_udp
    Host %NCloud%
    Port 514
    Exec $SyslogFacilityValue = 17;
    Exec $Message = string($SourceName) + ": " + string($EventID) + ": " + $Message;
    Exec if ($EventType == 'ERROR' or $EventType == 'AUDIT_FAILURE') { $SyslogSeverityValue = 3; } \
         else if ($EventType == 'WARNING') { $SyslogSeverityValue = 4; } \
         else if ($EventType == 'INFO' or $EventType == 'AUDIT_SUCCESS') { $SyslogSeverityValue = 5; }
    Exec to_syslog_bsd();
</Output>

<Route eventlog>
    Path in_eventlog => out_eventlog
</Route>

## For Microsoft IIS (Internet Information Server) log file use the following:
<Input in_iislog>
    Module im_file
    File '%IISLog%\u_ex*.log'
    ReadFromLast TRUE
    Recursive TRUE
    SavePos TRUE
</Input>

<Output out_iislog>
    Module om_udp
    Host %NCloud%
    Port 514
    Exec $SyslogFacilityValue = 22;
    Exec $raw_event = "IIS [info]: " + $raw_event;
    Exec to_syslog_bsd();
</Output>

<Route iislog>
    Path in_iislog => out_iislog
</Route>
```

Please, how can I deal with this problem?
Chung Wang