Hello I startet central logging with nxlog community edition on windows most works finefinding a working nxlog.conf to graylog needs a lot of oursso I hope to find better help here in the community forum but missing several events in syslogfor exampleDns Client Events Event ID 1014AppCrash Outlook Exe Event ID 1001 At the Moment  i need to send all Windows events to the graylog syslog server can you give me an example config file for logging all Windows events ? thanks my config file ++++++++++Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\data# define Application Crash Eventsdefine AppCrashes               1000, 1001, 1002include %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension><Extension _charconv>   Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec>   Module      xm_exec</Extension><Extension _fileop>   Module      xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       Exec    if (file_exists('%LOGFILE%') and \                  (file_size('%LOGFILE%') >= 5M)) \                   file_cycle('%LOGFILE%', 8);   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);   </Schedule></Extension><Extension _gelf> Module  xm_gelf</Extension><Input win>  Module   im_msvistalog  Query <QueryList>\   <Query Id="0">\   <Select Path="Application">*</Select>\   <Select Path="System">*</Select>\   <Select Path="Security">*</Select>\   </Query>\   </QueryList></Input><Output  graylog>  Module om_tcp  Host  syslog.geodata.local  Port  3515  OutputType GELF</Output><Route graylog_route>Path win => graylog</Route>    

Hi All,We are using NXlog CE to forward from windows server to SIEM. But we are facing issue in delay of ingestion of events.  Error of NXlog file details is given. Please assist.

Hello. I am using nxlog community edition 3.2.2329_ubuntu20_amd64.deb on ubuntu 20.04.6. I am trying to rotate and purge logs on a daily basis. This is a dev environment that shuts down from 6pm to 7am daily. I tried using a Schedule block with a directive of When to @startup but that throws an error when starting nxlog. Also tried @reboot and got the same error. Here are snippets of the  nxlog.conf with @reboot. <Output fileout1>   Module om_file   File "/var/log/nxlog/syslog.txt"   Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");   Exec to_syslog_bsd();<Schedule>        # This can likewise be used for `@weekly` or `@monthly` time periods.         When @reboot        # The following crontab-style is the same as `@daily` above.        # When "0 0 * * *"         # The `Every` directive could also be used in this case.         #Every @startup        Exec    rotate_to(file_name() + strftime(now(), '_%Y-%m-%d'));    </Schedule></Output>…<Output fileout2>   Module om_file   File "/var/log/nxlog/logmsg2.txt"</Output><Extension fileop>Module xm_fileop<Schedule> When @reboot # Delete logs older than 14 days (24x60x60x30)        Exec    file_remove('/var/log/nxlog/*.txt*', now() - 1209600);</Schedule></Extension> Here is the output from console when I try to start nxlogubuntu@ip-172-31-17-93:~$ sudo systemctl restart nxlogJob for nxlog.service failed because the control process exited with error code.See "systemctl status nxlog.service" and "journalctl -xe" for details.ubuntu@ip-172-31-17-93:~$ sudo systemctl status nxlog.service● nxlog.service - NXLog daemon    Loaded: loaded (/lib/systemd/system/nxlog.service; enabled; vendor preset: enabled)    Active: failed (Result: exit-code) since Fri 2025-02-28 09:49:47 PST; 29s ago   Process: 2821 ExecStartPre=/usr/bin/nxlog -v (code=exited, status=1/FAILURE)Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Starting NXLog daemon...Feb 28 09:49:47 ip-172-31-17-93 nxlog[2821]: 2025-02-28 09:49:47 ERROR couldn't parse value for directive 'When': @reboot not supported at /etc/nxlog/nxlog.conf:43Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Control process exited, code=exited, status=1/FAILUREFeb 28 09:49:47 ip-172-31-17-93 systemd[1]: nxlog.service: Failed with result 'exit-code'.Feb 28 09:49:47 ip-172-31-17-93 systemd[1]: Failed to start NXLog daemon. Seems like it does not like the When directive, but not sure why since it is in the documentation. nxlog starts fine if I use @daily, but since the system is shut down during the day change, the operations are not performed. Thanks!

Is the binary src/utils/csed built or otherwise incorporated into the build?It doesn't look like it when I built it from source because the binary wasn't built by default, but I wanted to confirm.There is a buffer overflow in csed.c, and I need to make sure it doesn't find its way into the build.Thanks.

Hi NXLOG Community,the NXLOG Process 100% CPU Load after Server restart on Windows Systems.The Problemcause is simple but i dont understand why.A Handfull of Servers whit much logfiles (nxlogconfiguration use Wildcard for logfolder(s)).The Logfiles are written in the Cachefile and looks okay. But it feels like digs through all log files.Small footage of a Configuration:<Input catalina> Module im_file File 'C:\Tomcat\logs\\catalina*.log' Recursive True PollInterval 30 SavePos True CloseWhenIdle True &lt;Exec&gt; #parse date if $raw_event =~ /(\d\d\-\S\S\S-\d\d\d\d \d\d:\d\d:\d\d)/ $EventTime = strptime($1, '%d-%b-%Y%t%H:%M:%S'); # Now set the severity to something custom. This defaults to 'INFO' if unset. if $raw_event =~ /\sSEVERE\s/ $Severity = 'CRITICAL'; else if $raw_event =~ /\sERROR\s/ $Severity = 'ERROR'; else if $raw_event =~ /\sWARN\s/ $Severity = 'WARNING'; else $Severity = 'INFO'; # The facility can be also set, otherwise the default value is 'USER'. $SyslogFacility = 'AUDIT'; &lt;/Exec&gt; </Input>We use the Last CE Version.: nxlog-ce-3.2.2329Thanks, regards Wolfgang 

Hi,I am trying to insert a custom, static text into the raw event (so that the output has the custom text + the log). However, it refuses to work. The log output is the same whether I add or remove my exec $raw_event My config input and output look like this: <Input in> Module im_msvistalog <QueryXML> <QueryList> <Query Id='0'> <Select Path='System'></Select> <Select Path='Application'></Select> <Select Path='Security'>*</Select> </Query> </QueryList> </QueryXML> Exec $raw_event = "STATIC CONTENT" + $raw_event; </Input> <Output out> Module om_udp Host XX.XX.XX.XX Port 514 Exec to_syslog_snare(); </Output> <Route 1> Path in => out </Route>   Logs:2025-02-12 11:09:20 INFO nxlog-ce-3.2.2329 started

Hello  community, 

Hi,I’m leveraging the to_json() function to convert Windows Events to JSON before sending them. This generally works well, and most of the log is converted to JSON correctly. However, there’s a portion of the log where NXLog doesn’t format the data into proper JSON, instead inserting control characters like \r\n. This breaks the JSON formatting and results in an undesirable output.Here’s an example of a Windows Event that’s been converted to JSON. As you can see, the Message field includes control characters and retains the original structure of the event rather than being properly formatted as JSON:{"Channel":"Security","Message": "System audit policy was changed.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tclient01$\r\n\tAccount Domain:\t\tmydomain\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAudit Policy Change:\r\n\tCategory:\t\tAccount Logon\r\n\tSubcategory:\t\tKerberos Service Ticket Operations\r\n\tSubcategory GUID:\t{foo}\r\n\tChanges:\t\tSuccess removed, Failure removed","Category":"Audit Policy Change"}Here’s an example of the output I’d like to achieve:{"Channel":"Security","Message":"System audit policy was changed.", "Subject":{"Security ID": "S-1-5-18","Account Name":"client01$","Account Domain":"mydomain","Logon ID":"0x3E7"},"Audit Policy Change":{"Category":"Account Logon","Subcategory":"Kerberos Service Ticket Operations","Subcategory GUID":"{foo}","Changes":"Success removed, Failure removed"},"Category":"Audit Policy Change"}Does anyone know if and how I can achieve this?NXLog CE is running on Windows Server 2022. Package version is 3.2.2329.

We're showing that NXLog CE has a DLL, libssl-1_1-x64.dll, that is using OpenSSL version 1.1.1q, which is vulnerable to CVE-2022-2097. Is there any plan to move to a newer version, or are there decent instructions for compiling the source code for Windows?

Hello All, In NXlog Qradar windows configuration , we have setup forwarded events as well but the for the forwarded events the source is coming as host instead of client meachine or actual source. I would request your help in fixing this. I am using the below configuration define ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension><Extension _charconv>   Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec>   Module      xm_exec</Extension><Extension _fileop>   Module      xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       Exec    if (file_exists('%LOGFILE%') and \                  (file_size('%LOGFILE%') >= 5M)) \                   file_cycle('%LOGFILE%', 8);   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);   </Schedule></Extension># Snare compatible example configuration# Collecting event log<Input in>    Module      im_msvistalog<QueryXML>       <QueryList>           <Query Id='0'>               <Select Path='Application'>*</Select>               <Select Path='Security'>*[System/Level<4]</Select>               <Select Path='System'>*</Select>   <Select Path='ForwardedEvents'>*</Select>                                </Query>       </QueryList>   </QueryXML>   <Exec>       if $Category == undef $Category = 0;       if $EventType == 'CRITICAL'       {           $EventTypeNum = 1;           $EventTypeStr = "Critical";       }       else if $EventType == 'ERROR'       {           $EventTypeNum = 2;           $EventTypeStr = "Error";       }       else if $EventType == 'INFO'       {           $EventTypeNum = 4;           $EventTypeStr = "Informational";       }       else if $EventType == 'WARNING'       {           $EventTypeNum = 3;           $EventTypeStr = "Warning";       }       else if $EventType == 'VERBOSE'       {           $EventTypeNum = 5;           $EventTypeStr = "Verbose";       }       else       {           $EventTypeNum = 0;           $EventTypeStr = "Audit";       }       if $OpcodeValue == 0 $Opcode = "Info";       if $TaskValue == 0 $TaskValue = "None";       $EpochTime = string(integer($EventTime));       $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;       $EpochTime = $sec;       if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }       else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }       else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }       else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }       else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }       else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }       else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }       else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }       else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }       else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }       else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }       else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }       else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }       else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }       else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }       else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }       else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }       else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }       else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }       else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }       else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }       else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }       else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }       else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }       else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }       else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }       else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }       else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }       else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }       else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }       else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }       else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }       else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }       else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }       else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }       else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }       else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }       else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }       else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }       else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }       else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }       else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }       else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }       else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }       else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }       else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }       else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }       else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }       else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }       else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }       else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }       else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }       else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }       else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }       else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }       else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }       else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }       else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }       else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }       else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }       else { $TaskStr = "Unknown[" + $taskValue + "]"; }   if $KeywordsStr == undef {       if $TaskValue == 0 {           $KeywordsStr = 'None';       } else {           $KeywordsStr = '0';       }   }   if $TaskStr == undef {       $TaskStr = $TaskValue;   }   if $EventType == 'AUDIT_SUCCESS' {       $KeywordsStr = "Audit Success";       $EventTypeNum = 8;   } else {       $KeywordsStr = "Audit Failure";       $EventTypeNum = 16;   }       $Message = "AgentDevice=WindowsLog" +           "\tAgentLogFile=" + $Channel +           "\tSource=" + $SourceName +           "\tComputer=" + hostname_fqdn() +           "\tOriginatingComputer=" + host_ip() +           "\tUser=" + $AccountName +           "\tDomain=" + $Domain +           "\tEventIDCode=" + $EventID +           "\tEventType=" + $EventTypeNum +           "\tEventCategory=" + $TaskValue +           "\tRecordNumber=" + $RecordNumber +           "\tTimeGenerated=" + $EpochTime +           "\tTimeWritten=" + $EpochTime +           "\tLevel=" + $EventTypeStr +           "\tKeywords=" + $KeywordsStr +           "\tTask=" + $TaskStr +           "\tOpcode=" + $Opcode +           "\tMessage=" + $Message;       $Hostname = host_ip();       delete($SourceName);       delete($Severity);       delete($SeverityValue);       to_syslog_bsd();   </Exec></Input>

Dear Community,I am using NXlog community edition and am experiencing the problem that using the following configuration, the log sent to rsyslog arrives with the characters #011 as tab and #015 as carriage return: <Extension _syslog>    Module      xm_syslog</Extension> <Extension _charconv>    Module xm_charconv    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension> <Extension _exec>    Module xm_exec</Extension> <Extension json>    Module xm_json</Extension> <Input internal>    Module im_internal</Input> <Input eventlog>    Module im_msvistalogQuery <QueryList>\    <Query Id="0">\    <Select Path="Application">*</Select>\    <Select Path="System">*</Select>\    <Select Path="Security">*</Select>\</Query>\</QueryList>    Exec if ($EventID == 5156) OR ($EventID == 5158) drop();    Exec $HOSTNAME=hostname();    Exec $Message = replace($Message, "#011", " ");    Exec $raw_event = replace($raw_event, "#011", " ");#    Exec $Message =~ s/(\t|\R)/ /g;#    Exec $Message =~ s/(\t|\R|\011|\015)/ /g;</Input> <Output out>    Module om_tcp    Host %OUTPUT_DESTINATION_ADDRESS%    Port %OUTPUT_DESTINATION_PORT%    Exec $Message = replace($Message, "#011", " ");    Exec $raw_event = replace($raw_event, "#011", " ");    Exec to_syslog_snare();    Exec $Message = replace($Message, "#011", " ");    Exec $raw_event = replace($raw_event, "#011", " ");</Output> <Route 1>    Path eventlog, internal => out</Route> Can you tell me how to solve the problem? It seems not to remove the tab and carriage return characters.Thank you very much.

Good day,I was wondering if the CE will be releasing a version for Ubuntu 24.04 since this is a LTS release.Thanks,Jesse

Nxlog stops sending data to a route if another route is actively rejecting connections.The other output stops sending data after a while (from a few minutes to a day), although TCP-connection is supported.We use 2 routes at the same time with 1 input.There is our nxlog config: “The in1 module is used by both routes. ”Planforms: Windows 2016/2019 and Windows 2022nxlog.conf<Route r1> Path in => out1 </Route> <Route r2> Path in => out2 </Route>Logs:2024-11-21 13:28:53 INFO nxlog-ce-3.2.2329 started 2024-11-21 13:28:53 INFO connecting to Graylogserver:12523 2024-11-21 13:28:53 INFO connecting to Graylogserver:12527 2024-11-21 13:28:54 INFO reconnecting in 1 seconds 2024-11-21 13:28:54 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it. 2024-11-21 13:28:55 INFO connecting to Graylogserver:12523 2024-11-21 13:28:56 INFO reconnecting in 2 seconds 2024-11-21 13:28:56 ERROR couldn't connect to tcp socket on Graylogserver:12523; No connection could be made because the target machine actively refused it. 2024-11-21 13:28:58 INFO connecting to Graylogserver:12523

Hello!I am working on integrating NXLog with Sumo Logic. I followed the instructions on how to integrate with Sumo Logic in the setup documentation, but the logs are not being forwarded to Sumo Logic correctly, even though I receive the INFO successfully connected message. I believe it may be related to the token. My input is from an SSL connection (which is successfully connecting, I tested by diverting it to a file which I'm currently using as an intermediary until I figure this out). I have tried both options below.    Module         om_ssl   Host              syslog.collection.us1.sumologic.com   Port               6514   CAFile           %CERTDIR%\digicert_ca.crt   Exec             to_syslog_ietf();    Exec             $raw_event =~ s/(\[.*])//g; \                        $raw_event = replace($raw_event, \                        '{', '[%SUMO_TOKEN%] {', 1); Module           om_ssl   Host                syslog.collection.us1.sumologic.com   Port                 6514   CAFile             %CERTDIR%\digicert_ca.crt   Exec                to_syslog_ietf();    Exec                $raw_event =~ s/(\[NXLOG@14506.*?\])//g; \                           $raw_event = replace($raw_event, \                           '{', '[%SUMO_TOKEN%] {', 1);

Hello everyone,New to NXlog, doing the trial now and on setup I have encountered an issue with setting up the mail server and stuck there… It is a ubuntu server (AWS EC2) with postfix installed that relays to google.Postfix works as when trying: echo "This is the body of the email" | mail -s "This is the subject line" user@ourdomain.com -r nxlog@ourdomain.com - I get the email, not an issue.When I go to the mail server config of the web UI I always get “Failed to send email”, also the same when I try to change the email or password. I see nothing in the mail log so it seems it is not even trying to send the email?The settings I try are:Host: 127.0.0.1Port: 25Sender: nxlog@ourdomain.comUsername/Password: (empty) - as we don't auth for the local interface, this is just a local relay Any advice on how to proceed since I'm stuck on this step… :( Thank you!

I'm trying to configure an Exclude in im_file. I want to exclude logs with a date and number at the end of the filename. These files are already processed.Config:<Input PPS>  Module im_file  InputType multi_PPS  File '%LOGDIR%\\*.log'  # PPSPortaalManager_24-05-24_2.log  Exclude '*_??-??-??_*.log'  #. I've tried several notations, eg. double quotes instead of single, escaping the questionmarks. But none of them work. Searching for examples leads to 1 of 2 examples, which are very common examples, and none of them with wildcards.Using nxlog-ce-3.2.2329 .Has anyone a good, and working, example how to user Exclude in im_file?

 Hello there i try to forward logs radius to my elastic siem , i got this error when executing nxlog.exe -f  :2024-10-07 11:16:37 INFO nxlog-ce-3.2.2329 started2024-10-07 11:16:37 INFO reconnecting in 1 seconds2024-10-07 11:16:37 ERROR apr_sockaddr_info failed for 172.19.14.51  # IP du serveur distant:514; Unknow Host. Here is the config (without ip for privacy) : <Extension _syslog>   Module      xm_syslog</Extension><Extension xml>   Module      xm_xml</Extension><Input radius_log>        Module      im_file      File        "D:\NPS\NPS Logs\IN2410.log"     SavePos     TRUE       ReadFromLast TRUE       PollInterval 1       Exec        parse_xml("/Event"); </Input><Output remote_syslog>        Module      om_udp   Host         # IP SRV FORWARD        Port        514</Output><Route radius_to_remote>     Path        radius_log => remote_syslog</Route> Is it possible to get everything in the source folder not just one ? Because the name change everymonth , example : october  :IN2410.logNovember: IN2411.log December: IN2412.log   etc Please  Thnaks a lot

Hi Team,Need help!We're unable to ingest the logs from the file ‘output.json,’ which is 150MB in size. But i am able to send the logs from file ‘output.json’ which is 10MB in size to the forwarder.Below is the NXLog Community Edition Config file. Please help me is there anything to modify the Config file.define ROOT C:\Program Files\nxlogdefine ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <Forwarder IP>define ADCONTEXT_OUTPUT_DESTINATION_PORT <Port>Moduledir   %ROOT%\modulesCacheDir    %ROOT%\dataPidfile         %ROOT%\data\nxlog.pidSpoolDir     %ROOT%\dataLogFile       %ROOT%\data\nxlog.log<Extension json>    Module  xm_json</Extension><Input in_adcontext>   Module    im_file   File         "C:\AD\output.json"   DirCheckInterval 3600   PollInterval 3600</Input><Output out_chronicle_adcontext>   Module    om_tcp   Host       %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%   Port        %ADCONTEXT_OUTPUT_DESTINATION_PORT%</Output><Route ad_context_to_chronicle>    Path in_adcontext => out_chronicle_adcontext</Route>

Hi folks,We have an NXLog CE 3.2.2329 configuration using im_tcp with InputType LineBased, receiving blobs of JSON separated by newlines. The received data is passed to xm_perl and then relayed to an output.Under some conditions where there may be thousands of events per second, there is a very rare chance for one event to be truncated at the end yielding an incomplete json blob.  We've verified that the input data coming from upstream is valid, fully formed JSON - the emitter encoding logs look OK. The preceeding and following lines are also received and parsed successfully. Has anybody else experienced similar behavior? At this point we suspect a bug in NXLog, considering that it occurs very infrequently (2-3 days between recurrences) and it only occurs during periods of relatively high load (normal load is ~150 events per second, load when issue occurs is ~800/s+)Relevant configuration: <Extension gelf>Module      xm_gelf</Extension><Extension perl>Module      xm_perlPerlCode    /etc/nxlog/scripts/parse_mist.pl</Extension><Input mist_tcp>Module      im_tcpHost        0.0.0.0Port        32768InputType   LineBased<Exec>perl_call("parse_mist");if $nxlog_internal_drop_log drop();</Exec></Input><Output graylog>Module      om_udpHost        xPort        12201OutputType  GELF</Output><Route graylog>Path       mist_tcp => graylog</Route>