
Buffering not working
Hi, I had this situation whereby when I unplugged the cable of the outgoing interface of the nxlog server, the logs went into the cache folder. When I connected the interface back, the new logs continued to flow to the external logger, but the cached logs remained inside the cache folder and were not forwarded out to the external logger. Below is my configuration. Looking forward to any help, please. Thank you.

User root
Group root

Panic Soft

## modify change
# default values:
# PidFile   /opt/nxlog/var/run/nxlog/nxlog.pid
# CacheDir  /opt/nxlog/var/spool/nxlog
# ModuleDir /opt/nxlog/lib/nxlog/modules
# SpoolDir  /opt/nxlog/var/spool/nxlog
CacheDir /data/nxlogcache

define CERTDIR /opt/nxlog/var/lib/nxlog/cert
define CONFDIR /opt/nxlog/var/lib/nxlog

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set `LogFile` below and
# disable the `include` line.
LogFile %MYLOGFILE%
#include %CONFDIR%/log4ensics.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension exec>
    Module  xm_exec
</Extension>

<Extension _leef>
    Module  xm_leef
</Extension>

<Output Egress_To_xxx>
    Module  om_tcp
    Port    1524
    Host    xxx.xxx.xxx.xxx
</Output>

# Set port and IP address to listen to traffic
<Input External_Ingress>
    Module  im_tcp
    Port    1524
    Host    0.0.0.0
</Input>

<Output External_Log_Locally>
    Module  om_file
    File    '/data/store/External/External_logs.txt'
    # Set log rotation to run daily and keep 90 days worth of logs
    <Schedule>
        When    @daily
        <Exec>
            # Create year/month directories if necessary
            dir_make('/data/store/External/' + strftime(now() - 86400, '%Y-%m'));
            # Rotate current file into the correct directory
            rotate_to('/data/store/External/' + strftime(now() - 86400, '%Y-%m/External_logs_%Y-%m-%d.txt'));
            # Remove files older than 90 days
            exec_async("/usr/bin/find", "/data/store/External", "-mtime", "+90", "-type", "f", "-delete");
        </Exec>
    </Schedule>
</Output>

<Processor External_To_xxx_Buffer>
    Module     pm_buffer
    Type       Disk
    # 130MiB buffer
    MaxSize    130000000
    WarnLimit  100000000
</Processor>

<Route External_To_xxx_Path>
    Path    External_Ingress => External_To_xxx_Buffer => Egress_To_xxx
</Route>

<Route External_To_Local>
    Path    External_Ingress => External_Log_Locally
</Route>

<Input Internal_Ingress>
    Module  im_tcp
    Port    2524
    Host    0.0.0.0
    <Exec>
        # edit syslog header for xxxx
        if $raw_event =~ /\d\d:\d\d:\d\d\s+(xxxx)\s+/
        {
            $Hostname = $1;
            to_syslog_bsd();
        }
    </Exec>
</Input>

<Output Internal_Log_Locally>
    Module  om_file
    File    '/data/store/Internal/Internal_logs.txt'
    # Set log rotation to run daily and keep 90 days worth of logs
    <Schedule>
        When    @daily
        <Exec>
            # Create year/month directories if necessary
            dir_make('/data/store/Internal/' + strftime(now() - 86400, '%Y-%m'));
            # Rotate current file into the correct directory
            rotate_to('/data/store/Internal/' + strftime(now() - 86400, '%Y-%m/Internal_logs_%Y-%m-%d.txt'));
            # Remove files older than 90 days
            exec_async("/usr/bin/find", "/data/store/Internal", "-mtime", "+90", "-type", "f", "-delete");
        </Exec>
    </Schedule>
</Output>

<Processor Internal_To_xxx_Buffer>
    Module     pm_buffer
    Type       Disk
    # 130MiB buffer
    MaxSize    130000000
    WarnLimit  100000000
</Processor>

<Route Internal_To_xxx_Path>
    Path    Internal_Ingress => Internal_To_xxx_Buffer => Egress_To_xxx
</Route>

<Route Internal_To_Local>
    Path    Internal_Ingress => Internal_Log_Locally
</Route>

<Input xxx_UDP_Ingress>
    Module  im_udp
    Port    514
    Host    0.0.0.0
    <Exec>
        # edit syslog header for xxx
        if $MessageSourceAddress == 'xx.xxx.x.x'
        {
            $Hostname = 'xxx';
            to_syslog_bsd();
        }
        # edit syslog header for xxx
        else if $MessageSourceAddress == 'xx.xxx.xx.xx'
        {
            $Hostname = 'xxx';
            to_syslog_bsd();
        }
        # edit syslog header for xxx
        else if $MessageSourceAddress == 'xx.xx.xx'
        {
            $Hostname = 'xxx';
            to_syslog_bsd();
        }
    </Exec>
</Input>

<Output xxx_UDP_Log_Locally>
    Module  om_file
    File    '/data/store/UDP/xxx_UDP_logs.txt'
    # Set log rotation to run daily and keep 90 days worth of logs
    <Schedule>
        When    @daily
        <Exec>
            # Create year/month directories if necessary
            dir_make('/data/store/UDP/' + strftime(now() - 86400, '%Y-%m'));
            # Rotate current file into the correct directory
            rotate_to('/data/store/UDP/' + strftime(now() - 86400, '%Y-%m/xxxx_UDP_logs_%Y-%m-%d.txt'));
            # Remove files older than 90 days
            exec_async("/usr/bin/find", "/data/store/UDP", "-mtime", "+90", "-type", "f", "-delete");
        </Exec>
    </Schedule>
</Output>

<Processor xxx_UDP_To_xxx_Buffer>
    Module     pm_buffer
    Type       Disk
    # 130MiB buffer
    MaxSize    130000000
    WarnLimit  100000000
</Processor>

<Route xxx_UDP_To_xxx_Path>
    Path    xxx_UDP_Ingress => xxx_UDP_To_xxx_Buffer => Egress_To_xxx
</Route>

<Route xxx_UDP_To_Local>
    Path    xxx_UDP_Ingress => xxx_UDP_Log_Locally
</Route>

<Input audit_log>
    Module  im_file
    File    '/var/log/secure'
    <Exec>
        to_syslog_bsd();
    </Exec>
</Input>

<Processor xxx_Audit_To_xxx_Buffer>
    Module     pm_buffer
    Type       Disk
    # 130MiB buffer
    MaxSize    130000000
    WarnLimit  100000000
</Processor>

<Route xx_Audit_To_xx_Path>
    Path    audit_log => xxx_Audit_To_xxx_Buffer => Egress_To_xxx
</Route>

<Input audit_log_2>
    Module  im_file
    File    '/var/log/audit/audit.log'
    <Exec>
        to_syslog_bsd();
    </Exec>
</Input>

<Processor xxx_Audit_2_To_xxx_Buffer>
    Module     pm_buffer
    Type       Disk
    # 130MiB buffer
    MaxSize    130000000
    WarnLimit  100000000
</Processor>

<Route xxx_Audit2_To_xxx_Path>
    Path    audit_log_2 => xxx_Audit_2_To_xxx_Buffer => Egress_To_xxx
</Route>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in log4ensics.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

billychua
Replies: 0
billychua
Does the parser quit after not matching x amount of logs?
I am having issues where, when I try to parse a big file (~1500 lines), the regexp doesn't find any lines that match and then eventually "gives up". There is no ERROR log in nxlog.log saying that it essentially stopped, but it never writes anything to my output file. In the input file I have 6 lines that match my parser though.

<Exec>
    if $raw_event =~ /srv_name="([^"]+).+?user_auth_entr="([^"]+)/
    {
        $event_type = 'VPN_SESSION_IP_ASSIGNED';
        $version = 'v1';
        $time = 'test';
        $account = $2;
        $account_domain = 'null';
        $assigned_ip = 'null';
        $source_ip = 'null';
        $authentication_result = 'FAILURE';
        $authentication_target = $1;
    }
</Exec>

I was confused at first and thought there was an issue with my statement, but it checks out. When I specifically grabbed only those 6 log lines that would match and ran the service against ONLY those logs, everything parsed and worked just fine, giving me the 6 new log lines in my output file. So this leads me to believe that the only reason it didn't work the first time is because the first time it actually matches those log lines is the 112th line. So my assumption is that it tries to process the incoming log lines against my regex and after so many not matching it just stops. Can anyone confirm if this is accurate and, if so, how can I increase the threshold and/or remove this dependency?

jhartman
Replies: 1
NenadM
IF statements for varying values
I am trying to parse some logs coming in and trying to figure out the proper way to build the nxlog.conf when specifying what to do depending on the conditions met in the parser. I have a working conf file that can read all the logs from a file and parse them into one set of conditions, but how do I add multiple IF statements in a single Exec block?

<Input NetMotion>
    Module  im_file
    File    "C:\Testing-logs\NetMotion.txt"
    <Exec>
        if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
        {
            if $4 == 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED';
            {
                $version = 'v1';
                $time = $3;
                $account = $1;
                $assigned_ip = $6;
                $source_ip = $2;
                $authentication_result = 'SUCCESS';
                $authentication_target = $5;
            }
            if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION';
            {
                $version = 'v1';
                $time = $2;
                $account = $1;
            }
        }
    </Exec>
</Input>

The above code works in the sense that it doesn't give me any errors in the NXLog log file; however, the actual log lines are mixed up. If the events match 'VPN_SESSION_IP_ASSIGNED' then it all works just fine. This gives me the order of event_type, version, time, account, assigned_ip, source_ip, authentication_result, authentication_target, which is exactly what I need. However, for the lines where it doesn't match, it messes up the order and puts version first, and then tacks on the event_type = 'VPN_SESSION_IP_TERMINATION' at the end. How do I get it so that when the $event_type = 'VPN_SESSION_IP_TERMINATION' the log format only shows the fields I want, e.g. event_type, version, time, account?

I tried a different method where I put the second if statement directly after the first and it worked to keep the order, but I still don't know how to drop the unnecessary fields from the termination events.

<Input NetMotion>
    Module  im_file
    File    "C:\Testing-logs\NetMotion.txt"
    <Exec>
        if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
        {
            if $4 == 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED';
            if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION';
            $version = 'v1';
            $time = $3;
            $account = $1;
            $assigned_ip = $6;
            $source_ip = $2;
            $authentication_result = 'SUCCESS';
            $authentication_target = $5;
        }
    </Exec>
</Input>

Would I do an additional if statement after that to basically say:

if $event_type == 'VPN_SESSION_IP_TERMINATION'
{
    delete($assigned_ip);
    delete($source_ip);
    delete($authentication_result);
    delete($authentication_target);
}

Any and all help is appreciated!

jhartman
Replies: 1
NenadM
NXlog Enterprise Edition Licenses
Hi All, We have purchased 100 NXLog Enterprise Edition Annual Licenses (node based). Can anybody let us know how we update the license when we install the NXLog Enterprise Edition on a Windows server? Regards, Valuepoint Team

L2.cdc@valuepointsystems.com
Replies: 2
L2.cdc@valuepointsystems.com
Some error about getting data from chrome history log
I want to collect the Chrome history log, following the https://docs.nxlog.co/userguide/integrate/browser-history.html#google-chrome-history-location-and-details guide on Windows. Because the http://www.ch-werner.de/ site is down, I can't download "SQLite ODBC Driver", but I found another substitute, https://www.devart.com/odbc/sqlite/download.html ; I don't know if this driver is the same as "SQLite ODBC Driver". But when I run nxlog, I get some error info:

2023-02-14 11:23:25 INFO [im_odbc|odbc] im_odbc successfully connected to the database
2023-02-14 11:23:25 WARNING [im_odbc|odbc] im_odbc detected a disconnection, attempting to reconnect in 10 seconds
2023-02-14 11:23:25 ERROR [im_odbc|odbc] SQLExecute failed, 22001:2:390:[Devart][ODBC]String data, right-truncated (odbc error code: -1)

My input conf is like below:

<Input odbc>
    Module              im_odbc
    PollInterval        1200
    ConnectionString    DRIVER=Devart ODBC Driver for SQLite; Database=D:\ProgramFiles\logs\History_Chrome;Version=3;
    SQL                 Select visits.id AS id, urls.url AS URL, urls.title AS Title FROM visits INNER JOIN urls ON visits.url = urls.id WHERE visits.id > ?
    Exec                $Hostname = hostname();
    Exec                to_json();
</Input>

I want to know what's wrong with my config, or how to fix it.

lida02@megvii.com
Replies: 1
gahorvath
ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.
Hi, I get the above error when I try to start the nxlog server. Below is my config file. Please assist. Thank you.

Panic Soft

define INSTALLDIR C:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules
#CacheDir  %INSTALLDIR%\data
#SpoolDir  %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR c:\data
define MYLOGFILE %INSTALLDIR%\data\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%\*.conf
LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension exec>
    Module  xm_exec
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension fileop>
    Module  xm_fileop
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input tcp>
    Module      im_tcp
    ListenAddr  0.0.0.0:514
</Input>

define LOCALFILE  'C:\Users\Administrator\Documents\Data'

<Output file>
    Module  om_file
    File    %LOCALFILE%
</Output>

<Route tcp_to_file>
    Path    tcp => file
</Route>

Error message:

2023-02-06 00:41:43 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows
2023-02-06 00:41:43 ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.
2023-02-06 00:41:43 INFO [im_tcp|tcp] listening on 0.0.0.0:514

Regards, Billy

billychua
Replies: 1
gahorvath
License true-up
If a customer purchases 100 NXLog Enterprise licenses and needs more six months later, do they place an order for the additional licenses separately or increase the original order? Are they able to deploy and then true-up, or do they need a unique key for each before deploying?

TS_521115
Replies: 2
RadBak
Extra spaces added after ; when converting messages with multiline parser
Hi team, I have converted audit messages from multiline to single line using the multiline parser. The problem is that two spaces are added instead of one space after the semicolon. Input: message1;message2; Single line: message1;. message2; There are two spaces between the first semicolon and message2 instead of one. How do I remove the extra space?

Dileep Nannapaneni
Replies: 6
gahorvath
NX LOG Newbie Question
Good afternoon. I currently run an NX log solution that was set up by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server, and that server uploads the logs to the IDS. That being said, I have set up a Graylog server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should one of them become compromised (via malware, ransomware, etc.). I realize that there is already a config file for NX log that sends the Event Viewer logs, so I am assuming that I would have to use that same file to have NX send DNS logs to a different location (if that is even possible). So my questions are: Is it possible to do that? If so, does the collection service have to be stopped in order to edit the config file? I would send these logs to the same online IDS service, but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting. Any input will be greatly appreciated.

jrpayne
Randomly TCP Output
Hi Folks, I have a TCP output that has 3 hosts in sequence to send to Graylog (failover), but I would like to "randomly" switch the outputs to better distribute the load on the nodes. In my config example, 'graylog_1' will always receive all events. Is there a builtin solution for a processor/output to send randomly to the multiple nodes? Config example:

<Output out_graylog>
    Module       om_tcp
    FlowControl  False
    Host         192.168.0.10:514  # graylog_1
    Host         192.168.0.11:514  # graylog_2
    Host         192.168.0.12:514  # graylog_3
</Output>

A VIP/loadbalancer for Graylog is not the solution I'm looking for; I want to understand the power of nxlog and its customization.

Tulio Gomes
Replies: 3
gahorvath
Eliminate scrolling with wrapping
It would be nice if you eliminated scrolling with wrapping in this forum's posts.

TestNXLogQA_01
Replies: 0
TestNXLogQA_01
Unable to forward the windows logs to QRadar SIEM
Hi All, I have a requirement to forward the Windows logs to QRadar using NX. Below is my config file; I am unable to receive the logs in my SIEM platform. I encounter the error: ERROR failed to subscribe to msvistalog events, the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input eventlog>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level<4]</Select>
                <Select Path='System'>*</Select>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
                <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
                <Select Path='Windows PowerShell'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $Category == undef $Category = 0;
        if $EventType == 'CRITICAL'
        {
            $EventTypeNum = 1;
            $EventTypeStr = "Critical";
        }
        else if $EventType == 'ERROR'
        {
            $EventTypeNum = 2;
            $EventTypeStr = "Error";
        }
        else if $EventType == 'INFO'
        {
            $EventTypeNum = 4;
            $EventTypeStr = "Informational";
        }
        else if $EventType == 'WARNING'
        {
            $EventTypeNum = 3;
            $EventTypeStr = "Warning";
        }
        else if $EventType == 'VERBOSE'
        {
            $EventTypeNum = 5;
            $EventTypeStr = "Verbose";
        }
        else
        {
            $EventTypeNum = 0;
            $EventTypeStr = "Audit";
        }
        if $OpcodeValue == 0 $Opcode = "Info";
        if $TaskValue == 0 $TaskValue = "None";
        $EpochTime = string(integer($EventTime));
        $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;
        $EpochTime = $sec;
        if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }
        else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }
        else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }
        else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }
        else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }
        else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }
        else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }
        else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }
        else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }
        else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }
        else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }
        else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }
        else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }
        else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }
        else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }
        else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }
        else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }
        else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }
        else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }
        else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }
        else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }
        else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }
        else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }
        else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }
        else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }
        else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }
        else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }
        else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }
        else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }
        else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }
        else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }
        else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }
        else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }
        else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }
        else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }
        else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }
        else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }
        else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }
        else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }
        else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }
        else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }
        else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }
        else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }
        else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }
        else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }
        else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }
        else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }
        else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }
        else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }
        else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }
        else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }
        else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }
        else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }
        else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }
        else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }
        else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }
        else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }
        else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }
        else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }
        else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }
        else { $TaskStr = "Unknown[" + $TaskValue + "]"; }
        if $KeywordsStr == undef {
            if $TaskValue == 0 {
                $KeywordsStr = 'None';
            } else {
                $KeywordsStr = '0';
            }
        }
        if $TaskStr == undef {
            $TaskStr = $TaskValue;
        }
        if $EventType == 'AUDIT_SUCCESS' {
            $KeywordsStr = "Audit Success";
            $EventTypeNum = 8;
        } else {
            $KeywordsStr = "Audit Failure";
            $EventTypeNum = 16;
        }
        $Message = "AgentDevice=WindowsLog" +
            "\tAgentLogFile=" + $Channel +
            "\tSource=" + $SourceName +
            "\tComputer=" + hostname_fqdn() +
            "\tOriginatingComputer=" + host_ip() +
            "\tUser=" + $AccountName +
            "\tDomain=" + $Domain +
            "\tEventIDCode=" + $EventID +
            "\tEventType=" + $EventTypeNum +
            "\tEventCategory=" + $TaskValue +
            "\tRecordNumber=" + $RecordNumber +
            "\tTimeGenerated=" + $EpochTime +
            "\tTimeWritten=" + $EpochTime +
            "\tLevel=" + $EventTypeStr +
            "\tKeywords=" + $KeywordsStr +
            "\tTask=" + $TaskStr +
            "\tOpcode=" + $Opcode +
            "\tMessage=" + $Message;
        $Hostname = host_ip();
        delete($SourceName);
        delete($Severity);
        delete($SeverityValue);
        to_syslog_bsd();
    </Exec>
</Input>

# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module      om_tcp
    Host        10.x.x.x
    Port        514
    Exec        to_syslog_bsd();
</Output>

# Connect input 'in' to output 'out'
<Route 1>
    Path        eventlog => out
</Route>

Venky
Replies: 1
gahorvath
IM_ETW Module
Can anyone tell me for certain if this module is only included in the Enterprise version? If so, where does one buy the Enterprise Version and what is its approximate cost (USD)?

jrpayne
Replies: 2
jrpayne
How to get NXLog Manager license
Hello team, How do I get an NXLog Manager license? Thank you, Klevin

klevintest2
Replies: 2
gahorvath
nxlog-ce-3.1.2319.msi vs windows 2008 R2
Hi, Is it possible to install nxlog-ce-3.1.2319.msi on Windows 2008 R2? Regards.

egas84
Replies: 1
gahorvath
Update required of a specific windows EventID
Hi, I'm doing my first steps with NXlog. I have managed to collect all "Security" Windows event logs and also managed to update the "Version" parameter to my own parameter, just for test purposes. Now I need to perform 3 tasks:
1. Collect all "Security" Windows event logs - Done
2. Update the "Version" parameter from int to string - Done
3. Update the "Hostname" parameter of a specific event ID (for example EventID 4656) to "test" - Please advise
Thank you.

<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        $Hostname = "test";      # This task should be only for eventID 4656
        $Version = string($Version);
        to_json();
    </Exec>
</Input>

dudu.confirm@gmail.com
Replies: 1
gahorvath
Memory leak in NXLog 5 (including latest v5.6.7727)
Hello! We have permanent memory leaks on a Windows Event Collector server with any version 5 NXLog. If we install any version 4, it works without a memory leak, but very slowly; it accumulates a queue on a single filter for Windows events. How can we help to fix it in the next release?

Roman_Andreev
Replies: 1
jeffron
Using CE and EE on the same machine
Hi, I'm using the EE trial edition now on my machine, but I need to use the CE edition as well for testing. Can I use both on the same machine? Will I lose my EE trial if I download CE now?

Sangeetha
Replies: 1
Zhengshi
Cost of Enterprise Edition
Hi, I would like to know the cost of Enterprise Edition. Also, I would like to know whether we could use the purchased NXLog EE package on more than one server to collect logs.

Sangeetha
Replies: 1
Sangeetha
Large eventlog entries make nxlog "hang"
We are using nxlog to collect eventlog information. Some entries can be large; in fact, some messages are split over several entries as a workaround for the maximum eventlog entry size. However, these large entries seem to hang nxlog so that it stops processing new entries. Typical error messages are:

2014-10-27 17:10:32 ERROR EvtNext failed with error 1734: The array bounds are invalid.
2014-10-27 17:10:33 ERROR EvtUpdateBookmark failed: The handle is invalid.

Why is this? Is there any workaround?

MagnusBjarnlid
Replies: 2
Ivan.Akcheurov