Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

im_msvistalog --> Exec if or drop statement understanding problem
Hi,I am using this code snipping<Input EventLOG>Module im_msvistalogExec if ($TargetUserName == 'SYSTEM') OR ($EventType == 'VERBOSE') drop();</Input>This is working fine with my nx-Client at Windows 11. It push notification at my debian server with installed rsyslog server.But I want to have some specific ID´s from Windows Eventlog.( e.g. 5013, 10016, 4616, 6869)Can anybody point me to the right way? Thanks in Advance for every help. Heinz  

hkrischeu created
Replies: 4
View post »
last updated
im_azure using proxy to connect to Azure environment
Hello,We are setting up log collection from Azure Log Analytics workspace but the connection is not possible without B2B proxy. I see that Proxy setup is possible only with om_azure module. We need to read and collect the logs from the Azure environment and not to send it there. What should we do to make it happen? Without proxy the connection is not possible and we can't use nxlog for our new service. Is there any other module which could set the proxy by default etc. ? Thank you,Martin W.

mwaszut created
Replies: 0
View post »
last updated
One Input Multiple Outputs (AlienVault/Nxlog)
We currently have a central logging server for our Windows Servers collecting and forwarding with NXLog to AlienVault.  We have a working config file currently that I would like to modify to be able to send two of the Windows Event ID's that are being collected to our NDR (Vectra).  What is the best route to be able to configure multiple sources and/or outputs? Currently we have two working configs, one for Vectra and one for AlienVault, but I'd like to “combine” them in a way that allows us to be able to send relevant data to their needed sources.AlienVault uses a patterndb.xml file for what events it wants to collect, Vectra just needs two specific event ID's that it calls out in the log file with the below line. It then outputs to an IP.  This seems like it should be pretty straight forward but I'd like to have it sort of configured/figured out before I bring down my AlienVault feed.We are also currently using the Nxlog community edition if that matters.<Input eventlog>   Module im_msvistalog<QueryXML> <QueryList>  <Query Id="0" Path="ForwardedEvents">  <Select Path="ForwardedEvents">*[System[(EventID=4768 or EventID=4769)]]</Select> </Query></QueryList></QueryXML></Input>

seppic created
Replies: 0
View post »
last updated
Windows Event Log - Drop/Filter
All,Hopefully an easy question.I am currently collecting Windows event logs on a dedicated forwarding server (using native WEF) in a dedicated event log (named “Forwarded Events”).  I have NxLog installed on this server and logs are being sent properly to my SIEM.Currently I am having difficulties filtering events where the SubjectUserName field ends with “$” symbol (logs are still reaching my SIEM). Below is a snippet of my configuration.  I am running NXLog Enterprise version 6.2.Please advise.<Extension json> Module xm_json </Extension> <Input windows_security_eventlog> Module im_msvistalog ReadFromLast True SavePos True <QueryXML> <QueryList> <Query Id="0"> <Select Path="ForwardedEvents">*</Select> </Query> </QueryList> </QueryXML> <Exec> ################################################### # Drop noisy machine object access (4662) events.# ################################################### if $EventID == 4662 AND ($SubjectUserName =~ /(.)$/) drop(); </Exec> </Input>

jacob.omara@doubleline.com created
Replies: 0
View post »
last updated
Running Powershell script on a schedule to retrieve and format Windows Event logs and send to logstash output
I have a Powershell script that is retrieving events from Windows Event logs that are written by a certain application.  It then parses the exception info from the Event_Data portion into separate fields and combines them into JSON (the exception info is written in one big block of text, but each line has fields that we want to separate out into distinct fields so that the data is easier to filter in Kibana.  I have an input im_exec module in nxlog.conf that runs that script and a route to send that input to an om_tcp output for our logstash instance.  This works fine when you restart the service, however I'm having a problem getting this to pick up events after the initial restart.  I've tried adding a schedule both to the input module and adding an xm_exec module to restart the input module on a scheduled basis.  Anyone have any ideas on how to get this script to run repeatedly so that i can pick up and format new events?  I've looked through the schedule documentation and tried some of the suggestions on other discussions that look a bit similar, but none seem to have worked so far. This is what I have in the conf file currently:    define ROOT C:\Program Files (x86)\nxlog      Moduledir %ROOT%\modules   CacheDir %ROOT%\data   Pidfile %ROOT%\data\nxlog.pid   SpoolDir %ROOT%\data   LogFile %ROOT%\data\nxlog.log   LogLevel INFO      <Extension json>         Module xm_json   </Extension>   define LogFile %ROOT%\data\nxlog.log   <Input input_logs_powershell>   Module  im_exec   Restart true    Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"   Arg     "-ExecutionPolicy"   Arg     "Bypass"   Arg     "-NoProfile"   # This specifies the path to the PowerShell script.   Arg     "-File"   Arg     "D:\Temp\events_parser.ps1"<Exec>       # Parse JSON       parse_json();   </Exec></Input> <Output logs_to_Kibana>      Module om_tcp      Host logstash_hostname      Port 6710   exec to_json();   </Output><Route input_logs_powershell>PATH input_logs_powershell =>logs_to_Kibana</Route> 

MCon30318 created
Replies: 0
View post »
last updated
Regarding PaloAlto Panorama (syslog) Logs
New Enterprise NxLog customer here…..hopefully any easy question.Today I am ingesting syslog messages from my PaloAlto Panorama instance into a dedicated syslog (Ununtu) server running syslog-ng.  I am using syslog-ng to parse the incoming logs into 3 distinct log files (traffic, threat, and system).   I am then using “logrotate” and “cron" to rotate, gzip, and retain the logs.I figure I have 2 options in terms of the log files themselves now that I am an nxlog customer.Option 1: Keep things as-is (since it is working now) and just use “im_file”.Option 2: Use nxlog to do the same things I am with syslog-ng.  Being new to nxlog, not sure how to best do this.If I want to go with Option #2, does anyone have a working configuration they would be willing to share on how they parsed the incoming syslog messages from Palo Alto into those 3 distinct files (or came up with a better alternative)? Thank you.

jacob.omara@doubleline.com created
Replies: 0
View post »
last updated
Errors when obtaining logs from Office365.
Hello team.We have followed the steps from this link: https://docs.nxlog.co/refman/v5.10/im/ms365.html#config-certkeyfile to obtain the logs from Office365.The following permissions have been applied:However, I am encountering the following errors when trying to extract the information:  2024-05-01 18:59:31 WARNING [im_ms365|microsoft_365] Retrying request Audit.Exchange, attempt 33 failed, error: {"error":{"code":"AF20055","message":"Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. StartTime:2024-05-01T22:48:58Z, EndTime:2024-05-01T21:21:47Z"}}. (Retrying in 200 seconds). 2024-05-01 18:59:34 WARNING [im_ms365|microsoft_365] Retrying request HealthOverviewsWithServiceHealthIssues, attempt 33 failed, error: {"error":{"code":"UnknownError","message":"","innerError":{"date":"2024-05-01T22:59:34","request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847","client-request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847"}}}. (Retrying in 200 seconds). 2024-05-01 18:59:36 WARNING [im_ms365|microsoft_365] Retrying request AuditEvents, attempt 33 failed, error: {"error":{"code":"Forbidden","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: e188947b-1412-4a09-9b64-548de1c1f6a6 - Url: https://fef.amsua0602.manage.microsoft.com/StatelessAuditingFEService/deviceManagement/auditEvents?api-version=5022-08-30&$filter=activityDateTime+ge+2024-04-01T21%3a21%3a47Z+and+activityDateTime+lt+2024-05-01T21%3a21%3a47Z&$top=50\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2024-05-01T22:59:36","request-id":"e188947b-1412-4a09-9b64-548de1c1f6a6","client-request-id":"e188947b-1412-4a09-9b64-548de1c1f6a 2024-05-01 18:59:44 WARNING [im_ms365|microsoft_365] Retrying request SignIns, attempt 33 failed, error: {"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license","innerError":{"date":"2024-05-01T22:59:44","request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb","client-request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb"}}}. (Retrying in 200 seconds). 2024-05-01 19:00:05 WARNING [im_ms365|microsoft_365] Retrying request ReportingWebService/MessageTrace, attempt 33 failed, error: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">; <html xmlns="http://www.w3.org/1999/xhtml">; <head>; <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>; <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>; <style type="text/css">; <!--; body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}; fieldset{padding:0 15px 10px 15px;} ; h1{font-size:2.4em;margin:0;color:#FFF;}; h2{font-size:1.7em;margin:0;color:#CC0000;} ; h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ; #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;; background-color:#555555;}; #content{margin:0 0 0 2%;position:relative;}; .content-container{background:#FFF;width:96%;margin-top:8px;padding:1 Could you help me understand these errors?

oscar.cerna@threatshieldsecurity.com created
Replies: 0
View post »
last updated
nxlog could not be stopped - error during installation
I uninstalled the community version and trying to install the enterprise version, I am getting this error - Service nxlog could not be stopped, verify that you have sufficient privileges to stop system services. I am a global admin. Please help

sa250367 created
Replies: 0
View post »
last updated
Are there any sample log files for NXLog Manager available to test?
Looking to test some ingest into a data lake to test searches adn dashboards.

JW created
Replies: 0
View post »
last updated
DROP messages, if contains STRING SOMEWHERE
hi,I try  to DROP all messages, if they contains somewhere “/connection_status” or “/status”, but what ever I try, the filter won't fit on Nxlog, while it works in RegexTesterExample log:Apr 25 11:15:11 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"status\".","context":{"route":"status","route_parameters":{"_route":"status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatus"},"request_uri":"https://hpp.example.com/status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:10.999734+00:00","extra":{}},"EventTime":"2024-04-25T11:15:11.000000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:11.001689+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}orApr 25 11:15:09 nomad-cde cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd: {"Hostname":"nomad-cde","ShortMessage":"172.16.0.40 - - [25/Apr/2024:09:15:09 +0000] \"GET /status HTTP/1.0\" 200 2 \"-\" \"-\" \"172.16.1.40\"","EventTime":"2024-04-25T11:15:09.479000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"c8b7c9357b1bc195f6d88d09e4c329627bfe165debc09cfe4bbfd556fdab966c","container_name":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","image_id":"sha256:be421273041ffa5d7b8be4963f91c0376d9829ba942b86341413c59105ae671c","image_name":"harbor.example.com/testing/iframes/test:3cb57629","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.524068+02:00","SourceModuleName":"container","SourceName":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","SyslogFacility":6}orApr 25 11:15:09 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"connection_status\".","context":{"route":"connection_status","route_parameters":{"_route":"connection_status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatusDB"},"request_uri":"https://web:4433/connection_status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:09.603963+00:00","extra":{}},"EventTime":"2024-04-25T11:15:09.605000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.634920+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}I tried in the end the simplest one:if $raw_event =~ /.*status.*/ drop(); but it does not match. The config looks like this: <Output syslog-container-server> Module om_udp Host ${user.logserver} Port 514 <Exec> if $raw_event =~ /.*status.*/ drop(); $Hostname = "nomad-cde"; $message =~ s/-p[^\s]+/-pXXX/; delete($SourceModuleType); delete($MessageSourceAddress); delete($version); delete($created); $SourceName = $container_name; $SyslogFacility = $SeverityValue; to_json(); to_syslog_bsd(); </Exec> </Output>Can someone give me an hint, where I have to look ?

denny.fuchs@inatec.com created
Replies: 0
View post »
last updated
Upgrade to NXLOG Enterprise Edition 6.0
Good Morning All,We would need to take advantage of the new features within NXLOG 6.0 EE.  Are there any instructions on to perform the upgrade from 5.0 to 6.0?  OR is this a revamp oft he whole environment and re-deployment of the agents?  I currently have 900 agents deployed and it would not make sense to re-deploy.

emerson.arcella@pediatrix.com created
Replies: 0
View post »
last updated
*SOLVED*: Input Gelf -> Output Syslog -> extract container_name from JSON and set $SourceName
Hello,we using Nomad which sends logs in GELF format. We need to forward it to Rsyslog and also to Graylog. For Syslog I want to set $SourceName, which needs to be exracted from the JSON / GELF.The config looks like this: ... <Input container> Module im_tcp ListenAddr 127.0.0.1:12202 InputType GELF_TCP </Input> ... <Output syslog-container-server> Module om_udp Host ${user.logserver} Port 514 Exec to_json(); Exec $message =~ s/-p[^\s]+/-pXXX/; Exec to_syslog_bsd(); </Output> ... <Route container-to-syslog> Path container => syslog-container-buffer => syslog-container-server </Route>And the log on the rsyslog:Apr 15 15:24:26 qh-a07-nomad-agent-03 {"version": "1.1","Hostname":"qh-a07-nomad-agent-03","ShortMessage":"[2024-04-15 13:24:26] app.DEBUG: Connected to redis...PONG [] []","EventTime":"2024-04-15T15:24:26.376000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"f1...","container_name":"iframes-c77e666c-fd39-f6f6-4d57-b416a4a7e28a","created":"2024-04-12T08:58:36.870730597Z","image_id":"sha256:2a26fed9c075899cfe86d74f8f44c2729be0f392a96d10c938795fe84036506d","image_name":"repos/production/iframes/production:68c00192","tag":"production","MessageSourceAddress":"127.0.0.1","EventReceivedTime":"2024-04-15T15:24:26.376703+02:00","SourceModuleName":"container","SourceModuleType":"im_tcp"}How can I extract container_nameand use for $SourceName = 'my_application';  so that “my_application” is replaced with the content of "container_name ?cu denny

denny.fuchs@inatec.com created
Replies: 1
View post »
last updated
AllowIP Directive Not working in EE 6.2
Hi,I am getting the following error when using the AllowIP Directive in Enterprise Edition 6.2:2024-04-02 15:17:42 ERROR [im_udp|SynologySyslog] invalid keyword: AllowIP at C:\Program Files\nxlog\conf\nxlog.conf:45The config snippit containing this is:<Input SynologySyslog> module im_udp ListenAddr 0.0.0.0:514 AllowIP 10.0.0.106 <Exec> parse_syslog_ietf(); </Exec> </Input><Input SynologySyslog>module  im_udpListenAddr 0.0.0.0:514AllowIP 10.0.0.106<Exec> parse_syslog_ietf();</Exec></Input>Any help would be greatly appreciated!! 

PHILLIPS, DALE (ext) (SMO UKI RC-GB RI PE MT 1 6 1) created
Replies: 0
View post »
last updated
ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
Hello,I am getting the following error message with the SSL configured using om_ssl . Has anyone encountered this issue in the past? The config works without SSL but I want to make SSL to work.Please note that some information has been modified to avoid sensitive information exposure.2024-03-20 00:26:21 INFO connecting to destination_host:### 2024-03-20 00:26:21 INFO successfully connected to destination_host:### 2024-03-20 00:26:21 INFO reconnecting in 1 seconds 2024-03-20 00:26:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)This is my nxlog agent config code snippet:... <Output out_to_destination> Module om_ssl Host %OUTPUT_DESTINATION_HOST% Port %OUTPUT_DESTINATION_PORT% Exec $Message = to_json(); to_syslog_bsd(); CAFile %CERTDIR%\CA.pem CertFile %CERTDIR%\client-cert.pem CertKeyFile %CERTDIR%\client-key.pem AllowUntrusted TRUE </Output> ...Is there anyway to bypass verification? Is this issue on the nxlog agent side?

JLai created
Replies: 0
View post »
last updated
missing module
Hi All, I am trying to test and evaluate the NXlog for collect the dns analytical log(ETL) and forward it to splunk directly. now I am using the community version of NXlog and get below error: 2024-03-14 10:35:31 ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_etw.dll, The specified module could not be found.  ; The specified module could not be found.  2024-03-14 10:35:31 ERROR invalid keyword: HTTPHeader at C:\Program Files\nxlog\conf\nxlog.conf:902024-03-14 10:35:31 ERROR module 'out_to_splunk' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:942024-03-14 10:35:31 ERROR route 1 is not functional without output modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:942024-03-14 10:35:31 WARNING no routes defined!Could someone please help to point the error/misconfiguration from the below NXlog.conf? thanks.  nxlog.confPanic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%Moduledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension><Extension _charconv>   Module      xm_charconv   AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32</Extension><Extension _exec>   Module      xm_exec</Extension><Extension _fileop>   Module      xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       Exec    if (file_exists('%LOGFILE%') and \                  (file_size('%LOGFILE%') >= 5M)) \                   file_cycle('%LOGFILE%', 8);   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);   </Schedule></Extension># Snare compatible example configuration# Collecting event log# <Input in>#     Module      im_msvistalog# </Input># # Converting events to Snare format and sending them out over TCP syslog# <Output out>#     Module      om_tcp#     Host        192.168.1.1#     Port        514#     Exec        to_syslog_snare();# </Output># # Connect input 'in' to output 'out'# <Route 1>#     Path        in => out# </Route><Input in_dns>   Module      im_etw   Provider    Microsoft-Windows-DNSServer</Input><Input dns_analytical_log>   Module      im_msvistalog   Query       <QueryList>\                   <Query Id="0">\                       <Select Path="Microsoft-Windows-DNS-Server/Analytical">*</Select>\                   </Query>\               </QueryList></Input> <Output out_to_splunk>   Module      om_http   URL         http://192.168.1.85:8088/services/collector   ContentType application/json   Exec        to_json();   HTTPHeader  Authorization: 6aad1862-c232-4613-a248-bc58f0885ea8</Output><Route 1>   Path        dns_analytical_log => out_to_splunk</Route>

bianmingkai created
Replies: 0
View post »
last updated
New User - would love some assistance
Hi So im a brand new user to NXLog,  and NXlog are refusing to offer me any support unless i pay for it, which i feel is a little unfair given i have literraly just purchased 8 Enterprise Editon licenses . However i have got a config file which im working with. So far i have two problems 1 - The resulting log file is empty2 - I am receiving the following errors2024-03-05 14:31:28 ERROR [im_maculs|uls] Could not get proc_info, skipping log @ 486802024-03-05 14:31:28 WARNING [im_maculs|uls] Avoided padding for log ending @ 0xBE39  I am not sure on the best course of action here, or wether i need to upload the actual config file, if anybody can offer any help or guidnace at all it would be greatly appreciated. More than happy to prove more info if it helps Thanks

Finalcut created
Replies: 0
View post »
last updated
Compression and Encryption
HiI have configured compression and encryption for locally stored logs, and it seems to be working fine. However, when I run the command c:\program files\nxlog\nxlog-processor.exe -c d:\data\decrypted.conf, I encounter an error while attempting to decrypt the currently active file. The error message reads: 'error [im_file:enc_in] Crypto SSL error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length.' Despite this error, the file is decrypted successfully, and we are able to read the log file clearly. Could you please advise on the meaning of this error? I have not encountered any errors for older encrypted files. Thank youOur current config is as follows:nxlog.confPanic Softdefine INSTALLDIR D:\Program Files\nxlog#ModuleDir %INSTALLDIR%\modules#CacheDir  %INSTALLDIR%\data#SpoolDir  %INSTALLDIR%\datadefine CERTDIR %INSTALLDIR%\certdefine CONFDIR %INSTALLDIR%\conf\nxlog.d# Note that these two lines define constants only; the log file location# is ultimately set by the `LogFile` directive (see below). The# `MYLOGFILE` define is also used to rotate the log file automatically# (see the `_fileop` block).define LOGDIR D:\Program Files\nxlog\datadefine MYLOGFILE %LOGDIR%/nxlog.log# If you are not using NXLog Manager, disable the `include` line# and enable LogLevel and LogFile.#include %CONFDIR%\*.confLogLevel    INFOLogFile     %MYLOGFILE%<Extension xml>   Module      xm_xml</Extension><Extension exec>   Module      xm_exec</Extension><Extension _syslog>Module xm_syslog</Extension><Extension zlib>   Module      xm_zlib</Extension><Extension crypto>   Module       xm_cryptoPasswordFile "d:\\Program Files\\nxlog\\conf\\nxlogkeyfile.pem"</Extension><Extension fileop>   Module      xm_fileop</Extension># Input from remote relay<Input nxlog_relay> Module   im_ssl ListenAddr 0.0.0.0:8514 CAFile  %CERTDIR%/root.pem CertFile %CERTDIR%/xxx..pem CertkeyFile %CERTDIR%/xxx..pem RequireCert FALSE Exec  $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname;</Input># This Section contains the configuration to receive logs forwarded by  Servers<Input servers_ssl> Module      im_ssl ListenAddr 0.0.0.0:7514 CAFile  %CERTDIR%/root.pem CertFile %CERTDIR%/xxx..pem CertkeyFile %CERTDIR%/xxx..pem RequireCert FALSE Exec  $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname; </Input><Output log_local_encrypted>Module   om_fileFile     "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log"CreateDir trueExec  to_syslog_ietf();OutputType zlib.compress, crypto.aes_encrypt</Output><Output log_remote_encrypted>   Module   om_fileFile     "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log.gz.enc"CreateDir trueExec  to_syslog_ietf();OutputType zlib.compress, crypto.aes_encrypt</Output># Path to forward logs to locally<Route Windows_Network_To_Locally>       Path    servers_ssl, network_tcp_ssl => log_local_encrypted</Route># Path to forward logs to locally<Route Remote_Windows_Network_To_Locally>       Path    nxlog_relay => log_remote_encrypted</Route># This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`# is changed in managed.conf via NXLog Manager, rotation of the new# file should also be configured there.<Extension _fileop>   Module  xm_fileop   # Check the size of our log file hourly, rotate if larger than 5MB   <Schedule>       Every   1 hour       <Exec>           if ( file_exists('%MYLOGFILE%') and                (file_size('%MYLOGFILE%') >= 5M) )           {                file_cycle('%MYLOGFILE%', 8);           }       </Exec>   </Schedule>   # Rotate our log file every week on Sunday at midnight   <Schedule>       When    @weekly       Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);   </Schedule></Extension>Regards, Billy

billychua created
Replies: 0
View post »
last updated
ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
Got this error while trying to forward windows 11 event logs to SIEM:ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.my  nxlog config is heredefine ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension fileop> Module xm_fileop </Extension> Nxlog internal logs <Input internal> Module im_internal Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json(); </Input> Win Event Log - Security <Input inSecurityEvent> Module im_msvistalog Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList> Exec $Message = to_json(); </Input> <Output outSecurityEvent> Module om_tcp Host X.X.X.X Port 5060 Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); to_json(); Exec to_json(); Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event); </Output> <Route 1> Path inSecurityEvent => outSecurityEvent </Route>This works fine on other version of windows. the problem is windows 11

shahpasandi created
Replies: 1
View post »
last updated
Om_azuremonitor module
Hi.. anybody can clarify if om_azuremonitor work in air gap environment  Thx for your inputs

mdekshinsg created
Replies: 1
View post »
last updated
om_azuremonitor output module resolve URI through DNS
The objective is to configure the Nxlog to send logs to Sentinel LAW. The output module used is om_azuremonitor. The DCE URI directive depends on DNS resolution to resolve the url to ip. We added entry in the local /etc/hosts filleBut nslookup on the URI fails.Any inputs how the DNS can be resolved.There is no specific DNS server configured

mdekshinsg created
Replies: 3
View post »
last updated