Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.

ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
Got this error while trying to forward windows 11 event logs to SIEM:ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.my  nxlog config is heredefine ROOT C:\Program Files\nxlog #define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension json> Module xm_json </Extension> <Extension fileop> Module xm_fileop </Extension> Nxlog internal logs <Input internal> Module im_internal Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json(); </Input> Win Event Log - Security <Input inSecurityEvent> Module im_msvistalog Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList> Exec $Message = to_json(); </Input> <Output outSecurityEvent> Module om_tcp Host X.X.X.X Port 5060 Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); to_json(); Exec to_json(); Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event); </Output> <Route 1> Path inSecurityEvent => outSecurityEvent </Route>This works fine on other version of windows. the problem is windows 11

shahpasandi created
Replies: 1
View post »
last updated
Om_azuremonitor module
Hi.. anybody can clarify if om_azuremonitor work in air gap environment  Thx for your inputs

mdekshinsg created
Replies: 1
View post »
last updated
om_azuremonitor output module resolve URI through DNS
The objective is to configure the Nxlog to send logs to Sentinel LAW. The output module used is om_azuremonitor. The DCE URI directive depends on DNS resolution to resolve the url to ip. We added entry in the local /etc/hosts filleBut nslookup on the URI fails.Any inputs how the DNS can be resolved.There is no specific DNS server configured

mdekshinsg created
Replies: 3
View post »
last updated
I would like to collect log with parameters only from one type of log
Hi,I have the configuration below in which I would like to collect data from “Security" and from ”ForwardedEvents".I would like the data from the Security to be with specific values (e.g. $TaskValue, $Version) while ForwardedEvents ignore them. How can I configure it?

Avi Israelov created
Replies: 1
View post »
last updated
DNS resolution in Nxlog
Hi! Can somebody help me with how DNS resolution works in Nxlog configuration?Thx !

mdekshinsg created
Replies: 1
View post »
last updated
Does NXLog support tamper-proof logging?
Hi Support,I would like to inquire whether NXLog supports tamper-proofing for syslog received and stored in the NXLog Relay Server.Thank you.Regards,Billy

billychua created
Replies: 2
View post »
last updated
Webpage Error
I had to restart the VM running our NXLog Manager (CentOS7).Now I'm getting the following message when attempting to access our NXLog Manager URL: HTTP ERROR 500Problem accessing /nxlog-manager/login.html. Reason: Server Error Caused by:org.apache.tiles.request.render.CannotRenderException: ServletException including path '/WEB-INF/layouts/default.jsp'.

ricky.ho@blackbox.com created
Replies: 3
View post »
last updated
Problem when parsing Sysmon message Event 12
I'm using NX log enterprise to collect Sysmon logs.I have a problem with EventID 12 , In the original (Windows view ) the event type is set to EventType: CreateKeyAs part of the NXlog output, in the Metadata the Event type is set to INFO and only in the msg field i can see the EventType: CreateKey  Please advice 

dudu.zbeda@cognyte.com created
Replies: 1
View post »
last updated
drop action to forwarding logs to a remote server is not working
Good Afternoon Team.I have a nxlog service running on a windows server. It has input rule to collect syslog from several devices like this: <Input syslog514udp>Module im_udpPort 514Host 0.0.0.0<Exec> $raw_event =~ s/\r?\n/#012/g; parse_syslog_bsd();</Exec> </Input>  I am trying to forward the syslog of one specific device (10.10.10.10) to a public IP 190.20.30.40, but the filter is not working since nxlog is forwarding everything, configuration bellow: <Output OutNetomi>Exec if ($MessageSourceAddress == ‘10.10.10.10’) drop();Module  om_udpHost    190.20.30.40Port    514</Output> Do you know where the error is? Thank you.Diego.

montealegre.diego@gmail.com created
Replies: 1
View post »
last updated
Nxlog Error 1067: the process terminated unexpectedly
We have the issue Nxlog Error 1067: the process terminated unexpectedly.Is there a way to fix this without reinstalling?Does re-installation require a reboot?  

parint@lhbank.co.th created
Replies: 0
View post »
last updated
nxlog does not send log file to graylog
Hi, can you help with the problem of nxlog not sending loose txt files to graylog?My nxlog.conf snippet about sending loose txt files<Input zpliku>Module im_fileFile "D:\file.log"</Input><Route messages_to_udp>Path zpliku => out</Route I have output defined for Graylog as GELF and the other section sending eventlog works correctly. Only sending loose files doesn't work here

Tadeusz created
Replies: 0
View post »
last updated
Integrate Windows NXLog Agent with google Chronicle
I need help to integrate my Windows Server with Nxlog Agent installed to forward events/logs to Google Chronicle. I read the documentation of NxLog of this integrations, but the topic that explains how to use nxlog to direct structure logs to chronicle, he talk to edit a XML file, but i dont know what file I need to edit.  

rodrigo1413 created
Replies: 0
View post »
last updated
IIS logs in Graylog
hello everyone,I am configuring nxlog to send IIS logs to Graylog.I managed to configure everything correctly but I would like to make the logs more readable on Graylog.I currently display them like this:would it be possible to somehow get the login name and ip of the user who logged in out of the “message” field?my  current nxlog configuration is this: Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data include %CONFDIR%\*.conf define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension _fileop> Module xm_fileop # Check the size of our log file hourly, rotate if larger than 5MB &lt;Schedule&gt; Every 1 hour Exec if (file_exists('%LOGFILE%') and \ (file_size('%LOGFILE%') &gt;= 5M)) \ file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; # Rotate our log file every week on Sunday at midnight &lt;Schedule&gt; When @weekly Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8); &lt;/Schedule&gt; </Extension> <Extension _gelf> Module xm_gelf </Extension> <Extension _json> Module xm_json </Extension> ####################################################################### IIS NXLOG ####################################################################### <Extension w3c> Module xm_csv Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string Delimiter ' ' QuoteChar '"' EscapeControl FALSE UndefValue - </Extension> <Input iis> Module im_file File "C:\inetpub\logs\LogFiles\W3SVC*\u_ex*" SavePos TRUE Exec $ShortMessage = $raw_event; Exec if $raw_event =~/^#/ drop();\ else\ {\ w3c-&gt;parse_csv();\ $EventTime = parsedate($date + " " + $time);\ $EventTime = parsedate($date + " " + $time + "Z");\ $SourceName = "IIS";\ $raw_event = to_json();\ } </Input> ####################################################################### /IIS NXLOG ####################################################################### Snare compatible example configuration Collecting event log <Input in> Module im_msvistalog </Input> Converting events to Snare format and sending them out over TCP syslog <Output out> Module om_tcp Host ha-centlog-vip.xxxxxxxx Port 12201 Exec to_json(); OutputType GELF_TCP Exec $Hostname = hostname_fqdn(); Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event; #Use the following line for debugging (uncomment the fileop extension above as well) #Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event); </Output> <Route iis-to-graylog> Path iis => out </Route> Connect input 'in' to output 'out' <Route 1> Path in => outThanks

Nunzio Brandi created
Replies: 2
View post »
last updated
NXLog - read logs from a local .csv file on Windows Server
Hi!I would like to have some help with my NXLog confiugration. I dont get any errors or so but in the SIEM I don't receive any logs at all from the source. So I'm guessing that there Is some issues reading logs from the .csv file. Or It could be something else. So my purpose with this Is to ship logs in a local .csv file to a SIEM. My thought was that NXLog should be a great solutions with this due to all extensions and so on. My NXLog configuration file Is based on these modules,xm_csvxm_syslogxm_jsonim_file (pointing out the local .csv file)out_ssl (for shipping logs through tls encryption)Been following along with this guide, Delimiter-Separated Values (xm_csv) | NXLog DocsHas anyone done this before? Thanks

aleksta created
Replies: 2
View post »
last updated
Problem using im_odbc (SQLDescribeParam Invalid parameter number)
Hi I'm getting a problem were the im_odbc module connects successfully to the DB via odbc but then straight away disconnects and give the error INFO [im_odbc|sccm_alerts] im_odbc successfully connected to the databaseWARNING [im_odbc|sccm_alerts] im_odbc detected a disconnection, attempting to reconnect in 10 secondsERROR [im_odbc|sccm_alerts] SQLDescribeParam failed, 07009:2:0:[Microsoft][ODBC Driver 17 for SQL Server]Invalid parameter number (odbc error code: -1) This is running on windows server 2019 and using MS SQL server 2017 (64bit)I have tried the ODBC driver 13/17/18 and tried just basic SQL query's to retrieve a single table (of just a couple or rows and columns ) The current DSN again works with PowerShell fine I've tried making my own and using system ones All permutations work using all ODBC drivers and SQL query's with PowerShell no problem  <Extension _json> Module xm_json </Extension> <Input sccm_alerts> Module im_odbc ConnectionString DSN=test;Trusted_Connection=yes; SQL SELECT ID,TypeID,TypeInstanceID,Name,FeatureArea, ObjectWmiClass,Severity FROM V_SMS_Alert </Input> <Output outfile> Module om_file File 'C:\scripts\out.log' Exec to_json(); </Output> <Route sccm> Path sccm_alerts, sccm_alerts => outfile </Route>It was al installed as a “standard” SCCM install which is working fine  Many thanks for any help, please let me know if you needs any more information Kind regards  

Floss created
Replies: 2
View post »
last updated
NXLog Manager support for RHEL
Hi,Can check if the current NXLog Manager can support RHEL 8.8?And any roadmap to support RHEL9 in future? ThanksRegards, Billy

billychua created
Replies: 1
View post »
last updated
NXLOG for windows server 2019
hi,First of all I would like to know if NXLOG compatible with Windows server 2019. I have trouble with the performance of nxlog on windows 2019 while on 2012 everything is fine.The logs do not go up instantly even though the configuration is the same and there is no issue with the network.Does anyone knows what the issue might be?Thank you for your answers.

אסף ל created
Replies: 1
View post »
last updated
Seeking Assistance with NXLog Agent Installation aws ec2 linux instance
Hi Experts,I am reaching out to seek assistance with the installation of the NXLog Agent on my AWS EC2 Linux instance. I have encountered some challenges during the installation process and would greatly appreciate your guidance and support.The AWS EC2 instance I am using is running Amazon Linux version 2023. Here are the details of my Linux distribution:- Name: Amazon Linux- Version: 2023- ID: amzn- ID_LIKE: fedora- Version_ID: 2023- PLATFORM_ID: platform:al2023- PRETTY_NAME: Amazon Linux 2023- ANSI_COLOR: 0;33- CPE_NAME: cpe:2.3:o:amazon:amazon_linux:2023- HOME_URL: [https://aws.amazon.com/linux/](https://aws.amazon.com/linux/)- BUG_REPORT_URL: [https://github.com/amazonlinux/amazon-linux-2023](https://github.com/amazonlinux/amazon-linux-2023)- SUPPORT_END: 2028-03-01I kindly request your assistance in determining the correct RPM package I should download for this particular distribution and version of Linux.https://nxlog.co/downloads/nxlog-ce#nxlog-community-editionis there any documentation or resources that I can refer to for guidance on the installation process.Appreciate any help. 

siuolkl created
Replies: 1
View post »
last updated
Systemd and open files limit
Would like to check where should i change the file for RHEL 8? I found the below link but doesn't work for rhel 8. Common issues :: NXLog Documentation This scenario requires edits to the service file or an override. To check NXLog system limits, use the following command:$ cat /proc/$(cat /opt/nxlog/var/run/nxlog/nxlog.pid)/limitsOn Systems not using /proc, check the system’s open file limit:$ sysctl kern.maxfilesTo adjust limits for nxlog, create /etc/systemd/system/nxlog.service.d/override.conf and add the following definition:[Service] LimitNOFILE=100000Update the service settings with:$ systemctl daemon-reload

billychua created
Replies: 1
View post »
last updated
Multiple log in Windows Events Log
Hi, I have a problem trying to send the raw event of Windows Server 2016. I have this configuration in nxlog.conf: Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf\nxlog.d define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data <Extension _syslog> Module xm_syslog </Extension> <Extension _leef> Module xm_leef </Extension> <Extension xml> Module xm_xml </Extension> <Extension _charconv> Module xm_charconv AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32 </Extension> <Extension _exec> Module xm_exec </Extension> <Extension rewrite> Module xm_rewrite Keep EventXML </Extension> <Input argentina> Module im_msvistalog <QueryXML> <QueryList> <Query Id="0" Path="Security"> <Select Path="Security">*[System[band(Keywords,13510798882111488)]]</Select> </Query> </QueryList> </QueryXML> </Input> <Processor buffer1> Module pm_buffer MaxSize 102400 Type Mem </Processor> <Output qradar> Module om_tcp Host XXX.XXX.XXX.XXX:514 Exec $raw_event = $EventXML; Exec delete_all(); </Output> <Route r1> Path argentina => buffer1 => qradar </Route>but in our SIEM i see this output (every line is a diferent log):I used "tcpdump" to saw if every log are diferent packets but i saw that it's only one packet but it has a special character that separete the line (i thought) .Could someone help to solve this? maybe using “replace” or changing the encoding. Thanks

santiagonahuel.sarchetti@bbva.com created
Replies: 0
View post »
last updated