Upgrade to NXLOG Enterprise Edition 6.0
emerson.arcella@pediatrix.com created
Good Morning All, we would need to take advantage of the new features within NXLOG 6.0 EE. Are there any instructions on how to perform the upgrade from 5.0 to 6.0? Or is this a revamp of the whole environment and re-deployment of the agents? I currently have 900 agents deployed and it would not make sense to re-deploy.
*SOLVED*: Input Gelf -> Output Syslog -> extract container_name from JSON and set $SourceName
denny.fuchs@inatec.com created
Hello, we are using Nomad which sends logs in GELF format. We need to forward it to Rsyslog and also to Graylog. For Syslog I want to set $SourceName, which needs to be extracted from the JSON / GELF. The config looks like this:
...
<Input container>
Module im_tcp
ListenAddr 127.0.0.1:12202
InputType GELF_TCP
</Input>
...
<Output syslog-container-server>
Module om_udp
Host ${user.logserver}
Port 514
Exec to_json();
Exec $message =~ s/-p[^\s]+/-pXXX/;
Exec to_syslog_bsd();
</Output>
...
<Route container-to-syslog>
Path container => syslog-container-buffer => syslog-container-server
</Route>
And the log on the rsyslog:
Apr 15 15:24:26 qh-a07-nomad-agent-03 {"version": "1.1","Hostname":"qh-a07-nomad-agent-03","ShortMessage":"[2024-04-15 13:24:26] app.DEBUG: Connected to redis...PONG [] []","EventTime":"2024-04-15T15:24:26.376000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"f1...","container_name":"iframes-c77e666c-fd39-f6f6-4d57-b416a4a7e28a","created":"2024-04-12T08:58:36.870730597Z","image_id":"sha256:2a26fed9c075899cfe86d74f8f44c2729be0f392a96d10c938795fe84036506d","image_name":"repos/production/iframes/production:68c00192","tag":"production","MessageSourceAddress":"127.0.0.1","EventReceivedTime":"2024-04-15T15:24:26.376703+02:00","SourceModuleName":"container","SourceModuleType":"im_tcp"}
How can I extract container_name and use it for $SourceName = 'my_application'; so that "my_application" is replaced with the content of "container_name"? cu denny
AllowIP Directive Not working in EE 6.2
PHILLIPS, DALE (ext) (SMO UKI RC-GB RI PE MT 1 6 1) created
Hi, I am getting the following error when using the AllowIP directive in Enterprise Edition 6.2:
2024-04-02 15:17:42 ERROR [im_udp|SynologySyslog] invalid keyword: AllowIP at C:\Program Files\nxlog\conf\nxlog.conf:45
The config snippet containing this is:
<Input SynologySyslog>
module im_udp
ListenAddr 0.0.0.0:514
AllowIP 10.0.0.106
<Exec>
parse_syslog_ietf();
</Exec>
</Input>
Any help would be greatly appreciated!!
ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
JLai created
Hello, I am getting the following error message with SSL configured using om_ssl. Has anyone encountered this issue in the past? The config works without SSL but I want to make SSL work. Please note that some information has been modified to avoid sensitive information exposure.
2024-03-20 00:26:21 INFO connecting to destination_host:###
2024-03-20 00:26:21 INFO successfully connected to destination_host:###
2024-03-20 00:26:21 INFO reconnecting in 1 seconds
2024-03-20 00:26:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
This is my nxlog agent config code snippet:
...
<Output out_to_destination>
Module om_ssl
Host %OUTPUT_DESTINATION_HOST%
Port %OUTPUT_DESTINATION_PORT%
Exec $Message = to_json(); to_syslog_bsd();
CAFile %CERTDIR%\CA.pem
CertFile %CERTDIR%\client-cert.pem
CertKeyFile %CERTDIR%\client-key.pem
AllowUntrusted TRUE
</Output>
...
Is there any way to bypass verification? Is this issue on the nxlog agent side?
missing module
bianmingkai created
Hi All, I am trying to test and evaluate NXLog to collect the DNS analytical log (ETL) and forward it to Splunk directly. Now I am using the community version of NXLog and get the error below:
2024-03-14 10:35:31 ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_etw.dll, The specified module could not be found. ; The specified module could not be found.
2024-03-14 10:35:31 ERROR invalid keyword: HTTPHeader at C:\Program Files\nxlog\conf\nxlog.conf:90
2024-03-14 10:35:31 ERROR module 'out_to_splunk' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:94
2024-03-14 10:35:31 ERROR route 1 is not functional without output modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:94
2024-03-14 10:35:31 WARNING no routes defined!
Could someone please help to point out the error/misconfiguration in the nxlog.conf below? Thanks.
nxlog.conf
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
 Module xm_syslog
</Extension>
<Extension _charconv>
 Module xm_charconv
 AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
 Module xm_exec
</Extension>
<Extension _fileop>
 Module xm_fileop
 # Check the size of our log file hourly, rotate if larger than 5MB
 <Schedule>
 Every 1 hour
 Exec if (file_exists('%LOGFILE%') and \
 (file_size('%LOGFILE%') >= 5M)) \
 file_cycle('%LOGFILE%', 8);
 </Schedule>
 # Rotate our log file every week on Sunday at midnight
 <Schedule>
 When @weekly
 Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
 </Schedule>
</Extension>
# Snare compatible example configuration
# Collecting event log
# <Input in>
# Module im_msvistalog
# </Input>
#
# Converting events to Snare format and sending them out over TCP syslog
#
# <Output out>
# Module om_tcp
# Host 192.168.1.1
# Port 514
# Exec to_syslog_snare();
# </Output>
#
# Connect input 'in' to output 'out'
# <Route 1>
# Path in => out
# </Route>
<Input in_dns>
 Module im_etw
 Provider Microsoft-Windows-DNSServer
</Input>
<Input dns_analytical_log>
 Module im_msvistalog
 Query <QueryList>\
 <Query Id="0">\
 <Select Path="Microsoft-Windows-DNS-Server/Analytical">*</Select>\
 </Query>\
 </QueryList>
</Input>
<Output out_to_splunk>
 Module om_http
 URL http://192.168.1.85:8088/services/collector
 ContentType application/json
 Exec to_json();
 HTTPHeader Authorization: 6aad1862-c232-4613-a248-bc58f0885ea8
</Output>
<Route 1>
 Path dns_analytical_log => out_to_splunk
</Route>
New User - would love some assistance
Finalcut created
Hi, so I'm a brand new user to NXLog, and NXLog are refusing to offer me any support unless I pay for it, which I feel is a little unfair given I have literally just purchased 8 Enterprise Edition licenses. However I have got a config file which I'm working with. So far I have two problems:
1 - The resulting log file is empty
2 - I am receiving the following errors
2024-03-05 14:31:28 ERROR [im_maculs|uls] Could not get proc_info, skipping log @ 48680
2024-03-05 14:31:28 WARNING [im_maculs|uls] Avoided padding for log ending @ 0xBE39
I am not sure on the best course of action here, or whether I need to upload the actual config file. If anybody can offer any help or guidance at all it would be greatly appreciated. More than happy to provide more info if it helps. Thanks
Compression and Encryption
billychua created
Hi, I have configured compression and encryption for locally stored logs, and it seems to be working fine. However, when I run the command c:\program files\nxlog\nxlog-processor.exe -c d:\data\decrypted.conf, I encounter an error while attempting to decrypt the currently active file. The error message reads: 'error [im_file:enc_in] Crypto SSL error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length.' Despite this error, the file is decrypted successfully, and we are able to read the log file clearly. Could you please advise on the meaning of this error? I have not encountered any errors for older encrypted files. Thank you.
Our current config is as follows:
nxlog.conf
Panic Soft
define INSTALLDIR D:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d
# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR D:\Program Files\nxlog\data
define MYLOGFILE %LOGDIR%/nxlog.log
# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%\*.conf
LogLevel INFO
LogFile %MYLOGFILE%
<Extension xml>
 Module xm_xml
</Extension>
<Extension exec>
 Module xm_exec
</Extension>
<Extension _syslog>
 Module xm_syslog
</Extension>
<Extension zlib>
 Module xm_zlib
</Extension>
<Extension crypto>
 Module xm_crypto
 PasswordFile "d:\\Program Files\\nxlog\\conf\\nxlogkeyfile.pem"
</Extension>
<Extension fileop>
 Module xm_fileop
</Extension>
# Input from remote relay
<Input nxlog_relay>
 Module im_ssl
 ListenAddr 0.0.0.0:8514
 CAFile %CERTDIR%/root.pem
 CertFile %CERTDIR%/xxx..pem
 CertkeyFile %CERTDIR%/xxx..pem
 RequireCert FALSE
 Exec $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname;
</Input>
# This Section contains the configuration to receive logs forwarded by Servers
<Input servers_ssl>
 Module im_ssl
 ListenAddr 0.0.0.0:7514
 CAFile %CERTDIR%/root.pem
 CertFile %CERTDIR%/xxx..pem
 CertkeyFile %CERTDIR%/xxx..pem
 RequireCert FALSE
 Exec $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname;
</Input>
<Output log_local_encrypted>
 Module om_file
 File "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log"
 CreateDir true
 Exec to_syslog_ietf();
 OutputType zlib.compress, crypto.aes_encrypt
</Output>
<Output log_remote_encrypted>
 Module om_file
 File "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log.gz.enc"
 CreateDir true
 Exec to_syslog_ietf();
 OutputType zlib.compress, crypto.aes_encrypt
</Output>
# Path to forward logs to locally
<Route Windows_Network_To_Locally>
 Path servers_ssl, network_tcp_ssl => log_local_encrypted
</Route>
# Path to forward logs to locally
<Route Remote_Windows_Network_To_Locally>
 Path nxlog_relay => log_remote_encrypted
</Route>
# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
 Module xm_fileop
 # Check the size of our log file hourly, rotate if larger than 5MB
 <Schedule>
 Every 1 hour
 <Exec>
 if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') >= 5M) ) {
 file_cycle('%MYLOGFILE%', 8);
 }
 </Exec>
 </Schedule>
 # Rotate our log file every week on Sunday at midnight
 <Schedule>
 When @weekly
 Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
 </Schedule>
</Extension>
Regards, Billy
ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
shahpasandi created
Got this error while trying to forward Windows 11 event logs to SIEM:
ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
My nxlog config is here:
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
# Nxlog internal logs
<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
# Win Event Log - Security
<Input inSecurityEvent>
Module im_msvistalog
Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList>
Exec $Message = to_json();
</Input>
<Output outSecurityEvent>
Module om_tcp
Host X.X.X.X
Port 5060
Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ'); to_json();
Exec to_json();
Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event);
</Output>
<Route 1>
Path inSecurityEvent => outSecurityEvent
</Route>
This works fine on other versions of Windows. The problem is Windows 11.
Om_azuremonitor module
mdekshinsg created
Hi, can anybody clarify if om_azuremonitor works in an air-gapped environment? Thanks for your inputs.
om_azuremonitor output module resolve URI through DNS
mdekshinsg created
The objective is to configure NXLog to send logs to Sentinel LAW. The output module used is om_azuremonitor. The DCE URI directive depends on DNS resolution to resolve the URL to an IP. We added an entry in the local /etc/hosts file, but nslookup on the URI fails. Any inputs on how the DNS can be resolved? There is no specific DNS server configured.
I would like to collect log with parameters only from one type of log
Avi Israelov created
Hi, I have the configuration below in which I would like to collect data from "Security" and from "ForwardedEvents". I would like the data from Security to include specific values (e.g. $TaskValue, $Version) while ForwardedEvents ignores them. How can I configure it?
DNS resolution in Nxlog
mdekshinsg created
Hi! Can somebody help me with how DNS resolution works in the NXLog configuration? Thanks!
Does NXLog support tamper-proof logging?
billychua created
Hi Support, I would like to inquire whether NXLog supports tamper-proofing for syslog received and stored on the NXLog Relay Server. Thank you.
Regards, Billy
Webpage Error
ricky.ho@blackbox.com created
I had to restart the VM running our NXLog Manager (CentOS 7). Now I'm getting the following message when attempting to access our NXLog Manager URL:
HTTP ERROR 500
Problem accessing /nxlog-manager/login.html. Reason: Server Error
Caused by: org.apache.tiles.request.render.CannotRenderException: ServletException including path '/WEB-INF/layouts/default.jsp'.
Problem when parsing Sysmon message Event 12
dudu.zbeda@cognyte.com created
I'm using NXLog Enterprise to collect Sysmon logs. I have a problem with EventID 12. In the original (Windows view) the event type is set to EventType: CreateKey. As part of the NXLog output, in the metadata the event type is set to INFO, and only in the msg field can I see EventType: CreateKey. Please advise.
drop action to forwarding logs to a remote server is not working
montealegre.diego@gmail.com created
Good Afternoon Team. I have a nxlog service running on a Windows server. It has an input rule to collect syslog from several devices like this:
<Input syslog514udp>
Module im_udp
Port 514
Host 0.0.0.0
<Exec>
 $raw_event =~ s/\r?\n/#012/g;
 parse_syslog_bsd();
</Exec>
</Input>
I am trying to forward the syslog of one specific device (10.10.10.10) to a public IP 190.20.30.40, but the filter is not working since nxlog is forwarding everything. Configuration below:
<Output OutNetomi>
Exec if ($MessageSourceAddress == '10.10.10.10') drop();
Module om_udp
Host 190.20.30.40
Port 514
</Output>
Do you know where the error is? Thank you. Diego.
Nxlog Error 1067: the process terminated unexpectedly
parint@lhbank.co.th created
We have the issue Nxlog Error 1067: the process terminated unexpectedly. Is there a way to fix this without reinstalling? Does re-installation require a reboot?
nxlog does not send log file to graylog
Tadeusz created
Hi, can you help with the problem of nxlog not sending loose txt files to graylog? My nxlog.conf snippet about sending loose txt files:
<Input zpliku>
Module im_file
File "D:\file.log"
</Input>
<Route messages_to_udp>
Path zpliku => out
</Route>
I have output defined for Graylog as GELF and the other section sending eventlog works correctly. Only sending loose files doesn't work here.
Integrate Windows NXLog Agent with google Chronicle
rodrigo1413 created
I need help to integrate my Windows Server with the NXLog agent installed to forward events/logs to Google Chronicle. I read the NXLog documentation for this integration, but the topic that explains how to use nxlog to send structured logs to Chronicle talks about editing an XML file, and I don't know which file I need to edit.
IIS logs in Graylog
Nunzio Brandi created
Hello everyone, I am configuring nxlog to send IIS logs to Graylog. I managed to configure everything correctly but I would like to make the logs more readable on Graylog. I currently display them like this: would it be possible to somehow get the login name and IP of the user who logged in out of the "message" field? My current nxlog configuration is this:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
# Rotate our log file every week on Sunday at midnight
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Extension _gelf>
Module xm_gelf
</Extension>
<Extension _json>
Module xm_json
</Extension>
#######################################################################
# IIS NXLOG
#######################################################################
<Extension w3c>
Module xm_csv
Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
FieldTypes string, string, string, string, string, string, string, string, string, string, string, string, string, string, string
Delimiter ' '
QuoteChar '"'
EscapeControl FALSE
UndefValue -
</Extension>
<Input iis>
Module im_file
File "C:\inetpub\logs\LogFiles\W3SVC*\u_ex*"
SavePos TRUE
Exec $ShortMessage = $raw_event;
Exec if $raw_event =~/^#/ drop();\
else\
{\
w3c->parse_csv();\
$EventTime = parsedate($date + " " + $time);\
$EventTime = parsedate($date + " " + $time + "Z");\
$SourceName = "IIS";\
$raw_event = to_json();\
}
</Input>
#######################################################################
# /IIS NXLOG
#######################################################################
# Snare compatible example configuration
# Collecting event log
<Input in>
Module im_msvistalog
</Input>
# Converting events to Snare format and sending them out over TCP syslog
<Output out>
Module om_tcp
Host ha-centlog-vip.xxxxxxxx
Port 12201
Exec to_json();
OutputType GELF_TCP
Exec $Hostname = hostname_fqdn();
Exec $raw_event =$Hostname + ' IIS-NXLOG ' + $raw_event;
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
</Output>
<Route iis-to-graylog>
Path iis => out
</Route>
# Connect input 'in' to output 'out'
<Route 1>
Path in => out
</Route>
Thanks