Logs from centralised solution do not pass host field in some instances
esky created
We have a distributed solution and a centralised solution. Both send events to Splunk (I'm the Splunk Admin). 100% of the distributed events have the host field present. About 50% of the centralised events have the host field missing and show:
Hostname: ?
Any idea why this would be? Is this a misconfiguration on the centralised host somewhere, or on the agentless side?
Module: SourceModuleName: in_audit_pipe SourceModuleType: im_pipe
Thanks.
Read a log with yesterdays date in the filename
James created
I'm successfully using this config format with im_file to read logs with today's date in the filename:
'\\server.domain\Logs\IN' + strftime(now(), "%y%m%d") + '.log'
One of our services writes its log for the previous day at 3am on the next day. The filename has yesterday's date. What's the easiest/neatest/most efficient way of reading this log please?
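An added example for the question above (not the poster's configuration and not taken from NXLog's documentation): rather than computing yesterday's date in the `File` expression, let im_file watch the whole date-named family with a wildcard and rely on `SavePos` so each file, including the one that appears at 03:00 with yesterday's date, is read exactly once. The UNC path is the poster's; the module name, the polling values and the `Exec` block are assumptions.

```nxlog
<Input in_daily_logs>
    Module          im_file
    # Wildcard instead of strftime(now(), ...): the file written at 03:00 with
    # yesterday's date matches as soon as it is created, and today's file still does.
    File            '\\server.domain\Logs\IN*.log'
    # Remember the read offset per file across restarts, so nothing is re-sent.
    SavePos         TRUE
    # On first start read existing files from the beginning (set TRUE to skip backlog).
    ReadFromLast    FALSE
    # Seconds between checks for new data and for new files (assumed values).
    PollInterval    10
    DirCheckInterval 60
    <Exec>
        # Keep the file name on the event so the log date can be recovered downstream.
        $SourceFile = file_name();
    </Exec>
</Input>
```

On the very first run with `ReadFromLast FALSE` every existing `IN*.log` file is ingested, which is usually what you want for a historical backfill; if the directory holds years of files, narrow the wildcard (for example `IN24*.log`) before the first start.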
im_msvistalog --> Exec if or drop statement understanding problem
hkrischeu created
Hi,
I am using this code snippet:
<Input EventLOG>
    Module im_msvistalog
    Exec if ($TargetUserName == 'SYSTEM') OR ($EventType == 'VERBOSE') drop();
</Input>
This is working fine with my nx-Client at Windows 11. It pushes notifications to my Debian server with an installed rsyslog server.
But I want to have some specific IDs from the Windows Eventlog (e.g. 5013, 10016, 4616, 6869).
Can anybody point me to the right way? Thanks in advance for every help.
Heinz
im_azure using proxy to connect to Azure environment
mwaszut created
Hello,
We are setting up log collection from an Azure Log Analytics workspace but the connection is not possible without a B2B proxy. I see that proxy setup is possible only with the om_azure module. We need to read and collect the logs from the Azure environment and not to send them there. What should we do to make it happen? Without a proxy the connection is not possible and we can't use nxlog for our new service. Is there any other module which could set the proxy by default etc.?
Thank you,
Martin W.
One Input Multiple Outputs (AlienVault/Nxlog)
seppic created
We currently have a central logging server for our Windows Servers collecting and forwarding with NXLog to AlienVault. We have a working config file currently that I would like to modify to be able to send two of the Windows Event IDs that are being collected to our NDR (Vectra). What is the best route to be able to configure multiple sources and/or outputs? Currently we have two working configs, one for Vectra and one for AlienVault, but I'd like to "combine" them in a way that allows us to be able to send relevant data to their needed sources.
AlienVault uses a patterndb.xml file for what events it wants to collect; Vectra just needs two specific event IDs that it calls out in the log file with the below line. It then outputs to an IP. This seems like it should be pretty straightforward but I'd like to have it sort of configured/figured out before I bring down my AlienVault feed.
We are also currently using the Nxlog community edition if that matters.
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="ForwardedEvents">
                <Select Path="ForwardedEvents">*[System[(EventID=4768 or EventID=4769)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
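An added example that serves both the "specific event IDs" question (5013, 10016, 4616, 6869) and the AlienVault/Vectra question above; it is not either poster's final configuration and not NXLog's own. One im_msvistalog input subscribes to the union of the IDs from both posts, and a single route fans out to two outputs, where the Vectra output keeps only the Kerberos ticket events 4768/4769. The channel path `ForwardedEvents` comes from the second post (a local Windows 11 client would select from `Security`/`System` instead); the hostnames, ports, output modules and the output-side `drop()` are assumptions.

```nxlog
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="ForwardedEvents">
                <Select Path="ForwardedEvents">*[System[(EventID=4616 or EventID=4768 or EventID=4769 or EventID=5013 or EventID=6869 or EventID=10016)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Filtering in the XPath query above is cheaper than reading every event and
    # dropping it in Exec; Exec is kept for field-based conditions XPath cannot express.
    Exec if ($TargetUserName == 'SYSTEM') or ($EventType == 'VERBOSE') drop();
</Input>

# Placeholder destination; AlienVault keeps receiving every selected ID.
<Output to_alienvault>
    Module  om_tcp
    Host    alienvault.example.internal
    Port    514
    Exec    to_syslog_bsd();
</Output>

# Placeholder destination; drop() inside an output affects only this output's
# copy of the event, so the AlienVault feed is unchanged.
<Output to_vectra>
    Module  om_tcp
    Host    vectra.example.internal
    Port    514
    Exec    if not ($EventID == 4768 or $EventID == 4769) drop();
    Exec    to_json();
</Output>

<Route fan_out>
    Path    eventlog => to_alienvault, to_vectra
</Route>
```

Because the existing AlienVault feed is filtered by the XPath `Select`, adding IDs for a second consumer widens what the input reads; check that the AlienVault patterndb still matches only what it did before, or move the AlienVault-specific selection into its output's `Exec` the same way the Vectra output does.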
Windows Event Log - Drop/Filter
jacob.omara@doubleline.com created
All,
Hopefully an easy question.
I am currently collecting Windows event logs on a dedicated forwarding server (using native WEF) in a dedicated event log (named "Forwarded Events"). I have NxLog installed on this server and logs are being sent properly to my SIEM.
Currently I am having difficulties filtering events where the SubjectUserName field ends with the "$" symbol (logs are still reaching my SIEM). Below is a snippet of my configuration. I am running NXLog Enterprise version 6.2.
Please advise.
<Extension json>
Module xm_json
</Extension>
<Input windows_security_eventlog>
Module im_msvistalog
ReadFromLast True
SavePos True
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="ForwardedEvents">*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
###################################################
# Drop noisy machine object access (4662) events.#
###################################################
if $EventID == 4662 AND ($SubjectUserName =~ /(.)$/) drop();
</Exec>
</Input>
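An added example, not part of the post above and not NXLog's own code, showing the same input with the regular expression written so that it actually tests for a trailing dollar sign. `$FilterNote` is an assumed field name, used only to make the filter's effect visible in the SIEM.

```nxlog
<Input windows_security_eventlog>
    Module          im_msvistalog
    ReadFromLast    TRUE
    SavePos         TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Machine accounts end in a literal "$". Inside a regex an unescaped "$"
        # is the end-of-string anchor, so /(.)$/ only requires a non-empty name
        # and never looks for the dollar sign. Escape it, then anchor after it.
        if $EventID == 4662 and $SubjectUserName =~ /\$$/ drop();

        # Tag the 4662 events that survive, so the drop rule can be audited
        # from the SIEM side (assumed field name).
        if $EventID == 4662 $FilterNote = 'user-account 4662 retained';
    </Exec>
</Input>
```

The dropped events are directory-object accesses made by computer accounts; confirm with whoever owns the SIEM detection content that nothing keyed on 4662 depends on them before enabling the rule, since a drop at the collector is invisible downstream.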
Running Powershell script on a schedule to retrieve and format Windows Event logs and send to logstash output
MCon30318 created
I have a Powershell script that is retrieving events from Windows Event logs that are written by a certain application. It then parses the exception info from the Event_Data portion into separate fields and combines them into JSON (the exception info is written in one big block of text, but each line has fields that we want to separate out into distinct fields so that the data is easier to filter in Kibana). I have an input im_exec module in nxlog.conf that runs that script and a route to send that input to an om_tcp output for our logstash instance. This works fine when you restart the service; however, I'm having a problem getting this to pick up events after the initial restart. I've tried adding a schedule both to the input module and adding an xm_exec module to restart the input module on a scheduled basis. Anyone have any ideas on how to get this script to run repeatedly so that I can pick up and format new events? I've looked through the schedule documentation and tried some of the suggestions on other discussions that look a bit similar, but none seem to have worked so far. This is what I have in the conf file currently:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
<Extension json>
    Module xm_json
</Extension>
define LogFile %ROOT%\data\nxlog.log
<Input input_logs_powershell>
    Module im_exec
    Restart true
    Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    Arg "-ExecutionPolicy"
    Arg "Bypass"
    Arg "-NoProfile"
    # This specifies the path to the PowerShell script.
    Arg "-File"
    Arg "D:\Temp\events_parser.ps1"
    <Exec>
        # Parse JSON
        parse_json();
    </Exec>
</Input>
<Output logs_to_Kibana>
    Module om_tcp
    Host logstash_hostname
    Port 6710
    exec to_json();
</Output>
<Route input_logs_powershell>
    PATH input_logs_powershell => logs_to_Kibana
</Route>
Regarding PaloAlto Panorama (syslog) Logs
jacob.omara@doubleline.com created
New Enterprise NxLog customer here... hopefully an easy question.
Today I am ingesting syslog messages from my PaloAlto Panorama instance into a dedicated syslog (Ubuntu) server running syslog-ng. I am using syslog-ng to parse the incoming logs into 3 distinct log files (traffic, threat, and system). I am then using "logrotate" and "cron" to rotate, gzip, and retain the logs.
I figure I have 2 options in terms of the log files themselves now that I am an nxlog customer.
Option 1: Keep things as-is (since it is working now) and just use "im_file".
Option 2: Use nxlog to do the same things I am with syslog-ng. Being new to nxlog, not sure how to best do this.
If I want to go with Option #2, does anyone have a working configuration they would be willing to share on how they parsed the incoming syslog messages from Palo Alto into those 3 distinct files (or came up with a better alternative)? Thank you.
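An added example of Option 2 done inside NXLog; it is not from the post, and it is neither NXLog's nor Palo Alto's own configuration. A UDP syslog input tags every message with its PAN-OS log type and a single om_file output writes each type to its own file, mirroring the three syslog-ng files. The assumption that the type (TRAFFIC, THREAT, SYSTEM) is the fourth comma-separated field of the message body, the listen port, the `/var/log/pan` paths and the catch-all `other` file are all assumptions; rotation, gzip and retention are left to the existing logrotate jobs and are not shown.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input pan_syslog>
    Module      im_udp
    ListenAddr  0.0.0.0:514
    <Exec>
        # Split the syslog envelope into fields; the PAN-OS CSV body lands in $Message.
        parse_syslog();
        # Assumption: field 4 of the CSV body is the log Type. Skip three fields
        # with a non-capturing group, capture the fourth, and use it as the file name.
        # Anything that does not match goes to "other" instead of being lost.
        if $Message =~ /^(?:[^,]*,){3}(TRAFFIC|THREAT|SYSTEM),/
        {
            $PanType = lc($1);
        }
        else
        {
            $PanType = 'other';
        }
    </Exec>
</Input>

<Output pan_files>
    Module      om_file
    # The File directive is an expression, so one output writes traffic.log,
    # threat.log, system.log and other.log depending on the event.
    File        '/var/log/pan/' + $PanType + '.log'
    CreateDir   TRUE
    Exec        to_syslog_ietf();
</Output>

<Route pan>
    Path    pan_syslog => pan_files
</Route>
```

The `other` file is worth keeping even if it stays empty: a firmware upgrade that adds a new log type, or a Panorama profile that starts forwarding CONFIG or HIP-match logs, then shows up as a growing file rather than as silently discarded events.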
Errors when obtaining logs from Office365.
oscar.cerna@threatshieldsecurity.com created
Hello team.
We have followed the steps from this link: https://docs.nxlog.co/refman/v5.10/im/ms365.html#config-certkeyfile to obtain the logs from Office365.
The following permissions have been applied:
However, I am encountering the following errors when trying to extract the information:
2024-05-01 18:59:31 WARNING [im_ms365|microsoft_365] Retrying request Audit.Exchange, attempt 33 failed, error: {"error":{"code":"AF20055","message":"Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. StartTime:2024-05-01T22:48:58Z, EndTime:2024-05-01T21:21:47Z"}}. (Retrying in 200 seconds).
2024-05-01 18:59:34 WARNING [im_ms365|microsoft_365] Retrying request HealthOverviewsWithServiceHealthIssues, attempt 33 failed, error: {"error":{"code":"UnknownError","message":"","innerError":{"date":"2024-05-01T22:59:34","request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847","client-request-id":"20d6e12b-eb61-4b2b-bffa-b69f8f5c4847"}}}. (Retrying in 200 seconds).
2024-05-01 18:59:36 WARNING [im_ms365|microsoft_365] Retrying request AuditEvents, attempt 33 failed, error: {"error":{"code":"Forbidden","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: e188947b-1412-4a09-9b64-548de1c1f6a6 - Url: https://fef.amsua0602.manage.microsoft.com/StatelessAuditingFEService/deviceManagement/auditEvents?api-version=5022-08-30&$filter=activityDateTime+ge+2024-04-01T21%3a21%3a47Z+and+activityDateTime+lt+2024-05-01T21%3a21%3a47Z&$top=50\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2024-05-01T22:59:36","request-id":"e188947b-1412-4a09-9b64-548de1c1f6a6","client-request-id":"e188947b-1412-4a09-9b64-548de1c1f6a
2024-05-01 18:59:44 WARNING [im_ms365|microsoft_365] Retrying request SignIns, attempt 33 failed, error: {"error":{"code":"Authentication_RequestFromNonPremiumTenantOrB2CTenant","message":"Neither tenant is B2C or tenant doesn't have premium license","innerError":{"date":"2024-05-01T22:59:44","request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb","client-request-id":"6eb5223c-948f-42af-b28b-bbf3fbea96fb"}}}. (Retrying in 200 seconds).
2024-05-01 19:00:05 WARNING [im_ms365|microsoft_365] Retrying request ReportingWebService/MessageTrace, attempt 33 failed, error: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">; <html xmlns="http://www.w3.org/1999/xhtml">; <head>; <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>; <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>; <style type="text/css">; <!--; body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}; fieldset{padding:0 15px 10px 15px;} ; h1{font-size:2.4em;margin:0;color:#FFF;}; h2{font-size:1.7em;margin:0;color:#CC0000;} ; h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ; #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;; background-color:#555555;}; #content{margin:0 0 0 2%;position:relative;}; .content-container{background:#FFF;width:96%;margin-top:8px;padding:1
Could you help me understand these errors?
nxlog could not be stopped - error during installation
sa250367 created
I uninstalled the community version and am trying to install the enterprise version, but I am getting this error: "Service nxlog could not be stopped, verify that you have sufficient privileges to stop system services." I am a global admin. Please help.
Are there any sample log files for NXLog Manager available to test?
JW created
Looking to test some ingest into a data lake to test searches and dashboards.
DROP messages, if contains STRING SOMEWHERE
denny.fuchs@inatec.com created
hi,
I try to DROP all messages if they contain somewhere "/connection_status" or "/status", but whatever I try, the filter won't fit on Nxlog, while it works in RegexTester.
Example log:
Apr 25 11:15:11 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"status\".","context":{"route":"status","route_parameters":{"_route":"status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatus"},"request_uri":"https://hpp.example.com/status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:10.999734+00:00","extra":{}},"EventTime":"2024-04-25T11:15:11.000000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:11.001689+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}
or
Apr 25 11:15:09 nomad-cde cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd: {"Hostname":"nomad-cde","ShortMessage":"172.16.0.40 - - [25/Apr/2024:09:15:09 +0000] \"GET /status HTTP/1.0\" 200 2 \"-\" \"-\" \"172.16.1.40\"","EventTime":"2024-04-25T11:15:09.479000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"c8b7c9357b1bc195f6d88d09e4c329627bfe165debc09cfe4bbfd556fdab966c","container_name":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","image_id":"sha256:be421273041ffa5d7b8be4963f91c0376d9829ba942b86341413c59105ae671c","image_name":"harbor.example.com/testing/iframes/test:3cb57629","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.524068+02:00","SourceModuleName":"container","SourceName":"cde_iframes-3709bf3d-86a1-0264-fe9f-150ac2b14cdd","SyslogFacility":6}
or
Apr 25 11:15:09 nomad-cde cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981: {"Hostname":"nomad-cde","ShortMessage":{"message":"Matched route \"connection_status\".","context":{"route":"connection_status","route_parameters":{"_route":"connection_status","_controller":"App\\Controller\\Monitoring\\MonitoringController::getStatusDB"},"request_uri":"https://web:4433/connection_status","method":"GET"},"level":200,"level_name":"INFO","channel":"request","datetime":"2024-04-25T09:15:09.603963+00:00","extra":{}},"EventTime":"2024-04-25T11:15:09.605000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"2baaa8302059bbcb881aac339807d429b1d91e1a117659e37cb4edfb7bb1eeca","container_name":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","image_id":"sha256:7ddb43de759bd8ef93975cf10b25289a4f8628587b6d31cbe3d16e8d39443572","image_name":"harbor.example.com/testing/hpp/test:433e16c7","tag":"production","EventReceivedTime":"2024-04-25T11:15:09.634920+02:00","SourceModuleName":"container","SourceName":"cde_hpp-c7d794e5-6297-e29a-81d4-c284f52e8981","SyslogFacility":6}
I tried in the end the simplest one:
if $raw_event =~ /.*status.*/ drop();
but it does not match. The config looks like this:
<Output syslog-container-server>
Module om_udp
Host ${user.logserver}
Port 514
<Exec>
if $raw_event =~ /.*status.*/ drop();
$Hostname = "nomad-cde";
$message =~ s/-p[^\s]+/-pXXX/;
delete($SourceModuleType);
delete($MessageSourceAddress);
delete($version);
delete($created);
$SourceName = $container_name;
$SyslogFacility = $SeverityValue;
to_json();
to_syslog_bsd();
</Exec>
</Output>
Can someone give me a hint where I have to look?
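An added example for this post and for the GELF-to-syslog post further down that asks how to use `container_name` as `$SourceName`; it is neither poster's final configuration and not NXLog's own code. The output's `Exec` block sets `$SourceName` from `$container_name`, serialises the event with `to_json()`, and only then runs the drop check against `$raw_event`. That ordering rests on an assumption, not on anything in the posts: that for GELF input `$raw_event` is not reliably populated before `to_json()` rebuilds it, which would explain why a pattern that passes in a regex tester never fires here. The field cleanups and the `-p` redaction are the poster's.

```nxlog
<Output syslog-container-server>
    Module  om_udp
    Host    ${user.logserver}
    Port    514
    <Exec>
        # Field edits first, so they are part of the serialised event.
        $Hostname = "nomad-cde";
        # Use the container name as the syslog program name (the *SOLVED* question).
        $SourceName = $container_name;
        $SyslogFacility = $SeverityValue;
        delete($SourceModuleType);
        delete($MessageSourceAddress);
        delete($version);
        delete($created);

        # Rebuild $raw_event from the parsed GELF fields ...
        to_json();

        # ... then match against the serialised text. Assumption: matching before
        # to_json() sees an empty or stale $raw_event for GELF input.
        # "/" is escaped; \b stops "/status" from also matching "/statuses".
        if $raw_event =~ /\/(connection_)?status\b/ drop();

        # Redact the -p argument before the message leaves the host.
        $message =~ s/-p[^\s]+/-pXXX/;
        to_syslog_bsd();
    </Exec>
</Output>
```

If the drop still does not fire, temporarily log `$raw_event` to a file with `file_write()` at the top of the block; whether it is empty there, rather than what the regex looks like, is the thing to check first.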
Upgrade to NXLOG Enterprise Edition 6.0
emerson.arcella@pediatrix.com created
Good Morning All,
We would need to take advantage of the new features within NXLOG 6.0 EE. Are there any instructions on how to perform the upgrade from 5.0 to 6.0? Or is this a revamp of the whole environment and re-deployment of the agents? I currently have 900 agents deployed and it would not make sense to re-deploy.
*SOLVED*: Input Gelf -> Output Syslog -> extract container_name from JSON and set $SourceName
denny.fuchs@inatec.com created
Hello,
we are using Nomad, which sends logs in GELF format. We need to forward it to Rsyslog and also to Graylog. For Syslog I want to set $SourceName, which needs to be extracted from the JSON / GELF.
The config looks like this:
...
<Input container>
Module im_tcp
ListenAddr 127.0.0.1:12202
InputType GELF_TCP
</Input>
...
<Output syslog-container-server>
Module om_udp
Host ${user.logserver}
Port 514
Exec to_json();
Exec $message =~ s/-p[^\s]+/-pXXX/;
Exec to_syslog_bsd();
</Output>
...
<Route container-to-syslog>
Path container => syslog-container-buffer => syslog-container-server
</Route>
And the log on the rsyslog:
Apr 15 15:24:26 qh-a07-nomad-agent-03 {"version": "1.1","Hostname":"qh-a07-nomad-agent-03","ShortMessage":"[2024-04-15 13:24:26] app.DEBUG: Connected to redis...PONG [] []","EventTime":"2024-04-15T15:24:26.376000+02:00","SeverityValue":6,"command":"/home/app/entrypoint.sh start php-fpm","container_id":"f1...","container_name":"iframes-c77e666c-fd39-f6f6-4d57-b416a4a7e28a","created":"2024-04-12T08:58:36.870730597Z","image_id":"sha256:2a26fed9c075899cfe86d74f8f44c2729be0f392a96d10c938795fe84036506d","image_name":"repos/production/iframes/production:68c00192","tag":"production","MessageSourceAddress":"127.0.0.1","EventReceivedTime":"2024-04-15T15:24:26.376703+02:00","SourceModuleName":"container","SourceModuleType":"im_tcp"}
How can I extract container_name and use it for $SourceName = 'my_application'; so that "my_application" is replaced with the content of "container_name"?
cu denny
AllowIP Directive Not working in EE 6.2
PHILLIPS, DALE (ext) (SMO UKI RC-GB RI PE MT 1 6 1) created
Hi,
I am getting the following error when using the AllowIP Directive in Enterprise Edition 6.2:
2024-04-02 15:17:42 ERROR [im_udp|SynologySyslog] invalid keyword: AllowIP at C:\Program Files\nxlog\conf\nxlog.conf:45
The config snippet containing this is:
<Input SynologySyslog>
module im_udp
ListenAddr 0.0.0.0:514
AllowIP 10.0.0.106
<Exec>
parse_syslog_ietf();
</Exec>
</Input>
Any help would be greatly appreciated!!
ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
JLai created
Hello,
I am getting the following error message with SSL configured using om_ssl. Has anyone encountered this issue in the past? The config works without SSL but I want to make SSL work.
Please note that some information has been modified to avoid sensitive information exposure.
2024-03-20 00:26:21 INFO connecting to destination_host:###
2024-03-20 00:26:21 INFO successfully connected to destination_host:###
2024-03-20 00:26:21 INFO reconnecting in 1 seconds
2024-03-20 00:26:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
This is my nxlog agent config code snippet:
...
<Output out_to_destination>
Module om_ssl
Host %OUTPUT_DESTINATION_HOST%
Port %OUTPUT_DESTINATION_PORT%
Exec $Message = to_json(); to_syslog_bsd();
CAFile %CERTDIR%\CA.pem
CertFile %CERTDIR%\client-cert.pem
CertKeyFile %CERTDIR%\client-key.pem
AllowUntrusted TRUE
</Output>
...
Is there any way to bypass verification? Is this issue on the nxlog agent side?
missing module
bianmingkai created
Hi All, I am trying to test and evaluate NXLog to collect the DNS analytical log (ETL) and forward it to Splunk directly. Now I am using the community version of NXLog and get the below error:
2024-03-14 10:35:31 ERROR Failed to load module from C:\Program Files\nxlog\modules\input\im_etw.dll, The specified module could not be found. ; The specified module could not be found.
2024-03-14 10:35:31 ERROR invalid keyword: HTTPHeader at C:\Program Files\nxlog\conf\nxlog.conf:90
2024-03-14 10:35:31 ERROR module 'out_to_splunk' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:94
2024-03-14 10:35:31 ERROR route 1 is not functional without output modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:94
2024-03-14 10:35:31 WARNING no routes defined!
Could someone please help to point out the error/misconfiguration in the below NXlog.conf? Thanks.
nxlog.conf
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
    Module xm_syslog
</Extension>
<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
    Module xm_exec
</Extension>
<Extension _fileop>
    Module xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                (file_size('%LOGFILE%') >= 5M)) \
                file_cycle('%LOGFILE%', 8);
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>
# Snare compatible example configuration
# Collecting event log
# <Input in>
# Module im_msvistalog
# </Input>
#
# Converting events to Snare format and sending them out over TCP syslog
# <Output out>
# Module om_tcp
# Host 192.168.1.1
# Port 514
# Exec to_syslog_snare();
# </Output>
#
# Connect input 'in' to output 'out'
# <Route 1>
# Path in => out
# </Route>
<Input in_dns>
    Module im_etw
    Provider Microsoft-Windows-DNSServer
</Input>
<Input dns_analytical_log>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Microsoft-Windows-DNS-Server/Analytical">*</Select>\
        </Query>\
    </QueryList>
</Input>
<Output out_to_splunk>
    Module om_http
    URL http://192.168.1.85:8088/services/collector
    ContentType application/json
    Exec to_json();
    HTTPHeader Authorization: 6aad1862-c232-4613-a248-bc58f0885ea8
</Output>
<Route 1>
    Path dns_analytical_log => out_to_splunk
</Route>
New User - would love some assistance
Finalcut created
Hi
So I'm a brand new user to NXLog, and NXLog are refusing to offer me any support unless I pay for it, which I feel is a little unfair given I have literally just purchased 8 Enterprise Edition licenses. However, I have got a config file which I'm working with. So far I have two problems:
1 - The resulting log file is empty
2 - I am receiving the following errors
2024-03-05 14:31:28 ERROR [im_maculs|uls] Could not get proc_info, skipping log @ 48680
2024-03-05 14:31:28 WARNING [im_maculs|uls] Avoided padding for log ending @ 0xBE39
I am not sure on the best course of action here, or whether I need to upload the actual config file. If anybody can offer any help or guidance at all it would be greatly appreciated. More than happy to provide more info if it helps.
Thanks
Compression and Encryption
billychua created
Hi
I have configured compression and encryption for locally stored logs, and it seems to be working fine. However, when I run the command c:\program files\nxlog\nxlog-processor.exe -c d:\data\decrypted.conf, I encounter an error while attempting to decrypt the currently active file. The error message reads: 'error [im_file:enc_in] Crypto SSL error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length.' Despite this error, the file is decrypted successfully, and we are able to read the log file clearly. Could you please advise on the meaning of this error? I have not encountered any errors for older encrypted files. Thank you
Our current config is as follows:
nxlog.conf
Panic Soft
define INSTALLDIR D:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d
# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR D:\Program Files\nxlog\data
define MYLOGFILE %LOGDIR%/nxlog.log
# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%\*.conf
LogLevel INFO
LogFile %MYLOGFILE%
<Extension xml>
    Module xm_xml
</Extension>
<Extension exec>
    Module xm_exec
</Extension>
<Extension _syslog>
    Module xm_syslog
</Extension>
<Extension zlib>
    Module xm_zlib
</Extension>
<Extension crypto>
    Module xm_crypto
    PasswordFile "d:\\Program Files\\nxlog\\conf\\nxlogkeyfile.pem"
</Extension>
<Extension fileop>
    Module xm_fileop
</Extension>
# Input from remote relay
<Input nxlog_relay>
    Module im_ssl
    ListenAddr 0.0.0.0:8514
    CAFile %CERTDIR%/root.pem
    CertFile %CERTDIR%/xxx..pem
    CertkeyFile %CERTDIR%/xxx..pem
    RequireCert FALSE
    Exec $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname;
</Input>
# This Section contains the configuration to receive logs forwarded by Servers
<Input servers_ssl>
    Module im_ssl
    ListenAddr 0.0.0.0:7514
    CAFile %CERTDIR%/root.pem
    CertFile %CERTDIR%/xxx..pem
    CertkeyFile %CERTDIR%/xxx..pem
    RequireCert FALSE
    Exec $Hostname = hostname(); parse_syslog(); $DeviceHostname = $Hostname;
</Input>
<Output log_local_encrypted>
    Module om_file
    File "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log"
    CreateDir true
    Exec to_syslog_ietf();
    OutputType zlib.compress, crypto.aes_encrypt
</Output>
<Output log_remote_encrypted>
    Module om_file
    File "d:/data/nxlogstore/" + $DeviceHostname + "/" + $DeviceHostname + "-" + strftime(now(), '%Y%m%d') + ".log.gz.enc"
    CreateDir true
    Exec to_syslog_ietf();
    OutputType zlib.compress, crypto.aes_encrypt
</Output>
# Path to forward logs to locally
<Route Windows_Network_To_Locally>
    Path servers_ssl, network_tcp_ssl => log_local_encrypted
</Route>
# Path to forward logs to locally
<Route Remote_Windows_Network_To_Locally>
    Path nxlog_relay => log_remote_encrypted
</Route>
# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>
Regards, Billy
ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
shahpasandi created
Got this error while trying to forward Windows 11 event logs to SIEM:
ERROR failed to subscribe to msvistalog events,the channel was not found [error code: 15007]; The specified channel could not be found.
My nxlog config is here:
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
Module xm_json
</Extension>
<Extension fileop>
Module xm_fileop
</Extension>
# Nxlog internal logs
<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
# Win Event Log - Security
<Input inSecurityEvent>
Module im_msvistalog
Query <QueryList> <Query Id=""><Select Path="Security">*</Select></Query></QueryList>
Exec $Message = to_json();
</Input>
<Output outSecurityEvent>
Module om_tcp
Host X.X.X.X
Port 5060
Exec $EventTime = strftime($EventTime, '%Y-%m-%dT%H:%M:%SZ');
to_json();
Exec to_json();
Exec file_write("C:\Program Files\nxlog\data\SecurityEvents_output.log", $raw_event);
</Output>
<Route 1>
Path inSecurityEvent => outSecurityEvent
</Route>
This works fine on other versions of Windows; the problem is Windows 11.