Ask questions. Get answers. Find technical product solutions from passionate experts in the NXLog community.
Buffering not working
billychua
Hi, I had a situation where, when I unplugged the cable of the outgoing interface of the nxlog server, the logs went into the cache folder. When I connected the interface back, new logs continued to flow to the external logger, but the cached logs remained inside the cache folder and were not forwarded to the external logger. Below is my configuration. Looking forward to any help, please. Thank you.

User root
Group root
Panic Soft

## modify change
# default values:
# PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
# CacheDir /opt/nxlog/var/spool/nxlog
# ModuleDir /opt/nxlog/lib/nxlog/modules
# SpoolDir /opt/nxlog/var/spool/nxlog
CacheDir /data/nxlogcache

define CERTDIR /opt/nxlog/var/lib/nxlog/cert
define CONFDIR /opt/nxlog/var/lib/nxlog

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# By default, `LogFile %MYLOGFILE%` is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set `LogFile` below and
# disable the `include` line.
LogFile %MYLOGFILE%
#include %CONFDIR%/log4ensics.conf

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension exec>
    Module xm_exec
</Extension>

<Extension _leef>
    Module xm_leef
</Extension>

<Output Egress_To_xxx>
    Module om_tcp
    Port 1524
    Host xxx.xxx.xxx.xxx
</Output>

# Set port and IP address to listen to traffic
<Input External_Ingress>
    Module im_tcp
    Port 1524
    Host 0.0.0.0
</Input>

<Output External_Log_Locally>
    Module om_file
    File '/data/store/External/External_logs.txt'
    # Set log rotation to run daily and keep 90 days worth of logs
    <Schedule>
        When @daily
        <Exec>
            # Create year/month directories if necessary
            dir_make('/data/store/External/' + strftime(now() - 86400, '%Y-%m'));
            # Rotate current file into the correct directory
            rotate_to('/data/store/External/' + strftime(now() - 86400, '%Y-%m/External_logs_%Y-%m-%d.txt'));
            # Remove files older than 90 days
            exec_async("/usr/bin/find", "/data/store/External", "-mtime", "+90", "-type", "f", "-delete");
        </Exec>
    </Schedule>
</Output>

<Processor External_To_xxx_Buffer>
    Module pm_buffer
    Type Disk
    # 130MiB buffer
    MaxSize 130000000
    WarnLimit 100000000
</Processor>

<Route External_To_xxx_Path>
    Path External_Ingress => External_To_xxx_Buffer => Egress_To_xxx
</Route>

<Route External_To_Local>
    Path External_Ingress => External_Log_Locally
</Route>

<Input Internal_Ingress>
    Module im_tcp
    Port 2524
    Host 0.0.0.0
    <Exec>
        # edit syslog header for xxxx
        if $raw_event =~ /\d\d:\d\d:\d\d\s+(xxxx)\s+/
        {
            $Hostname = $1;
            to_syslog_bsd();
        }
    </Exec>
</Input>

<Output Internal_Log_Locally>
    Module om_file
    File '/data/store/Internal/Internal_logs.txt'
    # Set log rotation to run daily and keep 90 days worth of logs
    <Schedule>
        When @daily
        <Exec>
            # Create year/month directories if necessary
            dir_make('/data/store/Internal/' + strftime(now() - 86400, '%Y-%m'));
            # Rotate current file into the correct directory
            rotate_to('/data/store/Internal/' + strftime(now() - 86400, '%Y-%m/Internal_logs_%Y-%m-%d.txt'));
            # Remove files older than 90 days
            exec_async("/usr/bin/find", "/data/store/Internal", "-mtime", "+90", "-type", "f", "-delete");
        </Exec>
    </Schedule>
</Output>

<Processor Internal_To_xxx_Buffer>
    Module pm_buffer
    Type Disk
    # 130MiB buffer
    MaxSize 130000000
    WarnLimit 100000000
</Processor>

<Route Internal_To_xxx_Path>
    Path Internal_Ingress => Internal_To_xxx_Buffer => Egress_To_xxx
</Route>

<Route Internal_To_Local>
    Path Internal_Ingress => Internal_Log_Locally
</Route>

<Input xxx_UDP_Ingress>
    Module im_udp
    Port 514
    Host 0.0.0.0
    <Exec>
        # edit syslog header for xxx
        if $MessageSourceAddress == 'xx.xxx.x.x'
        {
            $Hostname = 'xxx';
            to_syslog_bsd();
        }
        # edit syslog header for xxx
        else if $MessageSourceAddress == 'xx.xxx.xx.xx'
        {
            $Hostname = 'xxx';
            to_syslog_bsd();
        }
        # edit syslog header for xxx
        else if $MessageSourceAddress == 'xx.xx.xx'
        {
            $Hostname = 'xxx';
            to_syslog_bsd();
        }
    </Exec>
</Input>

<Output xxx_UDP_Log_Locally>
    Module om_file
    File '/data/store/UDP/xxx_UDP_logs.txt'
    # Set log rotation to run daily and keep 90 days worth of logs
    <Schedule>
        When @daily
        <Exec>
            # Create year/month directories if necessary
            dir_make('/data/store/UDP/' + strftime(now() - 86400, '%Y-%m'));
            # Rotate current file into the correct directory
            rotate_to('/data/store/UDP/' + strftime(now() - 86400, '%Y-%m/xxxx_UDP_logs_%Y-%m-%d.txt'));
            # Remove files older than 90 days
            exec_async("/usr/bin/find", "/data/store/UDP", "-mtime", "+90", "-type", "f", "-delete");
        </Exec>
    </Schedule>
</Output>

<Processor xxx_UDP_To_xxx_Buffer>
    Module pm_buffer
    Type Disk
    # 130MiB buffer
    MaxSize 130000000
    WarnLimit 100000000
</Processor>

<Route xxx_UDP_To_xxx_Path>
    Path xxx_UDP_Ingress => xxx_UDP_To_xxx_Buffer => Egress_To_xxx
</Route>

<Route xxx_UDP_To_Local>
    Path xxx_UDP_Ingress => xxx_UDP_Log_Locally
</Route>

<Input audit_log>
    Module im_file
    File '/var/log/secure'
    <Exec>
        to_syslog_bsd();
    </Exec>
</Input>

<Processor xxx_Audit_To_xxx_Buffer>
    Module pm_buffer
    Type Disk
    # 130MiB buffer
    MaxSize 130000000
    WarnLimit 100000000
</Processor>

<Route xxx_Audit_To_xxx_Path>
    Path audit_log => xxx_Audit_To_xxx_Buffer => Egress_To_xxx
</Route>

<Input audit_log_2>
    Module im_file
    File '/var/log/audit/audit.log'
    <Exec>
        to_syslog_bsd();
    </Exec>
</Input>

<Processor xxx_Audit_2_To_xxx_Buffer>
    Module pm_buffer
    Type Disk
    # 130MiB buffer
    MaxSize 130000000
    WarnLimit 100000000
</Processor>

<Route xxx_Audit2_To_xxx_Path>
    Path audit_log_2 => xxx_Audit_2_To_xxx_Buffer => Egress_To_xxx
</Route>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in log4ensics.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>
billychua
Does the parser quit after not matching x amount of logs?
jhartman
I am having an issue where, when I try to parse a big file (~1500 lines), the regexp doesn't find any lines that match and then eventually "gives up". There is no ERROR in nxlog.log saying that it essentially stopped, but it never writes anything to my output file. In the input file I have 6 lines that match my parser, though.

<Exec>
    if $raw_event =~ /srv_name="([^"]+).+?user_auth_entr="([^"]+)/
    {
        $event_type = 'VPN_SESSION_IP_ASSIGNED';
        $version = 'v1';
        $time = 'test';
        $account = $2;
        $account_domain = 'null';
        $assigned_ip = 'null';
        $source_ip = 'null';
        $authentication_result = 'FAILURE';
        $authentication_target = $1;
    }
</Exec>

I was confused at first and thought there was an issue with my statement, but it checks out. When I specifically grabbed only those 6 log lines that would match and ran the service against ONLY those logs, everything parsed and worked just fine, giving me the 6 new log lines in my output file. So this leads me to believe that the only reason it didn't work the first time is that the first time it actually matches those log lines is the 112th line. So my assumption is that it tries to process the incoming log lines against my regex and after so many not matching it just stops. Can anyone confirm if this is accurate and, if so, how can I increase the threshold and/or remove this dependency?
jhartman
IF statements for varying values
jhartman
I am trying to parse some logs coming in and trying to figure out the proper way to build the nxlog.conf when specifying what to do depending on the conditions met in the parser. I have a working conf file that can read all the logs from a file and parse them into one set of conditions, but how do I add multiple IF statements in a single Exec block?

<Input NetMotion>
    Module im_file
    File "C:\Testing-logs\NetMotion.txt"
    <Exec>
        if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
        {
            if $4 == 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED';
            {
                $version = 'v1';
                $time = $3;
                $account = $1;
                $assigned_ip = $6;
                $source_ip = $2;
                $authentication_result = 'SUCCESS';
                $authentication_target = $5;
            }
            if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION';
            {
                $version = 'v1';
                $time = $2;
                $account = $1;
            }
        }
    </Exec>
</Input>

The above code works in the sense that it doesn't give me any errors in the NXLog log file; however, the actual log lines are mixed up. If the events match 'VPN_SESSION_IP_ASSIGNED' then it all works just fine. This gives me the order event_type, version, time, account, assigned_ip, source_ip, authentication_result, authentication_target, which is exactly what I need. However, for the lines where it doesn't match, it messes up the order and puts version first, and then tacks on the event_type = 'VPN_SESSION_IP_TERMINATION' at the end.

How do I get it so that when $event_type = 'VPN_SESSION_IP_TERMINATION' the log format only shows the fields I want, e.g. event_type, version, time, account? I tried a different method where I put the second if statement directly after the first and it worked to keep the order, but I still don't know how to drop the unnecessary fields from the termination events.

<Input NetMotion>
    Module im_file
    File "C:\Testing-logs\NetMotion.txt"
    <Exec>
        if $raw_event =~ /m_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+).+?ses_state="([^"]+).+?vip="([^"]+)/
        {
            if $4 == 'Connected' $event_type = 'VPN_SESSION_IP_ASSIGNED';
            if $3 == 'Disconnected' $event_type = 'VPN_SESSION_IP_TERMINATION';
            $version = 'v1';
            $time = $3;
            $account = $1;
            $assigned_ip = $6;
            $source_ip = $2;
            $authentication_result = 'SUCCESS';
            $authentication_target = $5;
        }
    </Exec>
</Input>

Would I do an additional if statement after that to basically say:

        if $event_type == 'VPN_SESSION_IP_TERMINATION'
        {
            delete($assigned_ip);
            delete($source_ip);
            delete($authentication_result);
            delete($authentication_target);
        }

Any and all help is appreciated!
jhartman
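The two NetMotion posts above both come down to the same job: run a capture-group regex over a file, skip the lines that do not match, and emit a different, fixed field set per event type. The following is an added example written for this page, not code from either post or from NXLog; it reuses the two regexes exactly as posted but does the work in Python so it can be run against a constructed input. The sample lines, the 110 filler lines placed before the first match, and the choice to key the Connected/Disconnected test on the ses_state capture (group 4), map assigned_ip to vip and authentication_target to pop_ip_srv are all assumptions made here.

```python
import re

# Regexes copied verbatim from the two posts above.
SESSION_RE = re.compile(
    r'm_user="([^"]+).+?pop_ip_srv="([^"]+).+?ses_start="([^"]+)'
    r'.+?ses_state="([^"]+).+?vip="([^"]+)'
)
AUTH_RE = re.compile(r'srv_name="([^"]+).+?user_auth_entr="([^"]+)')


def parse_session_line(line):
    """Connected/Disconnected session records.

    Group numbers follow the regex: 1 m_user, 2 pop_ip_srv, 3 ses_start,
    4 ses_state, 5 vip (there is no group 6). Only the fields that belong to
    each event type are emitted, so termination records never carry
    assigned_ip, source_ip, authentication_result or authentication_target.
    assigned_ip <- vip and authentication_target <- pop_ip_srv are assumptions.
    """
    m = SESSION_RE.search(line)
    if m is None:
        return None
    user, pop_ip, ses_start, ses_state, vip = m.groups()
    if ses_state == "Connected":
        return {
            "event_type": "VPN_SESSION_IP_ASSIGNED",
            "version": "v1",
            "time": ses_start,
            "account": user,
            "assigned_ip": vip,
            "source_ip": pop_ip,
            "authentication_result": "SUCCESS",
            "authentication_target": pop_ip,
        }
    if ses_state == "Disconnected":
        return {
            "event_type": "VPN_SESSION_IP_TERMINATION",
            "version": "v1",
            "time": ses_start,
            "account": user,
        }
    return None  # matched the regex but an unexpected state: drop it


def parse_auth_line(line):
    """Failed-authentication records, with the field values used in the first post."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    return {
        "event_type": "VPN_SESSION_IP_ASSIGNED",
        "version": "v1",
        "time": "test",
        "account": m.group(2),
        "account_domain": "null",
        "assigned_ip": "null",
        "source_ip": "null",
        "authentication_result": "FAILURE",
        "authentication_target": m.group(1),
    }


def parse_lines(lines):
    """Run every line through both parsers; lines matching neither are skipped."""
    out = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_session_line(line) or parse_auth_line(line)
        if rec is not None:
            out.append((lineno, rec))
    return out


def to_kv(rec):
    """Render a record as key=value pairs in insertion order (dicts keep order in Python 3.7+)."""
    return " ".join(f"{k}={v}" for k, v in rec.items())


# Constructed sample input: 110 unrelated lines, so the first match is on line 111.
SAMPLE_LINES = [f"heartbeat seq={i} status=ok" for i in range(1, 111)] + [
    'ts="2023-02-01T10:00:00" m_user="alice" pop_ip_srv="203.0.113.10" '
    'ses_start="2023-02-01T09:59:58" ses_state="Connected" vip="10.20.0.7"',
    'ts="2023-02-01T10:05:00" srv_name="vpn-gw-1" user_auth_entr="bob" result="denied"',
    'ts="2023-02-01T11:00:00" m_user="alice" pop_ip_srv="203.0.113.10" '
    'ses_start="2023-02-01T09:59:58" ses_state="Disconnected" vip="10.20.0.7"',
]

if __name__ == "__main__":
    for lineno, rec in parse_lines(SAMPLE_LINES):
        print(lineno, to_kv(rec))
```

The point of structuring it as one branch per event type that returns a complete record is that the field order and the field set are decided in a single place; there is nothing to delete afterwards, and a record for an unexpected ses_state is dropped rather than half-populated.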
NXlog Enterprise Edition Licenses
L2.cdc@valuepointsystems.com
Hi All, we have purchased 100 NXLog Enterprise Edition annual licenses (node based). Can anybody let us know how we update the license when we install NXLog Enterprise Edition on a Windows server? Regards, Valuepoint Team
L2.cdc@valuepointsystems.com
Some error about getting data from chrome history log
lida02@megvii.com
I want to collect the Chrome history log, following the https://docs.nxlog.co/userguide/integrate/browser-history.html#google-chrome-history-location-and-details guide on a Windows terminal. Because the http://www.ch-werner.de/ site is down, I can't download the "SQLite ODBC Driver", but I found another substitute, https://www.devart.com/odbc/sqlite/download.html; I don't know if this driver is the same as the "SQLite ODBC Driver". When I run nxlog, I get some error info:

2023-02-14 11:23:25 INFO [im_odbc|odbc] im_odbc successfully connected to the database
2023-02-14 11:23:25 WARNING [im_odbc|odbc] im_odbc detected a disconnection, attempting to reconnect in 10 seconds
2023-02-14 11:23:25 ERROR [im_odbc|odbc] SQLExecute failed, 22001:2:390:[Devart][ODBC]String data, right-truncated (odbc error code: -1)

My input conf is like below:

<Input odbc>
    Module im_odbc
    PollInterval 1200
    ConnectionString DRIVER=Devart ODBC Driver for SQLite; Database=D:\ProgramFiles\logs\History_Chrome;Version=3;
    SQL Select visits.id AS id, urls.url AS URL, urls.title AS Title FROM visits INNER JOIN urls ON visits.url = urls.id WHERE visits.id > ?
    Exec $Hostname = hostname();
    Exec to_json();
</Input>

I want to know what's wrong with my config, or how to fix it.
lida02@megvii.com
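The posted SQL polls the Chrome History database incrementally: the `?` placeholder is filled with the highest visits.id already seen, so each poll returns only new visits. The following is an added example for this page, not code from the post, from NXLog or from Google; it builds a constructed in-memory SQLite stand-in with only the two tables and columns the query touches (a real History file has many more), then runs the same query through a small poller that carries the bookmark forward and renders each row as a JSON document the way the posted Exec does. The hostname "ws-01", the sample URLs and the visit_time values are made up.

```python
import json
import sqlite3

# The posted query, plus an ORDER BY (added here) so the bookmark advances monotonically.
QUERY = (
    "SELECT visits.id AS id, urls.url AS URL, urls.title AS Title "
    "FROM visits INNER JOIN urls ON visits.url = urls.id "
    "WHERE visits.id > ? ORDER BY visits.id"
)


def make_sample_history():
    """Constructed stand-in for a Chrome History file: only the columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE urls   (id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY,
                             url INTEGER NOT NULL REFERENCES urls(id),
                             visit_time INTEGER NOT NULL);
        """
    )
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://example.org/", "Example Domain"),
        (2, "https://example.org/login", "Sign in"),
    ])
    # visit_time in Chrome is microseconds since 1601-01-01; these values are made up.
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 1, 13322000000000000),
        (2, 2, 13322000060000000),
    ])
    conn.commit()
    return conn


class HistoryPoller:
    """Incremental poll: remembers the highest visits.id seen and binds it to the '?'."""

    def __init__(self, conn, hostname, last_id=0):
        self.conn = conn
        self.hostname = hostname  # stands in for the posted `Exec $Hostname = hostname();`
        self.last_id = last_id

    def poll(self):
        events = []
        for visit_id, url, title in self.conn.execute(QUERY, (self.last_id,)):
            events.append({"id": visit_id, "URL": url, "Title": title, "Hostname": self.hostname})
            self.last_id = visit_id  # rows arrive in id order, so this is the max seen
        return events


def to_json_lines(events):
    """One JSON document per event, like to_json() in the posted config."""
    return [json.dumps(e) for e in events]


def simulate():
    """Two polls with a new visit inserted in between; returns what each poll yielded."""
    conn = make_sample_history()
    poller = HistoryPoller(conn, hostname="ws-01")
    first = [e["id"] for e in poller.poll()]
    empty = poller.poll()  # nothing new yet, so no rows
    conn.execute("INSERT INTO urls VALUES (3, 'https://example.org/logout', 'Signed out')")
    conn.execute("INSERT INTO visits VALUES (3, 3, 13322000120000000)")
    second = [e["id"] for e in poller.poll()]
    return first, len(empty), second, poller.last_id


if __name__ == "__main__":
    print(simulate())
    for line in to_json_lines(HistoryPoller(make_sample_history(), "ws-01").poll()):
        print(line)
```

Because the bookmark is the only state, losing it (for example by restarting without persisting last_id) replays the whole table from id 0 on the next poll; when running this against a real History file, also copy the file first, since Chrome keeps it locked while the browser is open.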
ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.
billychua
Hi, I get the above error when I try to start the nxlog server. Below is my config file. Please assist. Thank you.

Panic Soft

define INSTALLDIR C:\Program Files\nxlog
#ModuleDir %INSTALLDIR%\modules
#CacheDir %INSTALLDIR%\data
#SpoolDir %INSTALLDIR%\data
define CERTDIR %INSTALLDIR%\cert
define CONFDIR %INSTALLDIR%\conf\nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR c:\data
define MYLOGFILE %INSTALLDIR%\data\nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%\*.conf
LogLevel INFO
LogFile %MYLOGFILE%

<Extension exec>
    Module xm_exec
</Extension>

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input tcp>
    Module im_tcp
    ListenAddr 0.0.0.0:514
</Input>

define LOCALFILE 'C:\Users\Administrator\Documents\Data'

<Output file>
    Module om_file
    File %LOCALFILE%
</Output>

<Route tcp_to_file>
    Path tcp => file
</Route>

Error message:

2023-02-06 00:41:43 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows
2023-02-06 00:41:43 ERROR [om_file|file] failed to open C:\Users\Administrator\Documents\Data; Access is denied.
2023-02-06 00:41:43 INFO [im_tcp|tcp] listening on 0.0.0.0:514

Regards, Billy
billychua
License true-up
TS_521115
If a customer purchases 100 NXLog Enterprise licenses and needs more six months later, do they place an order for the additional licenses separately or increase the original order? Are they able to deploy and then true-up, or do they need a unique key for each before deploying?
TS_521115
extraspaces added after ; converting messages with multiline parser
Dileep Nannapaneni
Hi team, I have converted audit messages from multiline to single line using the multiline parser. The problem is that two spaces are added instead of one space after the semicolon. Input: message1;message2; Single line: message1;. message2; There are two spaces between the first semicolon and message2 instead of one. How do I remove the extra space?
Dileep Nannapaneni
NX LOG Newbie Question
jrpayne
Good afternoon. I currently run an NXLog solution that was set up by the vendor of our cloud IDS. I do know that we have a collection of logs coming from workstations to a central server and that server uploads the logs to the IDS. That being said, I have set up a Graylog server on an Ubuntu box and I want to send my Windows DNS logs to that server so that I have a way to search DNS queries made by workstations should one of them become compromised (via malware, ransomware, etc.). I realize that there is already a config file for NXLog that sends the Event Viewer logs, so I am assuming that I would have to use that same file to have NXLog send DNS logs to a different location (if that is even possible). So my questions are: Is it possible to do that? If so, does the collection service have to be stopped in order to edit the config file? I would send these logs to the same online IDS service, but we are already going over our quota every month and management doesn't see the need to upgrade our service. Therefore, I am left to figure out another way to stay on top of DNS threat hunting. Any input will be greatly appreciated.
jrpayne
Randomly TCP Output
Tulio Gomes
Hi Folks, I have a TCP output that has 3 hosts in sequence to send to Graylog (failover), but I would like to "randomly" switch the outputs to better distribute the load on the nodes. In my config example, 'graylog_1' will always receive all events. Is there a built-in solution for a processor/output to send randomly to the multiple nodes?

Config example:

<Output out_graylog>
    Module om_tcp
    FlowControl False
    Host 192.168.0.10:514 # graylog_1
    Host 192.168.0.11:514 # graylog_2
    Host 192.168.0.12:514 # graylog_3
</Output>

A VIP/load balancer for Graylog is not the solution I'm looking for; I want to understand the power of nxlog and its customization.
Tulio Gomes
Eliminate scrolling with wrapping
TestNXLogQA_01
It would be nice if you eliminated scrolling by wrapping the posts in this forum.
TestNXLogQA_01
Unable to forward the windows logs to QRadar SIEM
Venky
Hi All, I have a requirement to forward Windows logs to QRadar using NXLog. Below is my config file; I am unable to receive the logs in my SIEM platform. I encounter the error: ERROR failed to subscribe to msvistalog events, the channel was not found [error code: 15007]; The specified channel could not be found. Check channel configuration.

Panic Soft
#NoFreeOnExit TRUE

define ROOT    C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR  %ROOT%\data

include %CONFDIR%\\*.conf

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

# Snare compatible example configuration
# Collecting event log
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level<4]</Select>
                <Select Path='System'>*</Select>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
                <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
                <Select Path='Windows PowerShell'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $Category == undef $Category = 0;

        if $EventType == 'CRITICAL'
        {
            $EventTypeNum = 1;
            $EventTypeStr = "Critical";
        }
        else if $EventType == 'ERROR'
        {
            $EventTypeNum = 2;
            $EventTypeStr = "Error";
        }
        else if $EventType == 'INFO'
        {
            $EventTypeNum = 4;
            $EventTypeStr = "Informational";
        }
        else if $EventType == 'WARNING'
        {
            $EventTypeNum = 3;
            $EventTypeStr = "Warning";
        }
        else if $EventType == 'VERBOSE'
        {
            $EventTypeNum = 5;
            $EventTypeStr = "Verbose";
        }
        else
        {
            $EventTypeNum = 0;
            $EventTypeStr = "Audit";
        }

        if $OpcodeValue == 0 $Opcode = "Info";
        if $TaskValue == 0 $TaskValue = "None";

        $EpochTime = string(integer($EventTime));
        $EpochTime =~ /^(?<sec>\d+)(?<ms>\d{6})$/;
        $EpochTime = $sec;

        if $TaskValue == 12288 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSTATECHANGE"; }
        else if $TaskValue == 12289 { $TaskStr = "SE_ADT_SYSTEM_SECURITYSUBSYSTEMEXTENSION"; }
        else if $TaskValue == 12290 { $TaskStr = "SE_ADT_SYSTEM_INTEGRITY"; }
        else if $TaskValue == 12291 { $TaskStr = "SE_ADT_SYSTEM_IPSECDRIVEREVENTS"; }
        else if $TaskValue == 12292 { $TaskStr = "SE_ADT_SYSTEM_OTHERS"; }
        else if $TaskValue == 12544 { $TaskStr = "SE_ADT_LOGON_LOGON"; }
        else if $TaskValue == 12545 { $TaskStr = "SE_ADT_LOGON_LOGOFF"; }
        else if $TaskValue == 12546 { $TaskStr = "SE_ADT_LOGON_ACCOUNTLOCKOUT"; }
        else if $TaskValue == 12547 { $TaskStr = "SE_ADT_LOGON_IPSECMAINMODE"; }
        else if $TaskValue == 12548 { $TaskStr = "SE_ADT_LOGON_SPECIALLOGON"; }
        else if $TaskValue == 12549 { $TaskStr = "SE_ADT_LOGON_IPSECQUICKMODE"; }
        else if $TaskValue == 12550 { $TaskStr = "SE_ADT_LOGON_IPSECUSERMODE"; }
        else if $TaskValue == 12551 { $TaskStr = "SE_ADT_LOGON_OTHERS"; }
        else if $TaskValue == 12552 { $TaskStr = "SE_ADT_LOGON_NPS"; }
        else if $TaskValue == 12553 { $TaskStr = "SE_ADT_LOGON_CLAIMS"; }
        else if $TaskValue == 12554 { $TaskStr = "SE_ADT_LOGON_GROUPS"; }
        else if $TaskValue == 12800 { $TaskStr = "SE_ADT_OBJECTACCESS_FILESYSTEM"; }
        else if $TaskValue == 12801 { $TaskStr = "SE_ADT_OBJECTACCESS_REGISTRY"; }
        else if $TaskValue == 12802 { $TaskStr = "SE_ADT_OBJECTACCESS_KERNEL"; }
        else if $TaskValue == 12803 { $TaskStr = "SE_ADT_OBJECTACCESS_SAM"; }
        else if $TaskValue == 12804 { $TaskStr = "SE_ADT_OBJECTACCESS_OTHER"; }
        else if $TaskValue == 12805 { $TaskStr = "SE_ADT_OBJECTACCESS_CERTIFICATIONAUTHORITY"; }
        else if $TaskValue == 12806 { $TaskStr = "SE_ADT_OBJECTACCESS_APPLICATIONGENERATED"; }
        else if $TaskValue == 12807 { $TaskStr = "SE_ADT_OBJECTACCESS_HANDLE"; }
        else if $TaskValue == 12808 { $TaskStr = "SE_ADT_OBJECTACCESS_SHARE"; }
        else if $TaskValue == 12809 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLPACKETDROPS"; }
        else if $TaskValue == 12810 { $TaskStr = "SE_ADT_OBJECTACCESS_FIREWALLCONNECTION"; }
        else if $TaskValue == 12811 { $TaskStr = "SE_ADT_OBJECTACCESS_DETAILEDFILESHARE"; }
        else if $TaskValue == 12812 { $TaskStr = "SE_ADT_OBJECTACCESS_REMOVABLESTORAGE"; }
        else if $TaskValue == 12813 { $TaskStr = "SE_ADT_OBJECTACCESS_CBACSTAGING"; }
        else if $TaskValue == 13056 { $TaskStr = "SE_ADT_PRIVILEGEUSE_SENSITIVE"; }
        else if $TaskValue == 13057 { $TaskStr = "SE_ADT_PRIVILEGEUSE_NONSENSITIVE"; }
        else if $TaskValue == 13058 { $TaskStr = "SE_ADT_PRIVILEGEUSE_OTHERS"; }
        else if $TaskValue == 13312 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSCREATION"; }
        else if $TaskValue == 13313 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PROCESSTERMINATION"; }
        else if $TaskValue == 13314 { $TaskStr = "SE_ADT_DETAILEDTRACKING_DPAPIACTIVITY"; }
        else if $TaskValue == 13315 { $TaskStr = "SE_ADT_DETAILEDTRACKING_RPCCALL"; }
        else if $TaskValue == 13316 { $TaskStr = "SE_ADT_DETAILEDTRACKING_PNPACTIVITY"; }
        else if $TaskValue == 13317 { $TaskStr = "SE_ADT_DETAILEDTRACKING_TOKENRIGHTADJ"; }
        else if $TaskValue == 13568 { $TaskStr = "SE_ADT_POLICYCHANGE_AUDITPOLICY"; }
        else if $TaskValue == 13569 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHENTICATIONPOLICY"; }
        else if $TaskValue == 13570 { $TaskStr = "SE_ADT_POLICYCHANGE_AUTHORIZATIONPOLICY"; }
        else if $TaskValue == 13571 { $TaskStr = "SE_ADT_POLICYCHANGE_MPSSCVRULEPOLICY"; }
        else if $TaskValue == 13572 { $TaskStr = "SE_ADT_POLICYCHANGE_WFPIPSECPOLICY"; }
        else if $TaskValue == 13573 { $TaskStr = "SE_ADT_POLICYCHANGE_OTHERS"; }
        else if $TaskValue == 13824 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT"; }
        else if $TaskValue == 13825 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_COMPUTERACCOUNT"; }
        else if $TaskValue == 13826 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_SECURITYGROUP"; }
        else if $TaskValue == 13827 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_DISTRIBUTIONGROUP"; }
        else if $TaskValue == 13828 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_APPLICATIONGROUP"; }
        else if $TaskValue == 13829 { $TaskStr = "SE_ADT_ACCOUNTMANAGEMENT_OTHERS"; }
        else if $TaskValue == 14080 { $TaskStr = "SE_ADT_DSACCESS_DSACCESS"; }
        else if $TaskValue == 14081 { $TaskStr = "SE_ADT_DSACCESS_DSCHANGES"; }
        else if $TaskValue == 14082 { $TaskStr = "SE_ADT_DS_REPLICATION"; }
        else if $TaskValue == 14083 { $TaskStr = "SE_ADT_DS_DETAILED_REPLICATION"; }
        else if $TaskValue == 14336 { $TaskStr = "SE_ADT_ACCOUNTLOGON_CREDENTIALVALIDATION"; }
        else if $TaskValue == 14337 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBEROS"; }
        else if $TaskValue == 14338 { $TaskStr = "SE_ADT_ACCOUNTLOGON_OTHERS"; }
        else if $TaskValue == 14339 { $TaskStr = "SE_ADT_ACCOUNTLOGON_KERBCREDENTIALVALIDATION"; }
        else if $TaskValue == 65280 { $TaskStr = "SE_ADT_UNKNOWN_SUBCATEGORY"; }
        else { $TaskStr = "Unknown[" + $TaskValue + "]"; }

        if $KeywordsStr == undef
        {
            if $TaskValue == 0 { $KeywordsStr = 'None'; }
            else { $KeywordsStr = '0'; }
        }
        if $TaskStr == undef { $TaskStr = $TaskValue; }

        if $EventType == 'AUDIT_SUCCESS'
        {
            $KeywordsStr = "Audit Success";
            $EventTypeNum = 8;
        }
        else
        {
            $KeywordsStr = "Audit Failure";
            $EventTypeNum = 16;
        }

        $Message = "AgentDevice=WindowsLog" +
                   "\tAgentLogFile=" + $Channel +
                   "\tSource=" + $SourceName +
                   "\tComputer=" + hostname_fqdn() +
                   "\tOriginatingComputer=" + host_ip() +
                   "\tUser=" + $AccountName +
                   "\tDomain=" + $Domain +
                   "\tEventIDCode=" + $EventID +
                   "\tEventType=" + $EventTypeNum +
                   "\tEventCategory=" + $TaskValue +
                   "\tRecordNumber=" + $RecordNumber +
                   "\tTimeGenerated=" + $EpochTime +
                   "\tTimeWritten=" + $EpochTime +
                   "\tLevel=" + $EventTypeStr +
                   "\tKeywords=" + $KeywordsStr +
                   "\tTask=" + $TaskStr +
                   "\tOpcode=" + $Opcode +
                   "\tMessage=" + $Message;
        $Hostname = host_ip();
        delete($SourceName);
        delete($Severity);
        delete($SeverityValue);
        to_syslog_bsd();
    </Exec>
</Input>

# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module om_tcp
    Host 10.x.x.x
    Port 514
    Exec to_syslog_bsd();
</Output>

# Connect input 'eventlog' to output 'out'
<Route 1>
    Path eventlog => out
</Route>
Venky
IM_ETW Module
jrpayne
Can anyone tell me for certain if this module is only included in the Enterprise version? If so, where does one buy the Enterprise version and what is its approximate cost (USD)?
jrpayne
How to get NXLog Manager license
klevintest2
Hello team, how do I get an NXLog Manager license? Thank you, Klevin
klevintest2
nxlog-ce-3.1.2319.msi vs windows 2008 R2
egas84
Hi, is it possible to install nxlog-ce-3.1.2319.msi on Windows 2008 R2? Regards.
egas84
Update required of a specific windows EventID
dudu.confirm@gmail.com
Hi, I am doing my first steps with NXLog. I have managed to collect the whole "Security" Windows event log and also managed to update the "Version" parameter to my own parameter, just for test purposes. Now I need to perform 3 tasks:

1. Collect the whole "Security" Windows event log - Done
2. Update the "Version" parameter from int to string - Done
3. Update the "Hostname" parameter of a specific event ID (for example EventID 4656) to "test" - Please advise

Thank you

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        $Hostname = "test"; # This task should be only for eventID 4656
        $Version = string($Version);
        to_json();
    </Exec>
</Input>
dudu.confirm@gmail.com
Memory leak in NXLog 5 (include latest v5.6.7727)
Roman_Andreev
Hello!
We have permanent memory leaks on a Windows Event Collector server with any version 5 NXLog. If we install any version 4, it works without a memory leak, but very slowly: it accumulates a queue on a single filter for Windows events. How can we help to get this fixed in the next release?
Roman_Andreev
using CE and EE in a same machine
Sangeetha
Hi,
I'm using the EE trial edition now on my machine, but I need to use the CE edition as well for testing. Can I use both on the same machine? Will I lose my EE trial if I download CE now?
Sangeetha
Cost of Enterprise Edition
Sangeetha
Hi,
I would like to know the cost of the Enterprise Edition.
Also, I would like to know whether we can use the purchased NXLog EE package on more than one server to collect logs.
Sangeetha
Large eventlog entries makes nxlog "hang"
MagnusBjarnlid
We are using nxlog to collect event log information. Some entries can be large; in fact some messages are split over several entries as a workaround for the maximum event log entry size. However, these large entries seem to hang nxlog so that it stops processing new entries. Typical error messages are:
---------------------------------------
2014-10-27 17:10:32 ERROR EvtNext failed with error 1734: The array bounds are invalid.
2014-10-27 17:10:33 ERROR EvtUpdateBookmark failed: The handle is invalid.
----------------------------------------
Why is this? Is there any workaround?
MagnusBjarnlid