How to fix apr_sockaddr_info failed & not functional without input modules for Splunk SIEM


#1 Deval.Khatri

1)

2016-03-11 12:03:01 ERROR apr_sockaddr_info failed for 192.168.1.253:514;The requested name is valid, but no data of the requested type was found.  

 

2)

2016-03-11 13:21:37 ERROR module 'in' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:43
2016-03-11 13:21:37 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:43
2016-03-11 13:21:37 WARNING no routes defined!
2016-03-11 13:21:37 WARNING not starting unused module internal
2016-03-11 13:21:37 WARNING not starting unused module out
2016-03-11 13:21:37 INFO nxlog-ce-2.9.1504 started

 

My nxlog.conf file

 

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_json
</Extension>

<Input internal>
    Module im_internal
</Input>

<Output out>
    Module om_tcp
    Host 192.168.253.134
    Port 9001
    Exec _json();
</Output>

<Route 1>
    Path   in => out
</Route>

 

I have configured the receive port on the Splunk server, which is :9001, and my Splunk server IP is 192.168.253.134.

I have set the receiving port on my Splunk server and am trying to get Windows 7 logs into my Splunk server using nxlog configurations, but I am having these errors. I am not able to interpret both of these errors. I would appreciate it if anyone has an answer for both of these errors.

 

Thanks!!

#2 adm Nxlog ✓

The error message in 1) shows:

 192.168.1.253:514

Whereas the pasted configuration file has port 9001. Obviously the error comes from a different config.

To collect Windows eventlog you need this:

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

This was present in the default configuration file which you have removed for some reason. That's what the ERROR in 2) is about.

As suggested in the default config file you should read the fine manual:

## See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
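
The check behind the errors in 2), as an added example that is not part of the thread and is not nxlog's own code: a small Python lint that reads an nxlog.conf, collects the declared Input/Output/Processor instances, and reports any Route path stage that names an undeclared instance, plus the instances left unused. The function name `check_routes` and the two sample strings are constructed for illustration, and the parsing is a simplified approximation of the config syntax.

```python
import re

# Constructed sample: the blocks of the configuration posted in the question.
BROKEN_CONF = """
<Input internal>
    Module im_internal
</Input>
<Output out>
    Module om_tcp
    Host 192.168.253.134
    Port 9001
</Output>
<Route 1>
    Path   in => out
</Route>
"""
# The same sample with the <Input in> block from the answer restored.
FIXED_CONF = BROKEN_CONF + "<Input in>\n    Module im_msvistalog\n</Input>\n"

BLOCK_RE = re.compile(r"^\s*<(Input|Output|Processor|Route)\s+(\S+)\s*>(.*?)^\s*</\1>",
                      re.S | re.M | re.I)
PATH_RE = re.compile(r"^\s*Path\s+(.+)$", re.M | re.I)

def check_routes(conf_text):
    """Return (problems, unused): undeclared route stages and unrouted instances."""
    # Drop comments so a commented-out block does not count as declared
    # (simplification: a '#' inside a quoted string is also treated as a comment).
    text = re.sub(r"#.*", "", conf_text)
    declared, routes = set(), {}
    for kind, name, body in BLOCK_RE.findall(text):
        if kind.lower() == "route":
            m = PATH_RE.search(body)
            routes[name] = m.group(1) if m else ""
        else:
            declared.add(name)
    problems, used = [], set()
    for route, path in routes.items():
        names = [n.strip() for n in re.split(r"=>|,", path) if n.strip()]
        missing = [n for n in names if n not in declared]
        problems += [f"route {route}: module '{n}' is not declared" for n in missing]
        if not missing:  # a route with an undeclared stage is ignored as a whole
            used.update(names)
    return problems, sorted(declared - used)

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        problems, unused = check_routes(conf)
        print(label, problems, "unused:", unused)
```

Running a check like this before restarting the service catches a route that would be silently ignored, which otherwise leaves the host forwarding no event logs to the SIEM.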