
1)

2016-03-11 12:03:01 ERROR apr_sockaddr_info failed for 192.168.1.253:514;The requested name is valid, but no data of the requested type was found.  

 

2)

2016-03-11 13:21:37 ERROR module 'in' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:43
2016-03-11 13:21:37 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:43
2016-03-11 13:21:37 WARNING no routes defined!
2016-03-11 13:21:37 WARNING not starting unused module internal
2016-03-11 13:21:37 WARNING not starting unused module out
2016-03-11 13:21:37 INFO nxlog-ce-2.9.1504 started

 

My nxlog.conf file

 

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>

    Module xm_json

</Extension>

<Input internal>

    Module im_internal

</Input>

 

<Output out>

    Module om_tcp
    Host 192.168.253.134
    Port 9001
    Exec _json();
    

</Output>

<Route 1>

    Path   in => out
    
  </Route>

 

I have configured the receive port on the Splunk server, which is :9001, and my Splunk server IP is 192.168.253.134.

I have set the receiving port on my Splunk server and am trying to get Windows 7 logs into my Splunk server using nxlog configurations, but I am having these errors. I am not able to interpret both of these errors. I would appreciate it if anyone has an answer for both of these errors.

 

Thanks!!

Asked March 11, 2016 - 9:30am

Answer (1)

The error message in 1) shows:

 192.168.1.253:514

Whereas the pasted configuration file has port 9001. Obviously the error comes from a different config.

To collect windows eventlog you need this:

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

This was present in the default configuration file which you have removed for some reason. That's what the ERROR in 2) is about.

As suggested in the default config file you should read the fine manual:

## See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
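
A pre-start check for the failure in 2), as an added example that is not part of the original answer and not nxlog's own code: a small Python linter that reports route paths naming undeclared module instances, and inputs or outputs left without a working route. The function name lint_routes and the sample text are constructed for illustration, and only the block and Path syntax shown on this page is handled.

```python
import re

# Constructed sample: the question's nxlog.conf reduced to its block structure.
BROKEN_CONF = """
<Extension syslog>
    Module xm_json
</Extension>
<Input internal>
    Module im_internal
</Input>
<Output out>
    Module om_tcp
    Host 192.168.253.134
    Port 9001
</Output>
<Route 1>
    Path   in => out
</Route>
"""

BLOCK = re.compile(
    r"^[ \t]*<(Extension|Input|Processor|Output|Route)\s+(\S+?)>[ \t]*$(.*?)^[ \t]*</\1>",
    re.I | re.M | re.S)

def lint_routes(conf_text):
    """Return problems: undeclared names in a Path, and inputs/outputs no working route uses."""
    text = re.sub(r"^[ \t]*#.*$", "", conf_text, flags=re.M)  # drop comment lines
    declared, routes = {}, {}
    for kind, name, body in BLOCK.findall(text):
        if kind.lower() == "route":
            m = re.search(r"^\s*Path\s+(.+)$", body, re.I | re.M)
            routes[name] = re.split(r"\s*(?:=>|,)\s*", m.group(1).strip()) if m else []
        else:
            declared[name] = kind.capitalize()
    problems, used = [], set()
    for route, names in routes.items():
        missing = [n for n in names if n not in declared]
        problems += [f"route {route}: module '{n}' is not declared" for n in missing]
        # Assumption taken from the log in 2): the route was ignored as a whole,
        # so its remaining modules ('out') were reported as unused.
        if not missing:
            used.update(names)
    for name, kind in declared.items():
        if kind in ("Input", "Output") and name not in used:
            problems.append(f"{kind.lower()} '{name}' is not used by any route")
    return problems

if __name__ == "__main__":
    for problem in lint_routes(BROKEN_CONF):
        print(problem)
```

Run against the configuration from the question, it reports the same three conditions that nxlog logged in 2); the event-forwarding gap is visible before the service is restarted rather than only in nxlog.log afterwards.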

 

Comments (2)

  • Deval Khatri

    Hi, thanks for the answer.

    Yup, I configured it again; my config file is as shown below.

    My nxlog.log file says: 2016-03-11 16:49:54 INFO nxlog-ce-2.9.1504 started.

    1) My nxlog.log file is not showing any error, just showing started. How do I check that logs are arriving at my server?

    2) I have configured port 9001 on my Splunk server as the receiver but am not able to see any messages about logs being added. How do I check it?

    <Extension syslog>

        Module xm_syslog
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Input in>
        Module im_msvistalog
        Exec $Message = to_json(); to_syslog_bsd();
    </Input>

    <Output out>  
        #My Splunk Server IP and Port 

        Module om_udp
        Host 192.168.253.134
        Port 9001
    </Output>

    <Route r>
        Path in => out
    </Route>