5
responses

Hi all

Inherited this system, so sorry if my terminology isn't right or I'm not super clear on what i'm asking for. I am trying to get logs to ship to my SOC CTA.  It works in shipping logs to Nagios but not to the CTA.  I've tried updating the conf file from a server that is working, but every time I restart the service, 5 minutes later the conf file rolls back to its initial config.  What am I doing wrong?  Is the settings for the conf file resetting because of a script issue?

Here is my sample conf file that keeps overwriting the work I've done on it.  Thanks all in advance

# Please set the ROOT to the folder your nxlog was installed into,

## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
</Input>
 
# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    Exec if $EventID IN (5156) drop();  
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
</Input>

<Input MSDNSLOGIN>
 Module im_file
 File 'C:\Windows\Sysnative\dns\dns.log'
# 32-bit applications can access the native system directory by substituting %windir%\Sysnative for %windir%\System32. WOW64 recognizes Sysnative as a special alias used to indicate that the file system should not redirect the access. This mechanism is flexible and easy to use, therefore, it is the recommended mechanism to bypass file system redirection. Note that 64-bit applications cannot use the Sysnative alias as it is a virtual directory not a real one.
 InputType LineBased
 SavePos TRUE
 ReadFromLast FALSE
 PollInterval 1
# The input is assumed to contain log messages separated by newlines. Thus if an LF (\n) or CRLF (\r\n) is found, the function considers that it has reached the end of the log message.
 Exec if $raw_event == '' drop();  ##drops blank messages
 Exec $SourceName = "MSDNSLog";$Message = $raw_event;
</Input>

<Input MSDHCP>
 Module im_file
 File 'C:\Windows\Sysnative\dhcp\DhcpSrvLog-*.log'
# 32-bit applications can access the native system directory by substituting %windir%\Sysnative for %windir%\System32. WOW64 recognizes Sysnative as a special alias used to indicate that the file system should not redirect the access. This mechanism is flexible and easy to use, therefore, it is the recommended mechanism to bypass file system redirection. Note that 64-bit applications cannot use the Sysnative alias as it is a virtual directory not a real one.
 InputType LineBased
 SavePos TRUE
 ReadFromLast FALSE
 PollInterval 1
# The input is assumed to contain log messages separated by newlines. Thus if an LF (\n) or CRLF (\r\n) is found, the function considers that it has reached the end of the log message.
 Exec if $raw_event == '' drop();  ##drops blank messages
 Exec $SourceName = "DHCPLog";$Message = $raw_event;
</Input>
 
<Output out1>
    Module om_udp
    Host 10.*.*.*
    Port 3***
    
    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();
    
    # Uncomment for debug output
    # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Output out2>
    Module om_udp
    Host 10.*.*.*    
    Port 514
# Transmit in Snare format on local6.info
        Exec $SyslogFacilityValue = 22;to_syslog_snare();
</Output>

<Output out3>
    Module      om_udp
    Host        10.*.*.*
    Port        514
# Create our RFC3164 compliant syslog line and transmit on local5.info
    Exec        $SyslogFacilityValue = 21;$Severity = 'INFO';to_syslog_bsd();

</Output>

<Route 1>
    Path internal, file1, eventlog  => out1
</Route>

<Route 2>
    Path        eventlog => out2
</Route>

<Route 3>
    Path   MSDNSLOGIN, MSDHCP => out3
</Route>

 
#<Route 1> Note that OUTPUT 2 & 3 are the OUTPUTS not working
#    Path internal, file1, eventlog, MSDNSLOGIN, MSDHCP  => out1, out2
#</Route>

 

Error Log

2017-06-26 13:39:19 ERROR failed to open directory: C:\Windows\Sysnative\dhcp: The system cannot find the path specified.  
2017-06-26 13:39:19 WARNING Module MSDHCP has no input files to read
2017-06-26 13:39:21 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 13:39:27 WARNING last message repeated 2 times
2017-06-26 13:39:35 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 13:39:51 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 13:40:23 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 13:41:28 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 13:43:37 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 13:47:54 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 13:56:27 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 14:13:32 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log
2017-06-26 14:47:41 WARNING input file does not exist: C:\Windows\Sysnative\dns\dns.log

AskedJune 26, 2017 - 9:10pm

Answer (1)

> 5 minutes later the conf file rolls back to its initial config.  What am I doing wrong?

Configure your GPO not to do that.

Comments (4)