Not sending to syslog

#1 ebjers

I am trying to use nxlog to read from a text file and send to a syslog collector from Rapid7.

I have read through Rapid7's documentation found at https://insightidr.help.rapid7.com/docs/nxlog

I have verified that the input is working by outputting to a text file and verifying there was output, but it will not output to syslog. This is traversing a firewall and I have the proper rules in place. I can also see that the traffic is not getting to the firewall, as there are no packets dropped or captured at the firewall, so my only logical conclusion is that nxlog is not sending the output to syslog. ICMP (ping) traffic goes through the firewall, so there is connectivity.

Is there a debug log mode for nxlog where I can get more details on what is happening?

Here is my config file:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

<Input Ping_Audit>
    Module im_file
    File 'C:\ping-logs\audit.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    <Exec>
        if $raw_event =~ /^#. drop(); else { to_syslog_bsd(); }
    </Exec>
</Input>

<Output Rapid7_5004>
    Module om_udp
    Host 192.168.251.201
    Port 5004
</Output>

<Route 1>
    Path Ping_Audit => Rapid7_5004
</Route>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

#2 ebjers

I did find a couple of errors in my config and have updated it, shown below:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension fileop>
    Module xm_fileop
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input Ping_Audit>
    Module im_file
    File 'C:\ping-logs\audit.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    <Exec>
        # Drop comment lines, convert everything else to BSD syslog format
        if $raw_event =~ /^#/ drop(); else { to_syslog_bsd(); }
    </Exec>
</Input>

<Output Rapid7_5004>
    Module om_udp
    Host 192.168.251.201
    Port 5004
    # Also write each record to a local file so the output side can be verified;
    # single quotes keep the backslashes in the Windows path from being treated as escapes
    Exec file_write('C:\Program Files (x86)\nxlog\data\nxlog_output.log', $raw_event);
</Output>

<Route 1>
    Path Ping_Audit => Rapid7_5004
</Route>
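An added check, not part of the post and not nxlog's own code: a small UDP receiver bound to the collector port, plus a parser for the BSD syslog (RFC 3164) shape that to_syslog_bsd() produces. Run it on the nxlog host with om_udp pointed at 127.0.0.1 (or on the collector side) to separate "nxlog is not emitting" from "the network is dropping it"; port 5004 follows the post and the sample line in the test is constructed.

```python
"""Receive what om_udp sends and check that it is BSD syslog (RFC 3164)."""
import re
import socket
from typing import Optional

# Shape produced by to_syslog_bsd(): <PRI>Mmm dd hh:mm:ss HOST MSG
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_bsd_syslog(line: str) -> Optional[dict]:
    """Return the decoded header fields, or None if the line is not BSD syslog."""
    m = BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give at most 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def receive_datagrams(port: int = 5004, count: int = 1, timeout: float = 30.0) -> list:
    """Bind the collector port (5004 assumed, as in the post) and gather up to
    `count` datagrams as (source address, text). An empty result after the
    timeout means nothing left nxlog at all."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        while len(received) < count:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            received.append((src, data.decode("utf-8", "replace")))
    return received


if __name__ == "__main__":
    for src, text in receive_datagrams():
        print(src, parse_bsd_syslog(text) or f"not BSD syslog: {text!r}")
```

Two things worth knowing while testing: nxlog's global LogLevel directive accepts DEBUG, which makes nxlog.log verbose enough to show module start-up and send errors, and with ReadFromLast TRUE nothing is sent until a new line is appended to audit.log after nxlog has started.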