6
responses

Hi,
I am trying to install nxlog on an XP machine but I couldn't troubleshoot the error. The following is the error I am seeing on the XP machine:

2020-08-20 15:54:06 WARNING nxlog-ce received a termination request signal, exiting...
2020-08-20 15:54:10 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:37
2020-08-20 15:54:10 ERROR module 'in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:52
2020-08-20 15:54:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:52
2020-08-20 15:54:10 WARNING no routes defined!
2020-08-20 15:54:10 WARNING not starting unused module in
2020-08-20 15:54:10 WARNING not starting unused module out
2020-08-20 15:54:10 INFO nxlog-ce-2.10.2150 started

Asked August 20, 2020 - 10:54pm

Answer (1)

It seems there is a syntax error.
The word "Query" is in the wrong place.
Maybe you can paste here the involved module config.

Comments (5)

  • ssingam

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _gelf>
    Module xm_gelf
    </Extension>

    <Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
    Module xm_exec
    </Extension>

    <Input in>
    Module im_mseventlog
    Query <QueryList>\
    <Query Id="0">\
    <Select Path="Application">*</Select>\
    <Select Path="System">*</Select>\
    <Select Path="Security">*</Select>\
    </Query>\
    </QueryList>
    Exec if ($EventID == 5156) drop();
    </Input>

    <Output out>
    Module om_ssl
    Host x.x.x.xm
    Port x
    CertFile %CERTDIR%\gliclient.crt
    CertKeyFile %CERTDIR%\gliclient.key
    AllowUntrusted TRUE
    OutputType GELF_TCP
    </Output>

    <Route 1>
    Path in => out
    </Route>

  • raf (NXLog)

    Hi,

    Is there any particular reason why you are using an obsolete OS?
    I've checked your config on a Win2019 server and it seems to work properly - at least there are no errors.

    Best,

    Rafal

  • manuel.munoz (NXLog)

    I would recommend that you stick to the following syntax for the query part.

    <Input eventlog>
        Module  im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id="0" Path="Application">
                    <Select Path="Application">
                        *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path="System">
                        *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path="Microsoft-Office Server-Search/Operational">
                        *</Select>
                    <Select Path="Microsoft-Office-EduServer Diagnostics">*</Select>
                    <Select Path="Microsoft-SharePoint Products-Shared/Operational">
                        *</Select>
                    <Select Path="Microsoft-SharePoint Products-Shared/Audit">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>
    

  • ssingam

    I have a few applications that only run on XP and I want to see the logs generated by those. If it works on 2019, then what could possibly be wrong in the conf file? I was going through the documentation and found that im_mseventlog supports limited directives. Is that an XP limitation?