I am trying to install nxlog on XP machine but I couldn't troubleshoot the error. Following is the error I am seeing on XP machine:

2020-08-20 15:54:06 WARNING nxlog-ce received a termination request signal, exiting...
2020-08-20 15:54:10 ERROR invalid keyword: Query at C:\Program Files\nxlog\conf\nxlog.conf:37
2020-08-20 15:54:10 ERROR module 'in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:52
2020-08-20 15:54:10 ERROR route 1 is not functional without input modules, ignored at C:\Program Files\nxlog\conf\nxlog.conf:52
2020-08-20 15:54:10 WARNING no routes defined!
2020-08-20 15:54:10 WARNING not starting unused module in
2020-08-20 15:54:10 WARNING not starting unused module out
2020-08-20 15:54:10 INFO nxlog-ce-2.10.2150 started

AskedAugust 20, 2020 - 10:54pm

Answer (1)

It seems there is a syntax error.
The word "Query" is in the wrong place.
Maybe you can paste here the involved module config.

Comments (5)

  • ssingam's picture

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf
    define LOGDIR %ROOT%\data
    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _gelf>
    Module xm_gelf

    <Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

    <Extension _exec>
    Module xm_exec

    <Input in>
    Module im_mseventlog
    Query <QueryList>\
    <Query Id="0">\
    <Select Path="Application">*</Select>\
    <Select Path="System">*</Select>\
    <Select Path="Security">*</Select>\
    Exec if ($EventID == 5156) drop();

    <Output out>
    Module om_ssl
    Host x.x.x.xm
    Port x
    CertFile %CERTDIR%\gliclient.crt
    CertKeyFile %CERTDIR%\gliclient.key
    AllowUntrusted TRUE
    OutputType GELF_TCP

    <Route 1>
    Path in => out

  • raf's picture


    Is there any particular reason why you are using obsolete OS?
    I've checked your config on Win2019 server and it seems to work properly - at least there're no errors.



  • manuel.munoz's picture

    I would recommend you to stick to the following syntax regarding the query part.

    <Input eventlog>
        Module  im_msvistalog
                <Query Id="0" Path="Application">
                    <Select Path="Application">
                        *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path="System">
                        *[System[(Level=1 or Level=2 or Level=3)]]</Select>
                    <Select Path="Microsoft-Office Server-Search/Operational">
                    <Select Path="Microsoft-Office-EduServer Diagnostics">*</Select>
                    <Select Path="Microsoft-SharePoint Products-Shared/Operational">
                    <Select Path="Microsoft-SharePoint Products-Shared/Audit">*</Select>

  • ssingam's picture

    I have few applications that only runs on XP and I want to see logs generating from those. If it works on 2019, then what could possibly wrong in conf file? I was going through the documentations and found im_mseventlog support limited directives. Is that XP limitation?