
Hello!
I would like to execute a simple PowerShell script that only creates a folder, at every incoming ERROR message. But I cannot run the PowerShell script!
My config file is as follows:

<Input 1>

Module im_tcp
host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>

<Output out>

Module om_file
Module xm_exec
File "C:\\NXlogs\\Test_Log.log"
exec if $raw_event =~ /ERROR/ exec_async("C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\\NXlogs\\test.ps1");

</Output>

<Route >
Path 1 => out
</Route>
-------------------------------------------------------------------------------------------------------------------------------
After running it, I got an error message like:

2022-09-07 15:21:22 ERROR subprocess 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' was terminated by a signal.
-------------------------------------------------------------------------------------------------------------------------------
Even running notepad.exe or a batch script gives the same error, like:
ERROR subprocess ................. was terminated by a signal.
-------------------------------------------------------------------------------------------------------------------------------
Does anyone know what the reason is?

Asked September 7, 2022 - 4:03pm

Answer (1)

Hi Shinee,

It appears the agent was failing due to a wrong configuration. You need to load the xm_exec module as an extension module.

<Extension _exec>
    Module xm_exec
</Extension>

<Input in>  
    Module im_tcp
    ListenAddr 0.0.0.0:514
    Exec parse_syslog();
</Input>

<Output out>
    Module om_file
    File "C:\\NXlogs\\Test_Log.log"
    <Exec>
        if $raw_event =~ /ERROR/
            exec_async("C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\\NXlogs\\test.ps1");
    </Exec>
</Output>

<Route 1>
    Path in => out
</Route>

I hope this helps.

Jeffron
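Once the agent starts with the corrected configuration, a quick way to confirm the whole trigger path (im_tcp on port 514, parse_syslog(), the /ERROR/ match in the output's Exec block) is to feed the listener a constructed syslog line. This is an added Python example, not code from the thread or from NXLog; the hostname, tag and message values are constructed, and would_trigger() simply mirrors the `$raw_event =~ /ERROR/` rule so you can see what that bare substring match does (it also fires on "ERRORS" or on a tag containing ERROR, and it never fires on "error" in lower case).

```python
import re
import socket
from datetime import datetime

# Constructed values for the test event (not from the thread).
FACILITY_USER = 1      # RFC 3164 "user-level" facility
SEVERITY_ERROR = 3     # RFC 3164 severity "error"
TRIGGER = re.compile(r"ERROR")   # mirrors the output's `if $raw_event =~ /ERROR/`


def build_syslog_line(message, hostname="testhost", tag="testapp", when=None):
    """Build an RFC 3164 (BSD) syslog line, <PRI>Mmm dd hh:mm:ss host tag: message,
    which is what im_tcp plus parse_syslog() expect to receive."""
    when = when or datetime.now()
    pri = FACILITY_USER * 8 + SEVERITY_ERROR
    # RFC 3164 pads a single-digit day with a space ("Sep  7"), not a zero.
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s\n" % (pri, ts, hostname, tag, message)


def would_trigger(line):
    """True if NXLog's /ERROR/ rule would run exec_async for this raw event.
    The match is a case-sensitive substring test over the whole line, header included."""
    return TRIGGER.search(line) is not None


def send_test_event(line, host="127.0.0.1", port=514, timeout=5.0):
    """Deliver one line to the NXLog im_tcp listener over TCP; returns bytes sent."""
    data = line.encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    # After this runs, C:\NXlogs\Test_Log.log should contain both lines and
    # test.ps1 should have executed exactly once (only the first line matches).
    for msg in ("ERROR test event: exec_async trigger", "INFO heartbeat, no trigger"):
        line = build_syslog_line(msg)
        print("trigger=%s sent=%d %s" % (would_trigger(line), send_test_event(line), line.strip()))
```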

Comments (1)

  • shinee

    Hi Jeffron,
    Thanks for your advice.
    It doesn't seem like a problem with the extension. I had defined my extensions like below in my config file.
    I am logged in as an administrator and I have permission to execute the script and program; the structure looks right...
    Have any of you seen something similar?

    -------------------- my nxlog.conf ---------------------------
    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf\nxlog.d
    define LOGDIR %ROOT%\data

    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension _charconv>
        Module xm_charconv
        AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
    </Extension>

    <Extension _exec>
        Module xm_exec
    </Extension>

    <Extension _json>
        Module xm_json
    </Extension>

    <Extension _fileop>
        Module xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every 1 hour
            Exec if (file_exists('%LOGFILE%') and \
                    (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When @weekly
            Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
        </Schedule>
    </Extension>

    -----------------------------------------------------------------------------------------------------------------------------