NXlog sends rubbish logs to Graylog

Hello everyone,

I noticed that when I install NXlog on a Windows server, it mostly sends some rubbish logs, and I can’t figure out why. This doesn’t happen all the time; I’m not sure what causes it. A picture of an example is below.

We have a Graylog cluster of 3 nodes, which all host Graylog, Elasticsearch and MongoDB. Graylog is updated to the latest version, but this is something I noticed in earlier versions too.

Also here’s my NXlog configuration file:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _gelf>
    Module      xm_gelf
</Extension>

########## INPUTS ###########
<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

########################################
################# OUTPUTS ##############
<Output out>
    Module      om_udp
    Host        <SERVER_IP>
    Port        5140
    #Exec       to_syslog_snare();
    OutputType  GELF
</Output>

#######################################
#################### ROUTE  ###########
<Route 1>
    Path in => out
</Route>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

Any advice or help is welcome.

Thanks in advance.

Bump.

Anyone?

I found a similar issue in this thread, but without a solution.

Hi @facyber,

I’m pretty new to Graylog myself, so I’m not entirely sure if this is going to help you out (it did for me though). It looks like you’re missing an important part in the nxlog.conf file:

Using the syslog module:

<Extension _syslog>
    Module xm_syslog
</Extension>

Which should be above (maybe) the gelf module:

<Extension _gelf>
    Module xm_gelf
</Extension>

In my case I’m actually using TCP as well for the output:

<Output out>
    Module om_tcp
    Host 172.20.0.249
    Port 50021
    OutputType GELF_TCP
</Output>

It goes without saying that the right input config (input type, port) is required in Graylog… and hopefully this should work for you!

Regards, Icanus

Hi @1c4nu5

I tried that too, the issue still occurs, unfortunately. :confused:

Sorry to hear that @facyber,

The only pointers I can personally think of are these three…

  1. Either the Windows Server version (nxlog.conf):

     If older than Windows 2003, use the im_msvistalog module

     If Windows 2003 (inclusive) or before, use the im_mseventlog module

  2. Check that the input type in Graylog is set to the right one, being either Syslog TCP or Syslog UDP (depends on the Output in your nxlog.conf settings).

  3. Possible fluke here… any configured Extractors on the input which could be playing up? Even a Pipeline?

Again, I hope this helps…

Hopefully someone in the community will have a better insight regarding the strange characters in the message field.

Kind regards, Icanus

@facyber, can you try this?

<Input eventlog>
    Module      im_msvistalog
</Input>

<Output udp>
    Module      om_udp
    Host        172.20.0.249
    Port        50021
    OutputType  GELF
</Output>

<Route eventlog_to_udp>
    Path eventlog => udp
</Route>

Create an input to accept the logs: GELF UDP.
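Added example (not from anyone in this thread, and not NXLog or Graylog code): a small decoder for what a GELF UDP input has to deal with. GELF over UDP is not plain text on the wire: a datagram may carry the JSON document as-is, gzip- or zlib-compressed, or split into chunks that each start with the magic bytes 0x1e 0x0f followed by an 8-byte message ID, a sequence number and a chunk count. A Syslog UDP input has no idea about any of that and will just show those header and compressed bytes as strange characters in the message field, which is one thing worth ruling out before blaming NXLog. The hostname, EventIDs, message text and the 1420-byte chunk size below are all made up for the demo; the decoder only checks the framing, it does not talk to a real Graylog.

```python
"""Decode GELF UDP datagrams (plain, gzip, zlib, chunked) and compare with what a
text-oriented (Syslog) input would see.  Added example with constructed sample
datagrams; not code from the thread, NXLog or Graylog."""
import gzip
import json
import os
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # magic bytes that open every chunked-GELF datagram
CHUNK_PAYLOAD_SIZE = 1420        # chosen for this demo; the GELF spec caps a chunk at 8192 bytes


def build_gelf(short_message, host="winsrv01", extra=None):
    """Build a GELF 1.1 JSON document (as bytes).  Custom fields get the '_' prefix."""
    doc = {"version": "1.1", "host": host, "short_message": short_message, "level": 6}
    if extra:
        doc.update({"_" + k: v for k, v in extra.items()})
    return json.dumps(doc).encode("utf-8")


def chunk_gelf(payload, message_id=None, chunk_size=CHUNK_PAYLOAD_SIZE):
    """Split a (possibly compressed) GELF payload into chunked-GELF datagrams:
    magic(2) + message id(8) + sequence number(1) + sequence count(1) + data."""
    if message_id is None:
        message_id = os.urandom(8)
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > 128:
        raise ValueError("GELF allows at most 128 chunks per message")
    return [GELF_CHUNK_MAGIC + message_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]


def decompress(payload):
    """Return (encoding, raw_json_bytes) for a complete, non-chunked GELF payload."""
    if payload[:2] == b"\x1f\x8b":          # gzip header
        return "gzip", gzip.decompress(payload)
    if payload[:1] == b"\x78":              # zlib header (0x78 0x01 / 0x9c / 0xda)
        return "zlib", zlib.decompress(payload)
    if payload[:1] == b"{":                 # uncompressed JSON
        return "plain", payload
    raise ValueError("not a recognised GELF payload")


class GelfReassembler:
    """Reassemble chunked GELF datagrams, keyed by the 8-byte message ID."""

    def __init__(self):
        self.pending = {}

    def feed(self, datagram):
        """Feed one datagram; return (encoding, dict) when a message is complete, else None."""
        if datagram[:2] == GELF_CHUNK_MAGIC:
            msg_id, seq, total = datagram[2:10], datagram[10], datagram[11]
            chunks = self.pending.setdefault(msg_id, {})
            chunks[seq] = datagram[12:]
            if len(chunks) < total:
                return None                 # still waiting for the other chunks
            payload = b"".join(chunks[i] for i in range(total))
            del self.pending[msg_id]
            prefix = "chunked+"
        else:
            payload, prefix = datagram, ""
        encoding, raw = decompress(payload)
        return prefix + encoding, json.loads(raw.decode("utf-8"))


def looks_like_text_json(datagram):
    """True only if a text-oriented (Syslog) input would receive parseable JSON text,
    i.e. the message was sent plain and uncompressed in a single datagram."""
    try:
        json.loads(datagram.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False


def run_demo():
    """Constructed traffic: a small event sent zlib-compressed and a large event sent
    plain but chunked.  Returns what a GELF UDP input and a Syslog UDP input would see."""
    small = zlib.compress(build_gelf("An account was successfully logged on",
                                     extra={"EventID": 4624}))
    big_chunks = chunk_gelf(build_gelf("X" * 4000, extra={"EventID": 4688}))
    reassembler = GelfReassembler()
    decoded = [reassembler.feed(d) for d in [small] + big_chunks]
    return {
        "chunk_count": len(big_chunks),
        "gelf_view": [d for d in decoded if d is not None],
        "syslog_view": [looks_like_text_json(d) for d in [small] + big_chunks],
    }


if __name__ == "__main__":
    result = run_demo()
    print("large event split into", result["chunk_count"], "chunks")
    for encoding, doc in result["gelf_view"]:
        print(encoding, "->", doc["host"], doc["_EventID"], doc["short_message"][:40])
    print("readable by a Syslog input:", result["syslog_view"])
```

To check a real Windows box, bind a UDP socket on a spare port, point the om_udp Host/Port at it for a minute, and pass each received datagram to `GelfReassembler.feed`; if `decompress` raises on what arrives, the sender is not emitting GELF at all, and if it decodes cleanly but the Graylog input is a Syslog one, the input type is the problem.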

Hi @demonguru18

That’s pretty much the same as my conf file; only the Input and Output names are different.

I restarted the NXlog service again and it is normal again, for now.

Bump. Does anyone have a solution, or has anyone noticed the same issue? This is still happening for us.

@facyber
I’m also fairly new at Graylog; I had that happen to me too. Here is my nxlog.conf, if that helps.

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
# For Windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

<Output out>
    Module      om_ssl
    Host        <FQDN_HERE>
    Port        51412
    OutputType  GELF_TCP
    CertFile    %CERTDIR%/graylog-certificate.pem
    CertKeyFile %CERTDIR%/graylog-key.pem
    CAFile      %CERTDIR%/cert.pem
    KeyPass     secret
    AllowUntrusted false
    Exec        $Hostname = hostname_fqdn();
    Exec        $ShortMessage = $raw_event;
</Output>

# The block name was lost in the forum paste; "1" is assumed here (NXlog needs one).
<Route 1>
    Path in => out
</Route>