
pm_buffer not filling on network error
Hi,
I have the requirement to buffer logs that were unable to be sent during network failures.
I have the following config, which makes NXLog CE create a buffer file, but it stays at 0 KB in size when the network is missing.
My logs show the expected network failure:
2022-10-04 10:01:52 INFO nxlog-ce-3.0.2284 started
2022-10-04 10:01:52 INFO reconnecting in 1 seconds
2022-10-04 10:01:52 ERROR apr_sockaddr_info failed for myserver.com:1514; No such host is known.  
2022-10-04 10:01:53 INFO reconnecting in 2 seconds
2022-10-04 10:01:53 ERROR apr_sockaddr_info failed for myserver.com:1514; No such host is known.  
2022-10-04 10:01:55 INFO reconnecting in 4 seconds


nxlog.conf

<Extension syslog>
    Module  xm_syslog
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input inWindowsAudit>
    Module          im_msvistalog
    ReadFromLast    True

    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    parse_syslog(); to_json();
</Input>

<Processor buffer>
    Module      pm_buffer
    Type        Disk
    # 40 MiB buffer
    MaxSize     40960
    # Generate warning message at 20 MiB
    WarnLimit   20480
</Processor>

<Output ssl>
    Module          om_ssl
    Host            myserver.com
    Port            1514
    CAFile          %CERTDIR%\ca-root.cer
    CertFile        %CERTDIR%\client.cer
    CertKeyFile     %CERTDIR%\client_private.key
    KeyPass         secret
    AllowUntrusted  FALSE
</Output>

<Route main>
    Path            inWindowsAudit => buffer => ssl
</Route>

Any ideas? Thanks.

dmuensterer