I am using nxlog to get my Windows logs from a Domain Controller into a SIEM. I am using the im_msvistalog module. ProblemI am receiving logs with large amount of delay. The EventReceivedTime is much later than the EventTime. Please have a look at one of the sample logs output from nxlog. <14>Jun 24 10:56:26 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: { "EventTime":"2025-06-24T10:56:26.039509+02:00", "Hostname":"EXHost1.Example.net","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4674,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{91548763-9812-1113-B4AC-12BAC98DDE11}","Version":0,"TaskValue":13056,"OpcodeValue":0,"RecordNumber":355721231415,"ExecutionProcessID":4,"ExecutionThreadID":13033,"Channel":"Security","Message":"An operation was attempted on a privileged object.","Category":"Sensitive Privilege Use","Opcode":"Info","SubjectUserSid":"S-1-5-21-3604662650-2432062322-1707920734-40372","SubjectUserName":"Test_Subject","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x12ab121bc","ObjectServer":"Security","ObjectType":"-","ObjectName":"-","HandleId":"0x1168","AccessMask":"1048577","PrivilegeList":"SeBackupPrivilege","ProcessId":"0x28c0","ProcessName":"C:\\EXAMPLE\\HELLO\\HELLOBIN\\yxnw3018\\dispatch\\knex3alo.exe", "EventReceivedTime":"2025-06-24T13:04:13.896816+02:00", "SourceModuleName":"i_win","SourceModuleType":"im_msvistalog"}The delays are not consistent. The delays can be ranging from about 10 minutes to sometimes 2 or 3 hours. I have tried to find a pattern but failed to do so. The resources in the Windows device is sufficient and there has been no outstanding logs in nxlog/nxlog.log file. ConfigHere is the snippet of my config that I am using. Any help would be highly appreciated. ... <Extension _syslog> Module xm_syslog </Extension> <Extension _json> Module xm_json </Extension> <Input in> Module im_msvistalog </Input> <Output out> Module om_tcp Host 10.xx.xx.xx Port 514 Exec to_json();$Message=$raw_event;to_syslog_bsd(); </Output> <Route 1> Path in=>out </Route>

I am having problems with the nxlog service being stopped randomly with the log entry: "WARNING nxlog-ce received a termination request signal, exiting...” I have nxlog installed on Windows 2016 server sending powershell windows event logs to Rapid7 IDR SIEM collector I have looked in application, security and system windows event logs, but I can't see what is stopping it. I am new to nxlog, so it could well be my config:Panic Soft#NoFreeOnExit TRUEdefine ROOT     C:\Program Files\nxlogdefine CERTDIR  %ROOT%\certdefine CONFDIR  %ROOT%\conf\nxlog.ddefine LOGDIR   %ROOT%\datainclude %CONFDIR%\\*.confdefine LOGFILE  %LOGDIR%\nxlog.logLogFile %LOGFILE%LogLevel DEBUGModuledir %ROOT%\modulesCacheDir  %ROOT%\dataPidfile   %ROOT%\data\nxlog.pidSpoolDir  %ROOT%\data<Extension _syslog>   Module      xm_syslog</Extension># Input: PowerShell logs only<Input powershell_logs>   Module      im_msvistalog   PollInterval 30   Query       <QueryList>\                   <Query Id="0">\                       <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>\                       <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\                       <Select Path="Windows PowerShell">*</Select>\                   </Query>\               </QueryList></Input># Output: Send to SIEM at 10.20.2.10:1563<Output to_siem>   Module      om_udp   Host        10.20.2.10   Port        1563   Exec        to_syslog_snare();</Output># Route: PowerShell logs => SIEM<Route 1>   Path        powershell_logs => to_siem</Route>