Recent threads
Windows logs EventReceivedTime is later than EventTime - im_msvistalog
Rasan created
I am using nxlog to get my Windows logs from a Domain Controller into a SIEM. I am using the im_msvistalog module.

Problem

I am receiving logs with a large amount of delay. The EventReceivedTime is much later than the EventTime. Please have a look at one of the sample logs output by nxlog.

    <14>Jun 24 10:56:26 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: {
    "EventTime":"2025-06-24T10:56:26.039509+02:00",
    "Hostname":"EXHost1.Example.net","Keywords":"9232379236109516800","EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4674,
    "SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{91548763-9812-1113-B4AC-12BAC98DDE11}","Version":0,"TaskValue":13056,"OpcodeValue":0,
    "RecordNumber":355721231415,"ExecutionProcessID":4,"ExecutionThreadID":13033,"Channel":"Security",
    "Message":"An operation was attempted on a privileged object.","Category":"Sensitive Privilege Use","Opcode":"Info",
    "SubjectUserSid":"S-1-5-21-3604662650-2432062322-1707920734-40372","SubjectUserName":"Test_Subject","SubjectDomainName":"EXAMPLE","SubjectLogonId":"0x12ab121bc",
    "ObjectServer":"Security","ObjectType":"-","ObjectName":"-","HandleId":"0x1168","AccessMask":"1048577","PrivilegeList":"SeBackupPrivilege",
    "ProcessId":"0x28c0","ProcessName":"C:\\EXAMPLE\\HELLO\\HELLOBIN\\yxnw3018\\dispatch\\knex3alo.exe",
    "EventReceivedTime":"2025-06-24T13:04:13.896816+02:00",
    "SourceModuleName":"i_win","SourceModuleType":"im_msvistalog"}

The delays are not consistent. They can range from about 10 minutes to sometimes 2 or 3 hours. I have tried to find a pattern but failed to do so. The resources on the Windows device are sufficient and there have been no outstanding logs in the nxlog/nxlog.log file.

Config

Here is the snippet of my config that I am using. Any help would be highly appreciated.

...
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
</Input>

<Output out>
    Module om_tcp
    Host 10.xx.xx.xx
    Port 514
    Exec to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path in => out
</Route>
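One way to quantify the lag Rasan describes, as an added example that is not part of this thread or of NXLog's own tooling: a Python script that parses the syslog-wrapped JSON that nxlog emits with the Exec chain above and reports records whose EventReceivedTime trails EventTime by more than a threshold. The two sample lines are constructed; the 5-minute threshold is an assumption.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample: two syslog-wrapped JSON records in the shape nxlog emits
# with "Exec to_json(); $Message = $raw_event; to_syslog_bsd();" (values are made up).
SAMPLE_LINES = [
    '<14>Jun 24 10:56:26 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: '
    '{"EventTime":"2025-06-24T10:56:26.039509+02:00","Hostname":"EXHost1.Example.net",'
    '"EventID":4674,"RecordNumber":355721231415,'
    '"EventReceivedTime":"2025-06-24T13:04:13.896816+02:00","SourceModuleName":"i_win"}',
    '<14>Jun 24 11:00:00 EXHost1.Example.net Microsoft-Windows-Security-Auditing[0x28c0]: '
    '{"EventTime":"2025-06-24T11:00:00.000000+02:00","Hostname":"EXHost1.Example.net",'
    '"EventID":4624,"RecordNumber":355721231416,'
    '"EventReceivedTime":"2025-06-24T11:00:02.500000+02:00","SourceModuleName":"i_win"}',
]

# BSD syslog header (PRI, timestamp, host, tag[pid]:) followed by the JSON body
HEADER = re.compile(r'^<\d+>\S+\s+\d+\s+[\d:]+\s+\S+\s+\S+:\s*(\{.*\})\s*$')

def parse_line(line):
    """Return the JSON record carried in one nxlog syslog line, or None if malformed."""
    m = HEADER.match(line)
    if not m:
        return None
    return json.loads(m.group(1))

def ingest_delay(record):
    """EventReceivedTime minus EventTime; both fields carry a UTC offset, so the
    subtraction is offset-aware and safe across time zones."""
    t_event = datetime.fromisoformat(record["EventTime"])
    t_recv = datetime.fromisoformat(record["EventReceivedTime"])
    return t_recv - t_event

def late_events(lines, threshold=timedelta(minutes=5)):
    """(RecordNumber, EventID, lag_seconds) for records collected later than threshold."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lag = ingest_delay(rec)
        if lag > threshold:
            out.append((rec["RecordNumber"], rec["EventID"], lag.total_seconds()))
    return out

if __name__ == "__main__":
    for rn, eid, secs in late_events(SAMPLE_LINES):
        print(f"record {rn} (EventID {eid}) arrived {secs / 60:.1f} min after it was written")
```

Run it against a capture of the TCP stream on the SIEM side (one syslog line per element); a steady per-record lag points at polling or backlog in the collector, while lags that vary by channel or host point at the source.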
nxlog service is stopping with - WARNING nxlog-ce received a termination request signal, exiting...
Jack123 created
I am having problems with the nxlog service being stopped randomly with the log entry: "WARNING nxlog-ce received a termination request signal, exiting..." I have nxlog installed on a Windows 2016 server sending PowerShell Windows event logs to a Rapid7 IDR SIEM collector. I have looked in the Application, Security and System Windows event logs, but I can't see what is stopping it. I am new to nxlog, so it could well be my config:

    Panic Soft
    #NoFreeOnExit TRUE

    define ROOT C:\Program Files\nxlog
    define CERTDIR %ROOT%\cert
    define CONFDIR %ROOT%\conf\nxlog.d
    define LOGDIR %ROOT%\data

    include %CONFDIR%\\*.conf

    define LOGFILE %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    LogLevel DEBUG

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    # Input: PowerShell logs only
    <Input powershell_logs>
        Module im_msvistalog
        PollInterval 30
        Query <QueryList>\
            <Query Id="0">\
                <Select Path="Microsoft-Windows-PowerShell/Admin">*</Select>\
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
                <Select Path="Windows PowerShell">*</Select>\
            </Query>\
        </QueryList>
    </Input>

    # Output: Send to SIEM at 10.20.2.10:1563
    <Output to_siem>
        Module om_udp
        Host 10.20.2.10
        Port 1563
        Exec to_syslog_snare();
    </Output>

    # Route: PowerShell logs => SIEM
    <Route 1>
        Path powershell_logs => to_siem
    </Route>