exec_async powershell.exe causes huge number of open handles which leads to memory exhaustion
We use NXlog on Windows server to send audit logs from MariaDB to a syslog server. On certain messages I execute a powershell script with exec_async. We discoverred that the powershell.exe subprocesses is not closed correctly which leads to excessive memory use which can be seen by using RamMap and then the Page Table value. In the processes tab a lot of powershell.exe's can be seen with 4KB memory use. With Process Explorer I can see a large number of Handles in the NXlog.exe process. A restart of the nxlog service temporary resolves the issue by cleaning up the (zombie?) powershell.exe processes. I could reproduce the issue with a very simple powershell script with only 1 line: "exit". When I run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NonInteractive -File C:\temp\test.ps1" from a cmd.exe it exits normally and the powershell.exe subprocess doesn't stay visible in RamMap.
Could this be a bug? Or should I call powershell.exe differently?
Excerpt of my config:
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _exec>
Module xm_exec
</Extension>
.....
<Processor discard_messages>
Module pm_null
<Exec>
# Discard messages with 'keepalive'
if( $auditlog_object == "SELECT 0 FROM DUAL" ) exec_async("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "ByPass", "-NonInteractive", "-File", "C:\\temp\\test.ps1");
if( $auditlog_object == "SELECT 0 FROM DUAL" ) drop();
</Exec>
</Processor>
....
<Input mariadb_audit_file>
Module im_file
File 'C:\mariadb\data\server_audit.log'
PollInterval 1
SavePos True
ReadFromLast True
Recursive False
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
</Input>
<Output output_graylog>
Module om_udp
Host x.x.x.x
Port 12201
OutputType GELF
Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
Exec $Hostname = hostname_fqdn();
</Output>
<Route route-0>
Path mariadb_audit_file => preprocess => extract_fields => discard_messages => whitelist_queries => output_graylog
</Route>