WARNING input file was deleted

farrisk01

Hi,

I'm receiving the following errors in nxlog.log:

2022-01-20 10:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-0939.log
2022-01-20 10:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1009.log
2022-01-20 11:11:17 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1039.log
2022-01-20 11:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1109.log
2022-01-20 12:11:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1139.log
2022-01-20 12:41:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1209.log
2022-01-20 13:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1239.log
2022-01-20 13:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1309.log
2022-01-20 14:11:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1339.log
2022-01-20 14:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1409.log
2022-01-20 15:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1439.log
2022-01-20 15:41:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1509.log
2022-01-20 16:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1539.log

Version: nxlog-ce-2.11.2190.msi

Contents of nxlog.conf:
#
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#
# Version: 0.2.20
# Last modification: 2021-10-15
#

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS SYSLOG IP
define OUTPUT_DESTINATION_PORT 514

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

#######################################################################
#### SHAREPOINT-NXLOG #####
#### Uncomment the following lines for SharePoint-NXLOG #####
#### log forwarding #####
#######################################################################

<Extension transform_alienvault_csv_sharepoint>
Module xm_csv
Fields $Timestamp, $Process, $TID, $Area, $Category, $EventID, $Level, $Message, $Correlation
FieldTypes string, string, string, string, string, string, string, string, string
Delimiter \t
</Extension>

<Input SHAREPOINT_IN>
Module im_file
File "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\*-????????-????.log"
<Exec>
# Drop header lines and empty lines
if $raw_event =~ /^(\xEF\xBB\xBF|Timestamp)/ drop();
else
{
$raw_event =~ s/ +(?=\t)//g;
transform_alienvault_csv_sharepoint->parse_csv();
$EventTime = strptime($Timestamp, "%m/%d/%Y %H:%M:%S");
$Hostname = hostname_fqdn();
$SourceName = "SHAREPOINT-NXLOG";
}
</Exec>
</Input>

<Output SHAREPOINT_OUT>
Module om_udp
Host %OUTPUT_DESTINATION_ADDRESS%
Port %OUTPUT_DESTINATION_PORT%
Exec $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S');
Exec $Message = to_json(); to_syslog_bsd();
</Output>

<Route SP_Route>
Path SHAREPOINT_IN => SHAREPOINT_OUT
</Route>

#######################################################################
#### SHAREPOINT-NXLOG #####
#######################################################################


The files are no longer available due to the log retention policy. How do I prevent this error? I'm relatively sure that I'm missing something in the config file. Any help is appreciated.
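
An added example, not part of the original post: a short Python check that reads these nxlog.log warnings, computes how old each file was when NXLog reported it deleted, and flags any file removed before the retention period elapsed, which separates routine cleanup from unexpected loss of log files. It assumes the `-YYYYMMDD-HHMM` suffix in the file name is the file's creation time and uses a 14-day retention period, chosen because the files in the post disappear about 14 days after that timestamp; the third sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Warning format as shown in the post. Assumption: the -YYYYMMDD-HHMM
# suffix in the file name is the creation time of the SharePoint log file.
WARNING_RE = re.compile(
    r"^(?P<seen>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"WARNING input file was deleted: "
    r"(?P<path>.+-(?P<created>\d{8}-\d{4})\.log)\s*$"
)

# Assumed retention period, inferred from the ages seen in the post.
RETENTION = timedelta(days=14)


def deleted_files(lines):
    """Yield (path, age_at_deletion) for each deletion warning."""
    for line in lines:
        m = WARNING_RE.match(line)
        if not m:
            continue  # not a deletion warning, or unexpected file name
        seen = datetime.strptime(m["seen"], "%Y-%m-%d %H:%M:%S")
        created = datetime.strptime(m["created"], "%Y%m%d-%H%M")
        yield m["path"], seen - created


def unexpected_deletions(lines, retention=RETENTION):
    """Return deletions of files younger than the retention period."""
    return [(p, age) for p, age in deleted_files(lines) if age < retention]


LOGDIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS"
PREFIX = "WARNING input file was deleted: " + LOGDIR
SAMPLE = [
    # Two lines copied from the post.
    f"2022-01-20 10:11:18 {PREFIX}\\SPAPP12013-20220106-0939.log",
    f"2022-01-20 10:41:19 {PREFIX}\\SPAPP12013-20220106-1009.log",
    # Constructed line: a file deleted one day after it was created.
    f"2022-01-20 16:20:00 {PREFIX}\\SPAPP12013-20220119-1609.log",
]

if __name__ == "__main__":
    for path, age in deleted_files(SAMPLE):
        status = "expected" if age >= RETENTION else "UNEXPECTED"
        print(f"{status:10} age={age}  {path}")
```
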