pm_buffer not filling on network error

Tags: pm_buffer

#1 dmuensterer

Hi, I have the requirement to buffer logs that were unable to be sent during network failures. I have the following config which makes NXLog CE create a buffer file but it stays at 0KB size with a missing network. My logs show the expected network failure:

2022-10-04 10:01:52 INFO nxlog-ce-3.0.2284 started
2022-10-04 10:01:52 INFO reconnecting in 1 seconds
2022-10-04 10:01:52 ERROR apr_sockaddr_info failed for myserver.com:1514; No such host is known.
2022-10-04 10:01:53 INFO reconnecting in 2 seconds
2022-10-04 10:01:53 ERROR apr_sockaddr_info failed for myserver.com:1514; No such host is known.
2022-10-04 10:01:55 INFO reconnecting in 4 seconds

nxlog.conf

<Extension syslog>
    Module      xm_syslog
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input inWindowsAudit>
    Module      im_msvistalog
    ReadFromLast True

    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec        parse_syslog(); to_json();
</Input>

<Processor buffer>
    Module      pm_buffer
    Type        Disk
    # 40 MiB buffer
    MaxSize     40960
    # Generate warning message at 20 MiB
    WarnLimit   20480
</Processor>

<Output ssl>
    Module      om_ssl
    Host        myserver.com
    Port        1514
    CAFile      %CERTDIR%\ca-root.cer
    CertFile    %CERTDIR%\client.cer
    CertKeyFile %CERTDIR%\client_private.key
    KeyPass     secret
    AllowUntrusted FALSE
</Output>

<Route main>
    Path        inWindowsAudit => buffer => ssl
</Route>

Any ideas? Thanks.

#2 dmuensterer

No ideas? I’m sure I’m not the only one with the buffer requirement.