Trouble with NXLog sending the same Windows logs again after a server restart, duplicate log messages
We're using nxlog-ce-3.1.2319 and have configuration files in the nxlog.d folder. The Windows event log configuration looks like this:
# Configuration for converting and sending Windows logs
# directly to Devo
#
# Compatible with NXLog 3.x
#
# Place in C:\Program Files\nxlog\conf\nxlog.d\
#
# Last modification: 2023-2-15
#

# Output destination. Valid options are: ssl_devo local_devo
define DEVO_OUTPUT ssl_devo

# Vars for local Devo relay communication
#define OUTPUT_DEVO_RELAY_IP {REPLACE_WITH_RELAY_IP}
define OUTPUT_DEVO_RELAY_PORT 13000

# Vars for direct Devo communication
define OUTPUT_DESTINATION_ADDRESS redacted.logtrust.net
define OUTPUT_DESTINATION_PORT 443
define CHAIN %CERTDIR%\chain.crt
define CERT %CERTDIR%\domain.crt
define KEY %CERTDIR%\domain.key
define KEYPASS *******
define IIS_TAG web.iis.access-w3c.env.app.clon

<Extension json>
    Module xm_json
    DateFormat YYYY-MM-DD hh:mm:ss.sUTC
    GenerateDateInUTC TRUE
</Extension>

######## Send to Devo Start ########
<Output ssl_devo>
    Module om_ssl
    Host %OUTPUT_DESTINATION_ADDRESS%
    Port %OUTPUT_DESTINATION_PORT%
    CAFile %CHAIN%
    CertFile %CERT%
    CertKeyFile %KEY%
    KeyPass %KEYPASS%
    # Note: AllowUntrusted TRUE disables verification of the server's certificate
    # against CAFile, so the TLS connection is not authenticated.
    AllowUntrusted TRUE
</Output>

# <Output local_devo>
#     Module om_tcp
#     Host %OUTPUT_DEVO_RELAY_IP%
#     Port %OUTPUT_DEVO_RELAY_PORT%
# </Output>
######## Send to Devo End ########

######## Windows Events Start ########
<Input win_event_in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Serialize the whole event as JSON, tag it per channel, then
        # wrap it in BSD syslog format for the Devo output
        $Message = to_json();
        $SourceName = "box.win_nxlog." + lc($Channel);
        delete($ProcessID);
        to_syslog_bsd();
    </Exec>
</Input>

<Route eventlog>
    Path win_event_in => %DEVO_OUTPUT%
</Route>

Do you have any ideas on how to prevent it from resending the same logs again?
Thanks
Does anyone have any ideas about why NXLog would resend Windows events it already sent? This is happening in multiple environments.
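For reference, the directives that govern where im_msvistalog resumes after a restart are left at their defaults in the configuration posted above. The fragment below is an added example, not part of the original post and not a confirmed fix for the behaviour described; it shows those directives set explicitly so their effect is visible. The cache path and the 5-second flush interval are assumed values, and the exact defaults and accepted values should be checked against the NXLog Reference Manual for the installed version.

```conf
# Added example (not from the original post). Shows the position-cache
# directives relevant to resuming after a restart; values are assumptions.

# Global section (top level of nxlog.conf, not inside a module block).
# im_msvistalog stores its last-read position in the cache file under
# CacheDir. The cache is normally written at shutdown; flushing it on a
# short interval and syncing to disk bounds how far back a read position
# can fall if the service is killed without a clean stop.
CacheDir            %ROOT%\data
CacheFlushInterval  5
CacheSync           TRUE

<Input win_event_in>
    Module       im_msvistalog
    # SavePos (default TRUE): persist the position of the last event read
    # so a restart continues from there instead of re-reading the channel.
    SavePos      TRUE
    # ReadFromLast (default TRUE): if no saved position exists, start at
    # the newest event rather than from the beginning of the log. Trade-off:
    # a lost cache then skips events that arrived while NXLog was down,
    # instead of resending older ones.
    ReadFromLast TRUE
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
```

When comparing this against a running host, the useful check is whether the cache file under CacheDir is actually being updated while the service runs and whether it survives the restart; if it is only written at shutdown and the host is rebooted without stopping the service cleanly, the saved position can lag behind what was already sent.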