Trouble with NXLog sending the same Windows logs again after a server restart, duplicate log messages


#1 Gary.Blackwell

We're using nxlog-ce-3.1.2319 and have configuration files in the nxlog.d folder. The Windows event log configuration looks like the one below.

# Configuration for converting and sending Windows logs
# directly to Devo
#
# Compatible with NXLog 3.x
#
# Place in C:\Program Files\nxlog\conf\nxlog.d\
#
# Last modification: 2023-2-15
#

# Output destination. Valid options are: ssl_devo local_devo
define DEVO_OUTPUT ssl_devo

# Vars for local Devo relay communication
#define OUTPUT_DEVO_RELAY_IP {REPLACE_WITH_RELAY_IP}
define OUTPUT_DEVO_RELAY_PORT 13000

# Vars for direct Devo communication
define OUTPUT_DESTINATION_ADDRESS redacted.logtrust.net
define OUTPUT_DESTINATION_PORT 443
define CHAIN %CERTDIR%\chain.crt
define CERT %CERTDIR%\domain.crt
define KEY %CERTDIR%\domain.key
define KEYPASS *******
define IIS_TAG web.iis.access-w3c.env.app.clon

<Extension json>
    Module      xm_json
    DateFormat YYYY-MM-DD hh:mm:ss.sUTC
    GenerateDateInUTC TRUE
</Extension>

######## Send to Devo Start ########
<Output ssl_devo>
    Module          om_ssl
    Host            %OUTPUT_DESTINATION_ADDRESS%
    Port            %OUTPUT_DESTINATION_PORT%
    CAFile          %CHAIN%
    CertFile        %CERT%
    CertKeyFile     %KEY%
    KeyPass         %KEYPASS%
    AllowUntrusted  TRUE
</Output>

# <Output local_devo>
#    Module  om_tcp
#    Host    %OUTPUT_DEVO_RELAY_IP%
#    Port    %OUTPUT_DEVO_RELAY_PORT%
#</Output>

######## Send to Devo End ########

######## Windows Events Start ########
<Input win_event_in>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        $Message = to_json();
        $SourceName="box.win_nxlog."+lc($Channel);
        delete($ProcessID);
        to_syslog_bsd();
    </Exec>
</Input>

<Route eventlog>
    Path  win_event_in => %DEVO_OUTPUT%
</Route>

Do you have any ideas on how to prevent it from resending the same logs again?

Thanks

#2 Gary.Blackwell

Does anyone have any ideas about why NXLog would resend Windows events it already sent? This is happening in multiple environments.