NXLOG on Windows - Logs sent with a very long delay

#1 siem_20

Hi All,

I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, the logs are sent in "real time". However, over time a delay builds up, so that after one day the accumulated delay is hours. What could explain this behavior?


define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

# xm_json provides to_json() used in the output below
<Extension _json>
    Module      xm_json
</Extension>

<Input windows_security_eventlog>
    Module  im_msvistalog
    # Security channel only, all events
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  True
    SavePos       True
</Input>

<Output out_chronicle_windevents>
    Module      om_tcp
    # placeholder: the Host directive was not in the posted config, but om_tcp requires one
    Host        CHRONICLE_FORWARDER_HOST
    Port        41001
    # integer() on a datetime yields microseconds since epoch; /1000 gives milliseconds
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>

<Route r2>
    Path    windows_security_eventlog => out_chronicle_windevents
</Route>

Environment description

NXLog CE is running on Windows Server 2022

Package version is 3.2.2329

#2 alexander.lifanov@nxlog.org

Did you check the difference between $EventTime, $EventReceivedTime, and the Chronicle ingestion time? This is needed to figure out at which transition the delay occurs.
You can also add a second output and write a local log file in parallel.
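A quick way to act on that advice, as an added example that is not part of this thread: assuming a second om_file output writes the same to_json() records locally, this script reads those JSON lines and reports how the collector-side lag (EventReceivedTime minus EventTime, both in epoch milliseconds after the poster's /1000 Exec lines) evolves across the file. A lag that grows from the first record to the last points at the im_msvistalog read side rather than at Chronicle ingestion.

```python
import json
from statistics import mean

# Constructed sample of what the local om_file copy would contain. Timestamps
# are epoch milliseconds, as produced by "integer($EventTime) / 1000" in the
# posted config (integer() on a datetime yields microseconds since epoch).
SAMPLE_LINES = """\
{"EventTime": 1700000000000, "EventReceivedTime": 1700000000500, "EventID": 4624}
{"EventTime": 1700000060000, "EventReceivedTime": 1700000061000, "EventID": 4634}
{"EventTime": 1700003600000, "EventReceivedTime": 1700003900000, "EventID": 4624}
{"EventTime": 1700007200000, "EventReceivedTime": 1700010800000, "EventID": 4672}
not json at all
""".splitlines()


def collection_lag_ms(line):
    """Return EventReceivedTime - EventTime (ms) for one JSON line, or None."""
    try:
        rec = json.loads(line)
        return int(rec["EventReceivedTime"]) - int(rec["EventTime"])
    except (ValueError, KeyError, TypeError):
        return None  # skip malformed or truncated lines (e.g. partial write)


def lag_report(lines):
    """Summarise the lag across the file in record order."""
    lags = [lag for lag in map(collection_lag_ms, lines) if lag is not None]
    if not lags:
        return None
    return {
        "records": len(lags),
        "min_ms": min(lags),
        "max_ms": max(lags),
        "mean_ms": round(mean(lags)),
        "first_ms": lags[0],
        "last_ms": lags[-1],
        # lag increasing from start to end of the file means the backlog is
        # building up before the event reaches the TCP output
        "growing": lags[-1] > lags[0],
    }


if __name__ == "__main__":
    print(lag_report(SAMPLE_LINES))
```

Point the same logic at the real file (one JSON object per line) to see whether the lag climbs with uptime; comparing the last_ms value with the Chronicle ingestion timestamp then isolates the network/ingestion leg.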