Request trial
Request Trial

NXLOG on Windows - Logs sent with a very long delay

Tags: NXLog Community Edition
#1 siem_20

Hi All,

I am collecting and sending logs from a Windows Domain Controller (only security events). When I start the nxlog service, the logs are send in “real time”. However, Over time, a delay is generated, causing the accumulated delay to be hours after one day. What could happen to explain this behavior?

Configuration

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
<Extension _json>
    Module      xm_json
</Extension>
<Input windows_security_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    ReadFromLast  True
    SavePos  True
</Input>
<Output out_chronicle_windevents>
    Module      om_tcp
    Host        172.16.94.69
    Port        41001
    Exec        $EventTime = integer($EventTime) / 1000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec        to_json();
</Output>
<Route r2>
    Path    windows_security_eventlog => out_chronicle_windevents
</Route>

Environment description

NXLog CE is running on Windows 2022 server 

Package version is 3.2.2329

 

 

 

Permalink
#2 alexander.lifanov@nxlog.org Nxlog ✓

Greetings!
Did you check the difference between $EventTime, $EventReceivedTime and Chronicle ingestion time? This is needed to figure out at which transition the delay occurs.
You can also make the second output and write a local log file in parallel. 
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS