NXlog Problem, Windows event logs not preserving event time


#1 SDavis

I'm noticing something weird with my NXLog endpoints. If I have my NXLog agents pull Windows event logs and transfer them over the network it loses the event time somewhere along the way. My current setup looks like this:

Remote Agent: Windows Event Log -> im_mseventlog -> om_ssl (Type Binary) (to Log Collector)

Log Collector: im_ssl (Type Binary) -> om_udp (Type GELF) (to Graylog server)

When Graylog is offline it will buffer correctly, but after Graylog comes back online, NXLog will send the logs with the current time.

#2 adm Nxlog ✓

Not sure if this is NXLog's fault. Debugging it with tcpdump/wireshark is not trivial since GELF UDP messages are compressed. You can capture the packet and then unzip it.

BTW the next version of NXLog CE will come with GELF TCP support (this is already in the EE version).

You could add the following to the output module to debug this via nxlog.log:

Exec log_info("EventTime: " + $EventTime);
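To check what actually leaves the collector, here is an added example (not from this thread and not NXLog's code): a small Python decoder for a captured GELF UDP datagram that inflates the gzip or zlib payload and compares the GELF "timestamp" field with the original event time. The sample datagram, host name and event values are constructed for the demonstration; chunked datagrams (magic bytes 0x1e 0x0f) are flagged rather than reassembled.

```python
import gzip
import json
import zlib
from datetime import datetime, timezone

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # prefix of a chunked GELF datagram (needs reassembly first)


def decode_gelf_datagram(payload: bytes) -> dict:
    """Inflate one captured GELF UDP datagram (gzip, zlib or plain JSON) into a dict."""
    if payload.startswith(GELF_CHUNK_MAGIC):
        raise ValueError("chunked GELF datagram: reassemble the chunks before decoding")
    if payload.startswith(b"\x1f\x8b"):        # gzip magic bytes
        raw = gzip.decompress(payload)
    elif payload.startswith(b"\x78"):          # zlib header: 0x78 then 0x01/0x5e/0x9c/0xda
        raw = zlib.decompress(payload)
    else:
        raw = payload                          # uncompressed GELF is plain JSON
    return json.loads(raw.decode("utf-8"))


def timestamp_preserved(payload: bytes, event_epoch: float, tolerance_s: float = 1.0) -> bool:
    """True when the GELF 'timestamp' field still matches the original event time."""
    msg = decode_gelf_datagram(payload)
    return abs(float(msg["timestamp"]) - event_epoch) <= tolerance_s


# Constructed sample: a hypothetical Windows event that occurred at 2014-01-02T03:04:05Z.
EVENT_EPOCH = datetime(2014, 1, 2, 3, 4, 5, tzinfo=timezone.utc).timestamp()


def build_sample_datagram(gelf_timestamp: float, compression: str = "zlib") -> bytes:
    """Build a GELF 1.1 datagram as a collector would, with the given 'timestamp' value."""
    msg = {
        "version": "1.1",
        "host": "win-host-01",                 # constructed host name
        "short_message": "An account was successfully logged on.",
        "timestamp": gelf_timestamp,
        "_EventTime": "2014-01-02 03:04:05",   # NXLog's own field, kept for comparison
    }
    raw = json.dumps(msg).encode("utf-8")
    if compression == "gzip":
        return gzip.compress(raw)
    if compression == "zlib":
        return zlib.compress(raw)
    return raw


if __name__ == "__main__":
    good = build_sample_datagram(EVENT_EPOCH)               # event time carried through
    replayed = build_sample_datagram(EVENT_EPOCH + 3600.0)  # re-stamped while buffered
    print("good datagram keeps event time:", timestamp_preserved(good, EVENT_EPOCH))
    print("replayed datagram keeps event time:", timestamp_preserved(replayed, EVENT_EPOCH))
```

Feed the raw UDP payload of a captured packet into decode_gelf_datagram to see whether "timestamp" still equals the event's EventTime or has been replaced by the send time.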