NXLog time configurations

#1 ilya

Hi,

My scenario is:  (Windows server + nxlog configured for Windows events) => Logstash => Elasticsearch

I am wondering where nxlog stores current information about sent Windows Events (for every category).
If I need to resend a few Windows events from the past, how can I do it?

Is there any way to select the last X hours (example: the last 48 hours from the Security category, counted from the moment the nxlog service starts)?
SavePos and ReadFromLast are helpful, but if both are false, event logs are sent starting from the first one stored on the Windows server.

Also, where does nxlog save all events in case of a temporarily lost TCP connection? This is probably the SavePos location.

Thanks

#2 b0ti Nxlog ✓

It saves an XML bookmark provided by the Windows Eventlog API. This is what `SavePos` does.

Unfortunately it is not possible to have it start from x hours before. What you can do is remove `configcache.dat`, set `SavePos` and `ReadFromLast` to `FALSE`, and use a filter such as this:

```
Exec if $EventTime < 2017-07-15 00:00:00 drop();
```

When the network connection is lost, it simply does not read and forward more logs (= flow control).
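As an added example (not part of the original thread or of NXLog's own documentation), here is a complete `nxlog.conf` that applies the procedure from the answer above to the Security channel of the pipeline described in the question: read the channel from its oldest record, keep no bookmark, drop everything older than a cutoff, and ship the rest to Logstash as JSON over TCP. The install path (default 32-bit NXLog CE layout), the Logstash address `127.0.0.1:5000` and the cutoff `2017-07-15 00:00:00` are assumptions; change them to match your environment.

```nxlog
## Added example, not from the thread: replay Security events newer than a
## cutoff into Logstash, following the steps in the answer above.
## Assumptions: default NXLog CE install path, Logstash listening on
## TCP 127.0.0.1:5000, cutoff 2017-07-15 00:00:00.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

## The Eventlog bookmark written by SavePos lives in CacheDir as
## configcache.dat. Stop the nxlog service, delete %ROOT%\data\configcache.dat,
## then start the service with this configuration.

<Extension json>
    Module      xm_json
</Extension>

<Input security>
    Module      im_msvistalog
    # Start from the oldest record in the channel and do not persist a
    # bookmark, so the cutoff filter below decides what is (re)sent.
    ReadFromLast FALSE
    SavePos      FALSE
    Query        <QueryList>                                  \
                   <Query Id='0'>                             \
                     <Select Path='Security'>*</Select>       \
                   </Query>                                   \
                 </QueryList>
    # Drop everything older than the cutoff; only newer events reach Logstash.
    Exec         if $EventTime < 2017-07-15 00:00:00 drop();
</Input>

<Output logstash>
    Module      om_tcp
    Host        127.0.0.1
    Port        5000
    # Serialize each event as one JSON object per line for the Logstash tcp input.
    Exec        to_json();
</Output>

<Route replay>
    Path        security => logstash
</Route>
```

Two operational notes: with `SavePos FALSE`, every restart of the service re-reads the whole channel and replays the full window between the cutoff and now, so once the backfill has reached Elasticsearch, set `SavePos` back to `TRUE` (and remove the `Exec` filter) so that normal bookmarked forwarding resumes. Also, because `om_tcp` applies flow control as the answer describes, a Logstash outage during the replay pauses reading rather than losing events; the replay resumes from where it stopped once the connection is back.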