Request trial
Request Trial

Duplicate events from NXLog

Tags:
#1 sticks221

HI,

I have NXLog (nxlog-ce-2.9.1716) deployed to over 100 Windows servers to send Windows events to Graylog and its working fantastically on all but one server, our main File server. On this one server, the same 5145 events seem to be repeating events up to 19 times - from what I can see, they are identical on Graylog but don't appear duplicated on the file server - the only difference I can see is the volume of events which (by design we need to see file access successes as well as failures and have ABE enabled so see up to 170k events per min).

We don't see the issue on any other server, I have implemented the no repeat module (config below) but still no joy. Any suggestions or advice welcome please?

NXLog configuration file. See the nxlog reference manual for more info

#define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log

<Extension gelf> Module xm_gelf </Extension>

<Input in> # Use 'im_mseventlog' for Windows XP and 2003 Module im_msvistalog Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004 or $EventID == 5156) drop();
else{
if ( $EventType == "INFO" ) $SyslogSeverityValue = 6;
if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4;
if ( $EventType == "ERROR" ) $SyslogSeverityValue = 3;
} </Input>

<Processor norepeat> Module pm_norepeat CheckFields Hostname, SourceName, Message </Processor>

<Output out> Module om_udp #Our Graylog server Host [our graylog server] Port 12201 OutputType GELF </Output>

<Route 1> Path in => norepeat => out </Route>

Permalink
#2 b0ti Nxlog ✓
#1 sticks221
HI, I have NXLog (nxlog-ce-2.9.1716) deployed to over 100 Windows servers to send Windows events to Graylog and its working fantastically on all but one server, our main File server. On this one server, the same 5145 events seem to be repeating events up to 19 times - from what I can see, they are identical on Graylog but don't appear duplicated on the file server - the only difference I can see is the volume of events which (by design we need to see file access successes as well as failures and have ABE enabled so see up to 170k events per min). We don't see the issue on any other server, I have implemented the no repeat module (config below) but still no joy. Any suggestions or advice welcome please? NXLog configuration file. See the nxlog reference manual for more info #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension gelf> Module xm_gelf </Extension> <Input in> # Use 'im_mseventlog' for Windows XP and 2003 Module im_msvistalog Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004 or $EventID == 5156) drop(); else{ if ( $EventType == "INFO" ) $SyslogSeverityValue = 6; if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4; if ( $EventType == "ERROR" ) $SyslogSeverityValue = 3; } </Input> <Processor norepeat> Module pm_norepeat CheckFields Hostname, SourceName, Message </Processor> <Output out> Module om_udp #Our Graylog server Host [our graylog server] Port 12201 OutputType GELF </Output> <Route 1> Path in => norepeat => out </Route>

On this one server, the same 5145 events seem to be repeating events up to 19 times

Do the events repeat , or the whole log gets resent? I.e. for Foo , Bar do you see Foo, Foo, Bar, Bar or Foo, Bar, Foo, Bar ?

I suggest setting up a local om_file output for debugging purposes where you can check this. If there is no duplication there then the issue is likely elsewhere.
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS