Duplicate events from NXLog


#1 sticks221

Hi,

I have NXLog (nxlog-ce-2.9.1716) deployed to over 100 Windows servers to send Windows events to Graylog and it's working fantastically on all but one server, our main file server. On this one server, the same 5145 events seem to be repeating up to 19 times - from what I can see, they are identical on Graylog but don't appear duplicated on the file server - the only difference I can see is the volume of events (by design we need to see file access successes as well as failures and have ABE enabled, so we see up to 170k events per min).

We don't see the issue on any other server. I have implemented the no repeat module (config below) but still no joy. Any suggestions or advice welcome please?

## NXLog configuration file. See the nxlog reference manual for more info.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    # Use 'im_mseventlog' for Windows XP and 2003
    Module im_msvistalog
    # Drop the listed event IDs; map everything else to a syslog severity
    <Exec>
        if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or
            $EventID == 4304 or $EventID == 5004 or $EventID == 5156) drop();
        else {
            if ( $EventType == "INFO" )    $SyslogSeverityValue = 6;
            if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4;
            if ( $EventType == "ERROR" )   $SyslogSeverityValue = 3;
        }
    </Exec>
</Input>

<Processor norepeat>
    Module pm_norepeat
    CheckFields Hostname, SourceName, Message
</Processor>

<Output out>
    Module om_udp
    # Our Graylog server
    Host [our graylog server]
    Port 12201
    OutputType GELF
</Output>

<Route 1>
    Path in => norepeat => out
</Route>

#2 b0ti Nxlog ✓

On this one server, the same 5145 events seem to be repeating events up to 19 times

Do the events repeat, or does the whole log get resent? I.e. for Foo, Bar do you see Foo, Foo, Bar, Bar or Foo, Bar, Foo, Bar?

I suggest setting up a local om_file output for debugging purposes where you can check this. If there is no duplication there then the issue is likely elsewhere.
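A way to run the check suggested above on a local om_file dump, as an added example that is not part of this thread and not NXLog's own tooling. It assumes the debug output was written as one JSON object per line (for instance with xm_json's to_json()) carrying im_msvistalog's RecordNumber field, the sample lines are constructed, and the pm_norepeat model below is an assumption: it treats CheckFields as a comparison against the immediately preceding event only.

```python
import json
from collections import defaultdict

# Constructed sample of a local om_file debug dump, one JSON object per line.
# RecordNumber is the event log record number im_msvistalog exposes, so two
# lines sharing a RecordNumber are the same Windows event emitted twice.
def _line(record_number, path):
    return json.dumps({
        "RecordNumber": record_number, "EventID": 5145, "Hostname": "FS01",
        "SourceName": "Microsoft-Windows-Security-Auditing",
        "Message": "A network share object was checked: " + path,
    })

SAMPLE_LINES = [
    _line(101, r"\\FS01\data\a.docx"),  # Foo
    _line(101, r"\\FS01\data\a.docx"),  # Foo again: adjacent repeat
    _line(102, r"\\FS01\data\b.xlsx"),  # Bar
    _line(103, r"\\FS01\data\c.pdf"),   # Baz
    _line(102, r"\\FS01\data\b.xlsx"),  # Bar again: interleaved resend
    _line(103, r"\\FS01\data\c.pdf"),   # Baz again: interleaved resend
]

def load_events(lines):
    """Parse one JSON event per line, ignoring blank lines."""
    return [json.loads(line) for line in lines if line.strip()]

def duplicate_report(events):
    """Map RecordNumber -> (copies seen, 'adjacent' or 'interleaved').
    Adjacent copies (Foo, Foo, Bar, Bar) suggest the event is emitted twice
    at the source; interleaved copies (Foo, Bar, Foo, Bar) suggest a whole
    batch is being resent further down the pipeline."""
    positions = defaultdict(list)
    for idx, ev in enumerate(events):
        positions[ev["RecordNumber"]].append(idx)
    report = {}
    for rec, idxs in positions.items():
        if len(idxs) > 1:
            adjacent = idxs[-1] - idxs[0] == len(idxs) - 1
            report[rec] = (len(idxs), "adjacent" if adjacent else "interleaved")
    return report

def norepeat_filter(events, check_fields=("Hostname", "SourceName", "Message")):
    """Assumed model of pm_norepeat CheckFields: drop an event only when the
    checked fields equal those of the immediately preceding event, so
    interleaved duplicates pass through untouched."""
    kept, previous = [], None
    for ev in events:
        key = tuple(ev.get(f) for f in check_fields)
        if key != previous:
            kept.append(ev)
        previous = key
    return kept
```

On a real dump, `duplicate_report(load_events(open(path)))` tells you which of the two patterns from the reply you are seeing, and `norepeat_filter` shows which copies a previous-event-only check could ever have removed.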