Eventlog Source Limitation on Server 2016
Hi, when configuring nxlog-CE on a Server 2016, there are limitations for collecting all eventlog sources. After starting the nxlog service, I see the following information in the nxlog-logfile:
2017-12-12 18:18:38 INFO nxlog-ce-2.9.1716 started 2017-12-12 18:18:50 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.
here is my nxlog-configuration:
define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension gelf> Module xm_gelf </Extension> <Input in> Module im_msvistalog Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFO') OR ($EventType == 'AUDIT_SUCCESS') drop(); Exec if ($SourceName == 'Microsoft-Windows-KnownFolders' AND $EventID == 1002) drop(); </Input> <Output out> Module om_udp OutputType GELF Host our.graylog.server Port 1515 </Output> <Route 1> Path in => out </Route>
We use the same configuration on our Windows Server 2012 / 2012 R2 systems without any issues.
Will there be a fix in the a new edition? We don't want to filter the eventlog sources in the configuration.
Kind regards, Markus
This is already solved in the NXLog Enterprise Edition as far as I know. It will be also fixed in the CE at some point but there is no ETA.