Eventlog Source Limitation on Server 2016


#1 markus.wolfram

Hi, when configuring nxlog-CE on a Server 2016, there are limitations for collecting all eventlog sources. After starting the nxlog service, I see the following information in the nxlog-logfile:

2017-12-12 18:18:38 INFO nxlog-ce-2.9.1716 started
2017-12-12 18:18:50 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.

here is my nxlog-configuration:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog

    Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFO') OR ($EventType == 'AUDIT_SUCCESS') drop();
    Exec if ($SourceName == 'Microsoft-Windows-KnownFolders' AND $EventID == 1002) drop();
</Input>

<Output out>
    Module      om_udp
    OutputType  GELF
    Host        our.graylog.server
    Port        1515
</Output>

<Route 1>
    Path        in => out
</Route>

We use the same configuration on our Windows Server 2012 / 2012 R2 systems without any issues.

Will there be a fix in the a new edition? We don't want to filter the eventlog sources in the configuration.

Kind regards, Markus

#2 b0ti Nxlog ✓
#1 markus.wolfram
Hi, when configuring nxlog-CE on a Server 2016, there are limitations for collecting all eventlog sources. After starting the nxlog service, I see the following information in the nxlog-logfile: 2017-12-12 18:18:38 INFO nxlog-ce-2.9.1716 started 2017-12-12 18:18:50 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources. here is my nxlog-configuration: define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension gelf> Module xm_gelf </Extension> <Input in> Module im_msvistalog Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFO') OR ($EventType == 'AUDIT_SUCCESS') drop(); Exec if ($SourceName == 'Microsoft-Windows-KnownFolders' AND $EventID == 1002) drop(); </Input> <Output out> Module om_udp OutputType GELF Host our.graylog.server Port 1515 </Output> <Route 1> Path in => out </Route> We use the same configuration on our Windows Server 2012 / 2012 R2 systems without any issues. Will there be a fix in the a new edition? We don't want to filter the eventlog sources in the configuration. Kind regards, Markus

This is already solved in the NXLog Enterprise Edition as far as I know. It will be also fixed in the CE at some point but there is no ETA.