Seems that nxlog does not read all the line of my log file

#1 sv 6 years ago

Hi,

It seems that nxlog does not send to the output all lines of a file which is monitored. Here is an example of what I want to send to my syslog server :

30,01/16/18,09:24:23,Requête de mise à jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
10,01/16/18,09:24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
32,01/16/18,09:24:23,Mise à jour DNS réussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
30,01/16/18,09:25:55,Requête de mise à jour DNS,192.168.31.68,volant3.enterprise.local,,,0,6,,,
10,01/16/18,09:25:55,Assigner,192.168.31.68,volant3.enterprise.local,5C514FDCA690,,2181532597,0,,,
32,01/16/18,09:25:55,Mise à jour DNS réussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,

And here is what I have received :

2018-01-16T09:24:23+01:00 DC 30,01/16/18,09: 24:23,Requ▒te de mise ▒ jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:24:23+01:00 DC 10,01/16/18,09: 24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
2018-01-16T09:24:23+01:00 DC 32,01/16/18,09: 24:23,Mise ▒ jour DNS r▒ussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:25:55+01:00 DC 32,01/16/18,09: 25:55,Mise ▒ jour DNS r▒ussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,

Here is my whole nxlog configuration

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

define DHCPDIR C:\Windows\Sysnative\dhcp

<Input inDhcp>
 Module im_file
 File '%DHCPDIR%\DhcpSrvLog-*.log'
 SavePos TRUE
 ReadFromLast TRUE
 PollInterval 1
 Exec $Message = $raw_event; $SyslogFacilityValue = 17;
</Input>

<Output outSyslogSrv>
    Module      om_udp
    Host        192.168.2.12
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        inDhcp => outSyslogSrv
</Route>

Did I miss something ?

Thanks

Permalink

#2 b0ti Nxlog ✓ 6 years ago

#1 sv

Hi, It seems that nxlog does not send to the output all lines of a file which is monitored. Here is an example of what I want to send to my syslog server : 30,01/16/18,09:24:23,Requête de mise à jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,, 10,01/16/18,09:24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,, 32,01/16/18,09:24:23,Mise à jour DNS réussie,192.168.31.66,volant2.enterprise.local,,,0,6,,, 30,01/16/18,09:25:55,Requête de mise à jour DNS,192.168.31.68,volant3.enterprise.local,,,0,6,,, 10,01/16/18,09:25:55,Assigner,192.168.31.68,volant3.enterprise.local,5C514FDCA690,,2181532597,0,,, 32,01/16/18,09:25:55,Mise à jour DNS réussie,192.168.31.68,volant3.enterprise.local,,,0,6,,, And here is what I have received : 2018-01-16T09:24:23+01:00 DC 30,01/16/18,09: 24:23,Requ▒te de mise ▒ jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,, 2018-01-16T09:24:23+01:00 DC 10,01/16/18,09: 24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,, 2018-01-16T09:24:23+01:00 DC 32,01/16/18,09: 24:23,Mise ▒ jour DNS r▒ussie,192.168.31.66,volant2.enterprise.local,,,0,6,,, 2018-01-16T09:25:55+01:00 DC 32,01/16/18,09: 25:55,Mise ▒ jour DNS r▒ussie,192.168.31.68,volant3.enterprise.local,,,0,6,,, Here is my whole nxlog configuration define ROOT C:\Program Files (x86)\nxlog Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension _syslog> Module xm_syslog </Extension> <Input in> Module im_msvistalog # For windows 2003 and earlier use the following: # Module im_mseventlog </Input> define DHCPDIR C:\Windows\Sysnative\dhcp <Input inDhcp> Module im_file File '%DHCPDIR%\DhcpSrvLog-*.log' SavePos TRUE ReadFromLast TRUE PollInterval 1 Exec $Message = $raw_event; $SyslogFacilityValue = 17; </Input> <Output outSyslogSrv> Module om_udp Host 192.168.2.12 Port 514 Exec to_syslog_bsd(); </Output> <Route 1> Path inDhcp => outSyslogSrv </Route> Did I miss something ? Thanks

The cause most likely lies elsewhere , e.g. your syslog server may be dropping those. Before pointing fingers I suggest that you confirm what is happening first:

use wireshark and look at what's being sent in the udp packets.
replace om_udp with om_file and look into the file it writes. Anything present there would be sent via UDP the same way.