Seems that nxlog does not read all the lines of my log file

Tags: im_file

#1 sv
Hi,

It seems that nxlog does not send to the output all lines of a file which is monitored. Here is an example of what I want to send to my syslog server:

```
30,01/16/18,09:24:23,Requête de mise à jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
10,01/16/18,09:24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
32,01/16/18,09:24:23,Mise à jour DNS réussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
30,01/16/18,09:25:55,Requête de mise à jour DNS,192.168.31.68,volant3.enterprise.local,,,0,6,,,
10,01/16/18,09:25:55,Assigner,192.168.31.68,volant3.enterprise.local,5C514FDCA690,,2181532597,0,,,
32,01/16/18,09:25:55,Mise à jour DNS réussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,
```

And here is what I have received:

```
2018-01-16T09:24:23+01:00 DC 30,01/16/18,09: 24:23,Requ▒te de mise ▒ jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:24:23+01:00 DC 10,01/16/18,09: 24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
2018-01-16T09:24:23+01:00 DC 32,01/16/18,09: 24:23,Mise ▒ jour DNS r▒ussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:25:55+01:00 DC 32,01/16/18,09: 25:55,Mise ▒ jour DNS r▒ussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,
```

Here is my whole nxlog configuration:

```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
# For windows 2003 and earlier use the following:
#   Module im_mseventlog
</Input>

define DHCPDIR C:\Windows\Sysnative\dhcp

<Input inDhcp>
    Module im_file
    File '%DHCPDIR%\DhcpSrvLog-*.log'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Exec $Message = $raw_event; $SyslogFacilityValue = 17;
</Input>

<Output outSyslogSrv>
    Module om_udp
    Host 192.168.2.12
    Port 514
    Exec to_syslog_bsd();
</Output>

<Route 1>
    Path inDhcp => outSyslogSrv
</Route>
```

Did I miss something?

Thanks

#2 b0ti Nxlog ✓

The cause most likely lies elsewhere, e.g. your syslog server may be dropping those. Before pointing fingers I suggest that you confirm what is happening first:

  • use Wireshark and look at what's being sent in the UDP packets.
  • replace om_udp with om_file and look into the file it writes. Anything present there would be sent via UDP the same way.
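
Whichever capture point is used (the om_file output or the syslog server's own file), the source log can be compared against the capture to list exactly which records are missing. The following is an added example, not part of the original thread; the function names are hypothetical and the sample data is the two listings from the first post.

```python
import re
from collections import Counter

# Receiver-side prefix as shown in the post: "<timestamp> <host> <message>".
HEADER = re.compile(r"^\S+\s+\S+\s+")

def record_key(line, has_header=False):
    """Key a DHCP audit record on fields that survive charset damage."""
    if has_header:
        line = HEADER.sub("", line, count=1)
    f = [x.strip() for x in line.split(",")]
    if len(f) < 7 or not f[0].isdigit():
        return None  # banner text or other non-record line
    # ID, date, time without spaces, IP, host, MAC; description (field 3) skipped.
    return (f[0], f[1], re.sub(r"\s+", "", f[2]), f[4], f[5], f[6])

def missing_lines(source, received):
    """Return source records that have no counterpart in the capture."""
    keys = (record_key(l, has_header=True) for l in received)
    seen = Counter(k for k in keys if k is not None)
    missing = []
    for line in source:
        key = record_key(line)
        if key is None:
            continue
        if seen[key] > 0:
            seen[key] -= 1  # consume one match so repeats are counted
        else:
            missing.append(line)
    return missing

# Sample data: the two listings from the first post of this thread.
SOURCE = """
30,01/16/18,09:24:23,Requête de mise à jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
10,01/16/18,09:24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
32,01/16/18,09:24:23,Mise à jour DNS réussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
30,01/16/18,09:25:55,Requête de mise à jour DNS,192.168.31.68,volant3.enterprise.local,,,0,6,,,
10,01/16/18,09:25:55,Assigner,192.168.31.68,volant3.enterprise.local,5C514FDCA690,,2181532597,0,,,
32,01/16/18,09:25:55,Mise à jour DNS réussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,
""".strip().splitlines()
RECEIVED = """
2018-01-16T09:24:23+01:00 DC 30,01/16/18,09: 24:23,Requ▒te de mise ▒ jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:24:23+01:00 DC 10,01/16/18,09: 24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
2018-01-16T09:24:23+01:00 DC 32,01/16/18,09: 24:23,Mise ▒ jour DNS r▒ussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:25:55+01:00 DC 32,01/16/18,09: 25:55,Mise ▒ jour DNS r▒ussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,
""".strip().splitlines()

if __name__ == "__main__":
    for line in missing_lines(SOURCE, RECEIVED):
        print("not received:", line)
```

Matching on the ID, timestamp, IP, host name and MAC rather than the whole line keeps records from being reported as missing only because their accented description text was altered in transit.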