NXLOG works over UDP, not over TCP

#1 sbergami

Hi, I'm new to NXLOG and Graylog. I'm using nxlog to send Windows server logs to Graylog. My final goal is to transfer the logs over SSL, but I'm proceeding step by step. All my machines are on my company LAN. The configuration of NXLOG with OM_UDP


    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    LogFile   %ROOT%\data\nxlog.log

    <Extension _syslog>
        Module xm_gelf
    </Extension>

    <Input in>
        Module im_msvistalog
        # multi-line Query value: every line but the last needs a trailing backslash
        Query <QueryList>\
            <Query Id="0">\
                <Select Path="Security">*[System[(EventID=4624 or EventID=4634 or EventID=4656 or EventID=4659 or EventID=4662 or EventID=4663 or EventID=4672 or EventID=4676 or EventID=6272 or EventID=6278)]]</Select>\
            </Query>\
        </QueryList>
    </Input>

    <Output out>
        Module om_udp
        Host 10.0.0.22
        Port 12201
        #Exec to_syslog_snare();
        Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
        OutputType GELF
    </Output>

    <Route 1>
        Path in => out
    </Route>

works correctly, while the identical one that I did with OM_TCP


    <Output out>
        Module om_tcp
        Host 10.0.0.22
        Port 12201
        #Exec to_syslog_snare();
        Exec if ($ProcessName =~ /TbService.exe/ or $ProcessName =~ /w3wp.exe/) drop();
        OutputType GELF
    </Output>

creates this log

    2018-04-11 19:48:06 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
    2018-04-11 19:48:06 INFO reconnecting in 2 seconds
    2018-04-11 19:48:07 INFO connecting to 10.0.0.22:12201
    2018-04-11 19:48:07 INFO reconnecting in 1 seconds
    2018-04-11 19:48:07 ERROR om_tcp send failed; An established connection was aborted by the software in your host machine.
    2018-04-11 19:48:08 INFO connecting to 10.0.0.22:12201
    2018-04-11 19:52:59 ERROR couldn't connect to tcp socket on 10.0.0.22:12201; No connection could be made because the target machine actively refused it.
    2018-04-11 19:53:01 INFO connecting to 10.0.0.22:12201
    2018-04-11 19:53:02 INFO reconnecting in 4 seconds
    2018-04-12 10:02:09 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
    2018-04-12 10:02:10 INFO connecting to 10.0.0.22:12201
    2018-04-12 10:02:10 INFO reconnecting in 1 seconds
    2018-04-12 10:02:10 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
    2018-04-12 10:02:11 INFO connecting to 10.0.0.22:12201
    2018-04-12 10:02:11 INFO reconnecting in 1 seconds
    2018-04-12 10:02:11 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
    2018-04-12 10:02:11 INFO reconnecting in 2 seconds
    2018-04-12 10:02:12 INFO connecting to 10.0.0.22:12201
    2018-04-12 10:02:12 INFO reconnecting in 1 seconds
    2018-04-12 10:02:12 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
    2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201
    2018-04-12 10:02:13 INFO reconnecting in 1 seconds
    2018-04-12 10:02:13 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
    2018-04-12 10:02:13 INFO connecting to 10.0.0.22:12201

does not work correctly. In Graylog I receive 1 message/minute instead of the 15/20 I receive with the UDP configuration, even though the Graylog input message counter reports about 20/minute. It seems that most messages are discarded as incorrect. On the Graylog server firewall port 12201 TCP/UDP is open, and on the Windows server port 12201 is open too. I have no idea what's going on. Thank you
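An added illustration, not from the poster or from NXLog/Graylog code, of why the TCP run behaves differently from the UDP run: Graylog's GELF TCP input frames each message on a trailing NUL byte, which is what NXLog's `OutputType GELF_TCP` writer emits, whereas `OutputType GELF` is the UDP writer and produces no NUL terminator, so over om_tcp the messages never form a complete frame. The Python below models that receiver with a constructed NUL-delimited decoder and a constructed frame limit; the host name, event text and message count are sample values.

```python
import json

NUL = b"\x00"
MAX_FRAME = 8192  # constructed demo limit; the real input's default is larger

def gelf_message(host, short_message, **extra):
    """Minimal GELF 1.1 document of the kind xm_gelf builds from an event log record."""
    msg = {"version": "1.1", "host": host, "short_message": short_message}
    msg.update({"_" + k: v for k, v in extra.items()})  # extra fields get a leading underscore
    return msg

def frame_gelf_tcp(msg):
    """GELF_TCP writer: compact JSON terminated by a NUL byte."""
    return json.dumps(msg, separators=(",", ":")).encode() + NUL

def frame_gelf_udp_style(msg):
    """UDP writer (OutputType GELF): bare JSON; pushed through om_tcp it is merely newline-separated."""
    return json.dumps(msg, separators=(",", ":")).encode() + b"\n"

class NulFrameDecoder:
    """Simplified model of a NUL-delimited TCP input: buffer bytes, emit one message per NUL,
    and drop the connection if an unterminated frame grows past the limit."""

    def __init__(self, max_frame=MAX_FRAME):
        self.buf = b""
        self.max_frame = max_frame
        self.closed = False

    def feed(self, data):
        if self.closed:
            return []
        self.buf += data
        out = []
        while NUL in self.buf:
            raw, self.buf = self.buf.split(NUL, 1)
            if raw:
                out.append(json.loads(raw))
        if len(self.buf) > self.max_frame:
            # oversized frame: receiver closes the socket; sender logs "connection forcibly closed"
            self.closed, self.buf = True, b""
        return out

def deliver(frames, max_frame=MAX_FRAME):
    """Stream a list of wire frames into one decoder; return (messages decoded, connection closed)."""
    dec = NulFrameDecoder(max_frame)
    decoded = sum(len(dec.feed(f)) for f in frames)
    return decoded, dec.closed
```

On the NXLog side, `frame_gelf_tcp` corresponds to setting `OutputType GELF_TCP` in the om_tcp block (assuming an NXLog release whose xm_gelf offers that output type); the om_udp block keeps `OutputType GELF`.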

#3 DanC

Was this issue ever resolved? I am having this issue currently.