NXlog sends the same logs after PC reboot

#1 Alexander
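Hi! I have an issue with NXlog CE 2.10.2102. I noticed that nxlog sends the same log many times on some PCs. This happens when the PC reboots. I found that the file "configcache.dat" is not always overwritten. How to avoid this issue? Here is a part of my conf:

<Processor in_win_eventlog_buffer_disk>
    Module      pm_buffer
    MaxSize     61440
    Type        Disk
    WarnLimit   49152
</Processor>

<Input in_win_eventlog>
    Module      im_msvistalog
    SavePos     TRUE
    Query \
        <QueryList> \
            <Query Id="0"> \
                <Select Path="Security">*</Select> \
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> \
            </Query> \
        </QueryList>
    <Exec>
        if $EventID>=5151 and $EventID<=5159 drop();
        if $EventID==4688 or $EventID==4689 drop();
        if ($Channel == 'Security') $_ds = 'win-security';
        else if ($Channel == 'Microsoft-Windows-Sysmon/Operational')
        {
            $_ds = 'win-sysmon';
            delete($UserID);
            delete($AccountName);
        }
        else
        {
            $_ds = 'win-customapps';
            delete($UserID);
            delete($AccountName);
        }
        $_fmt = 'json';
        $_conv_to_json = TRUE;
    </Exec>
</Input>

<Route r_win_eventlog>
    Path in_win_eventlog => in_win_eventlog_buffer_disk => out_logs_pref
</Route>
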
#2 b0ti Nxlog ✓
#1 Alexander
Hi! I have an issue with NXlog CE 2.10.2102. I noticed that nxlog sends the same log many times on some PCs. This happens when the PC reboots. I found that the file "configcache.dat" is not always overwritten. How to avoid this issue? Here is a part of my conf:

<Processor in_win_eventlog_buffer_disk>
    Module      pm_buffer
    MaxSize     61440
    Type        Disk
    WarnLimit   49152
</Processor>

<Input in_win_eventlog>
    Module      im_msvistalog
    SavePos     TRUE
    Query \
        <QueryList> \
            <Query Id="0"> \
                <Select Path="Security">*</Select> \
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
                <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> \
            </Query> \
        </QueryList>
    <Exec>
        if $EventID>=5151 and $EventID<=5159 drop();
        if $EventID==4688 or $EventID==4689 drop();
        if ($Channel == 'Security') $_ds = 'win-security';
        else if ($Channel == 'Microsoft-Windows-Sysmon/Operational')
        {
            $_ds = 'win-sysmon';
            delete($UserID);
            delete($AccountName);
        }
        else
        {
            $_ds = 'win-customapps';
            delete($UserID);
            delete($AccountName);
        }
        $_fmt = 'json';
        $_conv_to_json = TRUE;
    </Exec>
</Input>

<Route r_win_eventlog>
    Path in_win_eventlog => in_win_eventlog_buffer_disk => out_logs_pref
</Route>

You'll need to find out why it is not updating configcache.dat. Perhaps the service shutdown is not leaving enough time for it to process what it needs to.
The NXLog EE has CacheFlushInterval that may help.
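
A collector-side check for the symptom described in this thread, added here as an example (not code from the posters or from NXLog). It assumes events arrive as one JSON object per line carrying the Hostname, Channel and RecordNumber fields set by im_msvistalog, and it reports record numbers received more than once together with the point where the sequence jumps back to an older position; the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample: collector-side JSON lines. PC-01 reboots after record 103
# and its agent resumes from a stale saved position (record 101).
SAMPLE = [
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":100,"EventID":4624}',
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":101,"EventID":4634}',
    '{"Hostname":"PC-02","Channel":"Security","RecordNumber":55,"EventID":4624}',
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":102,"EventID":4672}',
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":103,"EventID":4624}',
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":101,"EventID":4634}',
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":102,"EventID":4672}',
    'not json',
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":103,"EventID":4624}',
    '{"Hostname":"PC-01","Channel":"Security","RecordNumber":104,"EventID":4648}',
    '{"Hostname":"PC-02","Channel":"Security","RecordNumber":56,"EventID":4634}',
]

def find_replays(lines):
    """Return {(host, channel): {"resent": [...], "rewinds": [(last, resumed_at), ...]}}.

    Field names (Hostname, Channel, RecordNumber) are assumed to match the
    JSON emitted by the agent; adjust them if the output is renamed.
    """
    seen = defaultdict(set)  # (host, channel) -> record numbers already received
    last = {}                # (host, channel) -> most recent record number
    report = {}
    for line in lines:
        try:
            ev = json.loads(line)
            key = (ev["Hostname"], ev["Channel"])
            rec = int(ev["RecordNumber"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed lines or events without the key fields
        if rec in seen[key]:
            entry = report.setdefault(key, {"resent": [], "rewinds": []})
            entry["resent"].append(rec)
            if rec < last[key]:
                # The sequence went backwards: the agent restarted from an old position.
                entry["rewinds"].append((last[key], rec))
        seen[key].add(rec)
        last[key] = rec
    return report

if __name__ == "__main__":
    for (host, channel), r in find_replays(SAMPLE).items():
        print(f"{host} {channel}: {len(r['resent'])} resent, rewinds {r['rewinds']}")
```

Gaps in the record numbers are not reported, because the Exec block in the posted configuration drops some events on purpose.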