NXlog sends the same logs after PC reboot
#1
Alexander
Hi!
I have an issue with NXlog CE 2.10.2102. I noticed that nxlog sends the same log many times on some PCs. This happens when the PC reboots. I found that the file "configcache.dat" is not always overwritten.
How to avoid this issue?
Here is a part of my conf:
# Disk-backed buffer between the event log input and the output
<Processor in_win_eventlog_buffer_disk>
    Module      pm_buffer
    MaxSize     61440
    Type        Disk
    WarnLimit   49152
</Processor>

# Windows event log input; SavePos stores the read position in configcache.dat
<Input in_win_eventlog>
    Module      im_msvistalog
    SavePos     TRUE
    Query       <QueryList> \
                    <Query Id="0"> \
                        <Select Path="Security">*</Select> \
                        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
                        <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> \
                    </Query> \
                </QueryList>
    <Exec>
        # Drop noisy filtering-platform and process create/exit events
        if $EventID >= 5151 and $EventID <= 5159 drop();
        if $EventID == 4688 or $EventID == 4689 drop();
        # Tag each channel with a data-source name for the output side
        if ($Channel == 'Security') $_ds = 'win-security';
        else if ($Channel == 'Microsoft-Windows-Sysmon/Operational') {
            $_ds = 'win-sysmon';
            delete($UserID);
            delete($AccountName);
        }
        else {
            $_ds = 'win-customapps';
            delete($UserID);
            delete($AccountName);
        }
        $_fmt = 'json';
        $_conv_to_json = TRUE;
    </Exec>
</Input>

<Route r_win_eventlog>
    Path        in_win_eventlog => in_win_eventlog_buffer_disk => out_logs_pref
</Route>
You'll need to find out why it is not updating configcache.dat. Perhaps the service shutdown is not leaving enough time for it to process what it needs to.
The NXLog EE has CacheFlushInterval that may help.
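Until the stale configcache.dat is fixed at the source, the receiving side can at least suppress the replayed copies, since a re-read of the same event log position produces events with the same per-channel record number. The following is an added example, not code from the forum thread or from NXLog; it assumes the JSON lines produced by the configuration above carry the fields Hostname, Channel and RecordNumber (RecordNumber is the record id im_msvistalog reads from the event log), and the sample lines are constructed for the example.

```python
"""Suppress Windows events that a collector sees again after an agent
replays its log position (for example after a reboot with a stale
position cache). Added example; assumes each JSON line has Hostname,
Channel and RecordNumber fields."""
import json
from collections import defaultdict, deque

# Constructed sample input: pc1 replays Security records 1001-1002 after a
# reboot, then continues with a new record. pc2 legitimately has its own
# record 1001, which must not be treated as a duplicate of pc1's.
SAMPLE_LINES = [
    '{"Hostname":"pc1","Channel":"Security","RecordNumber":1001,"EventID":4624}',
    '{"Hostname":"pc1","Channel":"Security","RecordNumber":1002,"EventID":4624}',
    '{"Hostname":"pc1","Channel":"Microsoft-Windows-Sysmon/Operational","RecordNumber":55,"EventID":1}',
    '{"Hostname":"pc1","Channel":"Security","RecordNumber":1001,"EventID":4624}',  # replayed
    '{"Hostname":"pc1","Channel":"Security","RecordNumber":1002,"EventID":4624}',  # replayed
    '{"Hostname":"pc1","Channel":"Security","RecordNumber":1003,"EventID":4672}',
    'not json',
    '{"Hostname":"pc2","Channel":"Security","RecordNumber":1001,"EventID":4624}',
]


class ReplayFilter:
    """Per (Hostname, Channel) stream, remember the last `window` record
    numbers and drop any event whose record number was already seen."""

    def __init__(self, window=10000):
        self.window = window
        self._seen = defaultdict(set)     # stream key -> record numbers
        self._order = defaultdict(deque)  # stream key -> insertion order
        self.stats = {"passed": 0, "duplicate": 0, "malformed": 0}

    def process(self, line):
        """Return the parsed event if it is new, else None."""
        try:
            ev = json.loads(line)
            key = (ev["Hostname"], ev["Channel"])
            rec = int(ev["RecordNumber"])
        except (ValueError, KeyError, TypeError):
            # Unparseable or missing fields: count and drop. A collector
            # that must never lose data would pass these through instead.
            self.stats["malformed"] += 1
            return None
        seen = self._seen[key]
        if rec in seen:
            self.stats["duplicate"] += 1
            return None
        seen.add(rec)
        order = self._order[key]
        order.append(rec)
        # Bound memory: forget the oldest record number once the window is full.
        if len(order) > self.window:
            seen.discard(order.popleft())
        self.stats["passed"] += 1
        return ev


def filter_lines(lines, window=10000):
    """Run the filter over an iterable of JSON lines; return (kept, stats)."""
    f = ReplayFilter(window)
    kept = [ev for line in lines if (ev := f.process(line)) is not None]
    return kept, f.stats


if __name__ == "__main__":
    kept, stats = filter_lines(SAMPLE_LINES)
    for ev in kept:
        print(json.dumps(ev))
    print(stats)
```

The window is the trade-off: it must cover the largest burst an agent can replay after a reboot (the pm_buffer MaxSize above bounds what is queued on the sending side), and it keys on the host and channel so that record numbers from different PCs never collide. This only hides the symptom on the collector; the agent still reads and ships the events twice.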