Setting up NXlog

#1 jpederson

Hello everyone, an old employee set up nxlog with Server 2008 R2. Since that is coming to an end, or the support is, I am trying to set up nxlog on a 2016 server. I went ahead and downloaded the client and copied the conf file over from the old server. I then looked for how it was deployed. From what I can see it was deployed using a GPO under the event forwarding section and Configure target Subscription Manager. I went into this location and changed the information from the old server to the new, so instead of log2 it is now log3 with all the same parameters. I then waited for a couple of hours since it takes around an hour for the machines to check the GPOs. I even restarted some machines. After this was done I caused some Software Restriction Policy alerts that will email us when on the old server. When doing this on the new one nothing happens. I also log into the server and start an instance of Wireshark. There are some logs coming into the server, but not the amount that was coming into the old server in the same time. I then switch the name back in the GPO from log3 to log2. After this is done, in about an hour's time all the Software Restriction Policy alerts start coming in to our email. I then check Wireshark. In a minute's time with the new (relog3) server I will get around 200 logs. With the old one now (relog2) I am over 1000 in the same time. For some reason when making the change in the GPO it seems like the computers are holding the logs and don't want to send to the new location, then when changing it back it sends the logs that were held. Any idea on what is going on here?

#2 b0ti Nxlog ✓

Sounds like a Windows / GPO question to me.
You may need to do some permission changes for the Security log, see https://support.microsoft.com/en-us/help/323076/how-to-set-event-log-security-locally-or-by-using-group-policy
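The two things the reply points at (whether the GPO actually reached the forwarding client with the new Subscription Manager address, and whether the forwarding plugin is allowed to read the Security log) can be checked directly on a source machine. The script below is an added example for this thread, not something posted by either participant or shipped with NXLog; it is meant to run elevated on a Windows client that should be forwarding to the new collector. The collector names log2/log3 come from the thread, the FQDN is a placeholder, and the policy registry path, the Windows Event Forwarding requirement that the plugin's NETWORK SERVICE account be able to read the Security log, and the forwarding plugin's operational channel are standard Windows Event Forwarding details.

```powershell
# Added example (not from the original thread): source-side checks for a
# Windows Event Forwarding client that is supposed to push to a new collector.
# Assumptions: run elevated on a forwarding client; $NewCollector is a placeholder.
$NewCollector = 'log3.example.local'   # placeholder, replace with the real FQDN

# 1. Which Subscription Manager URLs did the GPO actually deliver to this host?
#    Values look like: Server=http://<collector>:5985/wsman/SubscriptionManager/WEC,Refresh=60
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $smKey) {
    $sm = Get-ItemProperty -Path $smKey
    $sm.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host "SubscriptionManager[$($_.Name)]: $($_.Value)" }
    if (-not (($sm.PSObject.Properties.Value -join ' ') -like "*$NewCollector*")) {
        Write-Warning "Policy on this host does not reference $NewCollector yet; run 'gpupdate /force' and restart the WinRM service so the plugin re-reads it."
    }
} else {
    Write-Warning 'No Subscription Manager policy is present on this host (GPO not applied).'
}

# 2. Can the forwarding plugin, which runs as NETWORK SERVICE, read the Security log?
#    It needs either an ACE in the channel SDDL ('NS' is the SDDL alias for S-1-5-20)
#    or membership in the local Event Log Readers group.
$secSddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
Write-Host "Security log SDDL: $secSddl"
$nsInSddl    = $secSddl -match '\(A;[^;]*;[^;]*;[^;]*;[^;]*;(NS|S-1-5-20)\)'
$readers     = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$nsInReaders = $readers | Where-Object { $_.SID.Value -eq 'S-1-5-20' }
if (-not $nsInSddl -and -not $nsInReaders) {
    Write-Warning 'NETWORK SERVICE can neither read the Security log via its SDDL nor via Event Log Readers; Security events will not be forwarded.'
}

# 3. Why is this source not delivering? The plugin logs connection and
#    authorization failures against the collector in its own operational channel.
Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Step 3 is usually the quickest way to tell the two failure modes apart: a host that has not yet picked up the new policy shows no attempts against the new collector at all, while a host that has picked it up but cannot authenticate or is refused by the collector logs the error there.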