NXLog not always sending logs


ntubergen

We are using a Graylog server in hopes of capturing two things (logons and disk errors). NXLog is forwarding most logon attempts, but not all of them for some reason. NXLog is not forwarding any disk error logs.

Here is my config:

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

define LogonEventIds 4648

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%LogonEventIds%) drop();
    </Exec>
</Input>

define DiskEventIds 9, 11, 50, 51, 54, 55, 57, 129, 1066, 6008

<Input diskcheck>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if $EventID NOT IN (%DiskEventIds%) drop();
    </Exec>
</Input>

<Output udpLogon>
    Module om_udp
    Host 10.0.0.220
    Port 1517
</Output>

<Output udpDisk>
    Module om_udp
    Host 10.0.0.220
    Port 1518
</Output>

<Route 1>
    Path eventlog => udpLogon
</Route>

<Route 2>
    Path diskcheck => udpDisk
</Route>

I don't know what the issue is. I am using tcpdump on the graylog server and am not receiving anything on that port (1518) despite event viewer showing several logs with 129 and 55 EventIDs.

Any help would be appreciated. Yes, the port is open.
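The EventID filter in the config above (select everything in a channel, then drop() anything not in the list) can also be expressed in the QueryXML itself, so the event log subscription only hands NXLog the records it wants. The following is an added example, not code from the post or from NXLog: it builds that XPath-filtered QueryList for a channel and an EventID list, and applies the same keep-or-drop decision to event records locally so the filter can be checked without a Graylog server in the loop. The channel names and EventID lists are the ones in the posted config; the record layout follows the Windows event XML schema (Event/System/EventID); the sample records and the helper names are constructed for illustration.

```python
"""Build an XPath-filtered QueryList for a set of EventIDs, and apply the same
EventID filter to Windows event XML records locally.

Added example; not from the forum post above. Channels and EventID lists are
taken from the poster's config; the sample records are constructed, not real
exports from Event Viewer.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# EventID lists copied from the config in the post.
LOGON_EVENT_IDS = [4648]
DISK_EVENT_IDS = [9, 11, 50, 51, 54, 55, 57, 129, 1066, 6008]


def build_query_xml(channel, event_ids, query_id=0):
    """Return a <QueryList> that selects only the given EventIDs from `channel`.

    Putting the EventID predicate into the XPath makes the subscription itself
    skip unwanted records, instead of NXLog receiving every record in the
    channel and discarding it afterwards in an <Exec> drop() block.
    """
    ids = sorted({int(i) for i in event_ids})
    if not ids:
        raise ValueError("at least one EventID is required")
    predicate = " or ".join(f"EventID={i}" for i in ids)
    return (
        "<QueryList>\n"
        f"  <Query Id='{query_id}' Path='{channel}'>\n"
        f"    <Select Path='{channel}'>*[System[({predicate})]]</Select>\n"
        "  </Query>\n"
        "</QueryList>"
    )


def event_id_of(event_xml):
    """Extract the integer EventID from one Windows event XML record."""
    root = ET.fromstring(event_xml)
    node = root.find(f"{{{EVENT_NS}}}System/{{{EVENT_NS}}}EventID")
    if node is None or not node.text:
        raise ValueError("record has no System/EventID element")
    return int(node.text.strip())


def keep_event(event_xml, event_ids):
    """Mirror the config's `if $EventID NOT IN (...) drop();` decision."""
    return event_id_of(event_xml) in {int(i) for i in event_ids}


def filter_events(records, event_ids):
    """Return only the records the NXLog <Exec> filter would forward."""
    return [r for r in records if keep_event(r, event_ids)]


def _record(channel, event_id, message):
    """Build a minimal constructed event record in the Windows event schema."""
    return (
        f"<Event xmlns='{EVENT_NS}'>"
        f"<System><Provider Name='constructed'/><EventID>{event_id}</EventID>"
        f"<Channel>{channel}</Channel></System>"
        f"<EventData><Data>{message}</Data></EventData></Event>"
    )


# Constructed sample records: two IDs from the post's disk list (129, 55) and
# two other System events that the filter should drop.
SAMPLE_SYSTEM_RECORDS = [
    _record("System", 129, "Reset to device was issued (constructed)"),
    _record("System", 7036, "service entered the running state (constructed)"),
    _record("System", 55, "file system structure is corrupt (constructed)"),
    _record("System", 1, "unrelated event (constructed)"),
]

if __name__ == "__main__":
    print(build_query_xml("System", DISK_EVENT_IDS))
    kept = filter_events(SAMPLE_SYSTEM_RECORDS, DISK_EVENT_IDS)
    print("forwarded EventIDs:", [event_id_of(r) for r in kept])
```

The generated `<QueryList>` can be pasted into the `<QueryXML>` block of an im_msvistalog input in place of the `*` select, and the bare XPath (`*[System[(EventID=129 or EventID=55 ...)]]`) can be tried on the host first with `wevtutil qe System /q:"..."` to confirm that the channel actually holds matching records before looking at the network path.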