Receiving Incomplete Windows Events


#1 ashutosh

Hi,

I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with MTU Size. The default MTU across is 1500 (i.e. 1472 Bytes actual length) But there are many events in windows which are much larger than 1472. Those events having length greater than 1472 bytes are getting truncated at 1472 and received partially on the syslog server. This is creating a problem for my SIEM to parse the logs.

Can anyone please help me in diagnosing and resolving this?

What I know about MTU is, if the packets are greater than 1472 bytes, MTU Fragmentation is used. I don't know how to enable this fragmentation setting in NXLog.

################
#============ Define ROOT here ===================
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
#============ NXLog Machine Log info =============
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#=========== For Windows Event Log ===========
<Extension json>
Module xm_json
</Extension>

<Input MSEvtIN>
# For windows 2003 and earlier use the following:
#Module im_mseventlog
# For windows 2005 and later use the following:
Module im_msvistalog
Exec to_json();
</Input>

<Output MSEvtOUT>
Module om_udp
Host DNIF-Adapter-IP
Port 514
</Output>

<Route 1>
Path MSEvtIN => MSEvtOUT
</Route>

#2 ArkadiyDeactivated Nxlog ✓
#1 ashutosh
Hi, I am using NXLog's <Input MSEvtIN> module to forward Windows Event Logs to a syslog server. The problem I am facing is with MTU Size. The default MTU across is 1500 (i.e. 1472 Bytes actual length) But there are many events in windows which are much larger than 1472. Those events having length greater than 1472 bytes are getting truncated at 1472 and received partially on the syslog server. This is creating a problem for my SIEM to parse the logs. Can anyone please help me in diagnosing and resolving this? What I know about MTU is, if the packets are greater than 1472 bytes, MTU Fragmentation is used. I don't know how to enable this fragmentation setting in NXLog. ################ #============ Define ROOT here =================== #define ROOT C:\Program Files\nxlog define ROOT C:\Program Files (x86)\nxlog #============ NXLog Machine Log info ============= Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log #=========== For Windows Event Log =========== <Extension json> Module xm_json </Extension> <Input MSEvtIN> # For windows 2003 and earlier use the following: #Module im_mseventlog # For windows 2005 and later use the following: Module im_msvistalog Exec to_json(); </Input> <Output MSEvtOUT> Module om_udp Host DNIF-Adapter-IP Port 514 </Output> <Route 1> Path MSEvtIN => MSEvtOUT </Route>

Hello,

Could you drop here a full config? I have some idea but want to be sure.

Regards, Arch