Hello, I'm using nxlog to send logs from an AD to a syslog server, this is my nxlog.conf:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log
<Extension _syslog> Module xm_syslog </Extension>
<Input in> Module im_msvistalog </Input>
<Output out> Module om_udp Host xxxxx Port xxx Exec to_syslog_snare(); </Output>
<Route 1> Path in => out </Route>
However, the volume of log generated is very large and nxlog is not able to send everything, causing some packages to be lost. I noticed this with a wireshark at the source and saw that the packages don't even leave the server. Is there anything I can do to increase your performance? Be it in nxlog.conf, or clear some cache Thank you.
Boa tarde Gustavo, you may want to start by restricting the logs you want the source machine to produce. Do you really need all of them? For example, if you add the following to im_msvistalog module, only security related events will be sent (saving lots of bandwidth).
<QueryXML> <QueryList> <Query Id='1'> <Select Path='Security'>*[System/Level=4]</Select> </Query> </QueryList> </QueryXML>