XML log parsing on Windows with Community Edition won't get extract_xml recognized.
har3005 created
I'm trying to parse WS_FTP logs that are XML formatted as such:
<?xml version="1.0" encoding="utf-8" ?>
<log>
<entry>
<log_time> xxxx </log_time>
<description>data <![CDATA[Connection established]]></description>
<service>data </service>
<sessionid> xxxx </sessionid>
<type>0</type> <severity>0</severity>
<lstnconnaddr> ip </lstnconnaddr>
<cliconnaddr>ip </cliconnaddr>
<sguid> xxx </sguid>
</entry>
...
with this configuration :
define ROOT C:\Program Files\nxlog

<Extension gelf>
    Module  xm_gelf
</Extension>

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension multiline>
    Module      xm_multiline
    # Record boundaries must match the log sample above, which wraps each record in <entry>...</entry>
    HeaderLine  /^<entry>/
    EndLine     /^</entry>/
</Extension>

<Extension xmlparser>
    Module  xm_xml
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input in>
    Module        im_file
    File          "PATH TO .XML"
    SavePos       FALSE
    PollInterval  1
    ReadFromLast  FALSE
    InputType     multiline
    <Exec>
        $EventData = extract_xml("/log/entry");
        if $EventData == ""
        {
            delete($EventData);
        }
        to_json();
    </Exec>
</Input>

<Output out>
    Module  om_file
    File    "C:\\temp\\output_test.txt"
</Output>

<Route 1>
    Path    in => out
</Route>
I can't get past this error:
ERROR Couldn't parse Exec block at C:\Program Files\nxlog\conf\nxlog.conf:34; couldn't parse statement at line 35, character 40 in C:\Program Files\nxlog\conf\nxlog.conf; function 'extract_xml()' does not exist or takes different arguments
ERROR module 'in' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:51
How can I get further?
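The XML log above is append-only, so its <log> root is never closed while WS_FTP is running; a whole-document parser fails on that, which is why the post cuts the stream on <entry> boundaries with xm_multiline. The following added example (not from the post or from NXLog; the log content is constructed) does the same cut in Python, parses each <entry> on its own, and keeps an unfinished trailing record for the next read instead of losing it.

```python
"""Split an append-only WS_FTP XML log on <entry> boundaries and emit
one JSON record per entry, tolerating an unclosed <log> root and a
record that is still being written."""
import json
import re
import xml.etree.ElementTree as ET

# One complete record is everything from <entry> to the next </entry>.
ENTRY_RE = re.compile(r"<entry>.*?</entry>", re.DOTALL)


def split_entries(buf):
    """Return (complete_entries, remainder).

    `remainder` is the tail that has not yet been closed by </entry>; a
    caller tailing a live file keeps it and prepends it to the next chunk,
    so a record split across two reads is parsed once it is complete.
    """
    entries, last = [], 0
    for m in ENTRY_RE.finditer(buf):
        entries.append(m.group(0))
        last = m.end()
    rest = buf[last:]
    # Anything before an unfinished <entry> (whitespace, a stray </log>) is noise.
    start = rest.find("<entry>")
    remainder = rest[start:] if start != -1 else ""
    return entries, remainder


def parse_entry(entry_xml):
    """Turn one <entry> element into a flat dict of stripped text values."""
    root = ET.fromstring(entry_xml)
    record = {}
    for child in root:
        # ElementTree unwraps CDATA into plain text; the sample pads values
        # with spaces, so strip them.
        record[child.tag] = (child.text or "").strip()
    return record


def parse_records(buf):
    """Parse every complete entry in `buf`; also return the unfinished tail."""
    entries, remainder = split_entries(buf)
    return [parse_entry(e) for e in entries], remainder


def to_json_lines(records):
    return [json.dumps(r, sort_keys=True) for r in records]


# Constructed sample in the shape shown in the post (placeholder values).
# The <log> root is left open and the second <entry> is cut off, as when
# the file is read while WS_FTP is still writing it.
SAMPLE = """<?xml version="1.0" encoding="utf-8" ?>
<log>
<entry>
<log_time> 2022-09-20 10:00:00 </log_time>
<description>data <![CDATA[Connection established]]></description>
<service>FTP </service>
<sessionid> 1001 </sessionid>
<type>0</type> <severity>0</severity>
<lstnconnaddr> 10.0.0.5 </lstnconnaddr>
<cliconnaddr>10.0.0.9 </cliconnaddr>
<sguid> abc-123 </sguid>
</entry>
<entry>
<log_time> 2022-09-20 10:00:05 </log_time>
<description>data <![CDATA[User <anonymous> logged in]]></description>
"""

if __name__ == "__main__":
    records, leftover = parse_records(SAMPLE)
    for line in to_json_lines(records):
        print(line)
    print("unfinished tail kept for next read:", repr(leftover[:40]))
```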
Link to download older version of trial installer
bryan.tabb.secops created
Hi
I've got a customer with Windows Server Core (no GUI); they want to uninstall the trial version and have asked if we can give them a copy of the original MSI.
They are after version 5.4.7313
I've had a look at the download section and it isn't there.
Any suggestions please?
Thanks
Bryan
Is it possible to use a variable in a regex?
opoplawski created
Is it possible to use a variable in a regex? I'm trying to do something like the following:
Exec if ($EventID == 4104) {
if defined(get_var('scriptblockid')) {
$id = get_var('scriptblockid');
if ($Message =~ /ScriptBlock ID: $id/) drop();
}
if ($Message =~ /ClassName = 'Root\/Microsoft\/Windows/) {
if ($Message =~/ScriptBlock ID: (\S+)/) {
set_var('scriptblockid', $1);
}
drop();
}
}
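The logic the Exec block above is after, rewritten as an added Python example (not from the post or from NXLog; the 4104 events are constructed): remember the ScriptBlock ID of a block whose text matches the ClassName pattern, then drop every later 4104 event carrying that same ID. It also shows why a value interpolated into a regex must be escaped, or compared as a plain string instead.

```python
"""Stateful filter over PowerShell 4104 (script block logging) events:
record the ScriptBlock ID of blocks matching a pattern and drop all
later fragments that carry the same ID."""
import re

SCRIPTBLOCK_ID_RE = re.compile(r"ScriptBlock ID: (\S+)")
CLASSNAME_RE = re.compile(r"ClassName = 'Root/Microsoft/Windows")


class ScriptBlockFilter:
    """Filter over {EventID, Message} records; `dropped_ids` plays the role
    of set_var/get_var in the posted configuration."""

    def __init__(self):
        self.dropped_ids = set()

    def keep(self, event):
        """True if the event should pass, False if it is dropped."""
        if event.get("EventID") != 4104:
            return True
        msg = event.get("Message", "")
        m = SCRIPTBLOCK_ID_RE.search(msg)
        block_id = m.group(1) if m else None

        # A later fragment of an already-recorded block: drop it. Comparing
        # strings avoids building a regex from a runtime value at all.
        if block_id is not None and block_id in self.dropped_ids:
            return False

        # First fragment matching the ClassName pattern: record its ID, drop.
        if CLASSNAME_RE.search(msg):
            if block_id is not None:
                self.dropped_ids.add(block_id)
            return False
        return True


def naive_regex_for_id(block_id):
    """Unescaped interpolation, as in /ScriptBlock ID: $id/: any regex
    metacharacter in the id ('.' here) changes the pattern's meaning."""
    return re.compile(r"ScriptBlock ID: " + block_id)


def regex_for_id(block_id):
    """The safe form: escape the value before it becomes part of a pattern."""
    return re.compile(r"ScriptBlock ID: " + re.escape(block_id))


# Constructed events: two fragments of one block (the first matches the
# ClassName pattern), one unrelated block, one non-4104 event.
EVENTS = [
    {"EventID": 4104, "Message": "Creating Scriptblock text (1 of 2):\n"
     "Get-CimInstance -Query \"... ClassName = 'Root/Microsoft/Windows/Foo'\"\n\n"
     "ScriptBlock ID: 1b2c3d4e-0000-0000-0000-000000000001"},
    {"EventID": 4104, "Message": "Creating Scriptblock text (2 of 2):\n"
     "$x = 1\n\nScriptBlock ID: 1b2c3d4e-0000-0000-0000-000000000001"},
    {"EventID": 4104, "Message": "Creating Scriptblock text (1 of 1):\n"
     "Write-Host hi\n\nScriptBlock ID: 1b2c3d4e-0000-0000-0000-000000000002"},
    {"EventID": 4103, "Message": "Pipeline execution details"},
]


def run_filter(events):
    """Apply one filter instance across the stream; returns keep/drop per event."""
    f = ScriptBlockFilter()
    return [f.keep(e) for e in events]


if __name__ == "__main__":
    for e, kept in zip(EVENTS, run_filter(EVENTS)):
        print(e["EventID"], "kept" if kept else "dropped")
```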
Agent not showing as online in manager
nervevector created
Hello,
We've deployed NXLog EE agents on numerous Windows servers, and we're facing a strange issue with just one agent.
It does not, and we're unable to get it to, show as online within the NXLog Manager. The agent's log states that it was able to successfully connect to the manager, but it's still showing as offline in the UI.
I have tried the following:
Upgraded agent to the latest version
Verified that the agent's logs said it was able to connect to the manager (10.40.1.90)
Removed the agent from the manager interface
Removed the agent off of the server
Reinstalled the agent on the server, and reconfigured the certificate and managed.conf file
Verified that it connected to the manager in the agent's logs
And even after all of that, the agent is still showing as offline on the manager's UI.
2022-09-23 16:22:40 WARNING [CORE|main] no functional input modules!
2022-09-23 16:22:40 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows
2022-09-23 16:22:40 INFO [xm_admin|agent_management] connecting to 192.168.1.1:4041
2022-09-23 16:23:01 ERROR [xm_admin|agent_management] couldn't connect to 192.168.1.1:4041; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2022-09-23 16:23:01 INFO [xm_admin|agent_management] reconnecting to 192.168.1.1:4041 in 1 sec
2022-09-23 16:23:02 INFO [xm_admin|agent_management] connecting to 192.168.1.1:4041
2022-09-23 16:23:21 WARNING [CORE|main] stopping nxlog service
2022-09-23 16:23:21 WARNING [CORE|main] nxlog received a termination request signal, exiting...
2022-09-23 16:23:23 ERROR [xm_admin|agent_management] couldn't connect to 192.168.1.1:4041; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2022-09-23 16:23:23 INFO [xm_admin|agent_management] reconnecting to 192.168.1.1:4041 in 2 sec
2022-09-23 16:23:24 WARNING [CORE|main] no functional input modules!
2022-09-23 16:23:24 INFO [CORE|main] nxlog-5.6.7727 (50b2a4353@REL_v5.6) started on Windows
2022-09-23 16:23:24 INFO [xm_admin|agent_management] connecting to 10.40.1.90:4041 <==== Here I set the manager's correct IP in managed.conf
2022-09-23 16:23:24 INFO [xm_admin|agent_management] tcp connection established with 10.40.1.90:4041
2022-09-23 16:28:24 WARNING [xm_admin|agent_management] did not receive requests from agent manager in the past 300 seconds, disconnecting
2022-09-23 16:28:24 INFO [xm_admin|agent_management] reconnecting to 10.40.1.90:4041 (last connection attempt was 300 sec ago)
2022-09-23 16:28:24 INFO [xm_admin|agent_management] connecting to 10.40.1.90:4041
2022-09-23 16:28:24 INFO [xm_admin|agent_management] tcp connection established with 10.40.1.90:4041 <==== Here it says it was able to connect to the manager just fine.
Does anyone have an idea as to what's going on here?
Any help would be greatly appreciated!
Thanks!
im_vistalog parser failure. Introducing \n characters in syslog output that split a single record into two records...
Ak0 created
Hello,
I am experiencing truncated syslog messages and have found the root cause. Events are not parsed correctly, as in this example:
Here is the original message read from Event Viewer:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12812</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2022-09-22T13:19:53.982486800Z" />
<EventRecordID>5610</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2724" />
<Channel>Security</Channel>
<Computer>PC-1304.domain.priv</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-894803723-839211917-112803419-1225</Data>
<Data Name="SubjectUserName">username</Data>
<Data Name="SubjectDomainName">Domain</Data>
<Data Name="SubjectLogonId">0x71979</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">\Device\HarddiskVolume5</Data>
<Data Name="HandleId">0x1054</Data>
<Data Name="AccessList">%%4416</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="ProcessId">0x484</Data>
<Data Name="ProcessName">C:\Windows\System32\mstsc.exe</Data>
<Data Name="ResourceAttributes" />
</EventData>
<RenderingInfo Culture="fr-FR">
<Message>Une tentative d’accès à un objet a été effectuée. Sujet : ID de sécurité : S-1-5-21-894803723-839211917-112803419-1225 Nom du compte : username Domaine du compte : Domain ID d’ouverture de session : 0x71979 Objet : Serveur de l’objet : Security Type d’objet : File Nom de l’objet : \Device\HarddiskVolume5\ ID du handle : 0x1054 Attributs de ressource : Informations sur le processus : ID du processus : 0x484 Nom du processus : C:\Windows\System32\mstsc.exe Informations sur la demande d’accès : Accès : Lecture données (ou liste de répertoire) Masque d’accès : 0x1</Message>
<Level>Information</Level>
<Task>Removable Storage</Task>
<Opcode>Informations</Opcode>
<Channel>Sécurité</Channel>
<Provider>Microsoft Windows security auditing.</Provider>
<Keywords>
<Keyword>Succès de l’audit</Keyword>
</Keywords>
</RenderingInfo>
</Event>
Here's the corresponding syslog line produced by om_syslog.
Please note that this line spans more than one line; this is the problem, read on. (Forum post formatting may alter the rendering...)
<14>1 2022-09-22T15:19:53.982486+02:00 PC-1304.domain.priv Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4663" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="1" Task="12812" OpcodeValue="0" RecordNumber="5610" ThreadID="2724" Channel="Security" Category="Removable Storage" Opcode="Informations" SubjectUserSid="S-1-5-21-894803723-839211917-112803419-1225" SubjectUserName="username" SubjectDomainName="domain" SubjectLogonId="0x71979" ObjectServer="Security" ObjectType="File" ObjectName="\Device\HarddiskVolume5\" HandleId="0x1054" AccessList="%%4416
" AccessMask="0x1" ProcessName="C:\Windows\System32\mstsc.exe" EventReceivedTime="2022-09-22 15:20:26" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"] <Event><EventTime>2022-09-22 15:19:53</EventTime><Hostname>PC-1304.domain.priv</Hostname><Keywords>-9214364837600034816</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4663</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>1</Version><Task>12812</Task><OpcodeValue>0</OpcodeValue><RecordNumber>5610</RecordNumber><ProcessID>4</ProcessID><ThreadID>2724</ThreadID><Channel>Security</Channel><Message>Une tentative d’accès à un objet a été effectuée.

Sujet :
 ID de sécurité : S-1-5-21-894803723-839211917-112803419-1225
 Nom du compte : username
 Domaine du compte : domain
 ID d’ouverture de session : 0x71979

Objet :
 Serveur de l’objet : Security
 Type d’objet : File
 Nom de l’objet : \Device\HarddiskVolume5&#xD;
 ID du handle : 0x1054
 Attributs de ressource : 

Informations sur le processus :
 ID du processus : 0x484
 Nom du processus : C:\Windows\System32\mstsc.exe

Informations sur la demande d’accès :
 Accès : Lecture données (ou liste de répertoire)
 
 Masque d’accès : 0x1</Message><Category>Removable Storage</Category><Opcode>Informations</Opcode><SubjectUserSid>S-1-5-21-894803723-839211917-112803419-1225</SubjectUserSid><SubjectUserName>username</SubjectUserName><SubjectDomainName>Domain</SubjectDomainName><SubjectLogonId>0x71979</SubjectLogonId><ObjectServer>Security</ObjectServer><ObjectType>File</ObjectType><ObjectName>\Device\HarddiskVolume5</ObjectName><HandleId>0x1054</HandleId><AccessList>%%4416
 </AccessList><AccessMask>0x1</AccessMask><ProcessName>C:\Windows\System32\mstsc.exe</ProcessName><EventReceivedTime>2022-09-22 15:20:26</EventReceivedTime><SourceModuleName>eventlog</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType></Event>
The problem is the AccessList value (read from the syslog message):
HandleId="0x1054" AccessList="%%4416
" AccessMask="0x1" ProcessName="C:\Windows\System32\mstsc.exe"
If we compare the XML and syslog output:
XML output
<Data Name="AccessList">%%4416</Data>
syslog output
AccessList="%%4416
"
^^^^^^^^^^^^^^^^ Mind those characters !
AccessList="%%4416 <---- a new line character is invisible but here (this is THE bug, splitting the syslog message)
" <----- multiple tab characters are invisible but here (because of HTML)
End of line \x0a is the record separator in syslog format, so the line is split into two syslog records (of course the second record is invalid).
It seems that the content of the AccessList key value is not extracted from the XML but from the Message.
Looking at the <Message> we see AccessList is incorrect:
<AccessList>%%4416
 </AccessList>
where AccessList in XML is:
<Data Name="AccessList">%%4416</Data>
Conclusion: there is a bug in the event parser that does not escape the "&#xD; " characters correctly, decoding the &#xA; into \x0a and cutting the syslog message...
You can easily reproduce the problem using this configuration:
# Extensions needed for to_xml() and to_syslog_ietf() used below
<Extension _xml>
    Module  xm_xml
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module   im_msvistalog
    SavePos  True
    <QueryXML>
        <QueryList>
            <Query Id="10">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
            <Query Id="20">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec     $Message = to_xml();
</Input>

<Output debugsyslog>
    Module  om_file
    File    'C:\Install\nxlog.debug.syslog.txt'
    Exec    to_syslog_ietf();
</Output>

<Route syslog_file>
    Path    eventlog => debugsyslog
</Route>
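What the post describes, as an added Python example (not from the post or from NXLog; the record is constructed to mirror the AccessList value above, with a CR/LF and tabs left inside the SD-PARAM): a line-based receiver turns one RFC 5424 record into a valid record plus an orphan fragment, and a sender-side guard that encodes control characters inside structured-data values keeps the record on one line.

```python
"""Demonstrate the record split caused by a raw newline inside an RFC 5424
SD-PARAM value, detect the resulting fragments, and neutralise the cause
by encoding control characters before the record is emitted."""
import re

# Constructed IETF syslog record whose AccessList value carries "\r\n\t\t".
RECORD = (
    '<14>1 2022-09-22T15:19:53.982486+02:00 PC-1304.domain.priv '
    'Microsoft-Windows-Security-Auditing 4 - '
    '[NXLOG@14506 EventID="4663" HandleId="0x1054" AccessList="%%4416\r\n\t\t" '
    'AccessMask="0x1"] An attempt was made to access an object.'
)

# RFC 5424 header start: <PRI>VERSION TIMESTAMP HOSTNAME ...
HEADER_RE = re.compile(r"^<\d{1,3}>1 \S+ \S+ ")
# Any C0 control character or DEL; none of these is allowed in a PARAM-VALUE.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# PARAM-NAME="PARAM-VALUE" (a negated class matches newlines, so a value
# that wraps onto a second line is still captured whole).
PARAM_RE = re.compile(r'([^\s=]+)="([^"]*)"')
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]
SD_RE = re.compile(r'\[([^\s\]]+)((?:\s+[^\s=]+="[^"]*")*)\]')


def receiver_split(stream):
    """What a newline-delimited receiver does with the bytes it gets."""
    return [line for line in stream.split("\n") if line != ""]


def classify(lines):
    """Label each received line: a full record starts with a syslog header,
    anything else is an orphan fragment of a split record."""
    return ["record" if HEADER_RE.match(l) else "fragment" for l in lines]


def _escape_param(m):
    name, value = m.group(1), m.group(2)
    # Encode each control character as \xNN so the value is still readable
    # at the receiver but can no longer act as a record separator.
    value = CONTROL_RE.sub(lambda c: "\\x%02x" % ord(c.group()), value)
    return '%s="%s"' % (name, value)


def _fix_element(m):
    return "[%s%s]" % (m.group(1), PARAM_RE.sub(_escape_param, m.group(2)))


def sanitize(record):
    """Sender-side guard: rewrite every SD-PARAM value so the record
    occupies exactly one line. MSG outside the brackets is untouched."""
    return SD_RE.sub(_fix_element, record)


if __name__ == "__main__":
    raw = receiver_split(RECORD)
    print("raw transport:", classify(raw))          # ['record', 'fragment']
    fixed = receiver_split(sanitize(RECORD))
    print("after sanitize:", classify(fixed))       # ['record']
    print(fixed[0])
```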
TLS Syslog Cert Question - PEM vs CER
mwidesba created
Hi All,
We are cutting our NXLog Community version over to a new solution and are currently using .pem certificate files to encrypt syslog in the om_ssl module. The new system is using a .cer file for the certificate, and when cutting over an agent to reference the .cer rather than the .pem, it doesn't seem like the logs are being decrypted. I didn't see anything in the documentation indicating NXLog doesn't support .cer or only supports .pem, but I wanted to query the forum to see if anyone else experienced issues with setting the TLS to utilize .epm files for encrypted log forwarding.
Thanks.
Add on end of line
5ss0 created
Hi
I have this config:
<Input WarnLog>
    Module  im_file
    File    'C:\warnlog.txt'
</Input>

<Input SpamLog>
    Module  im_file
    File    'C:\spamlog.txt'
</Input>

<Output out>
    Module  om_udp
    Host    192.168.1.2
    Port    5555
</Output>

<Route 1>
    Path    WarnLog => out
</Route>

<Route 2>
    Path    SpamLog => out
</Route>
Warnlog looks like this:
16.09.2022 11:54:54 Update Updater: Switch modules type retval = 0x00005007 [NOT NEED] SYSTEM
16.09.2022 11:54:54 Update Updater: retval = 0x5003, failures: 0, profile: aktualizacja, trigger: ConfigChange SYSTEM
16.09.2022 11:54:54 Update Mirror: retval = 0x5003 SYSTEM
Spamlog:
16.09.2022 12:07:24 some@address.com some@address.com RE: subject 16.09.2022 12:04:59 0 No rule classifies the email Retained H|RN=0;RNP=
16.09.2022 12:12:24 some@address.com some@address.com RE: subject 16.09.2022 12:09:51 0 No rule classifies the email Retained H|RN=0;RNP=
Everything works fine, I see messages on my syslog server, but I don't know what type of message it is, from spamlog or from warnlog.
How can I add something to the end of each line before sending it to syslog? Or is there another way?
Require Windows Event log in Raw XML Format
Srijan created
I am having trouble configuring NXLog Enterprise to forward the Windows Event Log in the original raw XML format that is shown in the XML View of the Details tab. The required data is:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4624</EventID>
<Version>2</Version>
<Level>Information</Level>
<Task>Logon</Task>
<Opcode>Info</Opcode>
<Keywords>Audit Success</Keywords>
<TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/>
<EventRecordID>6733</EventRecordID>
<Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/>
<Execution ProcessID="772" ThreadID="19980"/>
<Channel>Security</Channel>
<Computer>Redacted01</Computer>
<Security/>
</System>
<EventData>
<Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data>
<Data Name="SubjectUserName">Redacted01$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">Redacted01\Redacted03</Data>
<Data Name="TargetUserName">Redacted03</Data>
<Data Name="TargetDomainName">Redacted01</Data>
<Data Name="TargetLogonId">0x45b8d14</Data>
<Data Name="LogonType">7</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">Redacted01</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x438</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">Redacted02</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">Impersonation</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">No</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">Yes</Data>
</EventData>
</Event>
The data I am currently receiving is the information in the General tab instead.
I have applied the following configuration to convert the data in XML format:
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Extension xml>
    Module  xm_xml
</Extension>

<Input in_win>
    Module  im_msvistalog
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="Application">*</Select> \
                    <Select Path="System">*</Select> \
                    <Select Path="Security">*</Select> \
                </Query> \
            </QueryList>
    Exec    $Message = $EventXML; $log_type = $event_trace; to_xml();
</Input>

<Output out_win>
    Module  om_udp
    Host    192.168.108.201:514
</Output>

<Route 2>
    Path    in_win => out_win
</Route>
However, I am not able to get the desired output. The data I am currently receiving is:
09 15 2022 03:53:34 192.168.115.4 <USER:NOTE> <EventTime>2022-09-15 16:38:31</EventTime><Hostname>SOCJH-04.cryptogennepal.com</Hostname><Keywords>9232379236109516800</Keywords><EventType>AUDIT_SUCCESS</EventType><SeverityValue>2</SeverityValue><Severity>INFO</Severity><EventID>4624</EventID><SourceName>Microsoft-Windows-Security-Auditing</SourceName><ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid><Version>2</Version><TaskValue>12544</TaskValue><OpcodeValue>0</OpcodeValue><RecordNumber>189928</RecordNumber><ExecutionProcessID>748</ExecutionProcessID><ExecutionThreadID>11540</ExecutionThreadID><Channel>Security</Channel><Message/><Category>Logon</Category><Opcode>Info</Opcode><SubjectUserSid>S-1-5-18</SubjectUserSid><SubjectUserName>SOCJH-04$</SubjectUserName><SubjectDomainName>CGN</SubjectDomainName><SubjectLogonId>0x3e7</SubjectLogonId><TargetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid><TargetUserName>srijan.kafle</TargetUserName><TargetDomainName>CGN</TargetDomainName><TargetLogonId>0x1e170ee</TargetLogonId><LogonType>7</LogonType><LogonProcessName>Negotiat</LogonProcessName><AuthenticationPackageName>Negotiate</AuthenticationPackageName><WorkstationName>SOCJH-04</WorkstationName><LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid><TransmittedServices>-</TransmittedServices><LmPackageName>-</LmPackageName><KeyLength>0</KeyLength><ProcessId>0x2ec</ProcessId><ProcessName>C:\Windows\System32\lsass.exe</ProcessName><IpAddress>-</IpAddress><IpPort>-</IpPort><ImpersonationLevel>%%1833</ImpersonationLevel><RestrictedAdminMode>-</RestrictedAdminMode><TargetOutboundUserName>-</TargetOutboundUserName><TargetOutboundDomainName>-</TargetOutboundDomainName><VirtualAccount>%%1843</VirtualAccount><TargetLinkedLogonId>0x0</TargetLinkedLogonId><ElevatedToken>%%1843</ElevatedToken><EventReceivedTime>2022-09-15 16:38:33</EventReceivedTime><SourceModuleName>in_win</SourceModuleName><SourceModuleType>im_msvistalog</SourceModuleType><log_type/></Event>
Requesting assistance/documentation to achieve the desired log format.
Possible memory leak? - Windows Server 2012 R2 - NXLog EE
nervevector created
Hello all,
Hoping someone will be able to pinpoint the issue we're experiencing.
We have deployed the latest NXLog Enterprise Edition agents (nxlog-5.5.7535) on numerous Windows servers, including multiple domain controllers (DCs).
We're running into an issue where the agents on two DCs have a continuous increase in RAM usage. No other servers experience this problem.
Over multiple days the memory usage by the agent slowly increases to gigabytes. This will keep increasing, but we restart the agent and we're back at ~10MB of RAM usage. The DCs with this issue run Windows Server 2012 R2.
There are newer DCs in place as well, running Windows Server 2022. These new DCs do not have this problem.
Does anyone have an idea as to why this is happening?
If you require further information, please let me know.
All the DCs have the same agent template deployed on them, see below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<agent>
<agentType>TEMPLATE</agentType>
<global-config>
<log-level>INFO</log-level>
<is-log-to-file>true</is-log-to-file>
<connection-mode>LISTEN_FROM</connection-mode>
<connection-address>172.16.1.44</connection-address> <!-- IP address of NXlog Manager -->
<connection-port>4041</connection-port>
<verbatim></verbatim>
</global-config>
<route>
<name>route1</name>
<priority>0</priority>
<module-route>
<module-id>RIN</module-id>
</module-route>
<module-route>
<module-id>eventlog</module-id>
</module-route>
<module-route>
<module-id>dnsaudit</module-id>
</module-route>
</route>
<module>
<name>RIN</name>
<module>om_tcp</module>
<config xsi:type="module-connect-address-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<type>OUTPUT</type>
<verbatim>Exec to_syslog_snare();</verbatim>
<connect-address>172.16.1.43</connect-address> <!-- IP address of log collector -->
<port>517</port> <!-- Port used to collect logs by collector. Traffic is syslog but we've opted to not use standard port 514 to facilitate easier splitting of collected logs. -->
<output-format>LineBased</output-format>
</config>
</module>
<module>
<name>eventlog</name>
<module>im_msvistalog</module>
<config xsi:type="module-windows-vista-log-in-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<type>INPUT</type>
<verbatim><QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Security">*</Select>
</Query>
<Query Id="1">
<Select Path="Application">*</Select>
</Query>
<Query Id="2">
<Select Path="System">*</Select>
</Query>
</QueryList>
</QueryXML></verbatim>
<savePosition>true</savePosition>
<read-from-last-position>true</read-from-last-position>
<query></query>
<channel></channel>
<remote>false</remote>
<server></server>
<user-name></user-name>
<domain></domain>
<password></password>
<auth-method>Default</auth-method>
</config>
</module>
<module>
<name>dnsaudit</name>
<module>im_etw</module>
<config xsi:type="module-event-tracing-for-windows-in-config-mapping" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<type>INPUT</type>
<verbatim></verbatim>
<provider>Microsoft-Windows-DNSServer</provider>
<level>Verbose</level>
</config>
</module>
</agent>
Memory Consumption Is High
SISA created
Hi Team,
Installed the "nxlog-5.4.7313_aix_ppc.rpm" package on an AIX device, but nxlog is consuming nearly 500MB of RAM.
Can you please let me know how to reduce the resource consumption?
I am getting the debug logs below; please advise whether there is any issue.
-bash-4.3# /opt/nxlog/bin/nxlog -v
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [i]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [i] to [^</Aud]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [t]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [t] to [^</Audi]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [R]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [R] to [^</Audit]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [e]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [e] to [^</AuditR]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [c]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [c] to [^</AuditRe]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [o]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [o] to [^</AuditRec]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [r]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [r] to [^</AuditReco]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [d]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [d] to [^</AuditRecor]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp: append [>]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] appending [>] to [^</AuditRecord]
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpquote end
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexpmodifiers end with eof
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp literal
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] new regexp: /^</AuditRecord>/
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] regexp declared at line 43, character 34 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] literal
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] parsed expression
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] inputreader 'multiline' registered
2022-08-25 16:12:59 DEBUG [xm_multiline|multiline] Inputreader 'multiline' registered
2022-08-25 16:12:59 DEBUG [xm_xml|_xml] CONFIG: _xml
2022-08-25 16:12:59 DEBUG [im_file|filein] CONFIG: filein
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [/oraaud/oracle/adump/SVBO/.xml]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 56, character 45 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] parsed expression
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [The Raw Event is ]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 58, character 37 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_field: raw_event
2022-08-25 16:12:59 DEBUG [im_file|filein] field declared at line 58, character 49 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] binary operation declared at line 58, character 50 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] global procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] log_info declared at line 58, character 51 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] statement: procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] finished parsing statements
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [The Source Address is ]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 59, character 42 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_field: sourceaddr
2022-08-25 16:12:59 DEBUG [im_file|filein] field declared at line 59, character 56 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] binary operation declared at line 59, character 57 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] global procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] log_info declared at line 59, character 58 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] statement: procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] finished parsing statements
2022-08-25 16:12:59 DEBUG [im_file|filein] adding string [The Message is ]
2022-08-25 16:12:59 DEBUG [im_file|filein] string literal declared at line 60, character 35 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] literal
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_field: Message
2022-08-25 16:12:59 DEBUG [im_file|filein] field declared at line 60, character 46 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] binary operation declared at line 60, character 47 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] nx_expr_new_procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] global procedure: log_info
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [im_file|filein] log_info declared at line 60, character 48 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_file|filein] procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] statement: procedure
2022-08-25 16:12:59 DEBUG [im_file|filein] finished parsing statements
2022-08-25 16:12:59 DEBUG [im_fim|fim] CONFIG: fim
2022-08-25 16:12:59 DEBUG [im_fim|fim] adding string [/file/path]
2022-08-25 16:12:59 DEBUG [im_fim|fim] string literal declared at line 67, character 24 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_fim|fim] literal
2022-08-25 16:12:59 DEBUG [im_fim|fim] parsed expression
2022-08-25 16:12:59 DEBUG [im_fim|fim] adding string [.bak]
2022-08-25 16:12:59 DEBUG [im_fim|fim] string literal declared at line 68, character 19 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_fim|fim] literal
2022-08-25 16:12:59 DEBUG [im_fim|fim] parsed expression
2022-08-25 16:12:59 DEBUG [im_fim|fim] adding string [/opt/nxlog/*]
2022-08-25 16:12:59 DEBUG [im_fim|fim] string literal declared at line 69, character 26 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [im_fim|fim] literal
2022-08-25 16:12:59 DEBUG [im_fim|fim] parsed expression
2022-08-25 16:12:59 DEBUG [om_tcp|fileout] CONFIG: fileout
2022-08-25 16:12:59 WARNING [om_tcp|fileout] The 'Port' directive is deprecated in favor of the the new 'host:port' syntax from 'ListenAddr', and will be removed in a future version
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] CONFIG: _fileop
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 102, character 65 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_exists declared at line 102, character 66 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] new function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 103, character 64 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_function: file_size
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global function: file_size
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_size declared at line 103, character 65 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] new function: file_size
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal: 5M
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal declared at line 103, character 71 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] binary operation declared at line 103, character 72 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] ( expr:5 )
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] binary operation declared at line 103, character 74 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] ( expr:5 )
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 105, character 64 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal: 8
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal declared at line 105, character 67 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_warning (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_error (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_all (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure set_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure sleep (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure drop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reroute (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_to_route (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure duplicate_guard (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_stop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_start (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_restart (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure to_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure start_scan (fim - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reconnect (fileout - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_cycle declared at line 105, character 69 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] statement: procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] block declared at line 106, character 13 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] statement: block
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if-else declared at line 106, character 13 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] finished parsing statements
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 115, character 67 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_exists declared at line 115, character 68 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] new function: file_exists
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] adding string [/opt/nxlog/var/log/nxlog/nxlog.log]
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] string literal declared at line 115, character 116 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal: 8
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] integer literal declared at line 115, character 119 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] literal
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] nx_expr_new_procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] global procedure: file_cycle
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure debug (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_info (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_warning (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure log_error (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_all (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure set_var (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure create_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure delete_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_stat (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure sleep (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure drop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure rename_field (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reroute (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure add_to_route (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure duplicate_guard (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_stop (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_start (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure module_restart (NULL - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure to_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure parse_windows_eventlog_xml (_xml - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure start_scan (fim - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure reconnect (fileout - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] checking procedure file_cycle (_fileop - NULL)
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] file_cycle declared at line 115, character 121 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] statement: procedure
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if-else declared at line 115, character 121 in /opt/nxlog/etc/nxlog.conf
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] if
2022-08-25 16:12:59 DEBUG [xm_fileop|_fileop] finished parsing statements
2022-08-25 16:12:59 DEBUG [CORE|main] parsing path: filein => fileout
2022-08-25 16:12:59 DEBUG [CORE|main] adding module filein to route parse_xml
2022-08-25 16:12:59 DEBUG [CORE|main] adding module fileout to route parse_xml
2022-08-25 16:12:59 DEBUG [CORE|main] parsing path: fim => fileout
2022-08-25 16:12:59 DEBUG [CORE|main] adding module fim to route 3
2022-08-25 16:12:59 DEBUG [CORE|main] adding module fileout to route 3
2022-08-25 16:12:59 INFO [CORE|main] configuration OK
2022-08-25 16:12:59 DEBUG [CORE|main] nxlog_shutdown() enter
2022-08-25 16:12:59 DEBUG [CORE|main] stopping INPUT modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module fim
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module filein
2022-08-25 16:12:59 DEBUG [CORE|main] stopping PROCESSOR modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping OUTPUT modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module fileout
2022-08-25 16:12:59 DEBUG [CORE|main] stopping EXTENSION modules
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module _fileop
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module _xml
2022-08-25 16:12:59 DEBUG [CORE|main] stopping module multiline
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: INPUT
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (filein) : 0x1100f3358
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (fim) : 0x110105a38
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: PROCESSOR
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: OUTPUT
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (fileout) : 0x110118178
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: EXTENSION
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (multiline) : 0x1100ed0b8
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (_xml) : 0x1100f0cf8
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (_fileop) : 0x11012a918
2022-08-25 16:12:59 DEBUG [CORE|main] no entries found, not writing configcache.dat
2022-08-25 16:12:59 DEBUG [CORE|main] nxlog_shutdown() leave
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: INPUT
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: PROCESSOR
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: OUTPUT
2022-08-25 16:12:59 DEBUG [CORE|main] shutdown_modules: EXTENSION
2022-08-25 16:12:59 DEBUG [CORE|main] Module pool FREE (CORE) : 0x10029B78
SISA created
NXlog version
SISA created
Hi Team,
NXLog is installed on IBM AIX, but I am not able to find the NXLog version with the commands below.
nxlog -v
nxlog -V
SISA created
nxlog-ce-3.0.2284 on Windows: exec_async cannot run a PowerShell or batch script...
shinee created
Hello!
I would like to execute a simple PowerShell script that only creates a folder, on every incoming ERROR message. But I cannot run the PowerShell script!
My config file is as follows:
<Extension syslog>
    # Provides parse_syslog() used in the input below.
    Module  xm_syslog
</Extension>

<Extension exec>
    # xm_exec is an extension module and cannot be loaded inside an
    # Output block; it provides exec_async().
    Module  xm_exec
</Extension>

<Input 1>
    Module  im_tcp
    Host    0.0.0.0
    Port    514
    Exec    parse_syslog();
</Input>

<Output out>
    Module  om_file
    File    "C:\\NXlogs\\Test_Log.log"
    Exec    if $raw_event =~ /ERROR/ exec_async("C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe", "-ExecutionPolicy", "Bypass", "-command", "C:\\NXlogs\\test.ps1");
</Output>

<Route 1>
    Path    1 => out
</Route>
After running it, I got an error message like:
2022-09-07 15:21:22 ERROR subprocess 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' was terminated by a signal.
Even running notepad.exe or a batch script gives the same error:
ERROR subprocess ................. was terminated by a signal.
Does anyone know what the reason is?
shinee created
Memory leak xm_python, om_python
Grzegorz.Grabowski created
In a heavily loaded environment (around 250K values per minute), using the Python modules causes memory leaks and out-of-memory errors.
Checked on: Ubuntu 20 LTS, CentOS 8 Stream.
After 15-20 minutes of running (a Kafka Python script), nxlog eats over 8 GB of RAM + 3 GB swap and crashes.
Every service restart or reload clears the memory.
Using the perl module is not the solution.
Does anyone have the same? Any tips to resolve it?
Grzegorz.Grabowski created
High cpu usage on rhel 8 with nxlog ce-3.0.2272 after losing connection to syslog-server
Gray.Logger created
Hi,
We have a problem with nxlog CPU usage after it loses the connection to the syslog server. After losing the connection, the CPU usage peaks at 100% until nxlog is stopped. We are using the om_ssl module and the problem only happens on RHEL 8 computers. All the other computers with Windows/RHEL 7 are working fine with the same configuration.
I have tried without the om_ssl module, and then it works just fine.
Our system:
Rocky Linux 8.6
Nxlog version ce-3.0.2272_rhel8.x86_64
As my syslog server, I am using Graylog.
Is anyone else having this problem?
Gray.Logger created
Parsing XML Logs
monarch684 created
I have never had to parse XML files with NxLog, so I am new at this process. This config file grabs Windows Event logs and some trace files from XML files. The Windows Event log part works as it should. The XML part I cannot get to work; I am not getting any output from the XML.
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _gelf>
    Module              xm_gelf
    ShortMessageLength  500
</Extension>

<Extension _syslog>
    # Provides to_syslog_snare() used in EventLog_Out.
    Module  xm_syslog
</Extension>

<Extension xml>
    Module  xm_xml
</Extension>

<Input EventLog_In>
    # Use 'im_mseventlog' for Windows XP, 2000 and 2003
    Module  im_msvistalog
    # Uncomment the following to collect specific event logs only
    # (a multi-line directive value needs a trailing backslash on each line)
    Query   <QueryList>                                     \
                <Query Id="0">                              \
                    <Select Path="Application">*</Select>   \
                    <Select Path="System">*</Select>        \
                    <Select Path="Security">*</Select>      \
                </Query>                                    \
            </QueryList>
</Input>

<Input IISTrace_In>
    Module  im_file
    File    'F:\Fileshare\Infrastructure Department\Logs\W3SVC1\fr001307.xml'
    Exec    parse_xml();
</Input>

<Output EventLog_Out>
    Module      om_tcp
    Host        IP SCRUBBED
    Port        12201
    Exec        to_syslog_snare();
    OutputType  GELF_TCP
</Output>

<Output IISTrace_Out>
    Module  om_file
    File    'F:\Fileshare\Infrastructure Department\Logs\NxLog\Test\Test.log'
</Output>

<Route EventLog>
    Path    EventLog_In => EventLog_Out
</Route>

<Route IISTrace>
    Path    IISTrace_In => IISTrace_Out
</Route>
monarch684 created
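im_file hands parse_xml() one line at a time, so a multi-line XML document has to be reassembled into one record per element before it is parsed. The following configuration is an added example, not the poster's own config; it assumes each trace record in the file named above is one <Event>...</Event> element (check this against the actual file), and uses the xm_multiline extension to rebuild those records.

```nxlog
# Added example, not the original poster's config. Assumes each trace
# record is one <Event>...</Event> element (verify against the file); the
# file paths are the ones given in the post.
<Extension xml>
    Module  xm_xml
</Extension>

<Extension json>
    Module  xm_json
</Extension>

# Join the lines between an opening <Event ...> tag and the matching
# </Event> tag into a single $raw_event before it reaches parse_xml().
<Extension xml_record>
    Module      xm_multiline
    HeaderLine  /^\s*<Event[\s>]/
    EndLine     /^\s*<\/Event>/
</Extension>

<Input IISTrace_In>
    Module      im_file
    File        'F:\Fileshare\Infrastructure Department\Logs\W3SVC1\fr001307.xml'
    InputType   xml_record
    <Exec>
        # The XML declaration and the root element's own lines arrive as
        # fragments that are not complete records; discard them.
        if $raw_event !~ /^\s*<Event/ drop();
        # Turn the reassembled element into fields named after its
        # child elements.
        parse_xml();
        # Rewrite $raw_event as JSON so the parsed fields are visible in
        # the output file.
        to_json();
    </Exec>
</Input>

<Output IISTrace_Out>
    Module  om_file
    File    'F:\Fileshare\Infrastructure Department\Logs\NxLog\Test\Test.log'
</Output>

<Route IISTrace>
    Path    IISTrace_In => IISTrace_Out
</Route>
```

If the output file stays empty, run nxlog with a LogLevel of DEBUG and check that xm_multiline reports the two regexps and that the records it emits start with the <Event tag.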
Source code version issue
dmillfree created
Has anyone else noticed that the source code package says version nxlog-ce-3.0.2272.tar.gz, and when you decompress the package it says version nxlog-ce-3.0.14, and the compiled version is nxlog-ce-3.0.14?
I really appreciate nxlog-ce being free and available. Thumbs up to the developers.
dmillfree created
Reading logs from Multiple CSV file
Rawchase created
Hello Team,
I would like to read multiple types of CSV files from a share folder. Is it possible? Could you please share a sample?
Rawchase created
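One way to handle several CSV layouts from one share is a separate xm_csv instance per layout, each bound to an im_file input that matches that layout's files by name pattern. The configuration below is an added example and not part of the original post; the share path, file name patterns and column lists are constructed placeholders.

```nxlog
# Added example, not from the post. The share path, file name patterns
# and column lists are constructed placeholders; adjust Fields, Delimiter
# and the file globs to match your CSV files.
# Assumes the share folder is mapped as drive X: on the collector.
define SHARE X:\logs

# One xm_csv instance per CSV layout, each with its own column list.
<Extension csv_access>
    Module      xm_csv
    Fields      $ts, $user, $src_ip, $action, $status
    FieldTypes  string, string, string, string, integer
    Delimiter   ,
</Extension>

<Extension csv_audit>
    Module      xm_csv
    Fields      $ts, $host, $object, $change
    Delimiter   ;
</Extension>

<Extension json>
    Module  xm_json
</Extension>

# Each input picks up one family of files by name pattern and parses
# them with the matching layout via the module-qualified parse_csv().
<Input access_in>
    Module  im_file
    File    '%SHARE%\access-*.csv'
    <Exec>
        # Skip each file's header row instead of parsing it as data.
        if $raw_event =~ /^ts,/ drop();
        csv_access->parse_csv();
        # Serialise the parsed fields so the output shows what was extracted.
        to_json();
    </Exec>
</Input>

<Input audit_in>
    Module  im_file
    File    '%SHARE%\audit-*.csv'
    <Exec>
        if $raw_event =~ /^ts;/ drop();
        csv_audit->parse_csv();
        to_json();
    </Exec>
</Input>

<Output out>
    Module  om_file
    File    'C:\nxlog-out\csv.json'
</Output>

<Route csv>
    Path    access_in, audit_in => out
</Route>
```

A file whose name matches neither pattern is never read, so a new CSV type on the share needs its own extension and input rather than falling through to the wrong parser.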
logs are not forwarded if windows time-date is changed backwards
juanjo created
Hi!
We have nxlog ce running in a Windows machine. It works ok.
If time is changed to the future, it continues forwarding logs.
However, if time is changed to the past, logs are not forwarded anymore. This affects logs from Windows events, from a text file, etc.
It seems that nxlog is filtering the logs and that logs with an earlier time than others already received are discarded. Logs are forwarded again if the nxlog service is restarted (this seems to do a 'reset' of the expected time).
Do you know how we could avoid this?
juanjo created
nxlog-ce for SLES?
DennisG created
Hello nxlog community, :-)
We're currently in the process of analyzing nxlog as potential logging software for our company, and while doing so we were looking for an nxlog community edition that supports our SLES operating systems.
The official download page does not list versions for any SUSE operating system.
We know that SLES is supported by the enterprise edition, but for testing purposes we would like to use the community edition to get started.
We've successfully compiled the community edition's source code and installed it on SLES via ...
zypper in gcc apr-devel pcre-devel libopenssl-devel libexpat-devel
./configure
make
make install
... but doing so lacks a lot of other things (which must be taken care of manually), like creating the nxlog user and group, assigning its GID, creating config files, systemd units, directories in /usr/local/etc ...
What are we missing?
What is the best way to get nxlog-ce installed on SLES 15 SP3?
Thank you in advance.
Best regards
Dennis
DennisG created
Windows Event log processing slow
dgpv created
Hello,
We are using nxlog-ce 3.0.2284 on Windows 2016 to collect event logs and forward them to our new SIEM.
We experience an increasing delay in the reception of these events by the SIEM. It starts with a delay of a few seconds, and after a while the delay has progressively increased to hours. We collect all the event logs, without any filter, and the observed throughput is around 150 eps, with peaks at 700 eps. The output is om_tcp with TLS. Lastly, we disabled the buffer processor to see if it helps, but with no improvement.
The server does not seem to be very loaded in terms of RAM, CPU and disk.
Are we reaching nxlog's maximum performance? Looking at the docs, it seems that the default values are 31 for BatchSize and 1 second for PollInterval. Does that mean that the maximum input throughput is 31 eps? Lowering the PollInterval to 0.1 seconds seems to help, but is it the recommended strategy to improve performance?
How can we configure nxlog to improve the performance ?
Thank you for your help !
David
dgpv created