
Issues with the nxlog agent when installed on Citrix MCS VDI machines.
Hello everyone! I have a scenario that uses Citrix MCS where I installed the agent on the master image that provides clone images that should go with the nxlog agent installed and running. But the agent goes up with some errors as below:

```
2022-09-23 13:51:38 ERROR couldn't connect to udp socket on <IP:XYZ:514>; The socket operation was attempted to an unreachable network.
2022-09-23 13:51:46 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-09-23 13:51:46 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Setup WitnessClientAdmin
2022-09-23 13:52:14 WARNING received a system shutdown request
2022-09-23 13:52:14 WARNING stopping nxlog service
2022-09-23 13:52:14 WARNING nxlog-ce received a termination request signal, exiting...
2022-11-02 23:16:38 INFO nxlog-ce-2.11.2190 started
2022-11-02 23:16:44 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-11-02 23:16:44 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Setup WitnessClientAdmin
2022-11-02 23:27:15 ERROR EvtNext failed with error 15007: The specified channel could not be found. Check channel configuration.
2022-11-02 23:27:16 WARNING Due to the limitation in the Windows EventLog subsystem, the query cannot contain more than 256 sources.
2022-11-02 23:27:16 WARNING The following sources are omitted to avoid exceeding the limit in the generated query: WitnessClientAdmin
2022-11-02 23:27:16 ERROR Failed to retrieve eventlog fields; The handle is invalid.
```

Has anyone had a problem like this using Citrix MCS? Thanks James \0/

gijosgun created
Replies: 1
[NXLOG-CE-3.0.2284] Error 109 - Broken Pipe
Hi, I recently installed the latest version of NXLOG-CE (3.0.2284) on my Windows Server 2016 Standard. I noticed that the configcache is not functional in my case because of an error when the nxlog service stops => "System Error 109 has occurred. The pipe has ended" My configcache.dat file is not updated and when I restart the service, a lot of old logs are sent to my logstash.

Here's my nxlog conf file:

```
Panic Soft
define ROOT C:\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
LogLevel INFO

Moduledir %ROOT%\Modules
Pidfile %ROOT%\nxlog.pid
SpoolDir %ROOT%\SpoolDir
CacheDir %ROOT%\CacheDir

<Extension _syslog>
    Module xm_gelf
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Collecting event log
<Input eventlog>
    Module im_msvistalog
    ReadFromLast TRUE
    SavePos TRUE
    Exec to_json();
</Input>

<Output ssl>
    Module om_ssl
    Host XX.XX.XX.XX
    CertFile %CERTDIR%\MyCertFile.crt
    Port XXXX
    AllowUntrusted TRUE
</Output>

<Route 1>
    Path eventlog => ssl
</Route>
```

Thanks a lot for your help

manuel created
Replies: 3
How to write windows events to a new file every 1 min
Hi All, I want to write Windows events to a new file every 1 min. As of now, I have the following Output block in my conf which works. It is given below:

```
<Output file>
    Module om_file
    File "C:\\Program Files (x86)\\nxlog\\data\\nxlog-output.json"
    <Schedule>
        Every 1 min
        Exec rotate_to(file_name() + strftime(now(), '_%Y-%m-%d_%H-%M-%S'));
    </Schedule>
</Output>
```

But in this case, I always write to the same file, i.e. "C:\Program Files (x86)\nxlog\data\nxlog-output.json", and after 1 min, the data is saved in another file with the naming convention mentioned above. I want to create a new file every 1 min with the above naming convention and then write to that file instead of writing to the same file. **How can I do this? Admins please guide.**

gtarone created
Replies: 2