DNS debug log is usually configured with a maximum size.
When this limit is reached the log file is cleared to start over.
Unfortunately this is not a friendly behavior when you need to monitor this data since the log collector might miss some events when the rollover occurs.
Some other services are capable of creating a new log file, the DNS service doesn’t.
The bigger problem is that the DNS debug log could disappear when it is monitored by log collector tools.
This issue is not NXLog specific and it affects any other tool that opens and reads the log file, for example Splunk users and Trellix SIEM collector users are running into the same issue.
The DNS debug log only disappears if it is monitored, so the conclusion would be to blame the log monitoring tool.
The im_file module in NXLog does not delete files and it does not lock log files.
Files are opened with READ access only.
NXLog and most other log collectors work fine collecting log files being written by most other software.
Some software requests exclusive locking on a log file that it writes, this of course will prevent the file from being opened and monitored.
Locking isn’t the problem in this case as the DNS service does not lock the debug log file.
The default behavior of NXLog’s im_file module is to keep the monitored file open.
The CloseWhenIdle configuration option can be used to instruct it to close the log file after it’s done reading the file.
Unfortunately this does not solve the disappearing DNS log file issue.