1
answer

Is there a command or switch to prevent nxlog from deleting log files that have already been consumed and forward to their destination?

I am want to forward the Exchange 2013 Message Tracking logs to a Graylog Server but need to leave the tracking logs in place.

Thanks,

Dan

AskedSeptember 22, 2015 - 4:57pm

Answer (1)

NXLog does not delete files unless you explicitly tell it to do so.

AnsweredSeptember 22, 2015 - 5:35pm

Comments (2)

  • dmcfadden's picture

    Well, I cannot find the switches in the documentation that allow control of deleting.

    I used a simple configuration and after consuming the first log, nxlog wrote into its log file, that it was deleting log files. I did not place any explicit command allowing nxlog to delete logs file. This is my initial conf file in my test environment:

    ## Initial configuration ##

    define ROOT C:\\Program Files\\nxlog
    Moduledir %ROOT%\\modules
    CacheDir %ROOT%\\data
    Pidfile %ROOT%\\data\\nxlog.pid
    SpoolDir %ROOT%\\data
    LogFile %ROOT%\\data\\nxlog.log

    Module xm_gelf

    Module im_file
    ##File "D:\\Logs\\x11\\\\*.LOG"
    File "\\\exsvr1\\logs\\\\*.LOG"
    ##SavePos TRUE

    Module om_tcp
    Host syslog-02.mydomain.com
    Port 5514
    OutputType GELF_TCP

    Path in_exsvr1 => out_graylog

    There is no explicit allow for delete, yet this nxlog wrote the following entries in its log:

    2015-09-15 15:43:28 INFO connecting to syslog-02.mydomain.com:5514
    2015-09-15 15:43:28 INFO nxlog-ce-2.9.1347 started
    2015-09-15 16:00:01 WARNING input file was deleted: \\exsvr1\logs\\MSGTRKMD2015090708-2.LOG
    2015-09-15 16:00:01 WARNING input file was deleted: \\exsvr1\logs\\MSGTRK2015090321-1.LOG
    2015-09-15 16:00:02 WARNING input file was deleted: \\exsvr1\logs\\MSGTRKMS2015081614-1.LOG
    2015-09-15 16:00:02 WARNING input file was deleted: \\exsvr1\logs\\MSGTRK2015090323-1.LOG
    2015-09-15 16:00:02 WARNING input file was deleted: \\exsvr1\logs\\MSGTRK2015090400-1.LOG
    2015-09-15 16:00:02 WARNING input file was deleted: \\exsvr1\logs\\MSGTRKMD2015090709-1.LOG
    2015-09-15 16:00:03 WARNING input file was deleted: \\exsvr1\logs\\MSGTRK2015090322-1.LOG
    2015-09-15 16:00:05 WARNING input file was deleted: \\exsvr1\logs\\MSGTRK2015090401-1.LOG
    2015-09-15 16:08:14 WARNING stopping nxlog service
    2015-09-15 16:08:14 WARNING nxlog-ce received a termination request signal, exiting...

    The data was sent into our graylog server in GELF format, and I can confirm that nxlog did delete the listed log files.

    So, where can I find the control switch(es) in the documentation to explicit allow or forbid deleting of log files.

    Thanks for the help.

    Dan

    September 23, 2015 - 9:01am
  • adm's picture
    (NXLog)

    "WARNING input file was deleted" refers to the fact that it detects that the file was deleted but NXLog (im_file) does not delete files. You probably have log rotation set up for your exchange message tracking logs, please check your exchange configuration for that.

    September 23, 2015 - 4:08pm