1
response

We are using Windows event collector which is pulling in from over 400 hundred servers. We have configured both disk and memory buffers and looks like nxlog peaks at 2GB memory and then starts to crash and no longer sends logs. I am seeing the following messages in the nxlog log.

When using mem only buffer

2016-01-29 17:46:52 ERROR EvtNext failed with error 14: Not enough storage is available to complete this operation.  
2016-01-29 17:46:52 ERROR EvtUpdateBookmark failed: The handle is invalid.  
2016-01-29 17:46:52 ERROR EvtNext failed with error 14: Not enough storage is available to complete this operation.  
2016-01-29 17:46:52 ERROR EvtUpdateBookmark failed: The handle is invalid.  
2016-01-29 17:46:52 ERROR EvtCreateRenderContext failed; Not enough storage is available to complete this operation.

I've adjusted the buffer to use both disk and mem and now getting this... 

2016-01-29 18:03:51 ERROR couldn't connect to tcp socket on IP:3515; An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.  

Did we reach some sort of limitation or perhaps just too much logs incoming for it to handle? Using version: nxlog-ce-2.9.1504

 

AskedFebruary 1, 2016 - 6:05pm

Answer (1)

The errors Not enough storage and lacked sufficient buffer space refer to the same thing, i.e. the process ran out of memory due to a memory leak. You should try trimming your config (e.g. get rid of pm_buffer) to see if that helps.

I suggest to also test the EE trial as that has a fix for a recent isse with im_msvistalog that the CE does not contain yet.