4 responses

Running on Win2012R2.

This is my nxlog config:
******************************************************
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Check log file for nxlog errors
LogFile %ROOT%\data\nxlog.log

<Input iis_1>
    Module im_file
    File "C:\\inetpub\\logs\\*.log"
    SavePos True
    ReadFromLast True
</Input>

<Output out>
    Module om_tcp
    Host logstashserver
    Port 9902
    OutputType LineBased

    Exec if (get_var('count') == undef) set_var('count', 0);
    Exec set_var('count', get_var('count') + 1);
    # Send 5% of log lines
    Exec if (get_var('count') % 20 != 0) drop();
</Output>

# route name assumed; the block tags were not visible in the post
<Route 1>
    Path iis_1 => out
</Route>

******************************************************

The problem is that nxlog seems to be way behind. I'm setting a counter and using modulus to filter out only a sample of logs - not sure if that is slowing it down?

As a test I added this line to the config to write to a file to see where nxlog is in its processing: Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);

When I did that and looked in the nxlog_output.log file I can see the log lines it is on are hours ago - it's taking too long to process them. Resource utilization on the server is very low (CPU and memory).

How can I make it faster?

Asked April 18, 2017 - 10:59pm

Answer (1)

You should try with om_null instead of om_tcp.

Chances are that your logstash is slow.

Comments (3)

  • red888

    How would I use om_null to confirm this?

    I thought nxlog just sent logs to logstash as fast as it could, does it actually scale its requests relative to what logstash can process?

    From what I saw it looked like nxlog was taking a long time to work through the logs. Logstash doesn't seem to be the bottleneck.

  • b0ti (NXLog)

    NXLog uses flow-control to ensure logs are not dropped if the remote TCP is slow to accept data. The input will wait until the output can send more data.

    You can disable flow-control, see FlowControl in the manual.

  • red888

    I guess this is more of a logstash\linux question, but I would expect logstash to be under heavy load if it was backed up, but it is not. CPU, Memory, and iowait are super low on that server. So I guess it could be network saturation.

    How can I confirm the slowness is due to nxlog being blocked by the logstash server's Nic saturation/slowness? When I ping logstash from an endpoint latency is low and reliable.
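A configuration that puts the answer's om_null test and b0ti's FlowControl remark together with the question's sampling logic, added here as an example rather than taken from the thread or from NXLog's own documentation. It reuses the names from the post (iis_1, out, logstashserver, the Exec counter); the define for ROOT, the output name out_null and the route names are assumptions.

```nxlog
# Example configuration, not from the original thread.
# ROOT is assumed to be the default install path the poster's file_write() used.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Input iis_1>
    Module       im_file
    File         "C:\\inetpub\\logs\\*.log"
    SavePos      True
    ReadFromLast True

    # Sampling is done in the input so the 95% that are discarded never enter
    # the route queue at all. Keep in mind that 5% of IIS lines is also 95%
    # less evidence when an incident on this server has to be reconstructed.
    Exec if (get_var('count') == undef) set_var('count', 0);
    Exec set_var('count', get_var('count') + 1);
    Exec if (get_var('count') % 20 != 0) drop();

    # Flow control is on by default: when the output cannot send, this input
    # pauses instead of losing events (that pause is the lag in the question).
    # FlowControl False makes the input keep reading and discard whatever the
    # output cannot take, which leaves a silent gap in the log record. Leave it
    # at the default unless losing events is acceptable.
    FlowControl  True
</Input>

# Diagnostic output (assumed name): om_null accepts everything instantly.
# If the lag disappears with this route, the TCP path (logstash or the
# network) is the bottleneck; if it stays, the cost is on the NXLog side.
<Output out_null>
    Module  om_null
</Output>

<Output out>
    Module      om_tcp
    Host        logstashserver
    Port        9902
    OutputType  LineBased
</Output>

# Route names assumed. Activate one route at a time for the test.
<Route to_null>
    Path  iis_1 => out_null
</Route>

#<Route to_logstash>
#    Path  iis_1 => out
#</Route>
```

Run with the to_null route first and compare the timestamps of the lines NXLog is currently reading against the clock, exactly as the poster did with file_write(); only after that comparison is it worth looking at the Logstash host or the network. FlowControl stays at its default here on purpose: turning it off trades visible lag for invisible loss, which is the worse outcome for a log pipeline that detection or forensics depends on.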