4
responses

Hi,

My scenario is:  (Windows server + nxlog configured for Windows events) => Logstash => Elasticsearch

I am wondering where nxlog stores current informations about sent Windows Events (for every category).
If i need to resend a few Windows events from past, how i can do it?

Is there any way to select last X hours (example: last 48 hours from Security category, from the starting nxlog service moment).
SavePos and ReadFromLast are helpful, but if both are false, event logs are sent from the first one stored on Windows server.

Also, where nxlog save all events in case of temporary lost tcp connection? This is probably SavePos location.

 

Thanks

 

AskedJuly 18, 2017 - 3:20pm

Answer (1)

It saves an XML bookmark provided by the Windows Eventlog API. This is what savepos does.

Unfortunately it is not possible to have it start from x hours before. What you can do is remove `configcache.dat`, set `SavePos` and `ReadFromLast` to `FALSE` and use a filter such as this:

Exec if $EventTime < 2017-07-15 00:00:00 drop();

When the network connection is lost it simply does not read and forward more logs (=flow control).

Comments (3)

  • ilya's picture

    Thank you,

    This drop() solution is enough for me.

    Flow control mean, nxlog drop every windows event until connection to logstash become active again?
    Service on source windows server is active all the time and forwarding is the only problem due to missing link.

    In many configurations i found Eventreceivedtime conversion to integer before sending to json, and later to logstash:
    $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();

    Am i missing some benefit from this except converting this integer later to desired time format?

  • b0ti's picture
    (NXLog)

    FlowControl is enabled by default so there should be no message loss when a connection is down.

    I believe the integer conversion is done in order to preserve the timestamp for logstash. By default the timezone is not shown in the JSON output , though the NXLog EE has a DateFormat configuration option for this.