
This is a very interesting issue and I was wondering if anyone has encountered it before. I have ~200 development systems that I wish to gather Windows event information from; however, there are toolsets within this environment that are interrupted by NXLog.

NXLog is connecting to the eventlog API and polls (pause/resume) the API every second (configurable) for new events within the various subscribed-to channels. My issue is with reference information loaded by the event log API due to the active connection from NXLog. The reference dll is loaded into the eventlog service but is not released because NXLog does not release the call; it pauses and resumes. This in turn causes our development automation to fail, since the automation tools are looking to replace this dll once a dev pass is complete.

Is there an exec example to reconnect so that the eventlog service will release these dlls?  Something like:

<Input eventlog>
    Module im_msvistalog
    Query\
        <QueryList>\
            <Query Id="0">\
                <Select Path="Application">*</Select>\
            </Query>\
        </QueryList>
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec $raw_event='{"jsonEvent":"Windows","Event":' + to_json() + '}';
    <Schedule>
        Every 30 sec
        Exec eventlog->reopen();
    </Schedule>
</Input>

 

Asked August 26, 2017 - 2:08am

Answer (1)

This would need development to implement such a feature. Note that modules can be stopped/started individually in the NXLog EE through the management API, which could give you the same result.