
Hi,

I have NXLog (nxlog-ce-2.9.1716) deployed to over 100 Windows servers to send Windows events to Graylog, and it's working fantastically on all but one server, our main file server. On this one server, the same 5145 events seem to be repeated up to 19 times. From what I can see they are identical in Graylog but don't appear duplicated on the file server; the only difference I can see is the volume of events (by design we need to see file access successes as well as failures, and have ABE enabled, so we see up to 170k events per minute).

We don't see the issue on any other server. I have implemented the norepeat module (config below) but still no joy. Any suggestions or advice welcome please?

## NXLog configuration file. See the nxlog reference manual for more info
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
Module xm_gelf
</Extension>

<Input in>
# Use 'im_mseventlog' for Windows XP and 2003
Module im_msvistalog
# Drop a fixed list of noisy event IDs outright; for everything else map
# the Windows event type onto a syslog severity value for Graylog.
Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004 or $EventID == 5156) drop();\
else{\
if ( $EventType == "INFO" ) $SyslogSeverityValue = 6;\
if ( $EventType == "WARNING" ) $SyslogSeverityValue = 4;\
if ( $EventType == "ERROR" ) $SyslogSeverityValue = 3;\
}
</Input>

<Processor norepeat>
Module pm_norepeat
# pm_norepeat only drops an event whose listed fields all match the
# immediately preceding event; identical 5145s that arrive separated by
# other events are not consecutive and pass through untouched.
CheckFields Hostname, SourceName, Message
</Processor>

<Output out>
Module om_udp
#Our Graylog server
Host [our graylog server]
Port 12201
OutputType GELF
</Output>

<Route 1>
Path in => norepeat => out
</Route>

Asked November 9, 2017 - 10:27am

Answer (1)

On this one server, the same 5145 events seem to be repeating events up to 19 times

Do the events repeat, or does the whole log get resent? I.e. for Foo, Bar do you see Foo, Foo, Bar, Bar or Foo, Bar, Foo, Bar?

I suggest setting up a local om_file output for debugging purposes where you can check this. If there is no duplication there then the issue is likely elsewhere.
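One way to answer that question from the local om_file capture, as an added example that is not part of this thread or of NXLog itself: the script below assumes the debugging output was written with an Exec in the om_file block that emits each event as one tab-separated line of $EventTime, $EventID, $RecordNumber and a newline-flattened $Message (the field names are the ones im_msvistalog provides; the line format is an assumption made here, for instance `Exec $raw_event = $EventTime + "\t" + $EventID + "\t" + $RecordNumber + "\t" + replace($Message, "\n", " ");`). It groups identical messages and reports whether the repeats sit next to each other (Foo, Foo, Bar, Bar) or are interleaved with other events (Foo, Bar, Foo, Bar), and whether the repeats carry the same Windows RecordNumber (one record emitted more than once) or different ones (the Security log genuinely holds several identical records). The sample lines are constructed.

```python
"""Classify duplicate events in a tab-separated NXLog om_file debug capture.

Added example, not code from the thread or from NXLog. Assumed line format
(written by an om_file Exec, see lead-in):

    EventTime <TAB> EventID <TAB> RecordNumber <TAB> Message
"""
from collections import defaultdict

FIELD_SEP = "\t"


def parse_line(line):
    """One capture line -> dict, or None for blank, partial or non-matching lines."""
    parts = line.rstrip("\r\n").split(FIELD_SEP, 3)
    if len(parts) != 4:
        return None
    ts, eid, rec, msg = parts
    try:
        return {"time": ts, "event_id": int(eid), "record": int(rec), "msg": msg}
    except ValueError:
        return None


def analyze(lines, event_id=None):
    """Group identical messages and describe how their repeats are laid out."""
    events = [e for e in map(parse_line, lines) if e is not None]
    if event_id is not None:
        events = [e for e in events if e["event_id"] == event_id]

    occurrences = defaultdict(list)  # message text -> [(position, RecordNumber), ...]
    for pos, e in enumerate(events):
        occurrences[e["msg"]].append((pos, e["record"]))

    groups = {m: occ for m, occ in occurrences.items() if len(occ) > 1}
    consecutive = interleaved = same_record = distinct_record = 0
    for occ in groups.values():
        positions = [p for p, _ in occ]
        # Foo, Foo, Bar, Bar: every repeat directly follows the previous copy.
        if all(b - a == 1 for a, b in zip(positions, positions[1:])):
            consecutive += 1
        else:  # Foo, Bar, Foo, Bar: other events sit between the copies.
            interleaved += 1
        # Same RecordNumber: one Windows record was emitted more than once.
        if len({r for _, r in occ}) == 1:
            same_record += 1
        else:  # Distinct RecordNumbers: the event log holds several identical records.
            distinct_record += 1

    if not groups:
        layout = records = "none"
    else:
        layout = ("consecutive" if interleaved == 0 else
                  "interleaved" if consecutive == 0 else "mixed")
        records = ("same-record" if distinct_record == 0 else
                   "distinct-records" if same_record == 0 else "mixed")

    return {
        "events": len(events),
        "unique_messages": len(occurrences),
        "duplicate_groups": len(groups),
        "max_multiplicity": max((len(o) for o in groups.values()), default=1),
        "layout": layout,
        "records": records,
    }


def _line(ts, eid, rec, msg):
    return FIELD_SEP.join([ts, str(eid), str(rec), msg])


# Constructed sample captures (not real data); messages are abbreviated 5145 texts.
_MSG_A = "Share Name: \\\\server\\Users Relative Target Name: username\\Finance\\mydoc.doc Access Mask: 0x80"
_MSG_B = "Share Name: \\\\server\\Users Relative Target Name: username\\Finance\\budget.xlsx Access Mask: 0x80"
_MSG_C = "Share Name: \\\\server\\Users Relative Target Name: username\\notes.txt Access Mask: 0x1"

SAMPLE_CONSECUTIVE = [
    _line("2017-11-14 15:28:52", 5145, 100, _MSG_A),
    _line("2017-11-14 15:28:52", 5145, 100, _MSG_A),
    _line("2017-11-14 15:28:52", 5145, 100, _MSG_A),
    _line("2017-11-14 15:28:52", 4624, 101, "An account was successfully logged on."),
    _line("2017-11-14 15:28:53", 5145, 102, _MSG_B),
    _line("2017-11-14 15:28:53", 5145, 103, _MSG_C),
    _line("2017-11-14 15:28:53", 5145, 103, _MSG_C),
    "a torn or foreign line without tabs is ignored",
]

SAMPLE_INTERLEAVED = [
    _line("2017-11-14 15:28:52", 5145, 100, _MSG_A),
    _line("2017-11-14 15:28:52", 5145, 101, _MSG_B),
    _line("2017-11-14 15:28:52", 5145, 100, _MSG_A),
    _line("2017-11-14 15:28:52", 5145, 101, _MSG_B),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python dup_layout.py <nxlog-debug-capture>
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(analyze(fh, event_id=5145))
    else:
        print(analyze(SAMPLE_CONSECUTIVE, event_id=5145))
        print(analyze(SAMPLE_INTERLEAVED, event_id=5145))
```

Run it against the capture with the file name as the argument; with no argument it runs on the constructed samples. A "same-record" result means the same Windows record left NXLog more than once, which points at the collector rather than at the server; "distinct-records" means Windows wrote the event several times, and the Security log, filtered on one of those record numbers, should show the copies too.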

Comments (3)

  • sticks221:

    Hi,

    Thank you for the prompt response. I did as you suggested and enabled a local log file. Upon checking the file, I can see the same event logged 3 times, and all look identical (see below). I cannot see the same happening in the Windows event log. Any other ideas please, as I am at a loss :(

    2017-11-14 15:28:52 server.org AUDIT_SUCCESS 5145 A network share object was checked to see whether client can be granted desired access.

    Subject:
    Security ID: S-1-5-21-2887501903-2386530923-2143528260-103622
    Account Name: username
    Account Domain: org
    Logon ID: 0x134900EA

    Network Information:
    Object Type: File
    Source Address: 10.136.230.117
    Source Port: 50457

    Share Information:
    Share Name: \\server\Users
    Share Path: \??\U:\users
    Relative Target Name: username\Finance\mydoc.doc

    Access Request Information:
    Access Mask: 0x80
    Accesses: ReadAttributes

    Access Check Results:
    ReadAttributes: Granted by D:(A;;0x1301bf;;;DU)

  • b0ti (NXLog):

    You are the first to report such an issue, so I wouldn't be surprised if there is something related to your environment. Other than that I'm not sure how we could help. I could suggest testing the NXLog EE trial to see if it works differently.

  • cdenneen:

    Seen the same issue on nxlog-ce-2.8.1248 reading from a local file.
    We've had many servers using NXLog, but for some reason we find a log file from one server keeps resending the same events over and over.
    The .dat file seems to be fine.
    No idea what's causing this.