2 responses

Hello community, I have to collect Security logs from a Windows Server 2003. Sometimes, I have the following errors:

2017-11-22 09:03:52 INFO nxlog-ce-2.9.1504 started
2017-11-22 09:03:52 INFO connecting to siem.nutrition.lan:1514
2017-11-22 09:03:52 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 1 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:03:54 INFO Successfully reopened Security EventLog
2017-11-22 09:03:54 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 2 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:03:57 INFO Successfully reopened Security EventLog
2017-11-22 09:03:57 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 4 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:04:02 INFO Successfully reopened Security EventLog
2017-11-22 09:04:02 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 8 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:04:11 INFO Successfully reopened Security EventLog
2017-11-22 09:04:11 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 16 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.

Here is my config file:

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

############################
# EXTENSION
############################

# Enable json extension
<Extension json>
    Module xm_json
</Extension>

# Enable syslog extension
<Extension syslog>
    Module xm_syslog
</Extension>

# Enable conversion module
<Extension charconv>
    Module xm_charconv
    AutodetectCharsets utf-8, euc-jp, utf-16, utf-32, iso8859-2
</Extension>

############################
# INPUT
############################

# Nxlog internal logs
<Input internal>
    Module im_internal
    Exec to_json();
</Input>

# Windows Event Log for 2003 server
<Input eventlog2003>
    # Module for Windows 2003 server (im_mseventlog reads the legacy,
    # pre-Vista EventLog API; im_msvistalog is the module for 2008+)
    Module im_mseventlog
    # Only the Security log is collected
    Sources Security
    # EventReceivedTime is in microseconds; convert it to seconds
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec convert_fields("AUTO", "utf-8");
    # Pack all fields into a JSON message, then wrap it in BSD syslog framing
    Exec $Message = to_json(); to_syslog_bsd();
</Input>

############################
# OUTPUT
############################

<Output siem>
    Module  om_tcp
    Host    collector.company.com
    Port    1514
</Output>

<Route 1>
    Path    eventlog2003, internal => siem
</Route>

I can solve the issue by restarting the nxlog agent, but this is not a definitive solution... Does anybody have the same issue?

Asked November 23, 2017 - 11:46am
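An added check, not part of this thread or of nxlog itself, that turns the reopen warnings above into a collection-gap alert: it parses the nxlog.log lines quoted in the post (embedded below as a constructed sample), tallies the announced backoff per event log, and flags the log once the backoff reaches a threshold (assumed here to be 8 seconds), since every reopen cycle is a window in which Security events may go uncollected.

```python
import re
from datetime import datetime

# Constructed sample: the nxlog.log excerpt quoted in the post, as one string.
SAMPLE_LOG = """\
2017-11-22 09:03:52 INFO nxlog-ce-2.9.1504 started
2017-11-22 09:03:52 INFO connecting to siem.nutrition.lan:1514
2017-11-22 09:03:52 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 1 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:03:54 INFO Successfully reopened Security EventLog
2017-11-22 09:03:54 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 2 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:03:57 INFO Successfully reopened Security EventLog
2017-11-22 09:03:57 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 4 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:04:02 INFO Successfully reopened Security EventLog
2017-11-22 09:04:02 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 8 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
2017-11-22 09:04:11 INFO Successfully reopened Security EventLog
2017-11-22 09:04:11 WARNING got ERROR_INVALID_PARAMETER (errorcode: 87) for the Security log, will try to reopen in 16 sec. ReadFromLast is TRUE and will try to restart from the last position. This might result in uncollected logs.
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
WARN_RE = re.compile(r"got (\w+) \(errorcode: (\d+)\) for the (\w+) log, will try to reopen in (\d+) sec")
REOPENED_RE = re.compile(r"Successfully reopened (\w+) EventLog")


def summarize_reopen_loops(text, max_backoff_sec=8):
    """Per event log: count reopen cycles, sum the announced backoff, and set
    'alert' once the backoff reaches max_backoff_sec (assumed threshold),
    i.e. once the loop is no longer a transient blip and a gap is likely."""
    loops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a timestamped nxlog line
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)
        w, r = WARN_RE.search(msg), REOPENED_RE.search(msg)
        if w:
            error, code, log, backoff = w.group(1), int(w.group(2)), w.group(3), int(w.group(4))
            s = loops.setdefault(log, {"first_warning": ts, "last_warning": ts, "cycles": 0,
                                       "reopened": 0, "backoff_total_sec": 0,
                                       "max_backoff_sec": 0, "errors": set(), "alert": False})
            s["cycles"] += 1
            s["last_warning"] = ts
            s["backoff_total_sec"] += backoff  # time the agent announced it would not read the log
            s["max_backoff_sec"] = max(s["max_backoff_sec"], backoff)
            s["errors"].add(f"{error}({code})")
            s["alert"] = s["max_backoff_sec"] >= max_backoff_sec
        elif r and r.group(1) in loops:
            loops[r.group(1)]["reopened"] += 1  # a reopen that followed a warning
    return loops


if __name__ == "__main__":
    for log, s in summarize_reopen_loops(SAMPLE_LOG).items():
        print(log, s)
```

Run it over the agent's own nxlog.log (the LogFile path in the config) from a scheduled task; an alert here is the cue to compare the SIEM's last received Security event against the server's local log rather than waiting for the loop to be noticed by hand.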

Answer (1)