It seems I have a problem with Nxlog-ce and Windows eventlog after power resume/reconnect to the network.

At a high level, we won't get any logs from a machine before we restart the nxlog service. It shows as running but sends no logs.
As soon as you restart it, the logs are sent.

I enabled debug logging and got the following:

2017-11-27 08:02:40 DEBUG before nx_logqueue_push, size: 26
2017-11-27 08:02:40 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (eventlogOUT)
2017-11-27 08:02:40 DEBUG executing statements
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:3
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:4
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:5
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:6
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:7
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:8
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:9
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:10
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:11
2017-11-27 08:02:40 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\\conf\\add-on\\eventlog_client.conf:12
2017-11-27 08:02:40 DEBUG before nx_logqueue_push, size: 27
2017-11-27 08:02:40 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (eventlogOUT)
2017-11-27 08:02:40 ERROR Exception was caused by "apr_sockaddr_info_get(&sa, omconf->host, APR_INET, omconf->port, 0, pool)" at om_udp.c:279/om_udp_connect(); [om_udp.c:279/om_udp_connect()] apr_sockaddr_info failed for Myhost.mydomain.XX:12235; Det begärda namnet är giltigt men data för den begärda typen kunde inte hittas.
2017-11-27 08:02:40 DEBUG worker 2 processing event 0x27a5078
2017-11-27 08:02:40 DEBUG PROCESS_EVENT: DATA_AVAILABLE (eventlogOUT)
2017-11-27 08:02:40 DEBUG om_udp_write
2017-11-27 08:02:40 DEBUG module eventlogOUT is not running, not reading any more data
2017-11-27 08:02:40 DEBUG worker 2 waiting for new event
2017-11-27 08:02:40 DEBUG executing statements

My NXlog.conf looks like this:
## Nxlog.conf ##
## Created: 10/12/2017 15:21:54 ##

LogLevel DEBUG
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
Module xm_gelf
</Extension>

## Include plug-in directory ##
include %ROOT%\\conf\\add-on\\*.conf

And I have an include file for the eventlog that looks like this:
<Input eventlogIN>
Module im_msvistalog
</Input>

<Output eventlogOUT>
Module om_udp
Host myhost.mydomain.xx
Port 12235
OutputType GELF
</Output>

<Route eventlog>
Path eventlogIN => eventlogOUT
</Route>

Has anyone seen this before or got some ideas?

Asked November 27, 2017 - 8:58am
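The failure mode in the question is the one a defender should worry about most: the service still reports Running, so nothing obvious alerts, but the host has silently stopped shipping Windows event logs to the collector. The following is an added example, not part of the original post, of a PowerShell health check that combines the service state with a scan of the tail of nxlog.log for the error signatures seen in this thread. The log path comes from the poster's nxlog.conf (LogFile %ROOT%\data\nxlog.log); the service name `nxlog`, the 2000-line tail and the 15-minute window are assumptions.

```powershell
# Added example (not from the original post): detect the "Running but not
# sending" state described in the question.
# Assumptions: service name 'nxlog', a 2000-line tail and a 15-minute window.
$NxlogLog    = 'C:\Program Files (x86)\nxlog\data\nxlog.log'   # from the poster's nxlog.conf
$ServiceName = 'nxlog'
$TailLines   = 2000
$Window      = New-TimeSpan -Minutes 15

# Messages that appear in this thread when the om_udp output gives up.
$Signatures = @(
    'apr_sockaddr_info failed',
    'apr_socket_send failed',
    'is not running, not reading any more data'
)

function Test-NxlogOutputHealth {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        return [pscustomobject]@{ Healthy = $false; Reason = "service is $($svc.Status)"; Evidence = @() }
    }

    # Only read the tail: at LogLevel DEBUG this file grows quickly.
    $since = (Get-Date) - $Window
    $evidence = foreach ($line in (Get-Content -Path $NxlogLog -Tail $TailLines -ErrorAction Stop)) {
        # nxlog lines look like "2017-11-27 08:02:40 ERROR message"
        if ($line -notmatch '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$') { continue }
        $ts = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
        if ($ts -lt $since) { continue }
        foreach ($sig in $Signatures) {
            if ($Matches[3].Contains($sig)) { $line; break }
        }
    }

    if ($evidence) {
        return [pscustomobject]@{
            Healthy  = $false
            Reason   = "service is Running but output errors were logged in the last $($Window.TotalMinutes) minutes"
            Evidence = @($evidence)
        }
    }
    [pscustomobject]@{ Healthy = $true; Reason = 'no output errors in window'; Evidence = @() }
}

$result = Test-NxlogOutputHealth
$result | Format-List
# Non-zero exit code so a monitoring agent or scheduled task can act on the result.
if (-not $result.Healthy) { exit 1 }
```

Because the check only looks at the agent's own log, it is worth pairing it with a collector-side check (last event received per host) for the cases where nxlog logs nothing at all; the two together cover both ends of the silent gap.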

Comments (1)

  • mats

    I have done some further testing.

    First step. Replaced the FQDN of my target server with the IP address of the server.
    That removed the error message, but it still won't send the logs.

    Second step.
    Tested with putting the machine to sleep and then resuming.
    It will fail to send logs after resume 100% of the times I tested.
    Therefore I believe it's an issue with how the NXlog service handles suspend/resume.

    As an experiment I added a scheduled task that runs 30 seconds after Power-Troubleshooter logs event 1 (i.e. resumed from sleep/hibernation).
    My script is very simple:
    net stop nxlog
    net start nxlog

    I have only done a few tests but so far that seems to get nxlog to log after resume.
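The workaround in the comment above, registered with PowerShell instead of by hand in Task Scheduler, as an added example that is not the poster's script. It fires 30 seconds after Microsoft-Windows-Power-Troubleshooter event ID 1 in the System log and restarts the nxlog service. The task name, the service name `nxlog`, running as SYSTEM and the 30-second delay are assumptions taken from the comment; `Restart-Service -Force` stands in for the poster's `net stop`/`net start` pair.

```powershell
# Added example (not the poster's script): event-triggered restart of nxlog
# after resume. Assumptions: task name, service name 'nxlog', SYSTEM principal.
$TaskName    = 'Restart-NXLog-After-Resume'
$ServiceName = 'nxlog'

# Event query: Power-Troubleshooter event 1 ("the system has resumed") in the
# System log. Same XML that Event Viewer's "Attach task to this event" produces.
$Subscription = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter'] and EventID=1]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no event-trigger switch, so build the trigger
# from the Task Scheduler CIM class directly.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $Subscription
$trigger.Delay        = 'PT30S'   # ISO 8601 duration: the comment's 30-second wait for the network to return
$trigger.Enabled      = $true

# Restart-Service -Force stops and starts the service, like "net stop" + "net start".
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"Restart-Service -Name '$ServiceName' -Force`""

# Run as SYSTEM so no stored credentials are needed; bound the runtime so a
# hung restart cannot linger.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force

# Confirm registration.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Laptops that resume on battery are the common case for this bug, which is why the settings allow the task to start and keep running on battery. Treat the task as a stop-gap: the answer below says the om_udp reconnect problem is fixed in later releases, so the task can be removed with `Unregister-ScheduledTask` once the agent is upgraded.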

Answer (1)

This is a known issue with NXLog CE 2.9.1716 affecting om_udp as it does not reconnect on some error conditions.

This has been fixed in the NXLog EE and the next release of the NXLog CE will also contain the fix.

Comments (9)

  • AlienVault

    Hi,

    I'm actually running NXLog EE version 3.1.1903. Is the fix included in this release? I have plenty of entries like this that disappear when I restart the nxlog service:

    ERROR om_udp apr_socket_send failed;Connection refused

    Is this related with the bug you are talking about?

  • b0ti (NXLog)

    NXLog EE 3.1.1903 should be good with this.

    When om_udp detects an error such as Connection refused it will try to reconnect. In the case of UDP this is essentially the same as restarting the module and restarting the service so it sounds odd that the latter solves it.

  • AlienVault

    Then the patch is not working properly.

    We are running NXLog EE 3.1.1903, and we found that error in the logs and stopped receiving events. We have to restart the nxlog service manually, and once we do, events start coming through again.

  • tape

    Hello,

    Could you try the NXLog EE 3.2.1999 version? It is a fresher version. I tried om_udp with that version, and in every one of my test cases, om_udp reconnected.

    Peter