Hi, when configuring nxlog-CE on a Server 2016, there are limitations for collecting all eventlog sources. After starting the nxlog service, I see the following information in the nxlog-logfile:

2017-12-12 18:18:38 INFO nxlog-ce-2.9.1716 started
2017-12-12 18:18:50 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.

here is my nxlog-configuration:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog

    Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFO') OR ($EventType == 'AUDIT_SUCCESS') drop();
    Exec if ($SourceName == 'Microsoft-Windows-KnownFolders' AND $EventID == 1002) drop();
</Input>

<Output out>
    Module      om_udp
    OutputType  GELF
    Host        our.graylog.server
    Port        1515
</Output>

<Route 1>
    Path        in => out
</Route>

We use the same configuration on our Windows Server 2012 / 2012 R2 systems without any issues.

Will there be a fix in a new edition? We don't want to filter the eventlog sources in the configuration.

Kind regards, Markus

Asked December 15, 2017 - 11:11am

Answers (2)

This is already solved in the NXLog Enterprise Edition as far as I know. It will be also fixed in the CE at some point but there is no ETA.

Comments (6)

  • micsnare

    Hi b0ti,

    is this already fixed in the current CE version? Is it worth upgrading or still only fixed in EE?

    EDIT: since you have already fixed it in the EE, can you please at least say what the root cause was for this problem?

    thanks,
    theresa

  • infosystir

    Just wondering if anyone else found a workaround for this issue. I've seen in a couple of nxlog changelogs that it was fixed, but the current CE is still broken for all versions above 2016

Hi,
Today I faced this issue.
I solved it this way, probably this is helping others too.

cheers
chris

#------------------------------------------------ nxlog.conf -----------------------------------------
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
Module xm_gelf
</Extension>

<Input in_app>
Module im_msvistalog
Query <QueryList><Query Id="0"><Select Path="Application">*</Select></Query></QueryList>
Exec $Hostname = hostname();
</Input>
<Input in_sys>
Module im_msvistalog
Query <QueryList><Query Id="0"><Select Path="System">*</Select></Query></QueryList>
Exec $Hostname = hostname();
</Input>
<Input in_sec>
Module im_msvistalog
Query <QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList>
Exec $Hostname = hostname();
</Input>

<Output out>
Module om_udp
Host syslog.domain.local
Port 2016
OutputType GELF
</Output>

<Route oute_app>
Path in_app => out
</Route>
<Route oute_sys>
Path in_sys => out
</Route>
<Route oute_sec>
Path in_sec => out
</Route>
# ------------------------------------------------------------------------------------------------------
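Added example, not code from this thread or from NXLog: the warning in Markus's question says a single im_msvistalog query cannot contain more than 256 sources, and chris's workaround gets around it by giving each channel its own Input. The script below generalises that idea: it takes a channel list, de-duplicates it, cuts it into groups of at most 256, emits one Input with a multi-Select QueryList per group, and routes all inputs to one GELF output, so the channel count per query stays under the limit without dropping any channel. The channel names are constructed for the demo (on a real host the list would come from `wevtutil el`), and the Graylog host is a placeholder. One defender's note on the question's config: the Exec that drops every AUDIT_SUCCESS event also discards successful logon events from the Security log, so the generated config leaves per-input filtering to the operator rather than baking that drop in.

```python
"""Added example: build an nxlog.conf whose im_msvistalog inputs each stay
under the 256-sources-per-query limit reported by nxlog-ce on Server 2016.
Channel names are constructed; the output host is a placeholder."""
from xml.sax.saxutils import quoteattr

MAX_SOURCES_PER_QUERY = 256  # the limit quoted in the nxlog warning

# Same global section as the configs in the thread.
HEADER = r"""define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>
"""


def split_channels(channels, max_per_query=MAX_SOURCES_PER_QUERY):
    """De-duplicate (order preserved) and cut into groups that fit one query."""
    if max_per_query < 1:
        raise ValueError("max_per_query must be positive")
    unique = list(dict.fromkeys(c.strip() for c in channels if c.strip()))
    return [unique[i:i + max_per_query]
            for i in range(0, len(unique), max_per_query)]


def query_list(channels):
    """One XPath QueryList with a <Select> per channel; names are XML-escaped."""
    selects = "".join(f"<Select Path={quoteattr(c)}>*</Select>" for c in channels)
    return f'<QueryList><Query Id="0">{selects}</Query></QueryList>'


def input_block(name, channels):
    """An im_msvistalog Input in the same shape as chris's per-channel inputs."""
    return (f"<Input {name}>\n"
            f"    Module      im_msvistalog\n"
            f"    Query       {query_list(channels)}\n"
            f"    Exec        $Hostname = hostname();\n"
            f"</Input>\n")


def build_config(channels, host, port, max_per_query=MAX_SOURCES_PER_QUERY):
    """Full nxlog.conf: header, one Input per group, one GELF output, one route."""
    groups = split_channels(channels, max_per_query)
    names = [f"in_{i}" for i in range(len(groups))]
    parts = [HEADER]
    parts += [input_block(n, g) for n, g in zip(names, groups)]
    parts.append(f"<Output out>\n    Module      om_udp\n    OutputType  GELF\n"
                 f"    Host        {host}\n    Port        {port}\n</Output>\n")
    # nxlog accepts several comma-separated inputs on one Route path.
    parts.append(f"<Route 1>\n    Path        {', '.join(names)} => out\n</Route>\n")
    return "\n".join(parts)


def max_sources_in_any_query(config):
    """Sanity check on a generated config: largest <Select> count on a Query line."""
    return max((line.count("<Select ") for line in config.splitlines()
                if "<QueryList>" in line), default=0)


# Constructed sample: the three classic logs plus 600 made-up Operational channels.
SAMPLE_CHANNELS = ["Application", "Security", "System"] + [
    f"Vendor-Sample-{i:03d}/Operational" for i in range(600)]

if __name__ == "__main__":
    # Placeholder host; 12201 is the GELF default UDP port.
    print(build_config(SAMPLE_CHANNELS, "graylog.example.invalid", 12201))
```

Running it prints a config with three inputs (256, 256 and 91 channels) feeding one output. Feed it the real channel list from `wevtutil el` and review the generated Inputs before adding any drop() filters per input.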
