Hi, when configuring nxlog-CE on a Server 2016, there are limitations for collecting all eventlog sources. After starting the nxlog service, I see the following information in the nxlog-logfile:
2017-12-12 18:18:38 INFO nxlog-ce-2.9.1716 started
2017-12-12 18:18:50 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.
here is my nxlog-configuration:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFO') OR ($EventType == 'AUDIT_SUCCESS') drop();
Exec if ($SourceName == 'Microsoft-Windows-KnownFolders' AND $EventID == 1002) drop();
</Input>
<Output out>
Module om_udp
OutputType GELF
Host our.graylog.server
Port 1515
</Output>
<Route 1>
Path in => out
</Route>
We use the same configuration on our Windows Server 2012 / 2012 R2 systems without any issues.
Will there be a fix in a new edition? We don't want to filter the eventlog sources in the configuration.
Kind regards, Markus
Comments (6)
Thanks for the information, so we need to wait for the release of the new CE version
Hello,
This problem continues. When will the new version come out?
Thanks.
New CE version 2.10.2102 has been released and the warning messages still appear.
I have this problem too and it is still not solved...
Hi b0ti,
is this already fixed in the current CE version? Is it worth upgrading or still only fixed in EE?
EDIT: since you have already fixed it in the EE, can you please at least say what the root cause was for this problem?
thanks,
theresa
Just wondering if anyone else found a workaround for this issue. I've seen in a couple of nxlog changelogs that it was fixed, but the current CE is still broken for all versions above 2016.
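One way to check how many channels a host exposes and to stay under the limit named in the warning, as an added example that is neither from this thread nor from nxlog: a PowerShell script that enumerates the enabled channels and emits one im_msvistalog Input block per group of at most 256 channels, each with an explicit XML Query, plus the matching Route. It assumes the 256-source limit applies per query (one subscription per Input), and reuses the Exec filter from the original post; the Input names in1, in2, ... are chosen here.

```powershell
# Added example (not the thread's or nxlog's own code): split the enabled
# Windows event log channels into groups of at most 256 and emit one
# im_msvistalog <Input> with an explicit Query per group. Assumption: the
# "256 sources" limit is per query, so several smaller queries stay under it.
$MaxSources = 256

# Enabled channels only; Debug/Analytical logs cannot be subscribed to.
$channels = @(Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.LogType -notin 'Debug', 'Analytical' } |
    Select-Object -ExpandProperty LogName)

# First output line is an nxlog comment reporting the count (the check).
"# $($channels.Count) enabled channels on $env:COMPUTERNAME, limit per query: $MaxSources"

$inputs = @()
for ($i = 0; $i -lt $channels.Count; $i += $MaxSources) {
    $name = "in$([int]($i / $MaxSources) + 1)"   # in1, in2, ... (chosen names)
    $inputs += $name
    $end = [Math]::Min($i + $MaxSources, $channels.Count) - 1
    # One <Select> per channel; escape &, < and > for the XML attribute value.
    # Every line of a multi-line nxlog directive except the last ends with '\'.
    $selects = ($channels[$i..$end] | ForEach-Object {
        $p = [System.Security.SecurityElement]::Escape($_)
        "            <Select Path=`"$p`">*</Select>\"
    }) -join "`n"
    @"
<Input $name>
    Module im_msvistalog
    Query <QueryList>\
          <Query Id="0">\
$selects
          </Query>\
          </QueryList>
    Exec if (`$EventType == 'VERBOSE') OR (`$EventType == 'INFO') OR (`$EventType == 'AUDIT_SUCCESS') drop();
</Input>

"@
}

# Route every generated Input to the existing om_udp output named "out".
@"
<Route 1>
    Path $($inputs -join ', ') => out
</Route>
"@
```

Run it on the affected host and redirect the output into a file that nxlog.conf includes in place of the single Input block; if the reported channel count is 256 or lower, the warning has a different cause.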