2
responses

Hi,

It seems that nxlog does not send to the output all lines of a file which is monitored. Here is an example of what I want to send to my syslog server :

30,01/16/18,09:24:23,Requête de mise à jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
10,01/16/18,09:24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
32,01/16/18,09:24:23,Mise à jour DNS réussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
30,01/16/18,09:25:55,Requête de mise à jour DNS,192.168.31.68,volant3.enterprise.local,,,0,6,,,
10,01/16/18,09:25:55,Assigner,192.168.31.68,volant3.enterprise.local,5C514FDCA690,,2181532597,0,,,
32,01/16/18,09:25:55,Mise à jour DNS réussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,

And here is what I have received :

2018-01-16T09:24:23+01:00 DC 30,01/16/18,09: 24:23,Requ▒te de mise ▒ jour DNS,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:24:23+01:00 DC 10,01/16/18,09: 24:23,Assigner,192.168.31.66,volant2.enterprise.local,F01FAF2F23D7,,2412417530,0,,,
2018-01-16T09:24:23+01:00 DC 32,01/16/18,09: 24:23,Mise ▒ jour DNS r▒ussie,192.168.31.66,volant2.enterprise.local,,,0,6,,,
2018-01-16T09:25:55+01:00 DC 32,01/16/18,09: 25:55,Mise ▒ jour DNS r▒ussie,192.168.31.68,volant3.enterprise.local,,,0,6,,,

Here is my whole nxlog configuration

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

define DHCPDIR C:\Windows\Sysnative\dhcp

<Input inDhcp>
 Module im_file
 File '%DHCPDIR%\DhcpSrvLog-*.log'
 SavePos TRUE
 ReadFromLast TRUE
 PollInterval 1
 Exec $Message = $raw_event; $SyslogFacilityValue = 17;
</Input>

<Output outSyslogSrv>
    Module      om_udp
    Host        192.168.2.12
    Port        514
    Exec        to_syslog_bsd();
</Output>

<Route 1>
    Path        inDhcp => outSyslogSrv
</Route>

Did I miss something ?

Thanks

AskedJanuary 16, 2018 - 11:05am

Answer (1)

The cause most likely lies elsewhere , e.g. your syslog server may be dropping those. Before pointing fingers I suggest that you confirm what is happening first:

  • use wireshark and look at what's being sent in the udp packets.
  • replace om_udp with om_file and look into the file it writes. Anything present there would be sent via UDP the same way.

Comments (1)