Has anyone successfully configured the new Event Tracing for Windows (ETW) input module in nxlog 4.0 to collect Windows DNSServer events? I configured it in nxlog, but the output file doesn't show most of the DNS queries being made. When I look at the nxlog output and compare it with a trace session in Event Viewer, Event Viewer shows all of the events, but nxlog is missing almost all of them. There are a few entries in the nxlog file, but not many. I can't seem to reproduce the scenario that causes them to be included in the nxlog output file.

Info on setup:
Server 2016 Datacenter, v1607
nxlog 4.0.3735-x64

Related nxlog config:

<Input winetw>
    Module      im_etw
    Provider    Microsoft-Windows-DNSServer
</Input>

<Output file>
    Module      om_file
    File        'C:\Windows\Logs\nxlog\test.txt'
</Output>

<Route messages_to_file>
    Path        winetw => file
</Route>

Asked July 18, 2018 - 10:59pm
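One way to check exactly which DNSServer events reach the om_file output, so the file can be compared with what the Event Viewer trace session shows, as an added example that is not part of the original post or of nxlog itself. It assumes the Input block also carries `Exec to_json();` (with the xm_json extension loaded) so that each output line is one JSON event; the sample lines, DNS field names and event IDs below are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of nxlog om_file output (not taken from the original post).
# ProviderName and EventID are im_etw fields; the QNAME values and event IDs
# are sample data, and one deliberately malformed line is included.
SAMPLE_OUTPUT = "\n".join([
    '{"EventTime":"2018-07-18 22:59:01","ProviderName":"Microsoft-Windows-DNSServer","EventID":256,"QNAME":"www.example.com."}',
    '{"EventTime":"2018-07-18 22:59:01","ProviderName":"Microsoft-Windows-DNSServer","EventID":257,"QNAME":"www.example.com."}',
    '{"EventTime":"2018-07-18 22:59:05","ProviderName":"Microsoft-Windows-DNSServer","EventID":256,"QNAME":"mail.example.com."}',
    'this line is not JSON and is counted as malformed',
    '{"EventTime":"2018-07-18 22:59:09","ProviderName":"Microsoft-Windows-DNSServer","EventID":257,"QNAME":"mail.example.com."}',
])


def tally_events(text):
    """Count events per (ProviderName, EventID); also count lines that are not valid JSON events."""
    counts = Counter()
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            key = (event["ProviderName"], int(event["EventID"]))
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        counts[key] += 1
    return counts, malformed


def missing_event_ids(counts, provider, expected_ids):
    """Event IDs seen in the Event Viewer trace session but absent from the nxlog file."""
    seen = {event_id for (prov, event_id) in counts if prov == provider}
    return sorted(set(expected_ids) - seen)


if __name__ == "__main__":
    counts, bad = tally_events(SAMPLE_OUTPUT)
    for (prov, event_id), n in sorted(counts.items()):
        print(f"{prov} EventID {event_id}: {n}")
    print("malformed lines:", bad)
    # expected_ids would be the IDs observed in the Event Viewer trace session
    print("missing:", missing_event_ids(counts, "Microsoft-Windows-DNSServer", [256, 257, 258, 260]))
```

Run it against the real test.txt by replacing SAMPLE_OUTPUT with the file contents; a large gap between the expected list and the tallied IDs points at the capture side rather than at the output file.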

Comments (2)

  • bcid:

    Hi Zhengshi,

    Yes, those instructions were what I used to configure the logging. I will see if I can find out if it is a certain event number or not.

Answers (2)

In our testing, im_etw was able to capture around 20,000 EPS.

It's possible that the trace session from Event Viewer interferes with im_etw. Have you tried disabling this?

Comments (1)

  • bcid:

    I only enabled the trace session from Event Viewer after I noticed that I wasn't getting many logs with nxlog. The server that this is running on is a low utilization server, so I don't think it is an EPS issue. I will remove the configuration and re-configure it to see if anything changes.

I am not sure what the final solution to this was, but it appears to be working now. I did three things:
1. Disabled the ETW log and then re-enabled it
2. Moved the output file to a different folder (out of the C:\Windows\ folder)
3. Restarted the nxlog service

Thanks for the help and the great product - this is a really cool feature!
