4 responses

Hello,

I'm trying to use the log rotation functionality of nxlog, but when nxlog tries to rotate I get the following error message:

Error failed to rename file from C:\Users\me\Desktop\pfirewall.log to C:\Users\me\Desktop\pfirewall.log.1: The process cannot access the file because it is being used by another process.

Is there any way to get around this?
---------------------------------------------------

Here is my nxlog.conf

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Path of the Windows Firewall log that is tailed and rotated below
define FWLOG C:\Users\me\Desktop\pfirewall.log

<Extension _syslog>
    Module xm_syslog
</Extension>

# Provides file_size() and file_cycle() used in the Schedule block
<Extension fileop>
    Module xm_fileop
</Extension>

# Tail the firewall log line by line, remembering the read position across restarts
<Input FWLOG>
    Module    im_file
    File      '%FWLOG%'
    InputType LineBased
    SavePos   TRUE
</Input>

# Note: this output writes to the same path that the input above reads from
<Output OUT>
    Module om_file
    File   '%FWLOG%'

    # Every 10 seconds: once the file reaches 1 KB, rename it to .1 (keeping 10
    # generations) and reopen the output. The rename is what fails in the error above.
    <Schedule>
        Every 10 sec
        Exec if (file_size('%FWLOG%') >= 1K) \
             { \
                 file_cycle('%FWLOG%', 10); \
                 OUT->reopen(); \
             }
    </Schedule>
</Output>

<Route 1>
    Path FWLOG => OUT
</Route>

Asked July 23, 2018 - 4:20am

Answers (2)

This is most likely caused by the source application (Windows Firewall) keeping the file open with an exclusive lock.

Comments (2)

  • EL_GA

    Thank you for your response. Is there any way to get around that with nxlog?

    As a workaround I was thinking about using nxlog to copy the current data over, then truncate the original log. I haven't tested it yet so I'm not sure if I'll be able to call truncate on the file while it's locked. Any suggestions?

  • b0ti (NXLog)

    You could try stopping/starting the firewall service using the exec() call provided by xm_exec or if there are any other commands that could force it to release the log file. Not sure if this is a good idea to do this with the firewall service though.
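A safer variant of the copy-then-rotate idea raised in the comments, as an added example that is not part of the thread or of NXLog's own documentation: leave pfirewall.log untouched (it is the file Windows Firewall holds open, so any rename or truncate of it will keep failing) and instead let NXLog write everything it reads into a file it owns, then rotate that copy with file_cycle() and reopen(). The ROOT, FWLOG and COPY paths and the 1M threshold are assumptions to adjust.

```nxlog
define ROOT  C:\Program Files (x86)\nxlog
define FWLOG C:\Users\me\Desktop\pfirewall.log
# Assumed: a path under NXLog's own data directory, so rotation never
# touches the file that the firewall service keeps locked
define COPY  %ROOT%\data\pfirewall-copy.log

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension fileop>
    Module xm_fileop
</Extension>

# Read only. No file_cycle() on %FWLOG%: renaming it is exactly the
# operation that fails with "being used by another process".
<Input fwlog>
    Module    im_file
    File      '%FWLOG%'
    InputType LineBased
    SavePos   TRUE
</Input>

# Write to a file NXLog owns and rotate that one instead.
<Output copy>
    Module om_file
    File   '%COPY%'
    <Schedule>
        Every 10 sec
        Exec if (file_size('%COPY%') >= 1M) \
             { \
                 file_cycle('%COPY%', 10); \
                 copy->reopen(); \
             }
    </Schedule>
</Output>

<Route fw>
    Path fwlog => copy
</Route>
```

The firewall log itself still grows, but its size is capped by the size limit in the Windows Firewall logging settings (the firewall keeps one previous generation as pfirewall.log.old), and im_file picks up the fresh file after that rollover because it tracks the file rather than the position alone. This avoids restarting the firewall service just to release a file handle.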

Not sure about the level of details logged by the Windows Firewall through the Event Tracing for Windows facility but you might want to take a look at capturing log data this way using im_etw.
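An added example of the im_etw route suggested above, not taken from the thread or from NXLog's documentation: subscribing to the firewall's ETW provider means no file held open by the service is ever read or renamed. im_etw is part of NXLog Enterprise Edition; the provider name is an assumption to confirm on the host with `logman query providers | findstr /i firewall`, and the ROOT path and output file name are placeholders.

```nxlog
# Assumed install path; adjust to the host
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

# Subscribe to the firewall's ETW provider directly instead of tailing
# pfirewall.log. Provider name is an assumption: verify it with
#   logman query providers | findstr /i firewall
<Input fw_etw>
    Module   im_etw
    Provider 'Microsoft-Windows-Windows Firewall With Advanced Security'
</Input>

# Serialize each event's fields as one JSON record per line
<Output fw_json>
    Module om_file
    File   '%ROOT%\data\firewall-etw.json'
    Exec   to_json();
</Output>

<Route etw>
    Path fw_etw => fw_json
</Route>
```

Because the output file here belongs to NXLog, the same file_cycle()/reopen() Schedule block from the question can be attached to fw_json without hitting the lock, and the event fields arrive already parsed rather than as the space-separated pfirewall.log lines.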