
Hi!

I have an issue with NXLog CE 2.10.2102. I noticed that NXLog sends the same log many times on some PCs. This happens when the PC reboots. I found that the file "configcache.dat" is not always overwritten.

How can I avoid this issue?

Here is part of my conf:

<Processor in_win_eventlog_buffer_disk>
    Module      pm_buffer
    # Disk-backed buffer; MaxSize and WarnLimit are given in kilobytes
    MaxSize     61440
    Type        Disk
    WarnLimit   49152
</Processor>

<Input in_win_eventlog>
    Module      im_msvistalog
    # Persist the last read position so reading resumes from it after a restart
    SavePos     TRUE
    Query  \
      <QueryList> \
        <Query Id="0"> \
          <Select Path="Security">*</Select> \
          <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
          <Select Path="Microsoft-Windows-PrintService/Operational">*</Select> \
        </Query> \
      </QueryList>
    <Exec>
        # Drop Windows Filtering Platform events and process creation/exit events
        if $EventID >= 5151 and $EventID <= 5159 drop();
        if $EventID == 4688 or $EventID == 4689 drop();

        # Tag each event with a data source name based on its channel
        if ($Channel == 'Security') $_ds = 'win-security';
        else if ($Channel == 'Microsoft-Windows-Sysmon/Operational') {
            $_ds = 'win-sysmon';
            delete($UserID);
            delete($AccountName);
        }
        else {
            $_ds = 'win-customapps';
            delete($UserID);
            delete($AccountName);
        }

        $_fmt = 'json';
        $_conv_to_json = TRUE;
    </Exec>
</Input>

<Route r_win_eventlog>
    Path        in_win_eventlog => in_win_eventlog_buffer_disk => out_logs_pref
</Route>
Asked November 2, 2018 - 9:32am

Answer (1)