
I set up NXLog on Windows 2008, Windows 2008 R2, Windows 2012 and Windows 2016.

On Windows 2008 and 2008 R2, NXLog has some issue with the connection to the syslog server, while 2012 and 2016 work perfectly fine.

> nxlog log file

```
2019-01-31 22:06:31 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-01-31 22:06:32 INFO connecting to <some loadbalancer IP>
2019-01-31 22:24:57 INFO reconnecting in 1 seconds
2019-01-31 22:24:58 INFO connecting to <some loadbalancer IP>:514
2019-01-31 22:41:51 INFO reconnecting in 1 seconds
2019-01-31 22:41:52 INFO connecting to <some loadbalancer IP>:514
2019-02-01 00:45:43 INFO reconnecting in 1 seconds
2019-02-01 00:45:44 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:00:56 INFO reconnecting in 1 seconds
2019-02-01 01:00:56 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-02-01 01:00:56 INFO reconnecting in 2 seconds
2019-02-01 01:00:57 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:19:06 WARNING received a system shutdown request
2019-02-01 01:19:06 WARNING stopping nxlog service
2019-02-01 01:19:06 WARNING nxlog-ce received a termination request signal, exiting...
2019-02-01 01:19:42 INFO nxlog-ce-2.10.2150 started
2019-02-01 01:19:42 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:20:09 INFO reconnecting in 1 seconds
2019-02-01 01:20:09 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-02-01 01:20:10 INFO connecting to <some loadbalancer IP>:514
2019-02-01 01:20:13 WARNING received a system shutdown request
2019-02-01 01:20:13 WARNING stopping nxlog service
2019-02-01 01:20:13 WARNING nxlog-ce received a termination request signal, exiting...
2019-02-01 01:20:47 INFO nxlog-ce-2.10.2150 started
2019-02-01 01:20:47 INFO connecting to <some loadbalancer IP>o:514
2019-02-01 02:03:05 INFO reconnecting in 1 seconds
2019-02-01 02:03:05 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-02-01 02:03:06 INFO connecting to <some loadbalancer IP>:514
```

> Configuration file

```
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogLevel INFO

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output tcp>
    Module om_tcp
    Host <Load Balancer IP>
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path eventlog => tcp
</Route>
```

What could be the issue?
Is there anything more to be added in 2008 and 2008R2?

Asked February 4, 2019 - 9:50pm

Answer (1)

`2019-01-31 22:06:31 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.`

It would appear that the load balancer is closing the connection.
The 2008+ versions all use im_msvistalog with no differences, and the binary for install is the same.
The om_tcp is the same as well. There should be no reason on the NXLog side that the connections would be viewed as different.
On the network side, do the servers take the same path to get to the syslog server? I would investigate why the load balancer is closing the connection and move from there.
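
As an added example (not part of the original answer, and not NXLog's own tooling), this Python script measures how long each connection in an nxlog.log excerpt stayed up before it was dropped, so the 2008 hosts can be compared with the 2012/2016 hosts or with the load balancer's own logs. The sample lines are constructed in the log format shown in the question, 10.0.0.10 stands in for the redacted load balancer address, and treating the gap between a "connecting to" line and the next "reconnecting" or "send failed" line as the connection lifetime is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the format of the nxlog.log excerpt above;
# 10.0.0.10 is a placeholder for the redacted load balancer address.
SAMPLE_LOG = """\
2019-01-31 22:06:32 INFO connecting to 10.0.0.10:514
2019-01-31 22:24:57 INFO reconnecting in 1 seconds
2019-01-31 22:24:58 INFO connecting to 10.0.0.10:514
2019-01-31 22:41:51 INFO reconnecting in 1 seconds
2019-01-31 22:41:52 INFO connecting to 10.0.0.10:514
2019-02-01 01:00:56 INFO reconnecting in 1 seconds
2019-02-01 01:00:56 ERROR om_tcp send failed; An existing connection was forcibly closed by the remote host.
2019-02-01 01:00:57 INFO connecting to 10.0.0.10:514
2019-02-01 01:19:06 WARNING stopping nxlog service
2019-02-01 01:19:42 INFO nxlog-ce-2.10.2150 started
2019-02-01 01:19:42 INFO connecting to 10.0.0.10:514
2019-02-01 01:20:09 INFO reconnecting in 1 seconds
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")
DROP = ("reconnecting in", "om_tcp send failed")
STOP = ("stopping nxlog service",)

def connection_lifetimes(log_text):
    """Return (connect_time, seconds_up, reason) for each connection that ended."""
    sessions, opened = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip().strip("`"))
        if not m:
            continue  # skip anything that is not a timestamped log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("connecting to"):
            opened = ts  # assumption: the connect attempt succeeded
        elif opened is not None and msg.startswith(DROP + STOP):
            reason = "dropped" if msg.startswith(DROP) else "service stop"
            sessions.append((opened, int((ts - opened).total_seconds()), reason))
            opened = None  # later lines for the same drop are ignored
    return sessions

def summarize(sessions):
    """Count drops and report the shortest and longest dropped connection."""
    drops = [sec for _, sec, why in sessions if why == "dropped"]
    return {"drops": len(drops), "shortest_s": min(drops, default=None),
            "longest_s": max(drops, default=None)}

if __name__ == "__main__":
    found = connection_lifetimes(SAMPLE_LOG)
    for start, sec, why in found:
        print(f"{start}  up {sec:>6}s  {why}")
    print(summarize(found))
```

Running the same function over the nxlog.log from a working 2012 or 2016 host gives a baseline to compare against.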
