
Hi everyone!

You may be able to help me, thanks a lot. I hope you will be kind enough to help me now.

My NXLog clients don't collect Windows System logs. And now I often see in my logs this message:

2019-06-04 17:49:50 INFO nxlog-4.3.4308 started
2019-06-04 17:49:50 ERROR failed to subscribe to msvistalog events using bookmark: The interface is unknown.  
2019-06-04 17:49:50 ERROR failed to subscribe to msvistalog events using bookmark: The interface is unknown.  

       <QueryList>
         <Query Id='1'>         
           <Select Path='System'>*</Select>
         </Query>
       </QueryList>

       <QueryList>
         <Query Id='1'>
           <Select Path='Application'>*</Select>      
         </Query>
       </QueryList>
2019-06-04 17:49:50 ERROR failed to subscribe to msvistalog events [error code: 1717]; The interface is unknown.  

My config:

define ROOT         C:\nxlog
define NXLOGLOGFILE %ROOT%\data\nxlog.log
define CERTDIR      %ROOT%\cert

PersistLogqueue TRUE 
SyncLogqueue TRUE 
CacheFlushInterval 0 
CacheSync TRUE

<Input winapp>
    Module       im_msvistalog
    ReadFromLast TRUE
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $FileName = 'winapp.log';
    Exec $EventTime = $EventReceivedTime;
</Input>

<Input winsys>
    Module       im_msvistalog
    ReadFromLast TRUE
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $FileName = 'winsys.log';
    Exec $EventTime = $EventReceivedTime;
</Input>

<Output out>
    BufferSize  9500000
    Module      om_batchcompress
    Host        192.168.100.100
    Port        1514
    UseSSL      true 
    AllowUntrusted TRUE 
    CAFile      %CERTDIR%\cacert.pem 
    CertFile    %CERTDIR%\clientcert.pem 
    CertKeyFile %CERTDIR%\clientkey.pem 
</Output>

<Route client>
    Path   winapp, winsys => out
</Route>

After restarting the service, nothing new.

Any ideas, please!

Asked June 4, 2019 - 4:58pm

Answer (1)

The "The interface is unknown" error messages are normally caused by the underlying Event Log service not running or having errors (not being stable).
Suggested steps would be to restart the Windows Event Log service and then restart nxlog. I believe on some Windows versions, the service is just called Event Log.

Comments (2)

  • hatula

    Thank you, Zhengshi!

    But Windows Event Log is running and I have this problem on many nxlog clients.

    And what can you say about the ACL to the service? What ACL is required? Thanks!

  • Zhengshi (NXLog)

    I would make sure you can restart the Event Log without error and ensure that the user that NXLog is running as can read the Event Log resources.
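
The checks suggested in the answer and comments above, collected into one PowerShell session as an added example (not part of the original thread and not NXLog's own tooling). It assumes the NXLog service is registered under the name `nxlog` and takes the log path from the posted config.

```powershell
# Added diagnostic example; run in an elevated PowerShell on an affected client.
# Assumption: the NXLog Windows service is registered under the name 'nxlog'.
$nxlogService = 'nxlog'
$nxlogLog     = 'C:\nxlog\data\nxlog.log'   # %ROOT%\data\nxlog.log from the posted config

# 1. Is the Windows Event Log service (short name: EventLog) running?
Get-Service -Name EventLog | Format-List Name, DisplayName, Status

# 2. Which account does NXLog run as? That account must be able to read each channel.
$svc = Get-CimInstance Win32_Service -Filter "Name='$nxlogService'"
"NXLog runs as: $($svc.StartName)"

# 3. For each channel named in the <QueryXML> blocks: can it be read at all,
#    and what ACL (SDDL string) protects it?
foreach ($channel in 'Application', 'System') {
    try {
        # This read happens as the current (elevated) user, not as the NXLog account;
        # it only proves the channel itself is reachable.
        Get-WinEvent -LogName $channel -MaxEvents 1 -ErrorAction Stop |
            Select-Object LogName, TimeCreated, Id
    } catch {
        Write-Warning "Cannot read '$channel': $($_.Exception.Message)"
    }
    # channelAccess is the SDDL that decides who may read the channel;
    # compare it against the account printed in step 2.
    wevtutil.exe gl $channel | Select-String 'channelAccess'
}

# 4. Restart in the order suggested in the answer: Event Log first, then NXLog.
Stop-Service -Name $nxlogService
Restart-Service -Name EventLog -Force   # -Force: other services depend on EventLog
Start-Service -Name $nxlogService

# 5. Check NXLog's own log for the subscription error after the restart.
Get-Content $nxlogLog -Tail 20 | Select-String 'msvistalog|started'
```

If step 4 fails or the `msvistalog` errors reappear in step 5, the output of steps 1 to 3 shows whether the service state or the channel ACL is the part to look at next.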