Hi all,
searching on internet I found that by defaukt nxlog has a buffer of 65000 bytes,
but it seems it's not working in my environment.

I'm using nxlog CE 2.10 (in a Windows 2012 environment) and Graylog 2.5.1
In my nxlog conf file I have 2 inputs (im_msvistalog, im_file) and 1 output (om_udp).
I tried to stop the input in Graylog and start it after 1 hour, but logs collected by event viewer during that our were not sent to Graylog.

How can I configure nxlog in order to keep logs in memory while Graylog is offline and send them when Graylog comes back online?

Thank you,

AskedJuly 4, 2019 - 6:12pm

Answer (1)

could you please let me know?

Thank you,

Comments (2)

  • Zhengshi's picture


    I think it may be useful to read through the buffering section of the EE manual. CE has the concept of FlowControl and Buffering (pm_buffer), just like EE.
    The 65,000 buffer that you have read online is likely about pm_buffer. If you do not manually setup buffering, then you would be using FlowControl which is a built-in mini buffer of sorts that uses a LogQueue to store 100 events by default. NXLog keeps track of EventLog and File location data so in a situation like you are describing, we should pause the events if we know that the upstream connection is not available. This is only the case in connection oriented methods like TCP where we can be relatively certain on the connection status.
    With UDP, it is kind of a "fire and forget" method. There is no persistent connection.
    With your setup, it is likely that we processed the events and shipped them out to UDP while the Graylog connection was down. You can test this by adding another Output like om_file to see the events. I think if you are wanting to ensure message delivery, you should use TCP instead.