Good day everyone!

I am starting to use NXLog CE in my environment and am having a few Windows devices not reporting to my Observium server. I have the same .conf deployed across all Windows devices. I am attempting to pattern-hunt what could be different, but being enterprise devices they are not configured much differently. I have a local debug file running and I am seeing events being written on all devices.

I know this is not much detail but I would appreciate any suggestions of places to look.

Thank you in advance,

Scott

Asked October 23, 2019 - 3:08am

Comments (1)

  • sconnary32

    Here is my .conf:

    ## Set the ROOT to the folder your nxlog was installed into,
    ## otherwise it won't start.
    ## Change for your own system if necessary
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    Define LOGOUT %ROOT%\data\nxlog_output.log

    ## Extension to format the message in JSON format
    <Extension json>
        Module  xm_json
    </Extension>

    ## Extension to format the message in syslog format
    <Extension syslog>
        Module  xm_syslog
    </Extension>

    <Extension fileop>
        Module  xm_fileop

        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every   1 hour
            Exec    if (file_exists('%ROOT%\data\nxlog_output.log') and \
                       (file_size('%ROOT%\data\nxlog_output.log') >= 5M)) \
                        file_cycle('%ROOT%\data\nxlog_output.log', 8);
        </Schedule>

        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When    @weekly
            Exec    if file_exists('%ROOT%\data\nxlog_output.log') file_cycle('%ROOT%\data\nxlog_output.log', 8);
        </Schedule>
    </Extension>

    ########## INPUTS ###########
    ## Input for Windows event logs
    <Input in>
        # Use 'im_mseventlog' for Windows XP, 2000 and 2003
        Module  im_msvistalog
        # Collect only the Application, System and Security logs
        Query   <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    </Input>

    ############ OUTPUTS ##############
    ## UDP output module (plain syslog over UDP to port 514)
    <Output out>
        Module      om_udp
        Host        x.x.x.x
        Port        514
        # Flatten multi-line messages first, so the replacements end up
        # in the syslog line that to_syslog_ietf() builds into $raw_event
        Exec        $Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); $Message = replace($Message, "\r", " ");
        Exec        to_syslog_ietf();
        # Keep a local copy of every line exactly as sent, for debugging
        Exec        file_write('%ROOT%\data\nxlog_output.log', $raw_event);
    </Output>

    ############ ROUTES TO CHOOSE #####
    <Route 1>
        Path        in => out
    </Route>

Answer (1)

UDP is unreliable. If you are seeing data in nxlog_output.log then you need to look elsewhere and investigate why the UDP packets sent by those clients are not reaching your server.
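One way to follow the answer's advice is to compare what left each client (its nxlog_output.log) with what a listener on the server side actually received. The script below is an added example, not code from this thread or from NXLog: it parses RFC 5424 lines of the shape to_syslog_ietf() emits, lists the hosts that show up in a capture, diffs that against a host inventory, and flags messages whose UDP payload would exceed a single unfragmented datagram (fragmented syslog is a common reason for silent loss; the 1472-byte limit is an assumption based on a 1500-byte Ethernet MTU). The inventory, the sample capture lines and the parse of a Windows event message are all constructed for the example.

```python
"""Added example (not from the forum thread): check a server-side capture of
NXLog to_syslog_ietf() output for hosts that never report and for datagrams
too large to travel safely over UDP."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# RFC 5424 header as produced by to_syslog_ietf():
#   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) "
    r"(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$",
    re.DOTALL,
)

# Assumption: a 1500-byte Ethernet MTU leaves about 1472 bytes for the UDP
# payload; larger datagrams are fragmented, and fragments are often dropped by
# firewalls or never reassembled, so such messages vanish without a trace.
UDP_SAFE_PAYLOAD = 1472


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    host: str
    app: str
    msgid: str
    length: int  # encoded size of the whole line, i.e. the UDP payload


def parse_rfc5424(line: str) -> Optional[SyslogRecord]:
    """Parse one RFC 5424 line; return None for anything that is not one."""
    line = line.rstrip("\r\n")
    m = _HEADER.match(line)
    if m is None or m.group("version") != "1":
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give at most 23*8+7
        return None
    return SyslogRecord(
        facility=pri // 8,
        severity=pri % 8,
        host=m.group("host"),
        app=m.group("app"),
        msgid=m.group("msgid"),
        length=len(line.encode("utf-8")),
    )


def parse_capture(lines: Iterable[str]) -> List[SyslogRecord]:
    """Parse a capture, skipping lines that are not RFC 5424 (e.g. BSD syslog)."""
    records = []
    for line in lines:
        rec = parse_rfc5424(line)
        if rec is not None:
            records.append(rec)
    return records


def reporting_hosts(lines: Iterable[str]) -> Set[str]:
    """Hostnames that appear at least once in the capture."""
    return {rec.host for rec in parse_capture(lines)}


def missing_hosts(expected: Set[str], lines: Iterable[str]) -> Set[str]:
    """Hosts from the deployment inventory that never showed up on the server."""
    return set(expected) - reporting_hosts(lines)


def oversized(lines: Iterable[str], limit: int = UDP_SAFE_PAYLOAD) -> List[SyslogRecord]:
    """Messages whose UDP payload would exceed the unfragmented limit."""
    return [rec for rec in parse_capture(lines) if rec.length > limit]


# Constructed sample data (not real logs): an inventory of three Windows hosts
# and what a listener on the Observium side received from two of them.
EXPECTED_HOSTS = {"WIN-A", "WIN-B", "WIN-C"}
SAMPLE_CAPTURE = [
    '<14>1 2019-10-23T03:08:00.000000-05:00 WIN-A Microsoft-Windows-Security-Auditing - 4624 '
    '[NXLOG@14506 EventID="4624" Channel="Security"] An account was successfully logged on.',
    '<13>1 2019-10-23T03:08:01.000000-05:00 WIN-A Microsoft-Windows-Kernel-General - 12 '
    '[NXLOG@14506 EventID="12" Channel="System"] The operating system started.',
    '<14>1 2019-10-23T03:08:02.000000-05:00 WIN-B Microsoft-Windows-Security-Auditing - 4688 '
    '[NXLOG@14506 EventID="4688" Channel="Security"] A new process has been created. ' + "x" * 1500,
    "Oct 23 03:08:03 WIN-A legacy BSD-format line that the parser must ignore",
]

if __name__ == "__main__":
    print("reporting:", sorted(reporting_hosts(SAMPLE_CAPTURE)))
    print("missing:  ", sorted(missing_hosts(EXPECTED_HOSTS, SAMPLE_CAPTURE)))
    for rec in oversized(SAMPLE_CAPTURE):
        print(f"oversized: {rec.host} {rec.app} msgid={rec.msgid} {rec.length} bytes")
```

Run the same functions over each client's nxlog_output.log and over the server-side capture: a host present in its own output file but absent from the server is losing datagrams in transit, and any line the oversized check flags is a candidate for fragmentation loss rather than a client-side problem.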
