Here are the error messages:
2019-10-30 11:38:17 INFO nxlog-ce-2.10.2150 started
2019-10-30 11:38:22 WARNING stopping nxlog service
2019-10-30 11:38:22 WARNING nxlog-ce received a termination request signal, exiting...
Conf file:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _gelf>
Module xm_gelf
</Extension>
<Input in>
Module im_msvistalog
ReadFromLast TRUE
# For windows 2003 and earlier use the following:
# Module im_mseventlog
Query <QueryList> \
<Query Id="0"> \
<Select Path="Application">*</Select> \
<Select Path="System">*</Select> \
<Select Path="Security">*</Select> \
</Query> \
</QueryList>
</Input>
<Output Graylog>
Module om_udp
Host secret
Port secret
OutputType GELF_UDP
</Output>
<Route 1>
Path in => Graylog
</Route>
Comments (8)
Hi Shawn!
Would you mind pasting the most recent content of nxlog.log?
Apologies, I mean after you have changed verbosity level in logs.
LogLevel DEBUG
Hi, thank you for the help.
I cannot paste the recent logs after adding DEBUG because it outputted a large amount of logs.
2019-11-01 10:43:20 DEBUG worker 0 processing event 0x3e838
2019-11-01 10:43:20 DEBUG evaluating expression 'field' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: MODULE_RESUME (in)
2019-11-01 10:43:20 DEBUG RESUME: in
2019-11-01 10:43:20 DEBUG not resuming stopped module in
2019-11-01 10:43:20 DEBUG worker 0 waiting for new event
2019-11-01 10:43:20 DEBUG om_udp sent 934 bytes
2019-11-01 10:43:20 DEBUG before nx_logqueue_pop, size: 2
2019-11-01 10:43:20 DEBUG Graylog get_next_logdata: got (queuesize: 0)
2019-11-01 10:43:20 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (Graylog)
2019-11-01 10:43:20 DEBUG nx_event_to_jobqueue: MODULE_RESUME (in)
2019-11-01 10:43:20 DEBUG event added to jobqueue
2019-11-01 10:43:20 DEBUG executing statements
2019-11-01 10:43:20 DEBUG worker 2 got signal for new job
2019-11-01 10:43:20 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
2019-11-01 10:43:20 DEBUG worker 2 processing event 0x3e8e0
2019-11-01 10:43:20 DEBUG evaluating expression 'field' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: MODULE_RESUME (in)
2019-11-01 10:43:20 DEBUG RESUME: in
2019-11-01 10:43:20 DEBUG not resuming stopped module in
2019-11-01 10:43:20 DEBUG worker 2 waiting for new event
2019-11-01 10:43:20 DEBUG om_udp sent 815 bytes
2019-11-01 10:43:20 DEBUG before nx_logqueue_pop, size: 1
2019-11-01 10:43:20 DEBUG Graylog get_next_logdata: got NULL (queuesize: 0)
2019-11-01 10:43:20 DEBUG nx_event_to_jobqueue: MODULE_RESUME (in)
2019-11-01 10:43:20 DEBUG event added to jobqueue
2019-11-01 10:43:20 DEBUG worker 0 got signal for new job
2019-11-01 10:43:20 DEBUG worker 0 processing event 0x3ed78
2019-11-01 10:43:20 DEBUG worker 1 processing event 0x3de60
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: MODULE_RESUME (in)
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: DATA_AVAILABLE (Graylog)
2019-11-01 10:43:20 DEBUG RESUME: in
2019-11-01 10:43:20 DEBUG om_udp_write
2019-11-01 10:43:20 DEBUG not resuming stopped module in
2019-11-01 10:43:20 DEBUG Graylog get_next_logdata: got NULL (queuesize: 0)
2019-11-01 10:43:20 DEBUG worker 0 waiting for new event
2019-11-01 10:43:20 DEBUG nx_event_to_jobqueue: MODULE_RESUME (in)
2019-11-01 10:43:20 DEBUG event added to jobqueue
2019-11-01 10:43:20 DEBUG worker 2 got signal for new job
2019-11-01 10:43:20 DEBUG worker 2 processing event 0x3eb80
2019-11-01 10:43:20 DEBUG worker 1 processing event 0x3e8a8
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: MODULE_RESUME (in)
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: MODULE_STOP (Graylog)
2019-11-01 10:43:20 DEBUG RESUME: in
2019-11-01 10:43:20 DEBUG STOP: Graylog
2019-11-01 10:43:20 DEBUG not resuming stopped module in
2019-11-01 10:43:20 DEBUG worker 2 waiting for new event
2019-11-01 10:43:20 DEBUG worker 1 processing event 0x3ec60
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: DATA_AVAILABLE (Graylog)
2019-11-01 10:43:20 DEBUG om_udp_write
2019-11-01 10:43:20 DEBUG module Graylog is not running, not reading any more data
2019-11-01 10:43:20 DEBUG worker 1 waiting for new event
2019-11-01 10:43:20 DEBUG no events or no future events, event thread sleeping in condwait
2019-11-01 10:43:20 DEBUG stopping EXTENSION modules
2019-11-01 10:43:20 DEBUG stopping module _gelf
2019-11-01 10:43:20 DEBUG nx_event_to_jobqueue: MODULE_STOP (_gelf)
2019-11-01 10:43:20 DEBUG event added to jobqueue
2019-11-01 10:43:20 DEBUG worker 0 got signal for new job
2019-11-01 10:43:20 DEBUG worker 0 processing event 0x3eb80
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: MODULE_STOP (_gelf)
2019-11-01 10:43:20 DEBUG STOP: _gelf
2019-11-01 10:43:20 DEBUG worker 0 waiting for new event
2019-11-01 10:43:20 DEBUG no events or no future events, event thread sleeping in condwait
2019-11-01 10:43:20 DEBUG no events or no future events, event thread sleeping in condwait
2019-11-01 10:43:20 DEBUG stopping module fileop
2019-11-01 10:43:20 DEBUG nx_event_to_jobqueue: MODULE_STOP (fileop)
2019-11-01 10:43:20 DEBUG event added to jobqueue
2019-11-01 10:43:20 DEBUG worker 2 got signal for new job
2019-11-01 10:43:20 DEBUG worker 2 processing event 0x3ede8
2019-11-01 10:43:20 DEBUG PROCESS_EVENT: MODULE_STOP (fileop)
2019-11-01 10:43:20 DEBUG STOP: fileop
2019-11-01 10:43:20 DEBUG worker 2 waiting for new event
2019-11-01 10:43:20 DEBUG no events or no future events, event thread sleeping in condwait
2019-11-01 10:43:20 DEBUG no events or no future events, event thread sleeping in condwait
2019-11-01 10:43:20 DEBUG worker 2 got signal for new job
2019-11-01 10:43:20 DEBUG worker 2 got no event to process
2019-11-01 10:43:20 DEBUG event_thread still running, waiting for threads to exit
2019-11-01 10:43:20 DEBUG worker 0 got signal for new job
2019-11-01 10:43:20 DEBUG worker 0 got no event to process
2019-11-01 10:43:20 DEBUG worker 1 got signal for new job
2019-11-01 10:43:20 DEBUG worker 1 got no event to process
2019-11-01 10:43:20 DEBUG worker thread 2 exiting
2019-11-01 10:43:20 DEBUG worker thread 0 exiting
2019-11-01 10:43:20 DEBUG worker thread 1 exiting
2019-11-01 10:43:20 DEBUG data_available() == FALSE, processing finished
2019-11-01 10:43:20 DEBUG event thread exiting
2019-11-01 10:43:21 DEBUG shutdown_modules: INPUT
2019-11-01 10:43:21 DEBUG SHUTDOWN: in
2019-11-01 10:43:21 DEBUG shutdown_modules: PROCESSOR
2019-11-01 10:43:21 DEBUG shutdown_modules: OUTPUT
2019-11-01 10:43:21 DEBUG SHUTDOWN: Graylog
2019-11-01 10:43:21 DEBUG shutdown_modules: EXTENSION
2019-11-01 10:43:21 DEBUG SHUTDOWN: _gelf
2019-11-01 10:43:21 DEBUG SHUTDOWN: fileop
2019-11-01 10:43:21 DEBUG nx_config_cache_write()
2019-11-01 10:43:21 DEBUG config cache written to C:\Program Files (x86)\nxlog\data\configcache.dat
2019-11-01 10:43:21 DEBUG nxlog_shutdown() leave
2019-11-01 10:43:21 DEBUG service stopped
This is probably only a 1/100th of the whole DEBUG log.
7 DEBUG executing statements
2019-11-01 10:29:17 DEBUG before nx_logqueue_push, size: 76
2019-11-01 10:29:17 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
2019-11-01 10:29:17 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (Graylog)
2019-11-01 10:29:17 DEBUG evaluating expression 'field' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
2019-11-01 10:29:17 DEBUG before nx_logqueue_push, size: 77
2019-11-01 10:29:17 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (Graylog)
2019-11-01 10:29:17 DEBUG no events or no future events, event thread sleeping in condwait
2019-11-01 10:29:17 DEBUG om_udp sent 815 bytes
2019-11-01 10:29:17 DEBUG before nx_logqueue_pop, size: 78
2019-11-01 10:29:17 DEBUG Graylog get_next_logdata: got (queuesize: 76)
2019-11-01 10:29:17 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (Graylog)
2019-11-01 10:29:17 WARNING nxlog-ce received a termination request signal, exiting...
2019-11-01 10:29:17 DEBUG before nx_logqueue_push, size: 77
2019-11-01 10:29:17 DEBUG nxlog_shutdown() enter
2019-11-01 10:29:17 DEBUG executing statements
2019-11-01 10:29:17 DEBUG stopping INPUT modules
2019-11-01 10:29:17 DEBUG nx_event_to_jobqueue: DATA_AVAILABLE (Graylog)
2019-11-01 10:29:17 DEBUG stopping module in
2019-11-01 10:29:17 DEBUG evaluating expression 'string literal' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
2019-11-01 10:29:17 DEBUG nx_event_to_jobqueue: MODULE_STOP (in)
2019-11-01 10:29:17 DEBUG evaluating expression 'field' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:48
2019-11-01 10:29:17 DEBUG event added to jobqueue
2019-11-01 10:29:17 DEBUG worker 0 got signal for new job
This refers to the fact that the service gets stopped.
Thank you b0ti. Would there be any way to find out what is causing the service to stop?
When I look at the logs they do not provide any information aside from that nxlog is stopping.
2019-11-04 11:38:17 INFO nxlog-ce-2.10.2150 started
2019-11-04 11:38:22 WARNING stopping nxlog service
2019-11-04 11:38:22 WARNING nxlog-ce received a termination request signal, exiting...
You could check in Windows Event Log to see if there is any data recorded, or enable auditing of services and then check the Event Log.
There are various Event IDs that track service-stopped events throughout the different Windows product lines: 7036, 7040, 4689/4546 for auditing, etc.
On our side, we don't record which app sends the termination signal or which user.
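One way to follow that advice from the machine running nxlog, as an added example that is not part of this thread and not NXLog's own tooling: pull the Service Control Manager events (7036, 7040) and the Security process-termination events (4689) from the Windows Event Log for a window around the stop time that nxlog.log reported. Assumed here, and not stated in the thread: the service name contains "nxlog", the stop time is the one from the WARNING line, and Process Termination auditing has already been enabled (for example with `auditpol /set /subcategory:"Process Termination" /success:enable`), otherwise no 4689 events exist. Reading the Security log requires an elevated PowerShell session.

```powershell
# Added example, not from the thread or from NXLog: correlate the nxlog service
# stop with Windows Event Log entries around the time given in nxlog.log.
# Assumptions (not in the thread): service name matches 'nxlog', stop time taken
# from the "stopping nxlog service" WARNING line, Process Termination auditing
# already enabled so that Security event 4689 is recorded.
param(
    [string]$ServiceName = 'nxlog',                  # assumed service name
    [datetime]$StopTime  = '2019-11-04 11:38:22',    # from the WARNING line in nxlog.log
    [int]$WindowSeconds  = 60                        # look this many seconds either side
)

$start = $StopTime.AddSeconds(-$WindowSeconds)
$end   = $StopTime.AddSeconds($WindowSeconds)

# 7036: Service Control Manager reports a service state change (running/stopped).
# 7040: the start type of a service was changed (e.g. Automatic -> Disabled).
$scm = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040
    StartTime    = $start
    EndTime      = $end
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ServiceName) }

# 4689: a process exited (Security log). It carries the process name and the
# account it ran as, which the nxlog.log WARNING line does not record.
$exits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4689
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

"== Service Control Manager events mentioning '$ServiceName' =="
$scm | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

"== Process termination (4689) events in the same window =="
$exits | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Process     = $data['ProcessName']
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ProcessId   = $data['ProcessId']
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it as `.\nxlog-stop-events.ps1 -StopTime '2019-11-04 11:38:22'` (file name is your choice) and read the two tables together: the 7036 entry confirms when the Service Control Manager stopped the service, and any 4689 entry for `nxlog.exe` in the same window shows the account under which the process exited. The window is deliberately narrow so that unrelated process exits do not swamp the output; widen `-WindowSeconds` if the clocks of nxlog.log and the event log differ.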