
Hello,
I'm using nxlog to send logs from an AD to a syslog server, this is my nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
Module xm_syslog
</Extension>

<Input in>
Module im_msvistalog
</Input>

<Output out>
Module om_udp
Host xxxxx
Port xxx
Exec to_syslog_snare();
</Output>

<Route 1>
Path in => out
</Route>

However, the volume of logs generated is very large and nxlog is not able to send everything, causing some packets to be lost. I noticed this with Wireshark at the source and saw that the packets don't even leave the server.
Is there anything I can do to increase its performance? Be it in nxlog.conf, or by clearing some cache?
Thank you.

Asked May 26, 2020 - 6:10pm

Answer (1)

Good afternoon Gustavo, you may want to start by restricting the logs you want the source machine to produce. Do you really need all of them? For example, if you add the following to the im_msvistalog module, only security related events will be sent (saving lots of bandwidth).

<QueryXML>
  <QueryList>
    <Query Id='1'>
      <Select Path='Security'>*[System/Level=4]</Select>
    </Query>
  </QueryList>
</QueryXML>
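For reference, this is what the asker's nxlog.conf looks like once the QueryXML block from the answer is placed inside the im_msvistalog Input block; it is an added example, not the answer author's configuration, and the host address, port and the second Select line (standard Windows event-log XPath keeping only logon success/failure events, IDs 4624 and 4625) are assumptions added here for illustration.

```conf
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    # QueryXML goes inside the Input block. Only the Security channel is
    # read instead of every channel on the host. Each Select widens the
    # set of collected events (the results are a union), so keep the
    # list short to reduce volume.
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Security'>*[System/Level=4]</Select>
                <Select Path='Security'>*[System[(EventID=4624 or EventID=4625)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_udp
    # Placeholder destination; replace with the real syslog server.
    Host 192.0.2.10
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path in => out
</Route>
```

Validate the query itself in Event Viewer (Filter Current Log, XML tab) before deploying, since a malformed XPath leaves the input collecting nothing rather than everything.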