Windows DNS Log 2008/2012

#1 rrspyder

I am having an issue where I am outputting a DNS log from Windows Server and having NXLOG read it and ship it to a Logstash environment. My issue however is that after a period of time the log file disappears and is not created. I am assuming it is an issue with NXLog having a lock on the file and when Windows rotates it, it fails and doesn't get created.

The DNS Event View Log shows:

The DNS server was unable to open file E:\Log Files\DNS\dns.log for write.  Most likely the file is a zone file that is already open.  Close the zone file and re-initiate zone write.

Stopping and restarting the service does not help unless I completely stop NXLOG first. How can I change it so NXLog does not completely lock the log file so that windows can't rotate it?

This seems to occur on various versions of Windows from 2008 to 2012 R2.

Appreciate any help you can provide regarding this issue.

#2 adm Nxlog ✓

This is a known issue with the DNS log, but the problem is not in NXLog because im_file does not lock the file when it opens it. The issue is most likely caused by the DNS service trying to lock the file while NXLog is reading from it and, failing to obtain the exclusive lock, it will remove the log file.

There is a CloseWhenIdle directive for this purpose, i.e. to potentially help with broken apps that can't tolerate other processes reading their logs (why is it writing the log then?!). Note that this is not a real solution, it will just reduce the time window for the issue to happen.

Also note that the same DNS log file is truncated and restarted if the max size is reached, this is again pretty bad practice. It should be configured to start a new log file if the current one reaches max size. This should potentially solve the disappearing log issue also. Haven't looked if that's possible. Please let us know if you have managed to solve it.
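An added example (not from this thread or the NXLog project) of an im_file configuration that applies the CloseWhenIdle suggestion to the DNS log path from the question and forwards it to Logstash over TCP; the Logstash host and port are placeholders, and the route and module names are assumed.

```nxlog
# Added example, not from the thread. im_file with CloseWhenIdle releases the
# handle on the DNS debug log whenever no new data is pending, which narrows
# (but does not close) the window in which the DNS service fails to reopen it.
<Extension json>
    Module        xm_json
</Extension>

<Input dns_log>
    Module        im_file
    # Path taken from the DNS event log message in the question
    File          'E:\Log Files\DNS\dns.log'
    # Close the file between reads; the DNS service still truncates and
    # rewrites the file itself, so this only reduces the race window
    CloseWhenIdle TRUE
    PollInterval  1
    Exec          to_json();
</Input>

<Output logstash>
    Module        om_tcp
    # Placeholder values: replace with the Logstash TCP input's address/port
    Host          logstash.example.internal
    Port          5140
</Output>

<Route dns_to_logstash>
    Path          dns_log => logstash
</Route>
```

If the DNS event "unable to open file ... for write" still appears after this change, the remaining cause is the DNS service's own truncate-and-rewrite behaviour rather than an NXLog lock.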