NXLog seems to forward some older events but not new ones

#1 JF_427179

Our setup: we have Windows Server 2019 servers that are forwarding some "Security" events to a single Windows Server 2019 event collector. On that single Windows Server 2019 event collector, we have installed NXLog, which is forwarding to Graylog.

Summary: servers --> event collector server (where NXLog is installed) --> Graylog server

All selected events are getting to the event collector, but only some are getting to Graylog. So the problem is somewhere on or after the event collector server.

Here is the complete NXLog config:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _gelf>
    Module xm_gelf
    ShortMessageLength 500
</Extension>

<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='ForwardedEvents'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_tcp
    Host graylog.local
    Port 12201
    OutputType GELF_TCP
</Output>

<Route 1>
    Path in => out
</Route>

Is anything obvious missing?
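
A check worth running on the collector before comparing with Graylog, added here as a diagnostic that is not part of the original post: count what actually sits in the ForwardedEvents channel per forwarding server and event ID for the last hour, list the newest events, and scan nxlog.log for errors. It assumes the nxlog paths from the config above and that it is run in an elevated PowerShell session on the collector.

```powershell
# Added diagnostic, not from the original post. Compares what reached the
# collector's ForwardedEvents channel with what Graylog shows, and checks
# nxlog's own log. Paths follow the config in the question (assumption).
$since    = (Get-Date).AddHours(-1)
$nxlogLog = 'C:\Program Files (x86)\nxlog\data\nxlog.log'

# Events that actually arrived on the collector inside the window.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $since } `
                       -ErrorAction SilentlyContinue
"Events in ForwardedEvents since $since : $($events.Count)"

# Break the count down by source server and event ID. Run a Graylog search
# over the same window and compare these numbers field by field; a gap that
# is confined to one server or one event ID narrows the search considerably.
$events |
    Group-Object -Property MachineName, Id |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source';  e = { $_.Values[0] } },
                  @{ n = 'EventID'; e = { $_.Values[1] } },
                  Count |
    Format-Table -AutoSize

# Newest events on the collector. If Graylog's latest message is much older
# than these, the loss is on the nxlog -> Graylog hop, not on the WEF side.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, MachineName, Id -First 5

# Anything nxlog itself complained about (connection resets, oversized
# messages, query errors) shows up here.
if (Test-Path $nxlogLog) {
    Select-String -Path $nxlogLog -Pattern 'ERROR|WARNING' | Select-Object -Last 20
}
```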

#2 Arkadiy (Nxlog) ✓

Hello,

Config looks fine, could you please share some examples of events which aren't making it to nxlog but should?

Regards, Arch