Frequent disconnects after 2 hours | Log collection solutions

#1 Deleted user 4 years ago

Hey guys,

We tested nxlog on a few servers and everything worked fine, no problem at all. Now when we deployed it to more, after 2 hours, the clients just keep disconnecting and reconnecting. I'm really not sure what's happening. We're using a self signed cert, made with opeenssl. Not sure what would you need to identify my problem. If needed I'll copy over the debug log or conf file.

Environment is windows.

Any help is appreciated!

Permalink

#2 Deleted user 4 years ago

#1 Deleted user

Hey guys,

Environment is windows.

Any help is appreciated!

Hey, Our client config Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data Module xm_json Module xm_xml Module xm_multiline Headerline /^ hosted Our collector config Panic Soft #NoFreeOnExit TRUE define ROOT C:\Program Files (x86)\nxlog define CERTDIR %ROOT%\cert define CONFDIR %ROOT%\conf define LOGDIR %ROOT%\data define LOGFILE %LOGDIR%\nxlog.log LogFile %LOGFILE% #define WINLOG D:\nxlog\all-events-cloud-remote.json define CLOUDDIR D:\\nxlog\cloud define HOSTEDDIR D:\\nxlog\hosted define INFRADIR D:\\nxlog\infra Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data Module xm_json Module xm_fileop Module xm_exec # Collect everything from local Windows Event Log Module im_msvistalog # Collect logs from remote agents via encrypted SSL connections (self-signed) Module im_ssl Host 0.0.0.0 Port 5999 CAFile %CERTDIR%\rootCA.pem CertFile %CERTDIR%\server.crt CertKeyFile %CERTDIR%\server.key KeyPass supersecretpass AllowUntrusted TRUE Module im_ssl Host 0.0.0.0 Port 5999 CAFile %CERTDIR%\rootCA.pem CertFile %CERTDIR%\server.crt CertKeyFile %CERTDIR%\server.key KeyPass supersercretpass AllowUntrusted TRUE #Local eventlog dump output Module om_file File 'D:\nxlog\all-events-local.json' # The output format will be JSON Exec to_json(); Module om_file File 'D:\nxlog\all-events-cloud-remote.json' When @daily cloud->rotate_to("%CLOUDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json"); Module om_file File 'D:\nxlog\all-events-hosted-remote.json' When @daily hosted->rotate_to("%HOSTEDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json"); Path eventlog => local Path in_cloud => cloud Path in_hosted => hosted The config is in the default place. edit: Yes, I restarted the service. Not sure if it's worth metioning, the service runs under the default Local System user. Tried it with a dedicated user for nxlog, and the problem still occurs after 2 hours.