
Hey guys,

We tested nxlog on a few servers and everything worked fine, no problem at all. Now when we deployed it to more, after 2 hours, the clients just keep disconnecting and reconnecting. I'm really not sure what's happening. We're using a self-signed cert, made with openssl.
Not sure what you would need to identify my problem.
If needed I'll copy over the debug log or conf file.

Environment is windows.

Any help is appreciated!

Asked November 5, 2020 - 11:03am

Comments (1)

  • MG_903683

    Hey,

    Our client config

    Panic Soft
    #NoFreeOnExit TRUE
    
    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    
    <Extension _json>
        Module  xm_json 
    </Extension>
    
    <Extension _xml>
        Module xm_xml
    </Extension>
    
    <Extension _multiline>
        Module  xm_multiline
        # Regex delimiters are '/', so the '/' in the closing tag must be escaped
        Headerline /^<Event/
        Endline /^<\/Event>/
    </Extension>
    
    # Collect login events from local Windows EventLog
    <Input eventlog>
        Module  im_msvistalog       
        <QueryXML>
            <QueryList>
                   <Query Id='0'>
                        <Select Path='Security'>*[System[(EventID='4624')]]</Select>
                        <Select Path='Security'>*[System[(EventID='4648')]]</Select>
                        <Select Path='Security'>*[System[(EventID='4625')]]</Select>
                        <Select Path='Security'>*[System[(EventID='4720')]]</Select>
                        <Select Path='Security'>*[System[(EventID='1102')]]</Select>
                        <Select Path='Security'>*[System[(EventID='5025')]]</Select>
                   </Query>
                   <Query Id='1'>
                        <Select Path='System'>*[System[(EventID='1074')]]</Select>
                        <Select Path='System'>*[System[(EventID='6008')]]</Select>
                        <Select Path='System'>*[System[(EventID='12')]]</Select>
                        <Select Path='System'>*[System[(EventID='4609')]]</Select>
                   </Query>
            </QueryList>
        </QueryXML>
    </Input>
    
    <Output hosted>
        Module om_ssl
        Host hostaddress
        Port 5999
        CAFile      %CERTDIR%\rootCA.pem
        CertFile    %CERTDIR%\client.crt
        CertKeyFile %CERTDIR%\client.key
        KeyPass     supersecretpass
        AllowUntrusted TRUE
        Exec to_json();
    </Output>
    
    <Route hosted>
        Path        eventlog => hosted
    </Route>
    

    Our collector config

    Panic Soft
    #NoFreeOnExit TRUE
    
    define ROOT     C:\Program Files (x86)\nxlog
    define CERTDIR  %ROOT%\cert
    define CONFDIR  %ROOT%\conf
    define LOGDIR   %ROOT%\data
    define LOGFILE  %LOGDIR%\nxlog.log
    LogFile %LOGFILE%
    #define WINLOG  D:\nxlog\all-events-cloud-remote.json
    define CLOUDDIR     D:\\nxlog\cloud
    define HOSTEDDIR    D:\\nxlog\hosted
    define INFRADIR     D:\\nxlog\infra
    
    Moduledir %ROOT%\modules
    CacheDir  %ROOT%\data
    Pidfile   %ROOT%\data\nxlog.pid
    SpoolDir  %ROOT%\data
    
    <Extension _json>
        Module  xm_json
    </Extension>
    
    <Extension fileop>
        Module  xm_fileop
    </Extension>
    
    <Extension _exec>
        Module  xm_exec
    </Extension>
    
    # Collect everything from local Windows Event Log
    <Input eventlog>
        Module  im_msvistalog
    </Input>
    
    # Collect logs from remote agents via encrypted SSL connections (self-signed)
    <Input in_cloud>
        Module      im_ssl
        Host        0.0.0.0
        Port        5999
        CAFile      %CERTDIR%\rootCA.pem
        CertFile    %CERTDIR%\server.crt
        CertKeyFile %CERTDIR%\server.key
        KeyPass     supersecretpass
        AllowUntrusted TRUE
    </Input>
    
    <Input in_hosted>
        Module      im_ssl
        Host        0.0.0.0
        Port        5999
        CAFile      %CERTDIR%\rootCA.pem
        CertFile    %CERTDIR%\server.crt
        CertKeyFile %CERTDIR%\server.key
        KeyPass     supersercretpass
        AllowUntrusted TRUE
    </Input>
    
    #Local eventlog dump output
    <Output local>
        Module  om_file
        File    'D:\nxlog\all-events-local.json'
        # The output format will be JSON
        Exec    to_json();
    </Output>
    
    <Output cloud>
        Module  om_file
        File    'D:\nxlog\all-events-cloud-remote.json'
        <Schedule>      
            When @daily
            <Exec>
                cloud->rotate_to("%CLOUDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json");
            </Exec>
        </Schedule>
    </Output>
    
    <Output hosted>
        Module  om_file
        File    'D:\nxlog\all-events-hosted-remote.json'
        <Schedule>      
            When @daily
            <Exec>
                hosted->rotate_to("%HOSTEDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json");
            </Exec>
        </Schedule>
    </Output>
    
    <Route local>
        Path        eventlog => local
    </Route>
    
    <Route cloud_file>
        Path        in_cloud => cloud
    </Route>
    
    <Route hosted_file>
        Path        in_hosted => hosted
    </Route>
    

    The config is in the default place. edit: Yes, I restarted the service. Not sure if it's worth mentioning, the service runs under the default Local System user. Tried it with a dedicated user for nxlog, and the problem still occurs after 2 hours.
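An added check, not part of this thread: a small Python linter for the directives visible in the collector config above. It reports network Inputs bound to the same Host/Port (in the posted config, in_cloud and in_hosted both listen on 0.0.0.0:5999) and a CertKeyFile that is given differing KeyPass values across Inputs. SAMPLE_CONF is a constructed excerpt mirroring those two blocks, not the full file.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the collector config in the post above:
# two im_ssl listeners share Host/Port, and one key file gets two passphrases.
SAMPLE_CONF = r"""<Input in_cloud>
    Module      im_ssl
    Host        0.0.0.0
    Port        5999
    CertKeyFile %CERTDIR%\server.key
    KeyPass     supersecretpass
</Input>

<Input in_hosted>
    Module      im_ssl
    Host        0.0.0.0
    Port        5999
    CertKeyFile %CERTDIR%\server.key
    KeyPass     supersercretpass
</Input>
"""

# One <Input name> ... </Input> block, and one "Directive value" line inside it
BLOCK_RE = re.compile(r"<Input\s+(\S+)>(.*?)</Input>", re.S)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.*?)[ \t]*$", re.M)


def parse_inputs(conf):
    """Return {input_name: {directive: value}} for every <Input> block."""
    return {name: dict(DIRECTIVE_RE.findall(body))
            for name, body in BLOCK_RE.findall(conf)}


def duplicate_listeners(conf):
    """Network inputs grouped by (Host, Port); keep endpoints claimed more than once."""
    by_endpoint = defaultdict(list)
    for name, d in parse_inputs(conf).items():
        if d.get("Module") in ("im_ssl", "im_tcp", "im_udp") and "Port" in d:
            by_endpoint[(d.get("Host", "0.0.0.0"), d["Port"])].append(name)
    return {ep: names for ep, names in by_endpoint.items() if len(names) > 1}


def keypass_mismatches(conf):
    """Inputs that load the same CertKeyFile but supply different KeyPass values."""
    by_key = defaultdict(set)
    for d in parse_inputs(conf).values():
        if "CertKeyFile" in d and "KeyPass" in d:
            by_key[d["CertKeyFile"]].add(d["KeyPass"])
    return {key: sorted(pw) for key, pw in by_key.items() if len(pw) > 1}
```

Run it against the real nxlog.conf by reading the file into a string in place of SAMPLE_CONF; an empty dict from both functions means neither pattern is present.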

Answers (0)