Frequent disconnects after 2 hours

Post a different question
1
response

Hey guys,

We tested nxlog on a few servers and everything worked fine, no problem at all. Now when we deployed it to more, after 2 hours, the clients just keep disconnecting and reconnecting. I'm really not sure what's happening. We're using a self signed cert, made with opeenssl.
Not sure what would you need to identify my problem.
If needed I'll copy over the debug log or conf file.

Environment is windows.

Any help is appreciated!

AskedNovember 5, 2020 - 11:03am

Comments (1)

  • MG_903683's picture

    Hey,

    Our client config

    Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module  xm_json 
</Extension>

<Extension _xml>
    Module xm_xml
</Extension>

<Extension _multiline>
    Module  xm_multiline
    Headerline /^<Event/
    Endline /^</Event>/
</Extension>

# Collect login events from local Windows EventLog
<Input eventlog>
    Module  im_msvistalog       
    <QueryXML>
        <QueryList>
               <Query Id='0'>
                    <Select Path='Security'>*[System[(EventID='4624')]]</Select>
                    <Select Path='Security'>*[System[(EventID='4648')]]</Select>
                    <Select Path='Security'>*[System[(EventID='4625')]]</Select>
                    <Select Path='Security'>*[System[(EventID='4720')]]</Select>
                    <Select Path='Security'>*[System[(EventID='1102')]]</Select>
                    <Select Path='Security'>*[System[(EventID='5025')]]</Select>
               </Query>
               <Query Id='1'>
                    <Select Path='System'>*[System[(EventID='1074')]]</Select>
                    <Select Path='System'>*[System[(EventID='6008')]]</Select>
                    <Select Path='System'>*[System[(EventID='12')]]</Select>
                    <Select Path='System'>*[System[(EventID='4609')]]</Select>
               </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output hosted>
    Module om_ssl
    Host hostaddress
    Port 5999
    CAFile      %CERTDIR%\rootCA.pem
    CertFile    %CERTDIR%\client.crt
    CertKeyFile %CERTDIR%\client.key
    KeyPass     supersecretpass
    AllowUntrusted TRUE
    Exec to_json();
</Output>

<Route hosted>
    Path        eventlog => hosted
</Route>

    Our collector config

    Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
#define WINLOG  D:\nxlog\all-events-cloud-remote.json
define CLOUDDIR     D:\\nxlog\cloud
define HOSTEDDIR    D:\\nxlog\hosted
define INFRADIR     D:\\nxlog\infra

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module  xm_json
</Extension>

<Extension fileop>
    Module  xm_fileop
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

# Collect everything from local Windows Event Log
<Input eventlog>
    Module  im_msvistalog
</Input>

# Collect logs from remote agents via encrypted SSL connections (self-signed)
<Input in_cloud>
    Module      im_ssl
    Host        0.0.0.0
    Port        5999
    CAFile      %CERTDIR%\rootCA.pem
    CertFile    %CERTDIR%\server.crt
    CertKeyFile %CERTDIR%\server.key
    KeyPass     supersecretpass
    AllowUntrusted TRUE
</Input>

<Input in_hosted>
    Module      im_ssl
    Host        0.0.0.0
    Port        5999
    CAFile      %CERTDIR%\rootCA.pem
    CertFile    %CERTDIR%\server.crt
    CertKeyFile %CERTDIR%\server.key
    KeyPass     supersercretpass
    AllowUntrusted TRUE
</Input>

#Local eventlog dump output
<Output local>
    Module  om_file
    File    'D:\nxlog\all-events-local.json'
    # The output format will be JSON
    Exec    to_json();
</Output>

<Output cloud>
    Module  om_file
    File    'D:\nxlog\all-events-cloud-remote.json'
    <Schedule>      
        When @daily
        <Exec>
            cloud->rotate_to("%CLOUDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json");
        </Exec>
    </Schedule>
</Output>

<Output hosted>
    Module  om_file
    File    'D:\nxlog\all-events-hosted-remote.json'
    <Schedule>      
        When @daily
        <Exec>
            hosted->rotate_to("%HOSTEDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json");
        </Exec>
    </Schedule>
</Output>

<Route local>
    Path        eventlog => local
</Route>

<Route cloud_file>
    Path        in_cloud => cloud
</Route>

<Route hosted_file>
    Path        in_hosted => hosted
</Route>

    The config is in the default place. edit: Yes, I restarted the service. Not sure if it's worth metioning, the service runs under the default Local System user. Tried it with a dedicated user for nxlog, and the problem still occurs after 2 hours.

    November 9, 2020 - 12:32pm

Answers (0)