Let's Talk Start free
Let's Talk Start free

Frequent disconnects after 2 hours

Tags:
#1 Deleted user

Hey guys,

We tested nxlog on a few servers and everything worked fine, no problem at all. Now when we deployed it to more, after 2 hours, the clients just keep disconnecting and reconnecting. I'm really not sure what's happening. We're using a self signed cert, made with opeenssl. Not sure what would you need to identify my problem. If needed I'll copy over the debug log or conf file.

Environment is windows.

Any help is appreciated!

Permalink
#2 Deleted user
#1 Deleted user
Hey guys, We tested nxlog on a few servers and everything worked fine, no problem at all. Now when we deployed it to more, after 2 hours, the clients just keep disconnecting and reconnecting. I'm really not sure what's happening. We're using a self signed cert, made with opeenssl. Not sure what would you need to identify my problem. If needed I'll copy over the debug log or conf file. Environment is windows. Any help is appreciated!

Hey,

Our client config

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module  xm_json	
</Extension>

<Extension _xml>
	Module xm_xml
</Extension>

<Extension _multiline>
	Module	xm_multiline
	Headerline /^<Event/
	Endline /^</Event>/
</Extension>

# Collect login events from local Windows EventLog
<Input eventlog>
	Module  im_msvistalog		
	<QueryXML>
		<QueryList>
			   <Query Id='0'>
					<Select Path='Security'>*[System[(EventID='4624')]]</Select>
					<Select Path='Security'>*[System[(EventID='4648')]]</Select>
					<Select Path='Security'>*[System[(EventID='4625')]]</Select>
					<Select Path='Security'>*[System[(EventID='4720')]]</Select>
					<Select Path='Security'>*[System[(EventID='1102')]]</Select>
					<Select Path='Security'>*[System[(EventID='5025')]]</Select>
			   </Query>
			   <Query Id='1'>
					<Select Path='System'>*[System[(EventID='1074')]]</Select>
					<Select Path='System'>*[System[(EventID='6008')]]</Select>
					<Select Path='System'>*[System[(EventID='12')]]</Select>
					<Select Path='System'>*[System[(EventID='4609')]]</Select>
			   </Query>
		</QueryList>
	</QueryXML>
</Input>

<Output hosted>
	Module om_ssl
	Host hostaddress
	Port 5999
	CAFile      %CERTDIR%\rootCA.pem
    CertFile    %CERTDIR%\client.crt
    CertKeyFile %CERTDIR%\client.key
    KeyPass     supersecretpass
	AllowUntrusted TRUE
	Exec to_json();
</Output>

<Route hosted>
    Path        eventlog => hosted
</Route>

Our collector config

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%
#define WINLOG 	D:\nxlog\all-events-cloud-remote.json
define CLOUDDIR		D:\\nxlog\cloud
define HOSTEDDIR	D:\\nxlog\hosted
define INFRADIR		D:\\nxlog\infra

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _json>
    Module  xm_json
</Extension>

<Extension fileop>
	Module 	xm_fileop
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

# Collect everything from local Windows Event Log
<Input eventlog>
    Module  im_msvistalog
</Input>

# Collect logs from remote agents via encrypted SSL connections (self-signed)
<Input in_cloud>
    Module      im_ssl
    Host        0.0.0.0
    Port        5999
	CAFile      %CERTDIR%\rootCA.pem
    CertFile    %CERTDIR%\server.crt
    CertKeyFile %CERTDIR%\server.key
    KeyPass     supersecretpass
	AllowUntrusted TRUE
</Input>

<Input in_hosted>
    Module      im_ssl
    Host        0.0.0.0
    Port        5999
	CAFile      %CERTDIR%\rootCA.pem
    CertFile    %CERTDIR%\server.crt
    CertKeyFile %CERTDIR%\server.key
    KeyPass     supersercretpass
	AllowUntrusted TRUE
</Input>

#Local eventlog dump output
<Output local>
    Module  om_file
    File    'D:\nxlog\all-events-local.json'
	# The output format will be JSON
    Exec    to_json();
</Output>

<Output cloud>
    Module  om_file
    File    'D:\nxlog\all-events-cloud-remote.json'
	<Schedule>		
		When @daily
		<Exec>
			cloud->rotate_to("%CLOUDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json");
		</Exec>
	</Schedule>
</Output>

<Output hosted>
    Module  om_file
    File    'D:\nxlog\all-events-hosted-remote.json'
	<Schedule>		
		When @daily
		<Exec>
			hosted->rotate_to("%HOSTEDDIR%\\logcollection_" + strftime(now() - 60, "%Y%m%d%H%M%S") + ".json");
		</Exec>
	</Schedule>
</Output>

<Route local>
    Path        eventlog => local
</Route>

<Route cloud_file>
    Path        in_cloud => cloud
</Route>

<Route hosted_file>
    Path        in_hosted => hosted
</Route>

The config is in the default place. edit: Yes, I restarted the service. Not sure if it's worth metioning, the service runs under the default Local System user. Tried it with a dedicated user for nxlog, and the problem still occurs after 2 hours.
Login to see more