3 responses

Hello,

I configured my conf file (comm. edition) with a query for certain event IDs. The output works, however, is there a way to prevent every event from creating its own log file? For instance, create 1 large file for the date vs having 200k+ logfiles daily.

Asked January 5, 2021 - 6:54pm

Answer (1)

Hello,

I'm not sure if I understand you correctly - what do you mean by "every event from creating its own log file"? Did you mean limiting/filtering the events to be stored?

If the filesize is your issue, you may want to check the filecycle directive.

In case I misunderstood you - please, provide your conf file & bring us more details on your case.

Best regards,
Rafal

Comments (2)

  • JC_570223

    A copy of the conf is included, without the entire list of EventIDs and host. I think I set a pretty basic query with the event IDs I need. Every event is producing its own log file, which leads to 200k+ log files per day. I would like to see if we could output all the events into 1 large file per date. We would rather have a large file daily than many small ones daily.

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Input in>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=4624 or EventID=4634)]]</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Output out>
        Module om_tcp
        Host (redacted)
        Port 514
        Exec to_syslog_snare();

    <Route 1>
        Path in => out
    </Route>

  • raf (NXLog)

    Thanks for the file.

    I'm not sure what you mean by "files", since you're clearly using TCP to send the data "somewhere" - is there anything else missing besides enclosing the <Output> section?

    From what I see now, it looks like you're sending Windows logs to some server listening over TCP. Correct me if I'm wrong - I assume you'd like to send it in batches - that's possible with NXLog Enterprise Edition. You can find some useful hints here: 32. Reducing Bandwidth and Data Size.

    Best regards,
    Rafal
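As an added example, not part of the original thread and not taken from NXLog's own documentation: the posted configuration writes no files at all, because om_tcp only ships each event over the network. If the goal really is one local file per calendar day, the om_file module can compute the filename from the current date; when the expression's value changes at midnight, the open file is closed and a new one is created. The drive path below is a placeholder, and the configuration assumes the same im_msvistalog input and xm_syslog extension as the poster's conf. Writing a copy to disk also gives a local audit trail to fall back on if the TCP collector is unreachable.

```nxlog
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Security'>*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=4624 or EventID=4634)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# One file per day: the File directive is a string expression, so the
# filename is rebuilt from the date on every write. C:\nxlog-out is a
# placeholder directory; CreateDir makes it if it is missing.
<Output daily_file>
    Module om_file
    File 'C:\\nxlog-out\\security-' + strftime(now(), '%Y-%m-%d') + '.log'
    CreateDir TRUE
    Exec to_syslog_snare();
</Output>

# Optional: keep forwarding to the collector as well (host is a placeholder).
<Output out>
    Module om_tcp
    Host (redacted)
    Port 514
    Exec to_syslog_snare();
</Output>

# Each event is written once to disk and once to the collector.
<Route 1>
    Path in => daily_file, out
</Route>
```

Note that every block, including `<Output>`, needs its closing tag; the unterminated `<Output out>` in the posted conf would prevent NXLog from parsing the route that follows it.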