My team is currently experiencing an issue with duplicate logs being produced in NXLog's outbound syslog feed. NXLog is reading from a flat file and sending a syslog feed to another machine for processing. Running a TCPdump for the incoming data on that second machine shows that multiple copies of the same log are being sent by NXlog. Moreover, the duplicates are not sent sequentially, but instead are sent almost exactly 5 minutes apart as show by five minute gaps between the "EventReceivedTime" syslog header values. We have reviewed the flat file and confirmed that it does not produce the duplicates, and thus must be related to the configuration of NXLog and the way it reads the flat file. I'd appreciate any insight others might have on what is causing this problem.

The NXLog configuration is as follows:

Panic Soft
#NoFreeOnExit TRUE

define ROOT D:\NX Log\Program Files
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

<Extension _exec>
Module xm_exec

<Extension _fileop>
Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);

# Rotate our log file every week on Sunday at midnight
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);

<Input in>
Module im_file
File "D:\[Ingested File Path].cef"
InputType LineBased
SavePos TRUE
ReadFromLast TRUE
PollInterval 1

<Processor norepeat>
Module pm_norepeat

<Output out>
Module om_ssl
Host [Second Machine IP]
Port 515
Exec to_syslog_ietf();
# Allows using self-signed certificates
AllowUntrusted FALSE
# Certificate from the peer host
CAFile D:\[CA File Path].pem
# Certificate file
CertFile D:\[Certificate File Path].pem
# Keypair file
CertKeyFile D:\[Key File Path].pem

<Route sitecollector>
Path in => norepeat => out

AskedFebruary 23, 2021 - 4:12pm

Answers (0)