
Hi,

I'm receiving the following errors in nxlog.log:

2022-01-20 10:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-0939.log
2022-01-20 10:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1009.log
2022-01-20 11:11:17 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1039.log
2022-01-20 11:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1109.log
2022-01-20 12:11:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1139.log
2022-01-20 12:41:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1209.log
2022-01-20 13:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1239.log
2022-01-20 13:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1309.log
2022-01-20 14:11:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1339.log
2022-01-20 14:41:19 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1409.log
2022-01-20 15:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1439.log
2022-01-20 15:41:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1509.log
2022-01-20 16:11:18 WARNING input file was deleted: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\SPAPP12013-20220106-1539.log

Version: nxlog-ce-2.11.2190.msi

Contents of nxlog.conf:
#
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#
# Version: 0.2.20
# Last modification: 2021-10-15
#

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS SYSLOG IP
define OUTPUT_DESTINATION_PORT 514

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

#######################################################################
#### SHAREPOINT-NXLOG #####
#### Uncomment the following lines for SharePoint-NXLOG #####
#### log forwarding #####
#######################################################################

<Extension transform_alienvault_csv_sharepoint>
    Module xm_csv
    Fields $Timestamp, $Process, $TID, $Area, $Category, $EventID, $Level, $Message, $Correlation
    FieldTypes string, string, string, string, string, string, string, string, string
    Delimiter \t
</Extension>

<Input SHAREPOINT_IN>
    Module im_file
    File "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\*-????????-????.log"
    <Exec>
        # Drop header lines and empty lines
        if $raw_event =~ /^(\xEF\xBB\xBF|Timestamp)/ drop();
        else
        {
            $raw_event =~ s/ +(?=\t)//g;
            transform_alienvault_csv_sharepoint->parse_csv();
            $EventTime = strptime($Timestamp, "%m/%d/%Y %H:%M:%S");
            $Hostname = hostname_fqdn();
            $SourceName = "SHAREPOINT-NXLOG";
        }
    </Exec>
</Input>

<Output SHAREPOINT_OUT>
    Module om_udp
    Host %OUTPUT_DESTINATION_ADDRESS%
    Port %OUTPUT_DESTINATION_PORT%
    Exec $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S');
    Exec $Message = to_json(); to_syslog_bsd();
</Output>

<Route SP_Route>
    Path SHAREPOINT_IN => SHAREPOINT_OUT
</Route>

#######################################################################
#### SHAREPOINT-NXLOG #####
#######################################################################

The files are no longer available due to the log retention policy. How do I prevent this error? I'm relatively sure that I'm missing something in the config file. Any help is appreciated.

Asked January 21, 2022 - 4:48pm

Answer (1)

Hi Kevin,

You can set the CloseWhenIdle directive to TRUE so that the NXLog agent closes the file prior to its rotation.

CloseWhenIdle TRUE

Another option is to implement the log rotation using the agent. Please review the link below for more details.

https://nxlog.co/documentation/nxlog-user-guide/log-rotation.html

I hope this helps.

BR

Jeffron
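
To confirm that warnings like the ones in the question come from scheduled retention and not from log files disappearing early, the following added example (not part of the original thread and not NXLog code) parses the warning lines and compares the timestamp embedded in each file name with the time of the warning. Two sample lines are copied from the question and two are constructed; the 14-day minimum age and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the im_file warning format shown in the question.
WARNING_RE = re.compile(
    r"^(?P<seen>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING "
    r"input file was deleted: (?P<path>.+?-(?P<stamp>\d{8}-\d{4})\.log)\s*$"
)

def deleted_file_ages(lines):
    """Yield (path, age) for each 'input file was deleted' warning.

    age = time of the warning minus the timestamp in the file name.
    """
    for line in lines:
        m = WARNING_RE.match(line)
        if not m:
            continue  # other nxlog.log messages are ignored
        seen = datetime.strptime(m["seen"], "%Y-%m-%d %H:%M:%S")
        created = datetime.strptime(m["stamp"], "%Y%m%d-%H%M")
        yield m["path"], seen - created

def premature_deletions(lines, min_age=timedelta(days=14)):
    """Return warnings for files removed before min_age (assumed retention)."""
    return [(p, a) for p, a in deleted_file_ages(lines) if a < min_age]

LOG_DIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS"
SAMPLE = [
    # First two lines are taken from the question.
    rf"2022-01-20 10:11:18 WARNING input file was deleted: {LOG_DIR}\SPAPP12013-20220106-0939.log",
    rf"2022-01-20 10:41:19 WARNING input file was deleted: {LOG_DIR}\SPAPP12013-20220106-1009.log",
    # Constructed: a file that vanished about two hours after it was created.
    rf"2022-01-20 11:12:00 WARNING input file was deleted: {LOG_DIR}\SPAPP12013-20220120-0909.log",
    # Constructed: an unrelated line that must be skipped.
    "2022-01-20 11:12:01 INFO unrelated message",
]

if __name__ == "__main__":
    for path, age in deleted_file_ages(SAMPLE):
        print(f"{age}  {path}")
    for path, age in premature_deletions(SAMPLE):
        print(f"deleted before retention window: {path} (age {age})")
```

Warnings whose file age sits at the retention period are expected cleanup; a file reported deleted well before that age is worth checking against whatever process manages the log directory.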
