Hi everyone

After the update of NXLog Community Edition to the latest version (3.0.2272), the consumption of CPU had a huge increase. The configuration basically works over the im_file module.

<Input fake>
    Module im_file
    File "C:\fakedir\logs\fake_file*"
    SavePos TRUE
    # w3c refers to an xm_csv extension instance defined elsewhere in the config (not shown in this post)
    Exec if $raw_event =~ /^#/ drop(); \
        else \
        { \
            w3c->parse_csv(); \
            $EventTime = parsedate($date + " " + $time); \
            $Message = to_json(); \
        }
</Input>

Is there someone that had the same issue with this version?

Asked February 14, 2022 - 6:51pm

Comments (3)

  • wrightdm2

    We are seeing the exact same issue. Community edition 3.0.2272 will typically sit at 0% CPU usage for ~1 minute, and then spike to 65-120% of one CPU for ~1 minute. It cycles back and forth for as long as the NXLog client is running. At first we believed this was caused by the quite extensive amount of exec statements we performed, but we were able to reproduce the issue with a very simple config that only loaded the im_msvistalog module and monitored a mostly unused event log (see below). We deployed to 35 servers running server 2012r2 datacenter, server 2016 datacenter, and server 2019 datacenter. How many logs/events were monitored and how busy the servers were seemed irrelevant. Every server displayed the same issue.

    We reverted back to community edition 2.11.2190 and did not see any issues.

    <Input windows_eventlog_defender>
        Module im_msvistalog

        <QueryXML>
            <QueryList>
                <Query Id="0">
                    <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Route winserverevent_to_winserverevent_out>
        Path windows_eventlog_defender => winserverevent_out
    </Route>

    <Output winserverevent_out>
        Module om_tcp
        Host cyclops.not.a.real.address.com
        Port 33333
    </Output>

  • farrisk01

    I have a client that is having the same issue, but I don't have an older version of NXLog to give them. Would you be able to provide a download link that I could use?

  • acrabtree007

    We are seeing exactly the same issue. Community edition 3.0.2272 will typically sit at 0% CPU usage for ~1 minute, and then spike to 65-120% of one CPU for ~1 minute. It cycles back and forth for as long as the NXLog client is running. We were also able to reproduce the issue with a very simple config. We deployed to 164 servers running server 2012r2 datacenter, server 2016 datacenter, and server 2019 datacenter. How many logs/events were monitored and how busy the servers were seemed irrelevant. Every server displayed the same issue.

    As of today, we reverted back to community edition 2.11.2190 and NO MORE ISSUES. Anyone trying to upgrade to remove the vulnerability - Please BEWARE OF THIS ISSUE.... Test thoroughly before rolling out to many servers.

    For NXlog support - Please fix this issue as soon as possible - We were only trying to upgrade due to the DDOS vulnerability. Well, the new version appears to be a DDOS vulnerability. Just about brought many of our systems down before we could revert to the previous version which had no issues.

    We would appreciate any help that you can provide...

Answers (2)

Yes, I have that issue too. Have a look at: https://nxlog.co/question/7974/nxlog-ce-3022-memory-leak-211-download
Which Windows (Server) Version are you running NXLog on?

Comments (2)

  • DR_

    Sorry for the late reply. I didn't get a notification about your post.
    Sorry, I am as clueless as you. I just searched for similarities, but since I am using 2012 R2 Standard this can't be it. Just thought 2012 R2 is EOL soon so they might have used something new which doesn't quite work on the old OS. I'm a bit puzzled that there are so few complaints, maybe it's the configuration, or maybe there just aren't many (community) users.

    Edit: Haven't seen wrightdm2's post because why wouldn't the newest message be at the bottom. That answer / comment system really is bad.
    So it's a bug and I guess we have to wait it out because NXLog doesn't seem to read their own forum and since we are using the community version we can't ping @support.

Hi,

A hotfix is being released for the high CPU consumption reported.

Please feel free to download and implement version 3.0.2284 in order to solve the problem.

Best regards,