Hi everyone
After the update of NXLog Community to the latest version (3.0.2272), CPU consumption had a huge increase. The configuration is basic and works over the im_file module.
<Input fake>
    Module  im_file
    File    "C:\fakedir\logs\fake_file*"
    SavePos TRUE
    Exec    if $raw_event =~ /^#/ drop(); \
            else \
            { \
                w3c->parse_csv(); \
                $EventTime = parsedate($date + " " + $time); \
                $Message = to_json(); \
            }
</Input>
Is there someone that had the same issue with this version?
Comments (3)
We are seeing the exact same issue. Community edition 3.0.2272 will typically sit at 0% CPU usage for ~1 minute, and then spike to 65-120% of one CPU for ~1 minute. It cycles back and forth for as long as the NxLog client is running. At first we believed this was caused by the quite extensive amount of exec statements we performed, but we were able to reproduce the issue with a very simple config that only loaded the im_msvistalog module and monitored a mostly unused event log (see below). We deployed to 35 servers running server 2012r2 datacenter, server 2016 datacenter, and server 2019 datacenter. How many logs/events were monitored and how busy the servers were seemed irrelevant. Every server displayed the same issue.
We reverted back to community edition 2.11.2190 and did not see any issues.
<Input windows_eventlog_defender>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Windows Defender/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
<Route winserverevent_to_winserverevent_out>
    Path windows_eventlog_defender => winserverevent_out
</Route>
<Output winserverevent_out>
    Module om_tcp
    Host   cyclops.not.a.real.address.com
    Port   33333
</Output>
I have a client that is having the same issue, but I don't have an older version of NXlog to give them. Would you be able to provide a download link that I could use?
We are seeing exactly the same issue. Community edition 3.0.2272 will typically sit at 0% CPU usage for ~1 minute, and then spike to 65-120% of one CPU for ~1 minute. It cycles back and forth for as long as the NxLog client is running. We were also able to reproduce the issue with a very simple config. We deployed to 164 servers running server 2012r2 datacenter, server 2016 datacenter, and server 2019 datacenter. How many logs/events were monitored and how busy the servers were seemed irrelevant. Every server displayed the same issue.
As of today, we reverted back to community edition 2.11.2190 and NO MORE ISSUES. Anyone trying to upgrade to remove the vulnerability - Please BEWARE OF THIS ISSUE.... Test thoroughly before rolling out to many servers.
For NXlog support - Please fix this issue as soon as possible - We were only trying to upgrade due to the DDOS vulnerability. Well, the new version appears to be a DDOS vulnerability. Just about brought many of our systems down before we could revert to the previous version which had no issues.
We would appreciate any help that you can provide...