
Trying to get this to work on a Windows 2019 Server that's a clean build with nothing on it and has all current Windows updates applied.
Is it an issue with Windows 2019 Server or an issue with the XM_SYSLOG module?

######### WORKING - Copies event log data to C:\Program Files\nxlog\data\nxlog-output.log ########
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
Module xm_syslog
</Extension>

# Monitor Windows event logs
<Input eventlog>
Module im_msvistalog
</Input>

<Output file>
Module om_file
File 'C:\Program Files\nxlog\data\nxlog-output.log'
Exec to_syslog_snare();
</Output>

<Output syslogout>
Module om_ssl
Host logsx.papertrailapp.com
Port 12345
Exec $Hostname = hostname(); to_syslog_ietf();
OutputType Syslog_TLS
CAFile %CERTDIR%/papertrail-bundle.pem
AllowUntrusted FALSE
</Output>

<Route out>
Path eventlog => file
</Route>

######### NOT WORKING - NXLOG Service will start for a moment and then stop immediately ###########
<Route out>
Path eventlog => syslogout
</Route>

nxlog.log
2022-03-16 18:10:47 WARNING not starting unused module file
2022-03-16 18:10:47 INFO nxlog-ce-3.0.2272 started
2022-03-16 18:10:47 INFO connecting to logs3.papertrailapp.com:49305
2022-03-16 18:10:47 INFO successfully connected to logx.papertrailapp.com:12345

Windows Logs, Application Events:
Source: Application Error
Event ID: 1000
Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: ntdll.dll, version: 10.0.17763.2628, time stamp: 0x91ea188a
Exception code: 0xc0000374
Fault offset: 0x00000000000faad9
Faulting process id: 0xa7c
Faulting application start time: 0x01d8399bfa79f8d0
Faulting application path: C:\Program Files\nxlog\nxlog.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 7870365a-2a26-49dd-9670-7c8d889f9dda
Faulting package full name:
Faulting package-relative application ID:

Windows Logs, Application Events:
Source: Windows Error Reporting
Event ID: 1001
Fault bucket 1367701673690831831, type 4
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: nxlog.exe
P2: 0.0.0.0
P3: 00000000
P4: StackHash_2e07
P5: 10.0.17763.2628
P6: 91ea188a
P7: c0000374
P8: PCH_43_FROM_ntdll+0x00000000000A0544
P9:
P10:

Attached files:
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER86A8.tmp.dmp
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER87D2.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8802.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8804.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8843.tmp.txt

These files may be available here:
\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_nxlog.exe_7198d2d4b17dc7d6aaa419f8df82eecf4ad86a_e5992931_12418b0d

Analysis symbol:
Rechecking for solution: 0
Report Id: 7870365a-2a26-49dd-9670-7c8d889f9dda
Report Status: 268435456
Hashed bucket: 8cc762824f1e456172fb0d6d030c9bd7
Cab Guid: 0

Asked March 17, 2022 - 2:18am
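Added example, not from the original post and not NXLog code: it reproduces what the om_ssl output above puts on the wire and sends it with Python's ssl module, so the Papertrail endpoint and the papertrail-bundle.pem CA file can be checked with nxlog out of the loop. to_syslog_ietf() emits an RFC 5424 message; OutputType Syslog_TLS adds RFC 5425 octet-counted framing (decimal length, space, message); om_tcp's default line-based output uses newline framing instead. The hostname, port and CA path are command-line arguments you supply, the sample message is constructed, and `make_context` mirrors the CAFile / AllowUntrusted settings rather than calling anything in nxlog.

```python
import socket
import ssl
from datetime import datetime, timezone


def build_rfc5424(hostname, appname, msg, ts=None, facility=1, severity=6,
                  procid="-", msgid="-", sd="-"):
    """RFC 5424 message in the shape to_syslog_ietf() produces:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
    facility 1 / severity 6 is user.info, PRI 14."""
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    pri = facility * 8 + severity
    return f"<{pri}>1 {ts} {hostname} {appname} {procid} {msgid} {sd} {msg}"


def frame_octet_counted(msg):
    """RFC 5425 octet-counting, the framing OutputType Syslog_TLS uses:
    message length in decimal, a space, then the message, no trailing newline."""
    data = msg.encode("utf-8") if isinstance(msg, str) else msg
    return b"%d %s" % (len(data), data)


def frame_newline(msg):
    """Newline framing, what om_tcp sends with its default LineBased output."""
    data = msg.encode("utf-8") if isinstance(msg, str) else msg
    return data + b"\n"


def make_context(cafile=None, allow_untrusted=False):
    """Mirror om_ssl's CAFile and AllowUntrusted settings in an SSLContext.
    cafile=None falls back to the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if allow_untrusted:
        # Equivalent of AllowUntrusted TRUE: no chain or hostname check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_tls(host, port, frames, cafile=None, allow_untrusted=False, timeout=10):
    """Open a TLS session, send the framed messages, return (protocol, peer subject).
    A bad CA bundle or handshake problem raises ssl.SSLError here instead of
    leaving you with a service that starts and stops. Needs network access."""
    ctx = make_context(cafile, allow_untrusted)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for frame in frames:
                tls.sendall(frame)
            # getpeercert() is empty when verification is disabled.
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    import sys
    # Constructed sample message, shown with both framings.
    sample = build_rfc5424("srv1", "nxlog", "tls check from python")
    print(frame_octet_counted(sample))
    print(frame_newline(sample))
    if len(sys.argv) >= 3:
        # usage: script.py HOST PORT [CAFILE]; values are yours, not from the post
        host, port = sys.argv[1], int(sys.argv[2])
        cafile = sys.argv[3] if len(sys.argv) > 3 else None
        print(send_tls(host, port, [frame_octet_counted(sample)], cafile=cafile))
```

If `send_tls` succeeds with the same CAFile and the same host and port the om_ssl block uses, the endpoint and the bundle are fine and the problem is inside nxlog; if it raises a certificate error, fix the bundle or the hostname before changing anything in nxlog.conf.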

Comments (2)

  • TXTOM

    Looks like something wasn't configured correctly for Module om_ssl because once I removed it I got data shipping to PaperTrail.

    I'd prefer to run NXLOG with SSL but for the time being I guess I'll have to live with plain text.

    Maybe OutputType Syslog_TLS has something to do with it as well, but I couldn't figure out how to make OutputType Syslog_TCP or something to make it work.

    <Output syslogout>
    Module om_tcp
    Host logsx.papertrailapp.com
    Port 12345
    Exec $Hostname = hostname(); to_syslog_ietf();
    </Output>

    <Route out>
    Path eventlog => syslogout
    </Route>

Answers (0)