NXLOG Service starts and then stops immediately when trying to use Solarwinds PaperTrail (APPCRASH / Faulting Module = NTDLL.DLL)

Tags: APPCRASH

#1 TXTOM

Trying to get this to work on a Windows 2019 Server that's a clean build with nothing on it and has all current Windows updates applied.
Is it an issue with Windows 2019 Server or an issue with the XM_SYSLOG module?

######### WORKING - Copies event log data to C:\Program Files\nxlog\data\nxlog-output.log ########
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

# Monitor Windows event logs
<Input eventlog>
    Module im_msvistalog
</Input>

# Local copy, Snare format
<Output file>
    Module om_file
    File   'C:\Program Files\nxlog\data\nxlog-output.log'
    Exec   to_syslog_snare();
</Output>

# Papertrail over TLS: RFC 5424 messages with RFC 5425 octet-counted framing (Syslog_TLS),
# server certificate validated against the Papertrail CA bundle
<Output syslogout>
    Module         om_ssl
    Host           logsx.papertrailapp.com
    Port           12345
    Exec           $Hostname = hostname(); to_syslog_ietf();
    OutputType     Syslog_TLS
    CAFile         %CERTDIR%/papertrail-bundle.pem
    AllowUntrusted FALSE
</Output>

<Route out>
    Path eventlog => file
</Route>

######### NOT WORKING - NXLOG Service will start for a moment and then stop immediately ###########
<Route out>
    Path eventlog => syslogout
</Route>


nxlog.log:
2022-03-16 18:10:47 WARNING not starting unused module file
2022-03-16 18:10:47 INFO nxlog-ce-3.0.2272 started
2022-03-16 18:10:47 INFO connecting to logs3.papertrailapp.com:49305
2022-03-16 18:10:47 INFO successfully connected to logx.papertrailapp.com:12345

Windows Logs, Application Events:
Source: Application Error
Event ID: 1000
Faulting application name: nxlog.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: ntdll.dll, version: 10.0.17763.2628, time stamp: 0x91ea188a
Exception code: 0xc0000374
Fault offset: 0x00000000000faad9
Faulting process id: 0xa7c
Faulting application start time: 0x01d8399bfa79f8d0
Faulting application path: C:\Program Files\nxlog\nxlog.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 7870365a-2a26-49dd-9670-7c8d889f9dda
Faulting package full name:
Faulting package-relative application ID:

Windows Logs, Application Events:
Source: Windows Error Reporting
Event ID: 1001
Fault bucket 1367701673690831831, type 4
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: nxlog.exe
P2: 0.0.0.0
P3: 00000000
P4: StackHash_2e07
P5: 10.0.17763.2628
P6: 91ea188a
P7: c0000374
P8: PCH_43_FROM_ntdll+0x00000000000A0544
P9:
P10:

Attached files:
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER86A8.tmp.dmp
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER87D2.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8802.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8804.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER8843.tmp.txt

These files may be available here:
\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_nxlog.exe_7198d2d4b17dc7d6aaa419f8df82eecf4ad86a_e5992931_12418b0d

Analysis symbol:
Rechecking for solution: 0
Report Id: 7870365a-2a26-49dd-9670-7c8d889f9dda
Report Status: 268435456
Hashed bucket: 8cc762824f1e456172fb0d6d030c9bd7
Cab Guid: 0

#2 TXTOM

Looks like something wasn't configured correctly for Module om_ssl because once I removed it I got data shipping to PaperTrail.

I'd prefer to run NXLOG with SSL but for the time being I guess I'll have to live with plain text.

Maybe OutputType Syslog_TLS has something to do with it as well, but I couldn't figure out how to make OutputType Syslog_TCP or something to make it work.

<Output syslogout>
    Module om_tcp
    Host   logsx.papertrailapp.com
    Port   12345
    Exec   $Hostname = hostname(); to_syslog_ietf();
</Output>

<Route out>
    Path eventlog => syslogout
</Route>
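Editor's note and added example, not part of TXTOM's posts. Exception code 0xc0000374 is STATUS_HEAP_CORRUPTION: ntdll.dll shows up as the faulting module because the Windows heap manager is what detects the corruption, not because ntdll caused it, so the WER dump under ReportArchive is what NXLog support needs; nothing in the Windows event above points at the network or the certificate. The om_tcp workaround in post #2 does, however, ship Windows event logs across the internet in cleartext. Before accepting that, it is worth confirming, independently of nxlog, that the TLS endpoint and the CA bundle referenced by CAFile are sound, so the problem can be isolated to om_ssl. The PowerShell below (editor's code; the host, port and bundle path are the placeholder values from the post and must be replaced with real ones) parses every certificate in the PEM bundle, performs a TLS handshake that accepts the server only if its chain ends at one of those bundle certificates (the same trust model as CAFile with AllowUntrusted FALSE), and then sends one RFC 5425 octet-counted syslog frame, the framing OutputType Syslog_TLS uses:

```powershell
# Added example (editor's, not from the forum post). Pre-flight check for an
# om_ssl -> Papertrail destination, run from the Windows Server 2019 host itself.
# Host, port and bundle path are the placeholders from the post; substitute yours.
param(
    [string]$LogHost  = 'logsx.papertrailapp.com',
    [int]   $Port     = 12345,
    [string]$CaBundle = 'C:\Program Files\nxlog\cert\papertrail-bundle.pem'
)
$ErrorActionPreference = 'Stop'

# 1. Load every certificate in the PEM bundle. The file is split by hand rather than
#    relying on X509Certificate2Collection.Import's handling of multi-cert PEM files.
$pemText = Get-Content -Raw -LiteralPath $CaBundle
$blocks  = [regex]::Matches($pemText,
           '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
if ($blocks.Count -eq 0) { throw "No CERTIFICATE blocks found in $CaBundle" }

$script:Bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($b in $blocks) {
    $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
    [void]$script:Bundle.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
}
"Loaded $($script:Bundle.Count) CA certificate(s) from $CaBundle"

# 2. Validation callback mirroring CAFile + AllowUntrusted FALSE: build the server's chain
#    with the bundle as extra store. AllowUnknownCertificateAuthority lets Build() succeed
#    for a root that is not in the Windows store; the thumbprint lookup then insists that
#    the chain's root really is one of the bundle's certificates. Hostname mismatch fails.
$script:ChainStatus = ''
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $sslPolicyErrors)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $c.ChainPolicy.ExtraStore.AddRange($script:Bundle)
    $c.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $c.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $leaf   = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
    $built  = $c.Build($leaf)
    $root   = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    $pinned = $script:Bundle.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $root.Thumbprint, $false).Count -gt 0
    $nameOk = -not ($sslPolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
    $script:ChainStatus = "chain built=$built; root='$($root.Subject)'; root in bundle=$pinned; name match=$nameOk"
    return ($built -and $pinned -and $nameOk)
}

# 3. TCP connect, TLS handshake, then one test message in RFC 5425 framing:
#    MSG-LEN SP SYSLOG-MSG, where MSG-LEN counts octets of the UTF-8 message, not characters.
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.ReceiveTimeout = 5000; $tcp.SendTimeout = 5000
$tcp.Connect($LogHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    $ssl.AuthenticateAsClient($LogHost)
    "TLS handshake OK: $($ssl.SslProtocol) / $($ssl.CipherAlgorithm)"
    $script:ChainStatus

    $ts    = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    # <14> = facility user (1) * 8 + severity informational (6)
    $msg   = [Text.Encoding]::UTF8.GetBytes("<14>1 $ts $env:COMPUTERNAME tls-check - - - om_ssl pre-flight test")
    $frame = [byte[]]([Text.Encoding]::ASCII.GetBytes("$($msg.Length) ") + $msg)
    $ssl.Write($frame, 0, $frame.Length); $ssl.Flush()
    "Sent $($frame.Length)-byte RFC 5425 frame; look for 'om_ssl pre-flight test' in Papertrail"
}
catch {
    Write-Warning "TLS to ${LogHost}:$Port failed: $($_.Exception.GetBaseException().Message)"
    if ($script:ChainStatus) { Write-Warning $script:ChainStatus }
}
finally {
    $ssl.Dispose(); $tcp.Close()
}
```

If the handshake succeeds and the test frame shows up in Papertrail, the endpoint, port and bundle are fine and the crash belongs to nxlog's om_ssl path (that is the case to take to NXLog with the WER dump). If it fails, the warning tells you which of the three checks (chain built, root in bundle, hostname match) did not hold, which is the same information the nxlog.log lines above cannot give once the process has died.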