We are using NXLog CE's im_msvistalog module to forward Windows Event Logs from the Security log, with some filtering, to an external syslog server. Functionally this works well and does exactly what we need it to.

The problem we are having is that the nxlog.exe process often consumes rather high percentages of a workstation's CPU in bursts: between 25 and 35 percent every few minutes, for around a minute at a time. This is generally too much of a performance hit and I need to find some way to resolve it.

I have already mitigated the size of the event log file that nxlog.exe is querying from by clearing the Security log entirely, so this is happening even on a system with not more than a few dozen log entries to read from. The query itself is fairly simple: it loads all Event ID 4625 entries from the Security log (these are logon failures). It then has a single command to drop any logon failures that were initiated for a computer account instead of a user account (this is done by reading the target account trying to log on, string parsing the account username to see if the final character is a "$", which denotes a computer account, and dropping the log if the "$" is found).

What can I do to mitigate the excessive CPU usage?

What I have tried so far: clearing the Windows event log that nxlog is reading from to reduce the size of the data it needs to read from disk, using UDP syslog forwarding instead of TCP, and removing the parsing that dropped Event Log ID 4625 entries where the target account being logged in was a computer account instead of a user account. None of this has helped.

Edit to add: I did try writing out text logging instead of syslog forwarding. This worked but I am still experiencing the periodic excessive CPU consumption. The problem is likely in the im_msvistalog input module, I would assume.

Asked March 18, 2022 - 6:14pm
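The setup described in the question, sketched as an NXLog configuration: Event ID 4625 selected from the Security channel, computer-account failures dropped, the rest forwarded as UDP syslog. This is an added example, not the poster's actual configuration; the instance names and the destination 192.0.2.10:514 are placeholders.

```apache
# Constructed example. Instance names (eventlog, syslog_out, r) and the
# destination address are placeholders, not values from the thread.
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Ask the Windows Event Log API for logon failures only, so other
    # Security events are never handed to NXLog.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4625)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Drop failures whose target account name ends in "$" (computer account).
    Exec    if $TargetUserName =~ /\$$/ drop();
</Input>

<Output syslog_out>
    Module  om_udp
    Host    192.0.2.10:514
    # Format the record as BSD syslog before sending.
    Exec    to_syslog_bsd();
</Output>

<Route r>
    Path    eventlog => syslog_out
</Route>
```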

Comments (4)

  • Simon777

    Hi,

    I have the exact same issue. We are also using im_msvistalog. We are also forwarding some specific channels to Syslog. Even when the channels are empty and not used, or when we forward to the null output, nxlog consumes a high amount of CPU with the same pattern as described by bp81.

    Simon

  • DR_

    Yeah, others have that problem too. Including me.
    - https://nxlog.co/question/8016/nxlog-ce-302272-high-cpu-usage
    - https://nxlog.co/question/7974/nxlog-ce-3022-memory-leak-211-download

    Only solution for now is to downgrade.
    Nxlog doesn't seem to notice or doesn't seem to care. If you have any other idea how to point them to this issue (except the forum) please do so.

  • b0ti (NXLog)

    > Nxlog doesn't seem to notice or doesn't seem to care.

    We are aware and will be releasing a fix for this problem in the near future.

  • DR_

    > We are aware and will be releasing a fix for this problem in the near future.

    Thank you very much!

    May I suggest further improvements:

    • Place a prominent hint to your gitlab page for reporting issues
    • Keep at least the direct predecessor for download in an archive site

Answers (2)

Hi,

There is a GitLab page where you can report an issue or a bug with NXLog CE: https://gitlab.com/nxlog-public/nxlog-ce

In the meantime, the NXLog team is looking into this issue.

Hello bp81, Simon777 and DR_,

NXLog just released hotfix1 to solve this issue (version 3.0.2284).

Please feel free to implement this new version and confirm the resolution of the issue.

Best regards
