No logs from Windows server - permits in place

[rferebee]

Hello,

I received a list of servers that one of my SysAdmins wanted to me to verify were sending logs to Log Server. I started working through the list and I'm seeing several servers that aren't sending logs to our Log Server. We have the network permits in place and by all accounts everything on the Nagios side of the house is working correctly. Then I stumbled across this article while looking up an error I was seeing in Log Server:

https://nxlog.co/question/656/windows-8 ... -event-log

I made the change suggested on one of my servers and all of a sudden it ingested 15,000+ from the device. I tested on a couple other devices and while unsuccessful I think I may have found a network permit issue that is a separate issue.

My question is, do we need to be using a different version of the nxlog installer to prevent this do we need to update the .CONF file on every server? How can I ensure that all my servers are sending logs and configured properly without having to physically log into all 300+ of them?

Thank you.

[rferebee]

Wanted to post a quick update.

I've tested this fix on about a dozen servers so far and it's definitely correcting the issue.

On a side note, I've only been doing Nagios administration for about 6 months now, one of my colleague pointed out that roughly 300 servers have stopped sending logs to our Log Server cluster. The 'Unique Hosts' counter in the upper left hand corner of the Home screen it typically around 650, currently it's sitting at 368. That's a problem...

What would cause this type of issue to happen all of a sudden? It appears to be purely related to the .CONF file.

[npolovenko]

Hello, @rferebee. One way to verify that your servers are sending logs is by looking at the Unique hosts table. You can access it by clicking on the "Report" link next to the Unique Hosts field on the Home Page. The unique hosts table updates every 24 hours so if hosts are there then the log server recieved logs from them within the last 24 hours. If no logs recieved, Log Server puts them in the Not Sending table.

[rferebee]

Yes, I'm aware of that list. Thank you.

However, there seem to be duplicates. The same servers are showing up in both the Sending and Not Sending table. So, this is not a reliable method for me. Also, if you could see the Not Sending list I have you'd probably cringe. It's over 650 IPs.

Back to my original question. Should we be modifying the .CONF whenever there is a Log Server update? I'm trying to figure out what would cause this problem all of a sudden? Is Nagios aware of the issue described in the URL I linked?

Do you have an suggestions on how I can resolve this as quickly as possible? Right now I have potentially 300+ servers not sending their logs in.

Thank you.

[npolovenko]

@rferebee, Please try upgrading the nxlog agent to the latest version on one of the windows servers that is not sending logs and let us know if it fixes the issue:
https://nxlog.co/products/all/download? ... ct_nid=348

[rferebee]

Can this be installed over the top of the existing nxlog client or should we be uninstalling old and then installing fresh?

[npolovenko]

@rferebee, Looks like you'd need to back up the configuration files, uninstall the old version and install the new version of the nxlog.

[rferebee]

So, I noticed that nxlog is not listed in Add/Remove programs.

Can you recommend the best way to uninstall? If this works, we'd like to script this process so we can deploy using our software deployment suite.

Thank you.

[scottwilkerson]

So, I noticed that nxlog is not listed in Add/Remove programs.

Can you recommend the best way to uninstall? If this works, we'd like to script this process so we can deploy using our software deployment suite.

Thank you.

It should be listed in Add/Remove programs as
NXLOG-CE

[rferebee]

I see it listed on some servers, but not on others. Is there a command line uninstall script you recommend, silent would be preferable?