Hello all,
We have a Windows 2016 server which was successfully sending log files to our Nagios log server since we brought it online a few months ago. A couple of days ago, we noticed that logs were no longer being sent. The nxlog client on the server starts/restarts successfully. However, in the nxlog client file, there is an error message:
"WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources."
and then a more extended message:
"WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Microsoft-Windows-TerminalServices-PnPDevices/Admin Microsoft-Windows-TerminalServices-PnPDevices/Operational Microsoft-Windows-TerminalServices-Printers/Admin Microsoft-Windows-TerminalServices-Printers/Operational Microsoft-Windows-TerminalServices-RDPClient/Operational Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational Microsoft-Windows-TWinUI/Operational Microsoft-Windows-TZSync/Operational Microsoft-Windows-TZUtil/Operational Microsoft-Windows-UAC-FileVirtualization/Operational Microsoft-Windows-UAC/Operational Microsoft-Windows-UniversalTelemetryClient/Ope"
We need terminal services running on this system....
Has anyone experienced this before?
Thanks!
nxlog client fails windows server 2016 max 256 sources
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: nxlog client fails windows server 2016 max 256 sources
I see there was a bug in the CE edition of NXLog that states it was fixed
https://gitlab.com/nxlog-public/nxlog-c ... ngeLog.txt
Code:
Added a workaround for the 256 source limit in the autogenerated QueryXML in im_msvistalog.
You may want to try updating to the latest found here
https://nxlog.co/products/nxlog-communi ... n/download
Re: nxlog client fails windows server 2016 max 256 sources
Hello,
We installed the latest client. This did not fix the issue we are experiencing. We did notice that the error messages did start many weeks ago...around the time we installed the client the first time. However, the client had been sending messages to the syslog server until 11/27. So, now I am not sure if the error regarding the "max 256 sources" points to the actual problem. Can we run nxlog in debug mode? Thanks again for all of your help.
-
scottwilkerson
Re: nxlog client fails windows server 2016 max 256 sources
So this is the latest from nxlog.co link above? (Nagios Log Server has an older version included)
You can add the following to turn on debug mode
Code:
LogLevel DEBUG
https://nxlog.co/docs/nxlog-ce/nxlog-re ... l_loglevel
In researching this I did find the following on their website which had some conflicting information
https://nxlog.co/question/3200/eventlog ... erver-2016
Re: nxlog client fails windows server 2016 max 256 sources
LOL...
OK...sys admin error.
I found the nxlog-reference-manual and started the service in debug mode. I saw the same error regarding the 256 sources, but then I noticed that there was a connection error for the Windows client on port 3515. I always assumed that all clients nix/windows/network-nodes were configured for port 5544. Then....I noticed that most of the Windows clients were having the same issue.
Lesson learned....make sure if you enable the firewalld, that you allow tcp/udp ports 3515. I had to enable port forwarding 514 to 5544 in order to get older rsyslog clients sending logs on standard 514.
My issue of Windows clients not connecting is fixed. Thanks
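The firewalld check from the post above, as an added example that is not part of the original thread: it compares the output of `firewall-cmd --list-ports` on the log server with the listener ports named in the post (3515 and 5544) and prints the commands that would open whatever is missing. The function names and sample outputs are constructed, and the 514 to 5544 forward is assumed to be UDP only.

```shell
#!/bin/sh
# Added example: audit firewalld against the log-ingest ports named in the thread.
REQUIRED="3515/tcp 3515/udp 5544/tcp 5544/udp"
FORWARD="port=514:proto=udp:toport=5544"   # assumption: UDP syslog from old rsyslog clients

# port_open "<--list-ports output>" <port> <proto>
# Succeeds if a single entry (5544/tcp) or a range (3000-6000/tcp) covers the port.
port_open() {
    for entry in $1; do
        range=${entry%/*}; proto=${entry#*/}
        [ "$proto" = "$3" ] || continue
        lo=${range%-*}; hi=${range#*-}
        [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0
    done
    return 1
}

# missing_ports "<--list-ports output>": print each required port that is still closed.
missing_ports() {
    for want in $REQUIRED; do
        port_open "$1" "${want%/*}" "${want#*/}" || printf '%s\n' "$want"
    done
}

# remediation "<--list-ports output>" "<--list-forward-ports output>"
# Prints (does not run) the firewall-cmd calls that close the gaps.
remediation() {
    changed=0
    for p in $(missing_ports "$1"); do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"; changed=1
    done
    case "$2" in
        *"$FORWARD"*) ;;   # forward already present
        *) printf 'firewall-cmd --permanent --add-forward-port=%s\n' "$FORWARD"; changed=1 ;;
    esac
    if [ "$changed" -eq 1 ]; then printf 'firewall-cmd --reload\n'; fi
}

# Constructed sample: a server where only 5544 was opened and no forward exists.
# On a real host pass "$(firewall-cmd --list-ports)" and
# "$(firewall-cmd --list-forward-ports)" instead.
remediation "22/tcp 5544/tcp 5544/udp" ""
```

Because NXLog keeps logging the 256-source warning even when delivery works, checking the listener ports first separates a transport failure from a collection problem.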
-
scottwilkerson
Re: nxlog client fails windows server 2016 max 256 sources
mtarose wrote:
> LOL...
> OK...sys admin error.
> I found the nxlog-reference-manual and started the service in debug mode. I saw the same error regarding the 256 sources, but then I noticed that there was a connection error for the Windows client on port 3515. I always assumed that all clients nix/windows/network-nodes were configured for port 5544. Then....I noticed that most of the Windows clients were having the same issue.
> Lesson learned....make sure if you enable the firewalld, that you allow tcp/udp ports 3515. I had to enable port forwarding 514 to 5544 in order to get older rsyslog clients sending logs on standard 514.
> My issue of Windows clients not connecting is fixed. Thanks
Awesome, glad it was that simple.
Locking thread