We checked the GPO, and can't find anything that changed with the permissions. The nxlog service is running and has established communication with the Nagios server over port 3515.
I enabled debugging for a while and it gave me a bunch of lines, but I can't pinpoint the issue.
Code:
-4576-9e61-2fd025fe16cc, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n10: c60b048b-8071-4532-8398-f15f4c981861, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n11: c837408d-3762-4dea-a4d7-6dba48f6c305, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n12: c99b641f-c4ea-4e63-bec3-5ed2ccd0f357, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n13: da71774d-b2c9-4c42-bb7b-a66365d5abb2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n14: f14c8ee3-560d-441e-aee1-325c2e9ae74a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n"}
{"EventTime":"2015-03-05 22:30:56","Hostname":"I119065emci9030.emcdsm.com","Keywords":36028797018963968,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":902,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":42580,"ProcessID":0,"ThreadID":0,"Channel":"Application","EventReceivedTime":"2015-03-05 22:30:56","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Software Protection service has started.\r\n6.1.7601.17514"}
{"EventTime":"2015-03-05 22:30:55","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12544,"OpcodeValue":0,"RecordNumber":13396,"ProcessID":508,"ThreadID":560,"Channel":"Security","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"I119065EMCI9030$","SubjectDomainName":"EMCDSM","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-18","TargetUserName":"SYSTEM","TargetDomainName":"NT AUTHORITY","TargetLogonId":"0x3e7","LogonType":"5","LogonProcessName":"Advapi ","AuthenticationPackageName":"Negotiate","LogonGuid":"{00000000-0000-0000-0000-000000000000}","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessName":"C:\\Windows\\System32\\services.exe","IpAddress":"-","IpPort":"-","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tI119065EMCI9030$\r\n\tAccount Domain:\t\tEMCDSM\r\n\tLogon ID:\t\t0x3e7\r\n\r\nLogon Type:\t\t\t5\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3e7\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1ec\r\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. 
It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."}
{"EventTime":"2015-03-05 22:30:55","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4672,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12548,"OpcodeValue":0,"RecordNumber":13397,"ProcessID":508,"ThreadID":560,"Channel":"Security","Category":"Special Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","PrivilegeList":"SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3e7\r\n\r\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege"}
{"EventTime":"2015-03-05 22:30:55","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64340,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Software Protection","param2":"running","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Software Protection service entered the running state."}
{"EventTime":"2015-03-05 22:30:56","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64341,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Windows Modules Installer","param2":"running","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Windows Modules Installer service entered the running state."}
{"EventTime":"2015-03-05 22:30:58","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1015,"SourceName":"Microsoft-Windows-DNS-Client","ProviderGuid":"{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":6677,"ProcessID":976,"ThreadID":988,"Channel":"Microsoft-Windows-DNS-Client/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"NETWORK SERVICE","AccountType":"Well Known Group","Opcode":"Info","QueryName":"www.msftncsi.com","AddressLength":"16","Address":"020000350A1B0A5F0000000000000000","EventReceivedTime":"2015-03-05 22:31:00","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"Name resolution for the name http://www.msftncsi.com timed out after the DNS server 10.27.10.95:53 did not respond."}
{"EventTime":"2015-03-05 22:30:58","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9223372036854775808,"EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1013,"SourceName":"Microsoft-Windows-DNS-Client","ProviderGuid":"{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":6678,"ProcessID":976,"ThreadID":988,"Channel":"Microsoft-Windows-DNS-Client/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"NETWORK SERVICE","AccountType":"Well Known Group","Opcode":"Info","QueryName":"www.msftncsi.com","AddressLength":"16","Address":"020000350A1B0A5F0000000000000000","EventReceivedTime":"2015-03-05 22:31:00","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"Name resolution for the name http://www.msftncsi.com timed out after none of the configured DNS servers responded."}
{"EventTime":"2015-03-05 22:31:10","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64342,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Application Management","param2":"running","EventReceivedTime":"2015-03-05 22:31:11","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Application Management service entered the running state."}
{"EventTime":"2015-03-05 22:31:40","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64343,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Application Information","param2":"running","EventReceivedTime":"2015-03-05 22:31:41","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Application Information service entered the running state."}