Hi:
I am struggling to get terminal server events into Log Server because it seems NXLog isn't parsing the messages as expected. It appears anything with an IPv6 address in the message body is throwing an error. Here is an example:
{"EventTime":"2018-08-14 14:40:30","Hostname":"server.domain.ca","Keywords":1152921504606846976,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":21,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":43149,"ActivityID":"{F420F181-1449-4944-B6A9-3CF4D9FA0000}","ProcessID":908,"ThreadID":1688,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","ERROR_EVT_UNRESOLVED":true,"Opcode":"Info","EventReceivedTime":"2018-08-14 14:40:31","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":null}
I have attached the corresponding event. If the Source IP is V4 it works fine but any event with the IPv6 containing the percent sign doesn't work. I have tried adding replace statements in the NXLog config to no avail. Any help would be appreciated!
NXLog Issue?
Re: NXLog Issue?
What version of nxlog are you using? This sounds like an issue with nxlog and it may be fixed in newer versions: https://nxlog.co/products/nxlog-communi ... n/download
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: NXLog Issue?
cdienger wrote: What version of nxlog are you using? This sounds like an issue with nxlog and it may be fixed in newer versions: https://nxlog.co/products/nxlog-communi ... n/download

That was my thought as well so I updated to the latest and I am still seeing the issue. Can you recommend an alternative to nxlog?
Re: NXLog Issue?
I don't have direct experience with much else, but I know some people use syslog agents on their Windows machines.
Re: NXLog Issue?
I'm almost certain there are some clever things you could do with im_exec to work around this particular problem, but that's getting pretty into the weeds with nxlog. Something to the effect of "if using im_msvistalog, and ERROR_EVT_UNRESOLVED=true, run powershell to find the eventlog record by EventReceivedTime, EventID, ProcessID, and ThreadID, then overwrite the original event". I'm pretty sure this is strictly a bug in nxlog; I cannot find anything on the MSDN that says you shouldn't put % signs in your EventLog records.
syslog-ng is a very viable alternative for Windows if you're comfortable building your own binaries.
Former Nagios employee
https://www.mcapra.com/
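One way to build the im_exec-style repair sketched above, as an added example that is not part of this thread and not NXLog's own tooling: a PowerShell filter that reads one NXLog JSON line (the format of the sample event in the first post), and when ERROR_EVT_UNRESOLVED is set re-reads the record with Get-WinEvent, first by RecordNumber and then by the EventID/ProcessID/ThreadID/EventReceivedTime keys named in the post, and emits the line with the message filled in. It assumes it runs on the host that wrote the event, under an account permitted to read that channel; the script name in the usage comment is made up.

```powershell
# Added example, not from the thread or from NXLog. Fills in the message of events that
# im_msvistalog left unresolved (ERROR_EVT_UNRESOLVED = true, message = null).
# Usage (constructed): Get-Content nxlog-out.json | .\Resolve-NxlogEvent.ps1
param(
    [Parameter(ValueFromPipeline = $true, Mandatory = $true)]
    [string]$JsonLine
)

process {
    $ev = $JsonLine | ConvertFrom-Json

    # Pass events that NXLog rendered correctly through untouched.
    if (-not $ev.ERROR_EVT_UNRESOLVED) { return $JsonLine }

    # Primary key: EventRecordID inside the channel (NXLog calls it RecordNumber).
    $xpath = "*[System[EventRecordID=$($ev.RecordNumber)]]"
    $rec = Get-WinEvent -LogName $ev.Channel -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue

    # Fallback, as the post suggests: same EventID, ProcessID and ThreadID within a few
    # seconds of EventReceivedTime. Bounded by -MaxEvents so a busy channel is not scanned whole.
    if (-not $rec) {
        $t = [datetime]::ParseExact($ev.EventReceivedTime, 'yyyy-MM-dd HH:mm:ss', $null)
        $rec = Get-WinEvent -LogName $ev.Channel -MaxEvents 5000 -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Id -eq $ev.EventID -and
                $_.ProcessId -eq $ev.ProcessID -and
                $_.ThreadId -eq $ev.ThreadID -and
                [math]::Abs(($_.TimeCreated - $t).TotalSeconds) -le 5
            } | Select-Object -First 1
    }

    # Still nothing: keep the original line so the event is not silently dropped.
    if (-not $rec) { return $JsonLine }

    # Get-WinEvent formats the message through the Windows event API, so a value such as an
    # IPv6 address with a zone id (fe80::1%3, constructed) arrives intact.
    $ev.message = $rec.Message
    $ev.ERROR_EVT_UNRESOLVED = $false
    $ev | ConvertTo-Json -Compress
}
```

Feed the output to the rest of the NXLog pipeline (or straight to Log Server) in place of the unresolved lines; lines the script cannot resolve are emitted unchanged, so they remain visible as failures rather than vanishing.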
Re: NXLog Issue?
Thanks for the input, @mcapra!