NXLog Issue?

Posted: Tue Aug 14, 2018 2:00 pm
by CameronWP
Hi:

I am struggling to get terminal server events into Log Server because it seems NXLog isn't parsing the messages as expected. It appears anything with an IPv6 address in the message body is throwing an error. Here is an example:

{"EventTime":"2018-08-14 14:40:30","Hostname":"server.domain.ca","Keywords":1152921504606846976,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":21,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":43149,"ActivityID":"{F420F181-1449-4944-B6A9-3CF4D9FA0000}","ProcessID":908,"ThreadID":1688,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","ERROR_EVT_UNRESOLVED":true,"Opcode":"Info","EventReceivedTime":"2018-08-14 14:40:31","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":null}

I have attached the corresponding event. If the Source IP is V4 it works fine but any event with the IPv6 containing the percent sign doesn't work. I have tried adding replace statements in the NXLog config to no avail. Any help would be appreciated!

Re: NXLog Issue?

Posted: Tue Aug 14, 2018 4:16 pm
by cdienger
What version of nxlog are you using? This sounds like an issue with nxlog and it may be fixed in newer versions: https://nxlog.co/products/nxlog-communi ... n/download

Re: NXLog Issue?

Posted: Tue Aug 14, 2018 4:56 pm
by CameronWP
cdienger wrote:What version of nxlog are you using? This sounds like an issue with nxlog and it may be fixed in newer versions: https://nxlog.co/products/nxlog-communi ... n/download
That was my thought as well so I updated to the latest and I am still seeing the issue. Can you recommend an alternative to nxlog?

Re: NXLog Issue?

Posted: Wed Aug 15, 2018 9:43 am
by cdienger
I don't have direct experience with much else, but I know some people use syslog agents on their Windows machines.

Re: NXLog Issue?

Posted: Thu Aug 16, 2018 8:55 am
by mcapra
I'm almost certain there are some clever things you could do with im_exec to work around this particular problem, but that's getting pretty into the weeds with nxlog. Something to the effect of "if using im_msvistalog, and ERROR_EVT_UNRESOLVED=true, run powershell to find the eventlog record by EventReceivedTime, EventID, ProcessID, and ThreadID, then overwrite the original event". I'm pretty sure this is strictly a bug in nxlog; I cannot find anything on MSDN that says you shouldn't put % signs in your EventLog records.

syslog-ng is a very viable alternative for Windows if you're comfortable building your own binaries.
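The record lookup mcapra sketches, written out as an added PowerShell example (not code from the thread or from NXLog). It takes the key fields from the JSON record CameronWP posted (RecordNumber, EventID, ProcessID, ThreadID, EventTime) and reads the structured UserData instead of the rendered message; the assumption that event 21 carries User/SessionID/Address under UserData/EventXML is mine.

```powershell
# Added example: recover a TerminalServices event that NXLog emitted with
# ERROR_EVT_UNRESOLVED=true and message=null, using the fields that did
# survive in the JSON record. Values below come from the posted record.
$Channel      = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$RecordNumber = 43149          # NXLog RecordNumber == Windows EventRecordID
$EventId      = 21
$ProcessId    = 908
$ThreadId     = 1688
$EventTime    = [datetime]'2018-08-14 14:40:30'   # local time, as NXLog reported it

if ($RecordNumber) {
    # The record id is an exact key; prefer it when NXLog kept it.
    $XPath = "*[System[EventRecordID=$RecordNumber]]"
} else {
    # Fallback: the composite key from the thread. Event XPath compares
    # @SystemTime as UTC ISO 8601, so convert and widen by a few seconds.
    $Start = $EventTime.AddSeconds(-5).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $End   = $EventTime.AddSeconds(5).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $XPath = "*[System[(EventID=$EventId) and Execution[@ProcessID=$ProcessId and @ThreadID=$ThreadId]" +
             " and TimeCreated[@SystemTime>='$Start' and @SystemTime<='$End']]]"
}

$events = Get-WinEvent -LogName $Channel -FilterXPath $XPath -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No event matched $XPath in $Channel"
    return
}

foreach ($ev in $events) {
    # Parse the event XML rather than $ev.Message: the structured fields do not
    # depend on message-template rendering, so a '%' in an IPv6 zone index
    # (e.g. fe80::1%12, constructed value) cannot break this path.
    # Assumption: event 21 exposes User/SessionID/Address under UserData/EventXML.
    $x = [xml]$ev.ToXml()
    $d = $x.Event.UserData.EventXML
    [pscustomobject]@{
        RecordId    = $ev.RecordId
        TimeCreated = $ev.TimeCreated
        EventId     = $ev.Id
        User        = $d.User
        SessionId   = $d.SessionID
        Address     = $d.Address
    }
}
```

Run it on the terminal server itself (or with -ComputerName added to Get-WinEvent) to confirm the session-logon event still exists locally before deciding how to backfill the gap in Log Server.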

Re: NXLog Issue?

Posted: Thu Aug 16, 2018 1:50 pm
by cdienger
Thanks for the input, @mcapra!