Nagios Support Forum

Hello all,

we have a windows 2016 server which was successfully sending log files to our nagios log server since we brought it online a few months ago. A couple days ago, we noticed that logs were no longer being sent. the nxlog client on the server starts/restarts successfully. however, in the nxlog client file, there is a error message:
"WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources."

and then a more extended message:
"WARNING The following sources are omitted to avoid exceeding the limit in the generated query: Microsoft-Windows-TerminalServices-PnPDevices/Admin Microsoft-Windows-TerminalServices-PnPDevices/Operational Microsoft-Windows-TerminalServices-Printers/Admin Microsoft-Windows-TerminalServices-Printers/Operational Microsoft-Windows-TerminalServices-RDPClient/Operational Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational Microsoft-Windows-TWinUI/Operational Microsoft-Windows-TZSync/Operational Microsoft-Windows-TZUtil/Operational Microsoft-Windows-UAC-FileVirtualization/Operational Microsoft-Windows-UAC/Operational Microsoft-Windows-UniversalTelemetryClient/Ope"

we need terminal services running on this system....
has anyone experienced this before?
thanks!

I see there was a bug in the CE edition of NXLog that states it was fixed https://gitlab.com/nxlog-public/nxlog-c ... ngeLog.txt

You may want to try updating to the latest found here
https://nxlog.co/products/nxlog-communi ... n/download

Hello,

we installed the latest client. This did not fix the issue we are experiencing. We did notice that the error messages did start many weeks ago...around the time we installed the client the first time. However, the client has been sending messages to the syslog server until a 11/27. So, now I am not sure if the error regarding the "max 256 sources" points to the actual problem. can we run nxlog in debug mode? thanks again for all of your help.

So this is the latest from nxlog.co link above? (Nagios Log Server has an older version included)

You can add the following to turn on debug mode https://nxlog.co/docs/nxlog-ce/nxlog-re ... l_loglevel


In researching this I did find the following on their website which had some conflicting information
https://nxlog.co/question/3200/eventlog ... erver-2016

LOL...
ok...sys admin error.
I found the nxlog-reference-manual and started the service in debug mode. I saw the same error regarding the 256 sources. but then I noticed that there was an connection error for the windows client on port 3515. I always assumed that all clients nix/windows/network-nodes were configured for port 5544. then....I noticed that most of the windows clients were having the same issue.

Lesson learned....make sure if you enable the firewalld, that you allow tcp/udp ports 3515. I had to do enable port forwarding 514 to 5544 in order to get older rsyslog clients sending logs on standard 514.

my issue of windows clients not connecting is fixed. thanks

mtarose wrote:LOL...
ok...sys admin error.
I found the nxlog-reference-manual and started the service in debug mode. I saw the same error regarding the 256 sources. but then I noticed that there was an connection error for the windows client on port 3515. I always assumed that all clients nix/windows/network-nodes were configured for port 5544. then....I noticed that most of the windows clients were having the same issue.

Lesson learned....make sure if you enable the firewalld, that you allow tcp/udp ports 3515. I had to do enable port forwarding 514 to 5544 in order to get older rsyslog clients sending logs on standard 514.

my issue of windows clients not connecting is fixed. thanks

Awesome, glad it was that simple.

Locking thread