OK
So I changed the Host from a "servername" to a "fully qualified domain name" in the nxlog conf file.
This reduced and/or eliminated the extra Windows events coming from the nxlog.exe.
[attached screenshot: Capture-host.PNG]
BEFORE
<Output out>
    Module  om_tcp
    Host    hnapxlamslog01
    Port    3515
    Exec    $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec    $raw_event = to_json();
    # Uncomment for debug output
    # Exec  file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
AFTER
<Output out>
    Module  om_tcp
    Host    hnapxlamslog01.corp.com
    Port    3515
    Exec    $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec    $raw_event = to_json();
    # Uncomment for debug output
    # Exec  file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
Packets creating extra Windows events:
The Windows Filtering Platform has permitted a connection.

Application Information:
    Process ID:         1932
    Application Name:   \device\harddiskvolume2\program files (x86)\nxlog\nxlog.exe

Network Information:
    Direction:              Outbound
    Source Address:         17X.108.7X0.5
    Source Port:            59557
    Destination Address:    17X.1X8.X74.80
    Destination Port:       3515
    Protocol:               6

Filter Information:
    Filter Run-Time ID:     69447
    Layer Name:             Connect
    Layer Run-Time ID:      48
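The event above is the feedback loop the post is working around: every outbound connection the agent opens to the collector is itself audited by the Windows Filtering Platform and then shipped by that same agent. The Python below is an added example, not code from the post or from the nxlog project. It parses the "Name: value" body of such an event, flags events where the agent (nxlog.exe, as on the page) is the one connecting to the collector port (3515, as on the page), and counts how many distinct connections a batch of events represents, which is the number a practitioner would compare before and after the Host change. The sample events are constructed: the first copies the event from the post, the second is a made-up reconnect from the same agent on a new source port, the third is made-up unrelated traffic.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events. SAMPLE_EVENTS[0] reproduces the event text from
# the post; [1] is a constructed reconnect by the same agent (new source port);
# [2] is constructed, unrelated outbound traffic from another process.
SAMPLE_EVENTS: List[str] = [
    r"""The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1932
Application Name: \device\harddiskvolume2\program files (x86)\nxlog\nxlog.exe
Network Information:
Direction: Outbound
Source Address: 17X.108.7X0.5
Source Port: 59557
Destination Address: 17X.1X8.X74.80
Destination Port: 3515
Protocol: 6
Filter Information:
Filter Run-Time ID: 69447
Layer Name: Connect
Layer Run-Time ID: 48""",
    r"""The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1932
Application Name: \device\harddiskvolume2\program files (x86)\nxlog\nxlog.exe
Network Information:
Direction: Outbound
Source Address: 17X.108.7X0.5
Source Port: 59612
Destination Address: 17X.1X8.X74.80
Destination Port: 3515
Protocol: 6
Filter Information:
Filter Run-Time ID: 69447
Layer Name: Connect
Layer Run-Time ID: 48""",
    r"""The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4100
Application Name: \device\harddiskvolume2\program files\browser\browser.exe
Network Information:
Direction: Outbound
Source Address: 17X.108.7X0.5
Source Port: 60021
Destination Address: 203.0.113.10
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 69447
Layer Name: Connect
Layer Run-Time ID: 48""",
]

# One "Name: value" line; section headers like "Network Information:" have no
# value after the colon and therefore do not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(\S.*)$")


def parse_wfp_event(text: str) -> Dict[str, str]:
    """Turn the multi-line body of a WFP 'permitted a connection' audit event
    into a dict keyed by snake_case field name (e.g. 'destination_port')."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).strip().lower().replace(" ", "_").replace("-", "_")
            fields[key] = m.group(2).strip()
    return fields


def is_agent_self_traffic(fields: Dict[str, str], agent_exe: str = "nxlog.exe",
                          collector_port: str = "3515") -> bool:
    """True when the permitted connection is the log agent itself reaching the
    collector: the self-generated noise the post describes. agent_exe and
    collector_port default to the values shown on the page (assumption: the
    collector listens only on that port)."""
    app = fields.get("application_name", "").lower()
    return (fields.get("direction") == "Outbound"
            and app.endswith("\\" + agent_exe.lower())
            and fields.get("destination_port") == collector_port)


def count_agent_connections(events: Iterable[str], **kw) -> int:
    """Count distinct agent-to-collector TCP connections in a batch of events.
    Each new source port is a fresh connection, so a high count over a short
    window means the agent is reconnecting rather than holding one session;
    this is the figure to compare before and after a config change."""
    seen = set()
    for text in events:
        f = parse_wfp_event(text)
        if is_agent_self_traffic(f, **kw):
            seen.add((f.get("source_address"), f.get("source_port")))
    return len(seen)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = parse_wfp_event(ev)
        print(f["application_name"], f["source_port"], is_agent_self_traffic(f))
    print("agent connections:", count_agent_connections(SAMPLE_EVENTS))
```

The same condition could be expressed as a drop() rule in the agent's own Exec block so the noise is never shipped, but dropping those events also removes the only record of how often the agent reconnects; counting them at the collector, as above, keeps that signal while still letting you exclude them from alerting.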