1. Describe your incident:
I want to add a new sidecar for Windows, to log event related to scheduled task.
When I add the tag related to the sidecar, restart the sidecar service on target machine, the new config is added and Graylog show the message error:
2. Describe your environment:
OS & Package Information:
- Rocky Linux 9
- docker compose 2.18.1
- Graylog 5.1.2
- traefik 2.10.1
- mongodb 6.0.6
- elasticsearch 7.10.2
- Windows Server DHCP
- nxlog latest
- sidecar latest
3. What steps have you already taken to try and solve the problem?
Enabling the tag and disabling it to confirm it is the one that is causing the error.
It does the same issue on my windows server.
-
I already have 12 working sidecars for my windows computer and 16 on my windows server, only this one failing (windows-tasks-sidecar)
-
List of the sidecars enabled on my computer:
-
Windows Task sidecar conf:
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
##### EXTENSION SECTION ########
<Extension logrotate>
Module xm_fileop
<Schedule>
When @daily
Exec file_cycle('%ROOT%\data\nxlog.log', 7);
</Schedule>
</Extension>
<Extension gelfExt>
Module xm_gelf
# Avoid truncation of the short_message field to 64 characters.
ShortMessageLength 65536
</Extension>
<Extension json>
Module xm_json
</Extension>
##### INPUT SECTION ########
<Input windows_task>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or EventID=129 or EventID=141 or EventID=142 or EventID=200 or EventID=201)]]</Select>
</Query>
<Query Id="1" Path="Security">
<!-- 4698: A scheduled task was created -->
<!-- 4699: A scheduled task was deleted -->
<!-- 4700: A scheduled task was enabled -->
<!-- 4701: A scheduled task was disabled -->
<!-- 4702: A scheduled task was updated -->
<Select Path="Security">*[System[(EventID >=4698 and EventID <=4702)]]</Select>
</Query>
<QueryList>
<QueryXML>
Exec to_json();
</Input>
##### OUTPUT SECTION ########
<Output gelf>
Module om_tcp
Host graylog.company.lan
Port 12202
OutputType GELF_TCP
<Exec>
# These fields are needed for Graylog
$gl2_source_collector = '${sidecar.nodeId}';
$collector_node_id = '${sidecar.nodeName}';
</Exec>
</Output>
##### REDIRECT SECTION ########
# Tells to logged file to be redirected to GELF TCP input
#redirect some_name to output tcp
<Route route-1>
Path windows_task => gelf
</Route>
4. How can the community help?
I’m using the same template for all the windows sidecars, what is changing is only the input and the route output.
The windows task sidecar is the only one failing and the nxlog log detail (DEBUG) does not help me to understand what is happening.
