Issues creating a buffer with nxlog

Hello All,
I'm using nxlog on my Windows Server 2022 to send security event logs to my graylog instance, which works totally fine itself with this nxlog config:

I wanted to configure a buffer in this config, so logs are still available if graylog should be unreachable.
I tried this config:

Sadly this didn't work (I know there is a different IP in this config, I'm aware; it was just to test if it even creates the buffer logfile locally) and I get the following errors:

I did my research but didn't find anything helping in my regard.
Is it better to use the “om_file” module or do I need to create another output for the buffer?

@jxnnis, full disclosure - it was a ChatGPT suggestion :expressionless_face:

<Output buffered_file>
    Module      om_file
    File        "C:/ProgramData/nxlog/buffered.log"
    FlushInterval 10
    BufferSize  10M
    Exec        to_syslog_snare();
</Output>

<Output out>
   XXXX
</Output>

<Route buffer_route>
    Path        file_input => buffered_file => out
</Route>

@Wine_Merchant
I now know why it didn’t work for me: BufferSize, or the Buffer module in general, is an Enterprise-only feature, while I'm using the community edition.

And since the older MaxSize parameter doesn't exist anymore for om_file, I'm not able to limit the file's size.

If you are sending Windows events you don't really need a buffer; it keeps track of which events were sent, so the Windows event log is the buffer.

Also, don't send over syslog; send output over GELF to a Graylog GELF input and then you won't need to parse the message, because it will be sent as structured data.

@Joel_Duffield Thanks for the information. I thought I needed buffering, because when I restarted my graylog server yesterday I had a buffer where no logs were sent for about 10 mins.

GELF could be on any port.

That could be a few things. It could actually be the syslog output just sending things blindly and not checking to make sure they are delivered; I've never seen that issue with the GELF output over TCP.


This would be my GELF config. Question is, do I need the Exec to_gelf();
I'm getting an error from that line after all.

This is my newest config file, which works perfectly. Thanks for the help.

NXLog has a whole page about it as well: "Send logs to Graylog | NXLog Documentation".
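The setup recommended in this thread (Windows Security events read with a saved position and sent to a Graylog GELF TCP input instead of syslog), written out as an added example; it is not any poster's configuration. The host name `graylog.example.internal`, port 12201 and the instance names are placeholders, and it assumes the `xm_gelf` extension with its `GELF_TCP` output type.

```conf
# Added example config, not from the thread. Host, port and instance
# names are placeholders to be replaced with your own values.

# Provides the GELF_TCP / GELF_UDP output types
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input security_events>
    Module       im_msvistalog
    # Persist the last-read event record position so reading resumes
    # from there after nxlog restarts
    SavePos      TRUE
    # With no saved position (first start), begin at the end of the log
    # instead of replaying every existing event
    ReadFromLast TRUE
    # Collect only the Security channel
    Query        <QueryList><Query Id="0"><Select Path="Security">*</Select></Query></QueryList>
</Input>

<Output graylog_gelf>
    Module      om_tcp
    # Placeholder address of the Graylog GELF TCP input
    Host        graylog.example.internal
    # Must match the port configured on the Graylog input
    Port        12201
    # Serialize each event's fields as a GELF message (structured data),
    # so no syslog parsing is needed on the Graylog side
    OutputType  GELF_TCP
</Output>

<Route security_to_graylog>
    Path        security_events => graylog_gelf
</Route>
```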
