Issues creating a buffer for with nxlog

jxnnis · March 26, 2025, 8:48am

Hello All,
Im using nxlog on my Windows Server 2022 to send security event logs to my graylog instance, which works totally fine itself with this nxlog config:

I wanted to configure a buffer i thos config, so logs are still available if graylog should be unreachable.
I tried this config:

Sadly this didnt work (i know there is a diffierent IP in this config, im aware it was just to test if it even creates the buffer logfile locally) and I get following errors:

I did my research but didnt find anything helping in my regard.
Is it better to use the “om_file” module or do i need to create another output for the buffer?

Wine_Merchant · March 26, 2025, 10:06am

@jxnnis, full disclosure - it was a chatGPT suggestion

<Output buffered_file>
    Module      om_file
    File        "C:/ProgramData/nxlog/buffered.log"
    FlushInterval 10
    BufferSize  10M
    Exec        to_syslog_snare();
</Output>

<Output out>
   XXXX
</Output>

<Route buffer_route>
    Path        file_input => buffered_file => out
</Route>

jxnnis · March 26, 2025, 10:29am

@Wine_Merchant
I now know why it didn’t work for me, BufferSize or the Buffer Module in general is a Enterprise only feature, while im using the community edition.

And since the older MaxSize Parameter doesnt exist anymore for om_file, im not able to limit the files Size

Joel_Duffield · March 26, 2025, 11:09am

If you are sending windows events you dont reallg need a buffer, it keeps track of which events were sent so the windows event log is the buffer.

Also dont send over syslog, send output over GELF to a graylog GELF input and then you wont need to parse the message because it will be sent as structured data.

jxnnis · March 26, 2025, 11:58am

@Joel_Duffield Thanks for the information, i thought i needed buffering, because when i restarted my graylog server yesterday i had a buffer where no logs where sent about 10mins.

Joel_Duffield · March 26, 2025, 12:27pm

Gelf could be on any port.

That could be a few things, it could actually be the syslog output just sending things blindly and not checking to make sure they are delivered, ive never seen that issue with the gelf output over tcp.

jxnnis · March 26, 2025, 12:43pm

This would be my GELF Config, question is do i need the Exec to_gelf();
Im getting and error from that line after all

jxnnis · March 26, 2025, 1:12pm

This is my Newest Config file, which works perfectly, Thanks for the Help

Joel_Duffield · March 26, 2025, 1:22pm

NXLog has a whole page about it as well Send logs to Graylog | NXLog Documentation

system · April 9, 2025, 1:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
61 / 5000 Resultados de traducción I need help sending IIS events to graylog with NXLog Graylog Central (peer support) sidecar , nxlog , nodatanx , send-csv-logsnx	2	712	August 17, 2021
NxLog Help - Logs Not Fully Ingesting Graylog Central (peer support) nxlog	4	411	July 14, 2023
Windows Server NXLog - Graylog Graylog Central (peer support) sidecar , nxlog , nodatanx	3	9150	August 2, 2018
Issue receive data from NXlog on TCP Graylog Central (peer support) sidecar , nxlog , winlogbeat , nodatanx	3	3940	May 3, 2018
NXLog to Gray Log Graylog Central (peer support) sidecar , nxlog , nodatanx	6	1232	February 4, 2020

Issues creating a buffer for with nxlog

Related topics