Some NXLog Messages dont seem to make it into Graylog


(Johannes) #1

Hi guys,

I setup a graylog instance on debian in order to collect our windows clients event-logs.
I setup nxlog on my clients using a very basic config (no query at first). Input on graylog is very basic GELF UDP.
While everything seemed to work fine with the default candidates (eventlogs seen in eventviewer on the windows client were probably popping up on the graylog instance) I stumbled about a curious case involving the windows defender Eventlogs.
I am only seeing certain types of messages/eventIDs appear on graylog while other messages (of course the ones about more important EventIDs) from the same source/client dont seem to make it into the logserver.

I stared searching on the windows setup and got so far to see the UDP packages with the messages on the network - so that seems ok really.
I already tried to use TCP instead, but that doesn’t change the behavior either.

How can I figure out if/what of these is received on the graylog server and/or why these are not recorded/recevied?

Any help would be appreciated.
thanks in advance


(Johannes) #2

I figured it out myself - at least I think I know where the messages get lost.

I am seeing indexer failures about the indexer hitting the total-fields-limit recently and the missing messages seem to be the ones causing the troubles.

{“type”:“illegal_argument_exception”,“reason”:“Limit of total fields [1000] in index [graylog_0] has been exceeded”}

so currently I’m trying to figure out why these messages run into that limitation (they are all coming form the same nxlog config) while others are being processed just fine.


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.