OS: Windows Server 2008 R2 with Nxlog Enterprise Edition 4.0.3550 (64-bit)

When I start nxlog it uses 100% CPU. I set the log level to DEBUG, but I cannot find anything meaningful in it. Below is my nxlog configuration; logs are sent to the SIEM server at 192.168.0.100.
```
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %LOGFILE%
LogLevel DEBUG

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _json>
    Module xm_json
</Extension>

### Define our inputs ###
<Input winlog>
    Module ReadFromLast TRUE
    ResolveSID TRUE
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output winout>
    Module om_tcp
    Host 192.168.0.100
    Port 514
    Exec to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path winlog => winout
</Route>

include %CONFDIR%\extra.conf
```
The debug log looks like this pastebin paste: pastebin.com
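The `Exec` line in the output block above runs `to_json()` (which rewrites `$raw_event` as a JSON object of all event fields), copies that JSON into `$Message`, and then wraps it with `to_syslog_bsd()`, so what reaches TCP port 514 on the SIEM is a BSD syslog line whose message part is JSON. The following parser is an added example of how a receiver can unpack those lines; it is not part of the original post or of NXLog. It assumes the BSD layout `<PRI>Mon DD HH:MM:SS hostname tag[pid]: message` (tag taken from the event's `SourceName`, pid optional), and the sample lines are constructed, not captured from the poster's server.

```python
import json
import re
from typing import Optional

# Assumed framing produced by to_syslog_bsd(): "<PRI>Mon DD HH:MM:SS host tag[pid]: msg".
# The tag group is optional and must not start with "{" so a bare JSON message is
# never mistaken for a tag.
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^:\[\s{]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)

# Constructed sample lines in the shape the winout block would emit.
SAMPLE_LINES = [
    '<14>Jan  3 10:22:01 WIN2008R2 Microsoft-Windows-Security-Auditing[616]: '
    '{"EventTime":"2020-01-03 10:22:01","Hostname":"WIN2008R2","Channel":"Security",'
    '"EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing",'
    '"Message":"An account was successfully logged on."}',
    '<11>Jan  3 10:22:05 WIN2008R2 Microsoft-Windows-WinLogon: '
    '{"EventTime":"2020-01-03 10:22:05","Hostname":"WIN2008R2","Channel":"System",'
    '"EventID":7036,"Message":"The Print Spooler service entered the stopped state."}',
    '<14>Jan  3 10:22:09 WIN2008R2 nxlog: this line is not JSON',
    'garbage without any syslog header',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one BSD syslog line into header fields and the decoded JSON event.

    Returns None when the syslog header is absent or the PRI value is invalid.
    A syntactically valid line whose message is not JSON (e.g. truncated by an
    intermediate relay) is kept with event=None and the raw message preserved.
    """
    m = BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 * 8 + severity 0-7 caps PRI at 191
        return None
    rec = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
        "event": None,
    }
    try:
        payload = json.loads(rec["message"])
    except ValueError:
        return rec
    if isinstance(payload, dict):
        rec["event"] = payload
    return rec


def summarize(lines) -> dict:
    """Count received lines per Windows event channel, plus the two failure classes."""
    counts: dict = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            key = "unparsed"
        elif rec["event"] is None:
            key = "non_json"
        else:
            key = rec["event"].get("Channel", "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print(summarize(SAMPLE_LINES))
```

Because the JSON travels inside the syslog message field, the receiver has to strip the header before handing the payload to a JSON parser; any relay that truncates long messages (Security events with `ResolveSID TRUE` can be several kilobytes) will leave broken JSON behind, which is why the parser keeps such lines as `non_json` rather than silently dropping them.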
This was fixed in nxlog-4.0.3689.