
Operating system: Windows Server 2008 R2 with Nxlog Enterprise 4.0.3550 (64-bit)

When I start nxlog it uses 100% CPU. I set the log level to debug, but I cannot find anything meaningful in the output. Below is my nxlog configuration; the logs are sent to the SIEM server 192.168.0.100.

define ROOT C:\Program Files\nxlog

define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %LOGFILE%
LogLevel DEBUG

<Extension _syslog>
    Module      xm_syslog
</Extension>


<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

### Define our inputs ###

<Input winlog>
    Module       im_msvistalog
    ReadFromLast TRUE
    ResolveSID  TRUE
    <QueryXML>
       <QueryList>
         <Query Id='1'>
            <Select Path='Application'>*</Select>
            <Select Path='Security'>*</Select>
            <Select Path='System'>*</Select>
         </Query>
       </QueryList>
    </QueryXML>
</Input>

<Output winout>
    Module     om_tcp
    Host       192.168.0.100
    Port       514
    Exec       to_json(); $Message = $raw_event; to_syslog_bsd();
</Output>

<Route 1>
    Path        winlog => winout
</Route>
include %CONFDIR%\extra.conf

The debug log looks like this pastebin link: pastebin.com

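The `Exec` chain in the `winout` output above turns each Windows event into JSON, places that JSON in `$Message`, and wraps it in a BSD syslog header before sending it to the SIEM. As an added example (not part of the original question or of NXLog itself), here is a small receiver-side parser that splits such a line back into its syslog header and JSON body, which is useful when checking on the SIEM side what the configuration actually delivers. The sample line is constructed, and the exact header layout (`<PRI>timestamp host tag[pid]: message`) is an assumption about NXLog's BSD output.

```python
import json
import re

# Constructed sample: one line as the winout om_tcp output would emit it
# (to_json() JSON stored in $Message, then wrapped by to_syslog_bsd()).
# The header layout is an assumption about NXLog's BSD syslog format.
SAMPLE_LINE = (
    '<14>Jun 21 12:29:53 WIN2008R2 Microsoft-Windows-Security-Auditing[4]: '
    '{"EventTime":"2018-06-21 12:29:53","Hostname":"WIN2008R2",'
    '"Channel":"Security","EventID":4624,'
    '"SourceName":"Microsoft-Windows-Security-Auditing",'
    '"Message":"An account was successfully logged on."}'
)

# <PRI>MMM DD HH:MM:SS HOST [TAG[PID]: ]MESSAGE
BSD_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?:(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: )?'
    r'(?P<msg>.*)$'
)


def parse_nxlog_bsd_json(line):
    """Split a BSD syslog line into header fields and decode its JSON body."""
    m = BSD_HEADER.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('not a BSD syslog line')
    pri = int(m.group('pri'))
    body = m.group('msg')
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        # A truncated or non-JSON body is kept raw so the event is not lost.
        event = {'raw': body}
    return {
        'facility': pri // 8,   # PRI = facility * 8 + severity
        'severity': pri % 8,
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'tag': m.group('tag'),
        'pid': int(m.group('pid')) if m.group('pid') else None,
        'event': event,
    }


if __name__ == '__main__':
    print(parse_nxlog_bsd_json(SAMPLE_LINE))
```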

1 Answer


Since nxlog-4.0.3689.

answered 2018-06-21T12:29:53.857