I can't configure NXlog to send Windows Event Logon logs. the logs are created before NXlog starts, so NXlog needs to remember When was the last time that he grabbed the Event logs.
The problem occurs when I try to use the "savePos" directive in my configuration:
This directive takes a boolean value of TRUE or FALSE and specifies whether the file position should be saved when nxlog exits. The file position will be read from the cache file upon startup. The file position is saved by default if this directive is not specified in the configuration. Even if SavePos is enabled, it can be explicitly turned off with the NoCache directive.
(from the doc).
But NXlog never writes the position (or anything else) to the cache.
I'm not using the noCache, and I didn't find anything on the web.
My NXlog configuration (generated by Graylog2):
define ROOT C:\Program Files (x86)\nxlog
<Extension gelf>
Module xm_gelf
</Extension>
<Extension syslog>
Module xm_syslog
</Extension>
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO
<Extension logrotate>
Module xm_fileop
<Schedule>
When @daily
Exec file_cycle('%ROOT%\data\nxlog.log', 7);
</Schedule>
</Extension>
<Input 57849fe093a38e030db3e1d7>
Module im_msvistalog
PollInterval 2
SavePos True
ReadFromLast True
</Input>
<Output 57849aa293a38e030db3dc55>
Module om_udp
Host 10.200.68.102
Port 12201
OutputType GELF
Exec $short_message = $raw_event;
# Avoids truncation of the short_message field.
Exec $gl2_source_collector = '8d8925b7-f1c0-40ae-a1ed-e918432e2125';
Exec $Hostname = hostname_fqdn();
</Output>
<Route route-0>
Path 57849fe093a38e030db3e1d7 => 57849aa293a38e030db3dc55
</Route>
