NXLog Agent known issues

6.14 and newer

On Windows versions earlier than Vista (Windows 2000, Windows XP, and Windows Server 2003), the Remote Management module cannot populate the load, fd_count, and thread_count fields in the ServerInfo response. These fields return -1 or 0 instead of the actual values because the Windows APIs required to collect them are not available on these operating systems.

6.12 and newer

When NXLog Agent stops with undelivered events in an output module’s log queue, those events are saved to a temporary .q file named after the module. This behavior applies even when PersistLogqueue is set to the default value FALSE, as NXLog Agent saves in-memory queues to disk on shutdown to allow recovery.

After restarting NXLog Agent, manually delete the .q files from the log queue directory. These files are stored in /opt/nxlog/var/spool/nxlog by default, or in the directory specified by the LogqueueDir directive.

6.8 to 6.12

6.13

When FlowControl is active and it pauses a module instance, agent statistics may count events twice—once in the evt-fwd metric of the paused module instance and again in the evt-recvd metric of the next module instance.

6.4 and newer

The OpenTelemetry Collector input module does not support gRPC+TLS when specifying an IP address for the listen address.

Specify a domain name when when using gRPC+TLS.

6.2 and newer

Due to missing build dependencies, the Ubuntu 22.04, Red Hat Enterprise Linux 9, and Amazon Linux 2022 packages do not include the Check Point OPSEC LEA input module.

6.2 to 6.11

6.12

NXLog Agent is not yet tested on operating systems that ship with OpenSSL 3.2.x, such as RHEL 9.5, and may have compatibility issues due to major changes introduced in OpenSSL 3.2.2.

Downgrade OpenSSL to version 3.0.x.

6.2 to 6.5

6.6

Microsoft Windows Server 2022 and Windows 11 contain a bug that causes the Event Log API to return fewer fields than expected.

Upgrade Windows Server 2022 to version 10.0.20348.740 and Windows 11 to version 10.0.22000.739, where Microsoft addressed this bug.

All

The Google Cloud Pub/Sub input and output modules trim messages containing a NULL byte (\x00), discarding all subsequent data.

Ensure that messages do not contain NULL byte characters at the event source or contact us if this is not possible.

All

There is a small possibility that the Microsoft 365 input module generates multiple events for the same email. This issue is caused by a duplicate Reporting Web Service API response.

All

NXLog Agent relies on an external systemd service, which is usually a part of the operating system. However, there are several operating systems, such as CentOS 8 and 9, RHEL 9, Debian 12, Ubuntu 22 and 24, Amazon Linux 2023, and possibly others, that contain a known bug causing a failure during NXLog Agent log rotation. This issue results in an NXLog Agent crash (version 6.2 and earlier) or manifests as a log entry containing "BAD MESSAGE" (versions 6.3 and 6.3HF1).

Contact us if you require technical support regarding this issue.

All

The Character Set Conversion extension module’s convert_fields() procedure fails to autodetect UTF-16 encoding because the Byte Order Mark (BOM) at the beginning of the file does not propagate to subsequent messages.

Use a fixed input character set instead of autodetection, or use the InputType converter.convert directive. For more information, see Example 2 of the Character Set Conversion extension module documentation.

All

NXLog Agent for Amazon Linux 2023 does not include the im_kafka and om_kafka modules because the librdkafka dependency is not available for this operating system.

Contact us if you require technical support regarding this issue.