Windows events that occur when an agent is disabled are not synchronized when the agent is started. The documentation says that the agent stores the value of the last event in the registry and sends all events since the last synchronization on startup.
Hi there, we have replicated this issue and team will work to provide a fix. Thank you for your contribution.
Hi Saksham
This function should be explicitly enabled by setting ProcessOfflineEvents = true in LogWatch section. Please try and let us know if any further issues observed.
Hi Uldis, I tried several possible where to specify the ProcessOfflineEvents parameter with a value of true, but none sent the event after running nxagent again.
I tried
First option:
[Logwatch]
ProcessOfflineEvents = true
[WinEventSync]
EventLog = Application
[WinEventSync/Application]
ProcessOfflineEvents = true
WinEventSync = *
Second
[WinEventSync]
EventLog = Application
ProcessOfflineEvents = true
[WinEventSync/Application]
WinEventSync = * Last
[WinEventSync]
EventLog = Application
[WinEventSync/Application]
ProcessOfflineEvents = true
WinEventSync = *By the way, the Logwatch section is only for the logwatch subagent, and for the Windows event is the WinEventSync section. Or this section is common for both subagents?
Hi Saksham
In your configuration examples, we note mix-ups between log synchronization and log watch functionalities, those are completely separate and have been such due to historical reasons and that is also reflected in documentation. Here is my LogWatch configuration
SubAgent = logwatch
[LOGWATCH]
ProcessOfflineEvents = true
I have created template "WINDOWS LOG", added Agent Policies where all Windows event IDs generate my custom event in Actions section. I stopped Agent, observed new Windows events generated in Event Viewer->Windows Logs->Security, for example, started up Agent and saw Windows backlog events processed and my custom events genearted for time span when Agent was down. Please try the above scenario from your side.
In my environment I only use SubAgent for wineventsync.nsm. I don't use Logwatch. I also don't use the agent policy (I set everything via the INI file of the nx agent).
So if I make a policy and use the logwatch subagent, can I also collect Windows events?
Hi Saksham
You would need to set your side up as per exmaple and the functionality would work. SubAgent logwatch is a must here.
To clarify this - we have two ways of dealing with windows event logs
- logwatch
- wineventsync
Logwatch supports parsing of offline events, while wineventsync currently does not. There is an issue in our bug tracker on this, so some day this will be fixed: https://track.radensolutions.com/issue/NX-1997