Log access errors

This page provides troubleshooting tips and solutions for NXLog Agent errors related to reading logs. The NXLog Agent user not having the correct permissions to access the logs is often the cause of such issues.

Permission denied to a log file on Linux

Symptom

NXLog Agent fails to collect logs from a file with the following error:

ERROR failed to open /var/log/syslog;Permission denied

Possible reason

The NXLog Agent User and Group do not have permission to read the file. This issue often happens when reading files from /var/log or other system directories.

Investigation

Open the NXLog Agent configuration file and check the value of the User and Group directives. By default, NXLog Agent uses the nxlog user and group it creates during the installation. This user cannot read from /var/log and other system folders.

Then, check the log file’s access permissions. On Debian/Ubuntu, the adm group typically has read access to system log files.

(Screenshot: /var/log/syslog file access permissions)

Solution

You have two options to address this issue:

Option 1

Change the User and Group directives in the NXLog Agent configuration to ones with permission to read the log file. Restart the NXLog Agent service to apply the changes.

$ sudo systemctl restart nxlog

Option 2

Add the nxlog user to the necessary group to allow it to read the log file. For example, execute the following command to add the nxlog user to the adm group and restart the system to refresh the user’s group membership.

$ sudo usermod -a -G adm nxlog

See Reading log files written by rsyslog for a more detailed explanation.
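As an added example (not from the NXLog documentation or the product), the following Python script performs the investigation described above on Linux: it reads the User and Group directives from an nxlog.conf text, compares the log file's mode bits and owning group with the configured user's group memberships, and reports whether Option 1 or Option 2 applies. The configuration text and the user and group names used in it are constructed for the example.

```python
# Check whether the user NXLog Agent runs as can read a log file on Linux.
# Added example for this page, not part of NXLog Agent; the conf text is constructed.
import grp
import os
import pwd
import re
import stat
import sys

SAMPLE_CONF = 'User nxlog\nGroup nxlog\n<Input syslog>\n  Module im_file\n  File "/var/log/syslog"\n</Input>\n'

def parse_user_group(conf_text, default=("nxlog", "nxlog")):
    """Return the (User, Group) values from an nxlog.conf text, or the defaults."""
    user, group = default
    for m in re.finditer(r"^\s*(User|Group)\s+(\S+)", conf_text, re.M):
        if m.group(1) == "User":
            user = m.group(2)
        else:
            group = m.group(2)
    return user, group

def can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def diagnose(path, user):
    """Stat a real file, resolve the user's groups and name the matching option."""
    st, pw = os.stat(path), pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    mode = stat.S_IMODE(st.st_mode)
    if can_read(mode, st.st_uid, st.st_gid, pw.pw_uid, gids):
        return f"{user} can read {path}"
    if mode & stat.S_IRGRP:  # Option 2: add the user to the file's group (e.g. adm)
        return f"add {user} to group {grp.getgrgid(st.st_gid).gr_name}"
    return f"set User/Group to {pwd.getpwuid(st.st_uid).pw_name}"  # Option 1

if __name__ == "__main__":
    # usage: check_read.py /path/to/nxlog.conf /var/log/syslog
    conf = open(sys.argv[1]).read() if len(sys.argv) == 3 else SAMPLE_CONF
    path = sys.argv[2] if len(sys.argv) == 3 else "/var/log/syslog"
    print(diagnose(path, parse_user_group(conf)[0]))
```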

Access denied to a Windows Event Log channel

Symptom

Collecting logs from Windows Event Log with im_msvistalog fails with one of the following errors:

WARNING [im_msvistalog|windows] failed to subscribe to msvistalog events,access denied [error code: 5]: Access is denied.
WARNING [im_msvistalog|windows] Invalid channel: 'Security': Access is denied.

or

WARNING [im_msvistalog|windows] ignoring source as it cannot be subscribed to (error code: 5)

Possible reason

The NXLog Agent user may not have sufficient permissions to access specific channels. When NXLog Agent runs as a service, this applies to the service user.

Investigation

If you’re running NXLog Agent as a service, verify under which user account it’s configured to run. By default, it runs under the Local System account.

  1. Open the Services (services.msc) console.

  2. Find the nxlog service, right-click on it, and select Properties.

  3. Switch to the Log On tab to see the service user.

Solution

You must grant the NXLog Agent user permission to read the specified channel. For default channels, it is usually sufficient to add the user to the built-in Event Log Readers group by following these steps:

  1. Open the Computer Management (compmgmt.msc) console.

  2. Expand System Tools > Local Users and Groups > Groups.

  3. Double-click the Event Log Readers group and add the NXLog Agent user.

If the error persists, you must grant permission using Group Policy for the default Windows Event Log channels or the Windows Registry for other channels. Permissions are specified using the Security Descriptor Definition Language (SDDL).

These steps require altering the Windows Registry. Follow the instructions with care because incorrect modifications could render the system unusable.

  1. The first step is to retrieve the SID of the NXLog Agent user. Execute the following command:

    > wmic useraccount where name='<username>' get sid

  2. For default Windows Event Log channels:

    1. Open the command prompt with an admin user and run the following command, replacing <channel_name> with the actual channel name.

      > wevtutil gl <channel_name>

      This example uses the security channel.

    2. Take note of the channelAccess value.

      (Screenshot: wevtutil command result)

    3. Open the Group Policy Editor (gpedit.msc) console.

    4. Expand Computer Configuration > Administrative Templates > Windows Components > Event Log Service.

    5. Select the required channel from the list, such as Security. Double-click on the Configure log access policy to edit it.

    6. Select the Enabled option.

    7. Under Log Access, enter the channelAccess value retrieved above.

    8. Append the permission for the NXLog Agent service user to the Log Access value. The following permission grants the user read access:

      (A;;0x1;;;<user_sid>)

      Here, A means allow, and 0x1 means read. Replace <user_sid> with the SID retrieved in step 1.

      (Screenshot: Configure log access policy)

    9. Execute the following command to apply the updated policy:

      > gpupdate /force

  3. For other Windows Event Log channels:

    1. Open Registry Editor by clicking the Windows Start menu, typing regedit, and pressing Enter.

    2. Expand the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels

      Your channel selection might be stored in a different registry key than the one specified above. If so, you must research the correct registry key for each channel.

    3. From the list of keys, find the channel shown in the error and click on it.

    4. In the right pane, double-click on the ChannelAccess value to modify it.

    5. Append the permission for the NXLog Agent service user to the existing value. Add the following permission to grant the user read access:

      (A;;0x1;;;<user_sid>)

      Here, A means allow, and 0x1 means read. Replace <user_sid> with the SID retrieved in step 1.

      (Screenshot: Windows Registry channel access permissions)

    6. Repeat these steps for each channel showing the error.

    7. Restart Windows. This step is essential because the new permissions will only come into effect after restarting Windows.
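As an added example, not NXLog's own tooling, this Python helper builds the value you enter in the Log Access policy or the ChannelAccess registry value in the steps above: it parses the DACL from a channelAccess string, checks whether the SID already has an allow ACE carrying the read bit (so the entry is not appended twice), and inserts the new (A;;0x1;;;<user_sid>) entry before any SACL (S:) section. The sample SDDL and the SID values are constructed; the helper assumes plain ACEs without conditional expressions.

```python
# Compose and sanity-check the channelAccess SDDL that grants NXLog Agent read
# access to an Event Log channel. Added example for this page, not NXLog tooling;
# the sample SDDL and SIDs are constructed (S-1-5-32-573 is Event Log Readers).
import re

READ = 0x1  # access mask for read, as used in the steps above
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACE_RE = re.compile(r"\(([^)]*)\)")  # plain ACEs only, no conditional ACEs

# Typical 'wevtutil gl Security' channelAccess value (constructed for this example).
SAMPLE_SDDL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"

def split_dacl(sddl):
    """Return (text up to and including the DACL, trailing SACL text or '')."""
    d = sddl.find("D:")
    if d < 0:
        raise ValueError("SDDL has no DACL (D:) section")
    s = sddl.find("S:", d)  # a SACL, if present, follows the DACL
    return (sddl, "") if s < 0 else (sddl[:s], sddl[s:])

def dacl_aces(sddl):
    """Each DACL ACE as its ';'-separated fields: type, flags, mask, ..., sid."""
    dacl, _ = split_dacl(sddl)
    return [ace.split(";") for ace in ACE_RE.findall(dacl[dacl.find("D:"):])]

def has_read(sddl, sid):
    """True if an allow ACE for exactly this SID already carries the read bit."""
    for ace in dacl_aces(sddl):
        mask = ace[2]
        if ace[0] == "A" and ace[-1] == sid and mask.lower().startswith("0x"):
            if int(mask, 16) & READ:
                return True
    return False  # symbolic masks (e.g. GR) are not interpreted here

def grant_read(sddl, sid):
    """Append (A;;0x1;;;<sid>) to the DACL as the steps above do, idempotently."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    if has_read(sddl, sid):
        return sddl
    dacl, sacl = split_dacl(sddl)
    return f"{dacl}(A;;{READ:#x};;;{sid}){sacl}"

if __name__ == "__main__":
    # Paste the channelAccess value and the SID from 'wmic useraccount ... get sid'.
    print(grant_read(SAMPLE_SDDL, "S-1-5-21-1111-2222-3333-1001"))
```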

Cannot write to a mapped network drive

Symptom

NXLog Agent fails to write logs to a file on a mapped network drive with one of the following errors:

ERROR [om_file|audit] Couldn't create directory: z:\logs\audit_secure (perms=OS_DEFAULT)

or

ERROR [om_file|audit] apr_file_write failed; The request is not supported.

Possible reason

This issue occurs because a mapped network drive, such as an NFS mount, is only available to the user and logon session that created it. When NXLog Agent runs as a service, it operates under a different user and session that does not have access to the logged-on user’s drive mappings.

Investigation

If you’re running NXLog Agent as a service, verify under which user account it’s configured to run. By default, it runs under the Local System account.

  1. Open the Services (services.msc) console.

  2. Find the nxlog service, right-click on it, and select Properties.

  3. Switch to the Log On tab to see the service user.

Solution

The NXLog Agent user must have access to the mapped drive. A workaround is to run NXLog Agent as an application instead of a service. For example, the following batch script maps DC1:/log to Z: and starts NXLog Agent interactively. You can change the NXLog Agent service startup type to manual and configure Task Scheduler to execute the script on Windows startup instead.

@echo off
rem Mount the NFS export DC1:/log as drive Z: (requires the Client for NFS feature)
mount -o fileaccess=777 DC1:/log Z:
rem Run NXLog Agent in the foreground with its configuration file
cd /d "C:\Program Files\nxlog\"
nxlog.exe -f -c conf\nxlog.conf

Log file is in use by another application

Symptom

Trying to open the NXLog Agent log file or a file it’s writing to results in Windows displaying the following error:

This file is in use by another application or user.

Possible reason

The application you’re using requires exclusive access to the file.

Solution

Open the log file with an application that does not require exclusive locking, such as Notepad. Otherwise, stop NXLog Agent before opening the log file.