Log access errors
This page provides troubleshooting tips and solutions for NXLog Agent errors related to accessing log files and log sources. The most common cause is that the account NXLog Agent runs under lacks the permissions needed to read (or write) the log in question.
Permission denied to a log file on Linux

Symptom
    NXLog Agent fails to collect logs from a file with the following error:
    ERROR failed to open /var/log/syslog;Permission denied

Possible reason
    The NXLog Agent User and Group do not have permission to read the file. This typically happens when reading files from /var/log or other system directories.

Investigation
    Open the NXLog Agent configuration file and check the values of the User and Group directives. By default, NXLog Agent runs as the nxlog user and group, which it creates during installation. This user cannot read from /var/log and other system directories. Then check the log file's owner, group and permission bits. On Debian/Ubuntu, the adm group typically has read access to system log files, so a file that is readable by its group can be reached by adding the agent's user to that group.

Solution
    You have two options to address this issue:

    Option 1
        Change the User and Group directives in the NXLog Agent configuration to an account that has permission to read the log file, then restart the NXLog Agent service to apply the change:
        $ sudo systemctl restart nxlog
        Avoid switching the agent to root just to read log files; a dedicated, unprivileged account with the right group membership (Option 2) keeps the agent's privileges minimal.

    Option 2
        Add the nxlog user to the group that has read access to the log file. For example, the following command adds the nxlog user to the adm group; restart the system afterwards so that the new group membership takes effect.
        $ sudo usermod -a -G adm nxlog

    See Reading log files written by rsyslog for a more detailed explanation.
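The investigation above can be scripted. The following Python script is an added example and is not part of NXLog or this page: it reads the User and Group directives from an nxlog.conf text (defaulting to nxlog, as NXLog does), evaluates whether that account can read a given file from the file's owner, group and mode bits, and reports which of the two options applies. It assumes a Linux host with the standard pwd and grp modules; the sample configuration and the file attributes used for illustration are constructed.

```python
"""Added example, not part of NXLog or its documentation: check whether the
account named by the User/Group directives in nxlog.conf can read a log file,
and say which of the two options above applies.

Assumes a Linux host (pwd/grp modules). The configuration text and the file
attributes used in the test cases are constructed samples.
"""
import grp
import os
import pwd
import re
import stat

# Constructed sample of the global part of an nxlog.conf (not a real file)
SAMPLE_CONF = """
User nxlog
Group nxlog

<Input syslog>
    Module im_file
    File "/var/log/syslog"
</Input>
"""


def directive(conf, name, default="nxlog"):
    """Value of a top-level `Name value` directive; NXLog directive names are
    case-insensitive, and User/Group default to the nxlog account."""
    m = re.search(rf"^\s*{name}\s+(\S+)", conf, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else default


def mode_allows_read(mode, file_uid, file_gid, uid, gids):
    """Unix read check: root bypasses DAC; otherwise exactly one class applies,
    owner first, then group (the file's gid is in the process's gids), then other."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def advise(mode, file_uid, file_gid, uid, gids, file_group="?"):
    """Return (readable, advice) for a file with the given owner, group and
    mode, evaluated for an account with uid and the set of gids."""
    if mode_allows_read(mode, file_uid, file_gid, uid, gids):
        return True, "readable: the error is not caused by file permissions"
    if mode & stat.S_IRGRP:
        return False, f"Option 2: add the NXLog user to group '{file_group}'"
    return False, "Option 1: run NXLog Agent as the file owner, or adjust the file's permissions"


def account_ids(user, group):
    """uid and the set of gids the NXLog process will carry: the configured
    Group plus the user's supplementary groups from the group database."""
    uid = pwd.getpwnam(user).pw_uid
    gids = {grp.getgrnam(group).gr_gid}
    gids |= {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return uid, gids


def check_file(conf, path):
    """Live check of a real file against the User/Group configured in conf."""
    uid, gids = account_ids(directive(conf, "User"), directive(conf, "Group"))
    st = os.stat(path)
    return advise(st.st_mode, st.st_uid, st.st_gid, uid, gids,
                  grp.getgrgid(st.st_gid).gr_name)


if __name__ == "__main__":
    try:
        print(check_file(SAMPLE_CONF, "/var/log/syslog"))
    except (KeyError, OSError) as exc:  # no nxlog account or no such file here
        print("cannot check on this host:", exc)
```

Run it as root (or any account that can stat the file) on the host where the agent runs; check_file resolves the configured account and the real file, while advise and mode_allows_read are pure functions you can also call with values copied from another system.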
Access denied to a Windows Event Log channel

Symptom
    Collecting logs from Windows Event Log with im_msvistalog fails with one of the following errors:
    WARNING [im_msvistalog|windows] failed to subscribe to msvistalog events,access denied [error code: 5]: Access is denied.
    WARNING [im_msvistalog|windows] Invalid channel: 'Security': Access is denied.
    or
    WARNING [im_msvistalog|windows] ignoring source as it cannot be subscribed to (error code: 5)

Possible reason
    The NXLog Agent user does not have permission to read the specified channel(s). When NXLog Agent runs as a service, this applies to the service account.

Investigation
    If you're running NXLog Agent as a service, verify which user account it is configured to run under. By default, it runs under the Local System account, which the built-in channels grant access to, so this error normally appears when the service has been reconfigured to run under another account.
    1. Open the Services (services.msc) console.
    2. Find the nxlog service, right-click on it, and select Properties.
    3. Switch to the Log On tab to see the service user.

Solution
    You must grant the NXLog Agent user permission to read the specified channel. For the default channels, it is usually sufficient to add the user to the built-in Event Log Readers group:
    1. Open the Computer Management (compmgmt.msc) console.
    2. Expand System Tools > Local Users and Groups > Groups.
    3. Double-click the Event Log Readers group and add the NXLog Agent user.
    4. Restart the NXLog Agent service. A service's access token is built when it starts, so the new group membership is not visible to a running instance.

    If the error persists, grant the permission explicitly: through Group Policy for the default Windows Event Log channels, or through the Windows Registry for other channels. Permissions are specified using the Security Descriptor Definition Language (SDDL).

    These steps require altering the Windows Registry. Follow the instructions with care because incorrect modifications could render the system unusable.

    1. Retrieve the SID of the NXLog Agent user:
       > wmic useraccount where name='<username>' get sid
       wmic is deprecated in current Windows versions; where it is unavailable, the same value is exposed as the SID property of the account by PowerShell's Get-LocalUser cmdlet.

    2. For default Windows Event Log channels:
       a. Open a command prompt as an administrator and run the following command, replacing <channel_name> with the actual channel name. This example uses the Security channel.
          > wevtutil gl <channel_name>
       b. Take note of the channelAccess value.
       c. Open the Group Policy Editor (gpedit.msc) console.
       d. Expand Computer Configuration > Administrative Templates > Windows Components > Event Log Service.
       e. Select the required channel from the list, such as Security. Double-click the Configure log access policy to edit it.
       f. Select the Enabled option.
       g. Under Log Access, enter the channelAccess value retrieved above.
       h. Append the permission for the NXLog Agent service user to the Log Access value. The following ACE grants the user read access:
          (A;;0x1;;;<user_sid>)
          Here, A means allow and 0x1 means read. Replace <user_sid> with the SID retrieved in step 1. The ACE belongs in the DACL, the part of the descriptor that starts with D:; if the descriptor also carries an S: section (the SACL) after it, insert the ACE before S:, not at the very end of the string.
       i. Execute the following command to apply the updated policy:
          > gpupdate /force

    3. For other Windows Event Log channels:
       a. Open Registry Editor by clicking the Windows Start menu, typing regedit, and pressing Enter.
       b. Expand the following registry key:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
          Your channel might be stored under a different registry key than the one shown above. If so, you must find the correct key for each channel.
       c. From the list of keys, find the channel shown in the error and click on it.
       d. In the right pane, double-click the ChannelAccess value to modify it.
       e. Append the permission for the NXLog Agent service user to the existing value. The following ACE grants the user read access:
          (A;;0x1;;;<user_sid>)
          Here, A means allow and 0x1 means read. Replace <user_sid> with the SID retrieved in step 1. As above, the ACE goes into the D: section, before any trailing S: section.
       f. Repeat these steps for each channel showing the error.
       g. Restart Windows. This step is essential because the new permissions only take effect after a restart.
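Both the Group Policy route and the Registry route end with the same edit: appending an allow ACE for the service user's SID to the channel's SDDL descriptor. Doing that by hand is error-prone, so the following Python helper is given as an added example (it is not NXLog code and not a Microsoft tool). It splits the descriptor into its O:, G:, D: and S: sections, places the new (A;;0x1;;;SID) ACE in the DACL rather than after a trailing SACL, leaves the descriptor unchanged when the SID already has read access, and refuses when an explicit deny ACE for the SID exists, since an appended allow would not override it. It assumes hex access masks as wevtutil gl prints them and does not handle conditional ACEs; the sample descriptor is constructed after the shape of the default Security channel descriptor, and the user SID is made up.

```python
"""Added example, not NXLog code: append a read ACE for the NXLog service
user to an event log channel's SDDL descriptor (channelAccess) safely.

Assumes hex access masks (as `wevtutil gl` prints them) and no conditional
ACEs. The sample descriptor and SID below are constructed.
"""
import re

READ_MASK = 0x1                                  # the read bit used in (A;;0x1;;;SID)
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")      # string SID, e.g. S-1-5-21-...-1105
SECTION_RE = re.compile(r"([OGDS]):")            # O: owner, G: group, D: DACL, S: SACL
ACE_RE = re.compile(r"\(([^)]*)\)")              # one parenthesised ACE

# Constructed sample shaped like the default Security channel descriptor:
# SYSTEM full control, Administrators read+clear, Event Log Readers read.
SAMPLE_SDDL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # made-up user SID


def is_valid_sid(sid):
    """True for a string-form SID; rejects names such as 'nxlog' by mistake."""
    return bool(SID_RE.match(sid))


def split_sections(sddl):
    """Descriptor as an ordered list of (section, body) pairs, e.g.
    [('O', 'BA'), ('G', 'SY'), ('D', '(A;;0x1;;;SY)')]."""
    parts = SECTION_RE.split(sddl)
    if parts[0] != "":
        raise ValueError("SDDL must start with O:, G:, D: or S:")
    pairs = list(zip(parts[1::2], parts[2::2]))
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate SDDL section")
    return pairs


def read_access(dacl, sid):
    """'deny' if any deny ACE for sid includes the read bit, else 'allow' if an
    allow ACE does, else None. Symbolic (non-hex) masks are skipped."""
    allowed = False
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, rights, ace_sid = fields[0], fields[2], fields[5]
        if ace_sid != sid or not rights.lower().startswith("0x"):
            continue
        if int(rights, 16) & READ_MASK:
            if ace_type == "D":
                return "deny"
            if ace_type == "A":
                allowed = True
    return "allow" if allowed else None


def grant_read(sddl, sid):
    """Return (new_sddl, changed): the descriptor with (A;;0x1;;;sid) added to
    its DACL, or unchanged when read is already allowed."""
    if not is_valid_sid(sid):
        raise ValueError(f"not a string SID: {sid!r}")
    pairs = split_sections(sddl)
    sections = dict(pairs)
    state = read_access(sections.get("D", ""), sid)
    if state == "deny":
        raise ValueError(f"{sid} has an explicit deny ACE; remove it first")
    if state == "allow":
        return sddl, False
    ace = f"(A;;0x{READ_MASK:x};;;{sid})"
    if "D" in sections:
        pairs = [(k, v + ace if k == "D" else v) for k, v in pairs]
    else:  # no DACL yet: create one, keeping it ahead of any SACL
        idx = next((i for i, (k, _) in enumerate(pairs) if k == "S"), len(pairs))
        pairs.insert(idx, ("D", ace))
    return "".join(f"{k}:{v}" for k, v in pairs), True


if __name__ == "__main__":
    new_sddl, changed = grant_read(SAMPLE_SDDL, SAMPLE_SID)
    print("changed:", changed)
    print("new channelAccess:", new_sddl)
```

Paste the channelAccess value printed by wevtutil gl into SAMPLE_SDDL and the SID from step 1 into SAMPLE_SID, then copy the printed result into the Log Access policy field or the ChannelAccess registry value; the original descriptor is left untouched on the system until you do.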
Cannot write to a mapped network drive

Symptom
    NXLog Agent fails to write logs to a file on a mapped network drive with one of the following errors:
    ERROR [om_file|audit] Couldn't create directory: z:\logs\audit_secure (perms=OS_DEFAULT)
    or
    ERROR [om_file|audit] apr_file_write failed; The request is not supported.

Possible reason
    A drive letter mapped to an NFS export (or any other mapped drive) exists only in the logon session of the user who created it. When NXLog Agent runs as a service, it runs under a different account in its own session, where the logged-on user's drive mappings do not exist.

Investigation
    If you're running NXLog Agent as a service, verify which user account it is configured to run under. By default, it runs under the Local System account.
    1. Open the Services (services.msc) console.
    2. Find the nxlog service, right-click on it, and select Properties.
    3. Switch to the Log On tab to see the service user.

Solution
    The NXLog Agent user must have access to the mapped drive. One workaround is to run NXLog Agent as an application instead of a service, creating the mapping in the same session just before starting it. For example, the following batch script maps DC1:/log to Z: and starts NXLog Agent in the foreground. Change the NXLog Agent service startup type to Manual and configure Task Scheduler to run the script at Windows startup instead.
    @echo off
    mount -o fileaccess=777 DC1:/log Z:
    cd "C:\Program Files\nxlog\"
    nxlog.exe -f -c conf\nxlog.conf
    Note that fileaccess=777 creates files and directories on the export that every NFS user can read, write and execute; restrict the mode to what NXLog Agent actually needs. If the target is also available as an SMB share, specifying a UNC path in the om_file File directive avoids drive mappings altogether, provided the service account has write access to the share.
Log file is in use by another application

Symptom
    Trying to open the NXLog Agent log file, or a file it is writing to, results in Windows displaying the following error:
    This file is in use by another application or user.

Possible reason
    The application you're using requires exclusive access to the file, which NXLog Agent holds open for writing.

Solution
    Open the log file with an application that does not require an exclusive lock, such as Notepad. Otherwise, stop NXLog Agent before opening the file.