im_msvistalog module - nxlog.exe process consumes high percentages of CPU in bursts
A CE user has reported an issue with the im_msvistalog module. They use it to forward Windows Event Logs from the Security log, with some filtering, to an external syslog server. Functionally this works well and does exactly what they need it to. The problem they are having is that the nxlog.exe process often consumes rather high percentages of a workstation's CPU in bursts: between 25 and 35 percent every few minutes, for around a minute at a time.
CE Forum link
I am able to reproduce the issue. So far I've learned the following about this issue:
- It starts with adding the im_msvistalog module to the config.
- On my virtual machines, the CPU percentage consumed by nxlog.exe jumps to 97% or more. It stays at high CPU usage for about 60 seconds and then decreases to normal values. After 60 seconds it jumps again.
- The same behavior was spotted on Win 2019 and Win 2022 servers.
- I tried the FlowControl FALSE and NoCache TRUE directives, but it hasn't changed.
- No errors are logged with LogLevel INFO.
- When LogLevel is increased to DEBUG, I've seen the following set of logs repeating (it contains an error):
2022-04-04 05:16:51 DEBUG im_msvistalog read 0 events
2022-04-04 05:16:51 DEBUG new event in event_thread [_fileop:SCHEDULE]
2022-04-04 05:16:51 DEBUG new event in event_thread [_fileop:SCHEDULE]
2022-04-04 05:16:51 DEBUG new event in event_thread [_exec:MODULE_SPECIFIC]
2022-04-04 05:16:51 DEBUG new event in event_thread [in:READ]
2022-04-04 05:16:51 DEBUG nx_event_to_jobqueue: READ (in)
2022-04-04 05:16:51 DEBUG event added to jobqueue
2022-04-04 05:16:51 DEBUG future event, event thread sleeping 689016ms in cond_timedwait
2022-04-04 05:16:51 DEBUG worker 1 got signal for new job
2022-04-04 05:16:51 DEBUG worker 1 got no event to process
2022-04-04 05:16:51 DEBUG worker 1 waiting for new event
2022-04-04 05:16:51 DEBUG worker 0 processing event 0x281fe330
2022-04-04 05:16:51 DEBUG PROCESS_EVENT: READ (in)
2022-04-04 05:16:51 DEBUG im_msvistalog checking for new events...
2022-04-04 05:16:51 DEBUG EvtNext returned ERROR_INVALID_OPERATION
The conf and the log file are attached below: nxlog.7z nxlog.conf
Edited by Nenad Milosevic
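To check whether the repeating EvtNext error in a DEBUG log lines up with the CPU bursts described above, the log can be bucketed per second and the busy seconds merged into bursts. This is an added example, not code from the issue or from NXLog; the function names, the threshold of 3 errors per second and the sample lines (constructed in the DEBUG format shown above) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DEBUG (.*)$")
# Messages taken from the DEBUG excerpt in the report.
MARKERS = {
    "EvtNext returned ERROR_INVALID_OPERATION": "evtnext_error",
    "im_msvistalog read 0 events": "empty_read",
}

def count_per_second(lines):
    """Map each timestamp to how often the two marker messages occur in it."""
    counts = defaultdict(lambda: {"evtnext_error": 0, "empty_read": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        key = MARKERS.get(m.group(2)) if m else None
        if key:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            counts[ts][key] += 1
    return dict(counts)

def find_bursts(counts, min_errors_per_sec=3, max_gap=timedelta(seconds=1)):
    """Merge adjacent busy seconds into (start, end, total_errors) bursts."""
    hot = sorted(t for t, c in counts.items() if c["evtnext_error"] >= min_errors_per_sec)
    bursts = []
    for ts in hot:
        if bursts and ts - bursts[-1][1] <= max_gap:
            bursts[-1][1] = ts
            bursts[-1][2] += counts[ts]["evtnext_error"]
        else:
            bursts.append([ts, ts, counts[ts]["evtnext_error"]])
    return [tuple(b) for b in bursts]

def constructed_sample():
    """Constructed log lines: two busy periods plus one isolated poll."""
    base = datetime(2022, 4, 4, 5, 16, 51)
    lines = []
    for offset, cycles in [(0, 5), (1, 5), (2, 4), (30, 1), (120, 6), (121, 5)]:
        stamp = (base + timedelta(seconds=offset)).strftime("%Y-%m-%d %H:%M:%S")
        for _ in range(cycles):
            lines.append(f"{stamp} DEBUG im_msvistalog checking for new events...")
            lines.append(f"{stamp} DEBUG EvtNext returned ERROR_INVALID_OPERATION")
            lines.append(f"{stamp} DEBUG im_msvistalog read 0 events")
    return lines

if __name__ == "__main__":
    for start, end, total in find_bursts(count_per_second(constructed_sample())):
        print(f"{start} .. {end}: {total} EvtNext errors")
```

Comparing the burst start times against a CPU counter trace for nxlog.exe shows whether the error loop and the spikes share the same period.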