Logging from Windows (NXLog)

Sending logs to Logmatic.io from Windows is made easy thanks to the universal log shipper NXLog.

Overview

Already a Logmatic.io user?

We advise you to go directly to the NXLog - Integration on your platform. It will help you do the setup and the configuration.

Global overview of Logmatic.io Input API

You will find a global overview on our Input API here.

Sending logs to Logmatic.io from Windows is easy thanks to the universal log shipper: NXlog. In this chapter, we show you how to configure NXlog to send system logs and other files you may want to follow.

Setup - installing NXlog

Install the daemon NXlog

In order to start using the log shipper, you will have to install it. You can find the Windows installer on the NXLog SourceForge page: pick the .msi package and install it.

Installation of NXlog


Setup - Forward all the syslog messages

  • Edit the nxlog.conf file which resides in the C:\Program Files\nxlog\conf directory with any text editor you want. We use Notepad in the following example.

Watch out!

Depending on your Windows system, the configuration file could be in the C:\Program Files (x86)\nxlog\conf directory. Take note of the install directory: it is used as the ROOT parameter in the configuration file.

  • Replace the whole file with the following configuration, and don't forget to adjust the values for your Windows installation and your API key:

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
## Adjust the path to match your own system if necessary
define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

##Extension to format the message in JSON format
<Extension xm_json>
	Module xm_json
</Extension>

##Extension to format the message in syslog format
<Extension xm_syslog>
 Module xm_syslog
</Extension>

########## INPUTS ###########


##Input for Windows event logs
<Input syslog>
    Module      im_msvistalog
## For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

############ OUTPUTS ##############

##TCP output module
<Output out_logmatic>
    Module      om_tcp
    Host        api.logmatic.io
    Port        10514

##Put the event in IETF format
    Exec to_syslog_ietf();
    
####Add the API key before the event
    Exec 	$raw_event="<your_api_key> "+$raw_event;
</Output>


############ ROUTES TO CHOOSE #####

<Route 1>
    Path       syslog => out_logmatic
</Route>

Don't forget to replace <your_api_key> with the one generated for your usage.

  • Once you are happy with this configuration, don't forget to restart the service from the service administration page at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Services.lnk

Configuration of NXlog


If you need more details about this config, please refer to the NXLog documentation.

Setup - Watching your own files

Using NXlog as a forwarder is easy. Just follow these steps:

  • Edit the nxlog.conf file

  • Insert the following configuration block for each file you want to follow:

##Module to watch a file
<Input file_watch_1>
 Module im_file
 File "Path\\to\\your\\file1"
 Exec   $SourceName = 'my_application_file1'; 
 SavePos TRUE
 
##include the message and add meta data
 Exec $Message = $raw_event;
</Input>

<Input file_watch_2>
 Module im_file
 File "Path\\to\\your\\file2"
 Exec   $SourceName = 'my_application_file2'; 
 SavePos TRUE
 
##include the message and add meta data
 Exec $Message = $raw_event;
</Input>

etc...
Don't forget to escape each \ in your file path by doubling it, as in the examples above.

  • Insert the following Route configuration block so that each file is routed to the correct output:

<Route file1>
    ## List every file_watch_N input you defined above
    Path       file_watch_1, file_watch_2 => out_logmatic
</Route>

If you need more details about this config, please refer to the im_file module documentation.

  • Once you are happy with this configuration don't forget to restart the service via the Services tool.

Setup - Enabling security

You need to deploy an NXLog instance of version 2.9.x or later.

SSL configuration doesn't work otherwise.

You can set up encryption for NXLog with certificate validation. [Download final certificate here]

First, be sure you have installed OpenSSL, as the SSL/TLS transport uses the OpenSSL library. Usually, this is done by installing OpenSSL with the binary found here.

You can now enable TLS. If you followed the previous step, replace the first out_logmatic block below (om_tcp, port 10514) with the second one (om_ssl, port 10515):

<Output out_logmatic>
    Module      om_tcp
    Host        api.logmatic.io
    Port        10514

##Put the event in IETF format
    Exec to_syslog_ietf();
    
####Add the API key before the event
    Exec 	$raw_event="<your_api_key> "+$raw_event;
</Output>

<Output out_logmatic>
    Module      om_ssl
    Host        api.logmatic.io
    Port        10515
    CAFile   <path_to_your_.crt_file>

##Put the event in IETF format
    Exec to_syslog_ietf();
    
####Add the API key before the event
    Exec 	$raw_event="<your_api_key> "+$raw_event;
</Output>

Don't forget to specify <path_to_your_.crt_file>, <your_api_key> and ensure that the port number is 10515!
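
A pre-restart check for the configuration steps on this page, as an added PowerShell example (not Logmatic.io's or NXLog's own tooling): it flags unreplaced placeholders, a ROOT that does not match the install directory, route entries that name no defined block, and a missing CA file, and it warns when the output is still om_tcp, which sends the API key unencrypted. It assumes the default install directories, the service name nxlog, an elevated prompt, and that nxlog.exe -v exits non-zero on an invalid file.

```powershell
# Added example: lint nxlog.conf against this page's warnings, then restart NXLog.
# Assumptions: default install directories, service name "nxlog", elevated prompt.
$root = "C:\Program Files\nxlog", "C:\Program Files (x86)\nxlog" |
    Where-Object { Test-Path (Join-Path $_ "conf\nxlog.conf") } | Select-Object -First 1
if (-not $root) { throw "nxlog.conf not found under either Program Files directory" }
$confPath = Join-Path $root "conf\nxlog.conf"

# Drop comment lines so commented-out alternatives do not produce findings.
$text = (Get-Content $confPath | Where-Object { $_ -notmatch '^\s*#' }) -join "`n"
$problems = @()

# ROOT must be the directory NXLog was installed into, or the service will not start.
$def = [regex]::Match($text, '(?m)^\s*define\s+ROOT\s+(.+?)\s*$')
if (-not $def.Success -or $def.Groups[1].Value -ne $root) {
    $problems += "define ROOT does not match the install directory '$root'"
}
# Placeholders from the page that were never replaced.
foreach ($ph in '<your_api_key>', '<path_to_your_.crt_file>') {
    if ($text.Contains($ph)) { $problems += "placeholder $ph is still in the file" }
}
# Every name in a Route path must be a defined Input/Processor/Output block.
$defined = [regex]::Matches($text, '(?m)^\s*<(?:Input|Processor|Output)\s+([^>\s]+)\s*>') |
    ForEach-Object { $_.Groups[1].Value }
foreach ($route in [regex]::Matches($text, '(?m)^\s*Path\s+(.+)$')) {
    foreach ($raw in ($route.Groups[1].Value -split '=>|,')) {
        $name = $raw.Trim()
        if ($name -and $defined -notcontains $name) { $problems += "route references undefined block '$name'" }
    }
}
# om_tcp is plain TCP: the API key prepended to each event is readable on the wire.
if ($text -match '(?m)^\s*Module\s+om_tcp\b') {
    Write-Warning "om_tcp output: API key and events cross the network unencrypted"
}
if ($text -match '(?m)^\s*Module\s+om_ssl\b') {
    if ($text -notmatch '(?m)^\s*Port\s+10515\s*$') { $problems += "om_ssl output is not on port 10515" }
    $ca = [regex]::Match($text, '(?m)^\s*CAFile\s+(.+?)\s*$').Groups[1].Value
    $ca = $ca.Trim('"').Replace('%ROOT%', $root)
    if (-not [System.IO.File]::Exists($ca)) { $problems += "CAFile '$ca' does not exist" }
}
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix nxlog.conf before restarting the service"
}
# Let NXLog verify the syntax itself (exit code check is an assumption), then restart.
& (Join-Path $root "nxlog.exe") -v -c $confPath
if ($LASTEXITCODE -ne 0) { throw "nxlog.exe -v rejected the configuration" }
Restart-Service -Name nxlog
Get-Content (Join-Path $root "data\nxlog.log") -Tail 20
```

The last command prints the end of the LogFile defined in the configuration above, where NXLog reports connection and certificate errors after the restart.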


What's next?

Analyse your first logs with infrastructure integration
