Logging from Windows (NXLog)

Sending logs to Logmatic.io from Windows is made easy thanks to the universal log shipper: Nxlog. In this chapter, we show you how to configure Nxlog to send system logs and other files you may want to follow.

Install the Nxlog daemon

In order to start using the log shipper, you will have to install it. You can find the Windows installer on the Nxlog SourceForge page: pick the .msi package and install it.

Installation of Nxlog

Forward all the syslog messages

  • Please edit the nxlog.conf file which resides in the C:\Program Files\nxlog\conf directory with any text editor you want. We use Notepad in the following example.

Watch out!

Depending on your Windows system, the configuration file may instead be in the C:\Program Files (x86)\nxlog\conf directory. Take note of the actual install path: it is also the value you must set for ROOT in the configuration file.

  • Replace the whole file with the following configuration, and don't forget to adjust the ROOT definition for your Windows OS and to fill in your API key:
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
## Change this to match your own system if necessary
define ROOT C:\Program Files\nxlog
#define ROOT_STRING C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

##Extension to format the message in JSON format
<Extension xm_json>
    Module xm_json
</Extension>

##Extension to format the message in syslog format
<Extension xm_syslog>
    Module xm_syslog
</Extension>

########## INPUTS ###########


##Input for Windows event logs
<Input syslog>
    Module      im_msvistalog
## For windows 2003 and earlier use the following:
#   Module      im_mseventlog

##Put the event in IETF format
    Exec to_syslog_ietf();
</Input>

############ OUTPUTS ##############

##TCP output module
<Output out>
    Module      om_tcp
    Host        api.logmatic.io
    Port        10514

####Add the API key before the event
    Exec     $raw_event="<your_api_key> "+$raw_event;
</Output>


############ ROUTES TO CHOOSE #####

<Route 1>
    Path       syslog => out
</Route>

Don't forget to replace <your_api_key> with the API key generated for your account.

  • Once you are happy with this configuration, don't forget to restart the nxlog service from the Services administration tool (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Services.lnk).

Configuration of Nxlog

If you need more details about this config, please refer to the Nxlog documentation.

Watching your own files

Using Nxlog as a file content forwarder is easy. Just follow these steps:

  • Edit the nxlog.conf file

  • Insert the following configuration block for each file you want to follow:

##Module to watch a file
<Input file_watch_1>
    Module  im_file
    File    "Path\\to\\your\\file1"
    Exec    $SourceName = 'my_application_file1';
    SavePos TRUE

##include the message and add meta data
    Exec    $Message = $raw_event;
    Exec    to_syslog_ietf();
</Input>

<Input file_watch_2>
    Module  im_file
    File    "Path\\to\\your\\file2"
    Exec    $SourceName = 'my_application_file2';
    SavePos TRUE

##include the message and add meta data
    Exec    $Message = $raw_event;
    Exec    to_syslog_ietf();
</Input>

etc...

Don't forget to escape each backslash (\) in your file path by doubling it (\\).

  • Insert the following Route block so that each watched file is routed to the output:
<Route file1>
    Path       file_watch_1,file_watch_2,... => out
</Route>

If you need more details about this config, please refer to the im_file module documentation.

  • Once you are happy with this configuration, don't forget to restart the service with the Services tool.

Enabling security

You need to deploy an NXLog instance of version 2.9.x or later; the SSL configuration does not work with older versions.

You can set up TLS encryption for Nxlog with server certificate validation. [Download the certificate here]

First, be sure you have installed OpenSSL, as the SSL/TLS transport uses the OpenSSL library under the hood. Usually, this is done by installing the OpenSSL binary found here.

You can now enable TLS by replacing the Output block you configured in the previous step:

<Output out>
    Module      om_tcp
    Host        api.logmatic.io
    Port        10514

####Add the API key before the event
    Exec     $raw_event="<your_api_key> "+$raw_event;
</Output>

with:

<Output out>
    Module      om_ssl
    Host        api.logmatic.io
    Port        10515
    CAFile   <path_to_your_.crt_file>

####Add the API key before the event
    Exec     $raw_event="<your_api_key> "+$raw_event;
</Output>

Don't forget to fill in <path_to_your_.crt_file> and <your_api_key>, and ensure that the port number is 10515!
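Before restarting the service, it is worth checking the edited nxlog.conf for the mistakes this page warns about. The following Python linter is an added example, not code from the Logmatic.io page or from NXLog, and it serves both the file-watching section and the TLS section above: it flags an im_file File path with unescaped backslashes, a Route that names an input or output that is not defined, an om_tcp output (clear text), an om_ssl output without CAFile (no certificate validation) or not on port 10515, and the <your_api_key> / <path_to_your_.crt_file> placeholders left in place. The two embedded configurations, the CONSTRUCTED_KEY value and the C:\certs\logmatic.crt path are constructed for the example; the parser understands only the directive-per-line <Input>/<Output>/<Route> syntax used on this page, not the full NXLog language.

```python
"""Lint an nxlog.conf for the pitfalls this page warns about (added example)."""
import re

BLOCK_RE = re.compile(r"<(Input|Output|Route)\s+(\S+)>(.*?)</\1>", re.S)
PLACEHOLDER_RE = re.compile(r"<your_api_key>|<path_to_your_\.crt_file>")
SECURE_PORT = "10515"  # om_ssl port given on this page

def parse_blocks(conf):
    """Yield (kind, name, [(directive, value), ...]); comment lines are skipped."""
    for kind, name, body in BLOCK_RE.findall(conf):
        directives = []
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                parts = re.split(r"\s+", line, maxsplit=1)
                directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
        yield kind, name, directives

def get(directives, wanted):
    """NXLog directive names are case-insensitive."""
    for key, value in directives:
        if key.lower() == wanted.lower():
            return value
    return None

def lint(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    blocks = list(parse_blocks(conf))
    defined = {(kind, name) for kind, name, _ in blocks}
    findings = []
    for kind, name, d in blocks:
        module = get(d, "Module")
        if kind == "Input" and module == "im_file":
            path = (get(d, "File") or "").strip('"')
            # Drop escaped pairs first; any backslash left over is unescaped.
            if "\\" in path.replace("\\\\", ""):
                findings.append(f"Input {name}: unescaped backslash in File {path}")
        elif kind == "Output":
            if module == "om_tcp":
                findings.append(f"Output {name}: om_tcp sends logs in clear text, use om_ssl")
            elif module == "om_ssl":
                if get(d, "CAFile") is None:
                    findings.append(f"Output {name}: om_ssl without CAFile, certificate not validated")
                if get(d, "Port") != SECURE_PORT:
                    findings.append(f"Output {name}: om_ssl port should be {SECURE_PORT}")
        elif kind == "Route":
            sources, _, sinks = (get(d, "Path") or "").partition("=>")
            for side, ref_kind in ((sources, "Input"), (sinks, "Output")):
                for ref in filter(None, re.split(r"[,\s]+", side.strip())):
                    if (ref_kind, ref) not in defined:
                        findings.append(f"Route {name}: {ref_kind} {ref} is not defined")
        for key, value in d:
            hit = PLACEHOLDER_RE.search(value)
            if hit:
                findings.append(f"{kind} {name}: placeholder {hit.group()} left in {key}")
    return findings

# Constructed sample: the page's clear-text Output, an unescaped File path
# and a Route naming an input (file_watch2) that is never defined.
WEAK_CONF = r"""
<Input file_watch_1>
    Module  im_file
    File    "C:\Logs\app1.log"
</Input>
<Output out>
    Module      om_tcp
    Host        api.logmatic.io
    Port        10514
    Exec     $raw_event="<your_api_key> "+$raw_event;
</Output>
<Route file1>
    Path       file_watch_1,file_watch2 => out
</Route>
"""

# Constructed sample after applying the TLS section; CONSTRUCTED_KEY and the
# CAFile path are placeholders, not real values.
HARDENED_CONF = r"""
<Input file_watch_1>
    Module  im_file
    File    "C:\\Logs\\app1.log"
</Input>
<Output out>
    Module      om_ssl
    Host        api.logmatic.io
    Port        10515
    CAFile      C:\certs\logmatic.crt
    Exec     $raw_event="CONSTRUCTED_KEY "+$raw_event;
</Output>
<Route file1>
    Path       file_watch_1 => out
</Route>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(conf) or ["clean"])
```

To lint a real file, call lint() on the contents of your nxlog.conf instead of the embedded samples; the weak sample produces four findings, the hardened one none.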

Parsing of syslogs

As long as you strictly respect the RFC 5424 format, Logmatic.io automatically parses syslogs. This means that fields like appname, facility, severity, hostname and message are correctly interpreted and available as filters in the main view.

In addition to this, if the message field contains valid JSON or key-value pairs, the corresponding custom fields are automatically generated.

Please have a look here if you need more information.
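To see what the rules above mean for the lines NXLog actually emits, here is an added Python example (not code from the Logmatic.io page or from NXLog) that parses a line the way the section describes: it strips the API key that the Output block on this page prepends, accepts only strict RFC 5424 (version 1, all header fields present), splits PRI into facility and severity, reads the structured-data parameters, and derives custom fields from the message when it is valid JSON or key=value pairs. The three sample lines, the CONSTRUCTED_KEY prefix, the host name and the field values are constructed; the first line is shaped like the output of to_syslog_ietf() for an im_file input with $SourceName set as in the file-watching section.

```python
"""Parse RFC 5424 lines as NXLog sends them to Logmatic.io (added example)."""
import json
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Strict RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) "
    r"(?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.S,
)
SD_PARAM_RE = re.compile(r'(\w[\w.@-]*)="((?:[^"\\]|\\.)*)"')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def strip_api_key(line):
    """The Output block prefixes '<api_key> ' to each event; split it off if present."""
    m = re.match(r"^(\S+) (<\d{1,3}>1 .*)$", line, re.S)
    if m and not re.match(r"^<\d{1,3}>", m.group(1)):
        return m.group(1), m.group(2)
    return None, line

def custom_fields(msg):
    """Custom fields are generated when the message is valid JSON or key=value pairs."""
    if msg is None:
        return {}
    text = msg.strip()
    if text.startswith("{"):
        try:
            obj = json.loads(text)
            if isinstance(obj, dict):
                return obj
        except ValueError:
            pass  # not JSON after all, fall through to key=value parsing
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_rfc5424(line):
    """Return the syslog fields as a dict, or None if the line is not strict RFC 5424."""
    m = RFC5424_RE.match(line)
    if not m or int(m.group("pri")) > 191:
        return None
    pri = int(m.group("pri"))
    fields = {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITIES[pri % 8],
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "appname": m.group("appname"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "message": m.group("msg"),
        "sd": dict(SD_PARAM_RE.findall(m.group("sd"))) if m.group("sd") != "-" else {},
        "custom": custom_fields(m.group("msg")),
    }
    return fields

def parse_wire_line(line):
    """Parse one line as it travels over the om_tcp/om_ssl output."""
    key, syslog = strip_api_key(line)
    parsed = parse_rfc5424(syslog)
    if parsed is not None:
        parsed["api_key_present"] = key is not None
    return parsed

# Constructed sample lines: an im_file event with key=value message, a JSON
# message without the API key prefix, and a BSD-style line that is not RFC 5424.
SAMPLE_LINES = [
    'CONSTRUCTED_KEY <14>1 2016-03-01T10:00:00.000000+01:00 WIN-HOST my_application_file1 - - '
    '[NXLOG@14506 EventType="INFO"] user=alice action=login status=ok',
    '<11>1 2016-03-01T10:00:01Z WIN-HOST myapp 1234 - - '
    '{"event":"login_failed","user":"bob","attempts":3}',
    'Mar  1 10:00:00 WIN-HOST myapp: hello',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_wire_line(line) or "not RFC 5424: will not be auto-parsed")
```

The third sample shows the failure mode the section warns about: a line that is not strict RFC 5424 yields None here, and on the Logmatic.io side it would arrive without appname, severity or custom fields to filter on.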

FAQ

How can I forward my logs to a local central server with Nxlog?
How do I use regex with Nxlog?
How can I replace part of a log message with Nxlog?
How do I filter logs sent to Logmatic.io with Nxlog?
