NXLog (Windows) Configuration

Last Updated: Sep 05, 2013 12:31PM PDT

Step 1 – Install nxlog

http://sourceforge.net/projects/nxlog-ce/

Step 2 – Configuration

Replace your C:\Program Files*\nxlog\conf\nxlog.conf with the following configuration sample.   Include your Loggly Customer Token where specified. Make sure that you run the text editor as Administrator (use Notepad rather than WordPad):

Step 3 – Start nxlog

Double click on C:\Program Files*\nxlog\nxlog.exe to start the service. 
If nxlog is already running, make sure to restart nxlog in order for any new configuration changes to take effect:
Start the Service Manager, find 'nxlog' in the list. Select it and restart the service.

Optional: Using TLS

If you want to send logs securely over TLS, it's pretty easy to set up.  Download these two certificates:
  • http://logdog.loggly.com/media/loggly.com.crt
  • http://certs.starfieldtech.com/repository/sf_bundle.crt
    Concatenate them together into one file, called: loggly_full.crt:
    cmd /c copy /b loggly.com.crt+sf_bundle.crt loggly_full.crt
    
    Place it into your C:\Program Files*\nxlog\cert directory.
     
    Make the following changes to your nxlog configuration:
    FROM:
    <Output out>
       Module om_tcp
       Host logs-01.loggly.com
       Port 514
       Exec to_syslog_ietf();\
    $raw_event = replace($raw_event, 'NXLOG@14506', '<CUST_TOKEN>@41058 tag="windows"] [', 1);
    </Output>
    
    
    TO:
    <Output out>
       Module om_ssl
       Host logs-01.loggly.com
       Port 6514
       CAFile         %CERTDIR%/loggly_full.crt
       AllowUntrusted FALSE
       Exec to_syslog_ietf();\
    $raw_event = replace($raw_event, 'NXLOG@14506', '<CUST_TOKEN>@41058 tag="windows"] [', 1);
    </Output>
    
    

    Troubleshooting

    If your logs haven’t made it to Loggly yet, open up the nxlog log file and see what’s going on:  C:\Program Files*\nxlog\data\nxlog.log

    Output Debugging


    In order to see what’s actually sent over to Loggly, edit your nxlog configuration file: Add this section with the other Extensions:
    <Extension fileop>
        Module      xm_fileop
    </Extension>
    
    This line should go into the Output module that you’re debugging:
    Exec  file_write("C:\\Program Files (x86)\\nxlog\data\\nxlog_output.log",  $raw_event);
    

    “Connection attempt failed”

    Sample messages:
    2013-06-04 16:35:59 ERROR couldn't connect to tcp socket on 192.168.1.1:514; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
    
    2013-06-04 16:36:00 INFO connecting to 192.168.1.1:514
    
    2013-06-04 16:36:21 INFO reconnecting in 2 seconds
    
    
    If you see an error connecting to “tcp socket on 192.168.1.1:514”, you’ve probably got an issue with the configuration file.  Make sure that you’re editing the configuration file as “Administrator”, this means that you should actually open up text editor as Administrator

    “Failed to open”

     
    Sample messages:
    2013-06-04 20:46:48 WARNING nxlog-ce received a termination request signal, exiting...
    2013-06-04 20:57:10 ERROR failed to open C:\Program Files (x86);xlog\data;xlog.log; The filename, directory name, or volume label syntax is incorrect. 
    2013-06-04 20:57:10 INFO nxlog-ce-2.4.1054 started
    
    
    When you designate a directory path, be sure to escape any special characters, including back slashes.
    From:  
    File     "C:\\Program Files (x86)\nxlog\data\nxlog.log"
    
    To:
    File     "C:\\Program Files (x86)\\nxlog\\data\\nxlog.log"
    NOTE: you can also try escaping only the \n which gets confused with new line characters.
    C:\Program Files (x86)\\nxlog\data\\nxlog.log' 
     

    “Configuration errors”

    2013-06-04 21:36:28 ERROR file is already defined at C:\Program Files (x86)\nxlog\conf\nxlog.conf:34
    
    2013-06-04 21:36:28 ERROR module 'file_watch' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:58
    
    2013-06-04 21:36:28 WARNING not starting unused module file_watch
    
    

    Each input module can only reference one source.  Create unique names for each of the input streams.  E.g.
     
    <Input python_logs>
       Module   im_file
       File     "C:\\Your Project\\Python\\mylog.log"
       SavePos  TRUE
    </Input>
    
    <Input apache_logs>
       Module   im_file
       File     “C:\\Program Files (x86)\\Apache Group\Apache2\logs\error.log”
       SavePos  TRUE
    </Input>
    
    
    Double check that your Route module has the complete list of Input modules.  E.g.
    <Route 1>
       Path internal, python_logs, apache_logs, eventlog => out
    </Route>
    
    
logglyassistly@zoho.com
https://cdn.desk.com/
false
@loggly
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete