NXLog

NXLog is the workhorse of Windows logging plugins. You can use our configuration file for NXLog to set up the ingestion of Windows events logs to Mezmo.

Set Up NXLog Log Ingestion

Follow the instructions in the Mezmo Web App to set up NXLog log ingestion using your Mezmo syslog port and security certificate

Log in to the Mezmo Web App.
In the bottom section of the left-hand navigation, click Help.
Select Add Log Sources.
Under Via platform, click NXLog.
Follow the instructions to set up NXLog log ingestion.

You can also get a copy of the NXLog configuration file from our GitHub repository.

Example NXLog Configuration File

Text
    
​x
 
Panic Soft#NoFreeOnExit TRUE​define ROOT     C:\\Program Files (x86)\\nxlogdefine CERTDIR  %ROOT%\\certdefine CONFDIR  %ROOT%\\confdefine LOGDIR   %ROOT%\\datadefine LOGFILE  %LOGDIR%\\nxlog.logLogFile %LOGFILE%​Moduledir %ROOT%\\modulesCacheDir  %ROOT%\\dataPidfile   %ROOT%\\data\\nxlog.pidSpoolDir  %ROOT%\\data​<Extension _syslog>    Module      xm_syslog</Extension>​<Extension _exec>    Module      xm_exec</Extension>​<Extension json>    Module  xm_json</Extension>​<Input internal>    Module im_internal    Exec $Message = to_json();</Input>​############################################################################ This is just explicit version of internal input above ################################################################################### <Input nxlog>#     Module im_file#     File '%LOGFILE%'#     <Exec>#         $Message = $raw_event;#         if $Message == '' drop();#         $SourceName = substr(file_name(), size('%LOGDIR%') + 1);#     </Exec># </Input>#######################################################################​# Define Directory for Making Substring Operationdefine LOGFOLDER C:\\ProgramData\\logs​<Input filelog>    Module im_file    File '%LOGFOLDER%\\*.log'    Recursive TRUE    <Exec>        $Message = $raw_event;        if $Message == '' drop();        $SourceName = substr(file_name(), size('%LOGFOLDER%') + 2);    </Exec></Input>​<Input eventlog>    Module im_msvistalog    <QueryXML>        <QueryList>            <Query Id='0'>                <!--Select Path='Application'>*</Select-->                <Select Path='System'>*</Select>                <!--Select Path='Security'>*</Select-->            </Query>        </QueryList>    </QueryXML>    Exec $Message = to_json();</Input>​<Processor buffer>    Module pm_buffer    MaxSize 102400    Type disk</Processor>​<Output out>    Module om_ssl    Host syslog-a.logdna.com    Port CUSTOM_PORT    CAFile %CERTDIR%\ca.pem    Exec to_syslog_ietf();</Output>​<Route 1>    Path internal, filelog, eventlog => buffer => out</Route>
Copy

You can add additional logfiles by creating a new <Input {name}> section that imitates the previous ones, and adding the name of that section to <Route 1> at the end.

Example for Tailing Additional Log Files

Text
    
 
<Input newlog>    Module im_file    File '%LOGDIR%\\example.log'    Exec $Message = to_json();</Input>
Copy

Last updated on

Was this page helpful?