NXLog

Mezmo provides an integration with NXLog to collect, monitor, and analyze Windows event logs.


LogDNA is now Mezmo

LogDNA has recently become Mezmo. As you access technical resources like our API, Code Libraries, and GitHub repositories, you will continue to see references to LogDNA for a short time as we update our new name across all our resource channels.

NXLog is the workhorse of Windows logging plugins. You can use our configuration file for NXLog to set up the ingestion of Windows event logs to Mezmo.

Set Up NXLog Log Ingestion

Follow the instructions in the Mezmo Web App to set up NXLog log ingestion using your Mezmo syslog port and security certificate.

  1. Log in to the Mezmo Web App.
  2. In the left-hand navigation, click the Help icon.
  3. Click Logging Setup.
  4. Under Via platform, click NXLog.
  5. Follow the instructions to set up NXLog log ingestion.

You can also get a copy of the NXLog configuration file from our GitHub repository.

Example NXLog Configuration File

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\\Program Files (x86)\\nxlog
define CERTDIR  %ROOT%\\cert
define CONFDIR  %ROOT%\\conf
define LOGDIR   %ROOT%\\data
define LOGFILE  %LOGDIR%\\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\\modules
CacheDir  %ROOT%\\data
Pidfile   %ROOT%\\data\\nxlog.pid
SpoolDir  %ROOT%\\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension json>
    Module  xm_json
</Extension>

<Input internal>
    Module im_internal
    Exec $Message = to_json();
</Input>

#######################################################################
##### This is just an explicit version of the internal input above #####
#######################################################################
# <Input nxlog>
#     Module im_file
#     File '%LOGFILE%'
#     <Exec>
#         $Message = $raw_event;
#         if $Message == '' drop();
#         $SourceName = substr(file_name(), size('%LOGDIR%') + 1);
#     </Exec>
# </Input>
#######################################################################

# Define Directory for Making Substring Operation
define LOGFOLDER C:\\ProgramData\\logs

<Input filelog>
    Module im_file
    File '%LOGFOLDER%\\*.log'
    Recursive TRUE
    <Exec>
        $Message = $raw_event;
        if $Message == '' drop();
        $SourceName = substr(file_name(), size('%LOGFOLDER%') + 2);
    </Exec>
</Input>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <!--Select Path='Application'>*</Select-->
                <Select Path='System'>*</Select>
                <!--Select Path='Security'>*</Select-->
            </Query>
        </QueryList>
    </QueryXML>
    Exec $Message = to_json();
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_ssl
    Host syslog-a.logdna.com
    Port CUSTOM_PORT
    CAFile %CERTDIR%\ca.pem
    Exec to_syslog_ietf();
</Output>

<Route 1>
    Path internal, filelog, eventlog => buffer => out
</Route>
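The shipped file leaves the Security channel commented out, and the XPath query in the eventlog input is where a narrower selection belongs. The following is an added example, not part of the Mezmo configuration file, showing the eventlog input with the Security channel enabled and filtered to a small set of event IDs so that a high-volume channel does not flood the syslog forwarder. The event IDs used (4624, 4625, 4672, 4688, 4720, 1102) are standard Windows Security event IDs; the filter syntax is the same XPath that the Windows Event Viewer produces for a custom view.

```apache
# Added example: Security channel enabled with an event-ID filter.
# Drop-in replacement for the <Input eventlog> block above; <Route 1>
# stays the same because the input keeps the name "eventlog".
<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='System'>*</Select>
                <!-- 4624/4625 logon success/failure, 4672 special-privilege
                     logon, 4688 process creation, 4720 account created,
                     1102 audit log cleared -->
                <Select Path='Security'>
                    *[System[(EventID=4624 or EventID=4625 or EventID=4672
                     or EventID=4688 or EventID=4720 or EventID=1102)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # to_json() serialises every parsed field (EventID, Channel,
    # SubjectUserName, ...) into $Message so they arrive structured.
    Exec $Message = to_json();
</Input>
```

Event 4688 is only written when the "Audit Process Creation" policy is enabled on the host, so an empty result for it is an audit-policy gap rather than an NXLog problem. Keep the om_ssl output's CAFile pointing at the Mezmo certificate so the forwarder continues to verify the endpoint it ships these events to.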


Tail Additional Log Files

You can add additional log files by creating a new <Input {name}> section that imitates the previous ones, and adding the name of that section to <Route 1> at the end.

Example for Tailing Additional Log Files

<Input newlog>
    Module im_file
    File '%LOGDIR%\\example.log'
    Exec $Message = to_json();
</Input>
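The fragment above shows the new input but not the Route change the text describes. As an added example, not from the Mezmo repository, here is the complete change for one extra file: the input block patterned on the filelog input, and the updated <Route 1>. The directory, file name and input name (applog) are placeholders for your own application log.

```apache
# Added example: one extra tailed file plus the Route update.
# APPLOGDIR and the "applog" input name are placeholders.
define APPLOGDIR C:\\ProgramData\\myapp

<Input applog>
    Module im_file
    File '%APPLOGDIR%\\app.log'
    <Exec>
        $Message = $raw_event;
        if $Message == '' drop();
        # Tag each line with its file name, mirroring the filelog input above.
        $SourceName = substr(file_name(), size('%APPLOGDIR%') + 2);
    </Exec>
</Input>

# An input that is not named in the Route is not forwarded, so the new
# input name is appended to the existing Path line.
<Route 1>
    Path internal, filelog, eventlog, applog => buffer => out
</Route>
```

After editing the file, restart the nxlog service and check %LOGFILE% (the nxlog.log defined at the top of the configuration) for parse errors before trusting that the new file is being shipped.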