NXLOG service won't start when config changed


#1 edberp

After a bit of trial and lots of reading, I managed to get Graylog2 working like a charm.

I'm using NXLOG to send the logs to Graylog via GELF UDP.

Right now I'm just testing and trying different things.

Right now I'm testing with just 4 servers (I have close to 100) and that has consumed a fair bit of space.

So to evaluate usage, I figured I'd just send the security logs (these are all Windows Servers).


Original working configuration
__________________________________________________________
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension gelf>
Module xm_gelf
</Extension>
<Input in>
# Use 'im_mseventlog' for Windows XP, 2000 and 2003
Module im_msvistalog
# Uncomment the following to collect specific event logs only
Query <QueryList>\
<Query Id="0">\
<Select Path="System">*</Select>\
<Select Path="Application">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>
<Output out>
Module om_udp
Host 10.60.10.62
Port 12201
OutputType GELF
</Output>
<Route r>
Path in => out
</Route>
_______________________________________________________

Now I put a REM statement at the beginning of the file

# Just capturing security logs

The service won't start.
If I rem out the Application and System paths, it won't start either.

Any suggestions?

#2 b0ti Nxlog ✓

Assuming by REM you mean #.

Putting that in the middle of the below query won't work:


Query <QueryList>\
<Query Id="0">\
<Select Path="System">*</Select>\
<Select Path="Application">*</Select>\
<Select Path="Security">*</Select>\
</Query>\
</QueryList>
</Input>
<Output out>

The reason is that the above is treated as a single line because the backslash at the end of each line escapes the newline characters. I suggest using QueryXML, which does not need the backslashes added to each line, and you can have your XML formatted and spanning multiple lines.

Please take a look at nxlog.log. There should be an error message explaining why the service doesn't start.
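As an added example (not b0ti's reply, not NXLog's documentation, and not a file from the original thread), here is the asker's configuration rewritten the way b0ti suggests: the backslash-continued Query directive is replaced by a QueryXML block, and only the Security channel is selected. The Host, Port, paths and module names are the ones already in the thread; nothing else is assumed.

```apacheconf
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension gelf>
    Module  xm_gelf
</Extension>

<Input in>
    # im_msvistalog reads the Windows event log on Vista/2008 and later
    Module  im_msvistalog
    # Only the Security channel is collected for the usage evaluation.
    # System and Application are simply left out of the QueryList; with
    # QueryXML every XML line stands on its own, so there is no trailing
    # backslash to join a '#' comment into the middle of the query.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module      om_udp
    Host        10.60.10.62
    Port        12201
    OutputType  GELF
</Output>

<Route r>
    Path    in => out
</Route>
```

Drop this in as nxlog.conf and restart the service. If it still refuses to start, %ROOT%\data\nxlog.log is the place to look, as b0ti says: a config parse error is logged there with the offending line. To add a channel back later, add another `<Select Path="...">*</Select>` element inside the `<Query>`; to drop one, remove its element rather than commenting it with `#`, since the block content is XML, not nxlog directive syntax.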