Problem sending new logs with im_file to remote SIEM


#1 lucasbittencourt

I have a setup with nxlog to collect audit log files that come to me daily. Each day the file name changes.

I noticed that the incoming files are not sent to my remote SIEM, only the first one after restarting the NXLOG service.

Below is my NXLOG configuration using the im_file and om_tcp modules.

Would anyone have an idea how to resolve this?


define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

#######################################################################
# EXTENSIONS
#######################################################################

<Extension _gelf>
    Module xm_gelf
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input auditoria>
    Module im_file
    File "E:\Dataside\SIEM*.json"
    ReadFromLast False
    SavePos False
</Input>

<Output graylog>
    Module om_tcp
    Host 10.100.8.113
    Port 5555
</Output>

<Route auditoria-to-graylog>
    Path auditoria => graylog
</Route>

#2 gahorvath Nxlog ✓

Hello,

Can you say what OS and what CE version you are running exactly? → https://nxlog.co/community-forum/t/1521-readme-how-to-ask-questions-effectively?page=1#post-1

Is there a specific reason for this?

ReadFromLast False
SavePos False

This would essentially resend the log files every time NXLog CE restarts.

You could enable LogLevel DEBUG in the im_file instance to see what it's doing. Beware, it's VERY noisy.
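The two im_file settings the reply singles out, shown next to the position-saving alternative, as an added configuration example that is not the config of either poster; it assumes NXLog CE on Windows and reuses the paths, host and port from the original post, and the interval values are illustrative.

```apache
# Added example (not the poster's config): the im_file instance from the thread,
# with the two settings the reply questions shown beside the usual alternative.

<Input auditoria>
    Module          im_file
    # Single quotes keep the Windows backslashes literal (no escape processing).
    File            'E:\Dataside\SIEM*.json'

    # As posted: with SavePos False NXLog keeps no record of where it stopped,
    # and with ReadFromLast False every matching file is read from the start,
    # so a service restart resends every file that still matches the wildcard.
    #ReadFromLast   False
    #SavePos        False

    # Alternative: keep a position cache in CacheDir so a restart resumes where
    # it left off. ReadFromLast only applies to files present at startup that
    # have no saved position; files that appear later are read in full anyway.
    SavePos         True
    ReadFromLast    True

    # The wildcard directory is rescanned for newly created files every
    # DirCheckInterval seconds; known files are polled for new data every
    # PollInterval seconds (values here are illustrative, not defaults).
    DirCheckInterval 5
    PollInterval     1
</Input>

<Output graylog>
    Module  om_tcp
    Host    10.100.8.113
    Port    5555
</Output>

<Route auditoria-to-graylog>
    Path    auditoria => graylog
</Route>
```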