Problem sending new logs with im_file to remote SIEM

lucasbittencourt

I have a setup with nxlog to collect audit log files that come to me daily. Each day the file name changes.

I noticed that the incoming files are not sent to my remote SIEM, only the first one after restarting the NXLOG service.

Below is my NXLOG configuration using the im_file and om_tcp modules.

Would anyone have an idea how to resolve this?

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO


#######################################################################
####                         EXTENSIONS                           #####
#######################################################################

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

<Input auditoria>
    Module          im_file
    File            "E:\Dataside\SIEM\*.json"
    ReadFromLast    False
    SavePos         False
</Input>

<Output graylog>
    Module      om_tcp
    Host        10.100.8.113
    Port        5555
</Output>

<Route auditoria-to-graylog>
    Path        auditoria => graylog
</Route>