5 responses

I'm attempting to use nxlog to pull in audit files from ModSecurity. The root of the log files resides at /var/log/modsec_audit/. The actual log files are two folders lower, as ModSecurity creates folders that are timestamped by day and then by minute.

Inside my nxlog input config, I have my logfile path as /var/log/modsec_audit/*, and I have enabled recursive file lookup, but to this point no ModSecurity logs are being picked up. The same sidecar instance is grabbing Apache logs perfectly fine, however. I feel like the issue is related to the directory structure, but I'm not seeing an issue with my config. Any thoughts?


<Input 579d7bd625b5bc05cc7f1614>
        Module im_file
        File "/var/log/modsec_audit/*"
        PollInterval 5
        SavePos True
        ReadFromLast True
        Recursive True
        RenameCheck False
        Exec $FileName = file_name(); # Send file name with each message
</Input>


Asked October 18, 2016 - 4:55pm

Comments (5)

  • jason.mull

    The directories and files have read permissions for all users, and I'm not seeing any permission-denied errors in nxlog.log. I've also set ReadFromLast to false with no change.

  • jason.mull

    Could the contents of the files be causing any issues? For a bit more context, this data is a string of JSON being read into Graylog. If I create a test file with some words in it, Graylog reads it immediately. However, if I create a test file with a string of JSON, nothing happens.

  • jason.mull

    I'm not sure that's the case. I ran a packet capture on my log server, and the tests that show up in Graylog show traffic on the proper ports associated with the JSON data collection. When I run the same test with JSON data that doesn't show up in Graylog, I don't see any traffic on that port. It appears that nxlog isn't even sending that data out.
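One thing worth checking against the symptom in the comments (a file of plain words is read at once, a one-line JSON file is never sent), as an added example that is not part of this thread: nxlog's im_file defaults to the LineBased InputType, which needs a newline to terminate a record, so a JSON line written without a trailing newline is held back rather than forwarded. The script below is written for this page, not taken from nxlog or ModSecurity; the day/minute directory names and file contents it creates are constructed to mimic a concurrent audit tree.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. With the default LineBased
# InputType, im_file emits a record only once it sees the terminating newline,
# so a one-line JSON file with no trailing "\n" yields no record (and nothing
# on the wire), while a text file ending in a newline is forwarded at once.

# Print 1 if the last byte of $1 is a newline, else 0 (empty file counts as 0).
ends_with_newline() {
    [ -s "$1" ] || { echo 0; return 0; }
    if [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]; then echo 1; else echo 0; fi
}

# Number of records a LineBased reader would emit from $1: one per newline.
# A trailing unterminated line is not counted, matching what nxlog forwards.
line_records() {
    wc -l < "$1" | tr -d ' '
}

# Walk the tree below $1 the way "Recursive True" is meant to, listing every
# file that would stay silent because its last record is not newline-terminated.
audit_files_missing_newline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if [ "$(ends_with_newline "$f")" -eq 0 ]; then echo "$f"; fi
    done
}

# Append the missing terminator so the held-back record gets emitted.
terminate_file() {
    if [ "$(ends_with_newline "$1")" -eq 0 ]; then printf '\n' >> "$1"; fi
}

# Demo on a constructed day/minute tree in a temporary directory.
demo() {
    root=$(mktemp -d)
    dir="$root/20161018/20161018-1655"
    mkdir -p "$dir"
    printf 'some plain words\n' > "$dir/20161018-165501-words"   # is read
    printf '{"transaction":{"time":"18/Oct/2016:16:55:02"}}' \
        > "$dir/20161018-165502-json"                          # stays silent
    audit_files_missing_newline "$root"
    rm -rf "$root"
}

demo
```

Run it against the real /var/log/modsec_audit tree (without the demo call) to see which audit files nxlog would be holding back; terminate_file shows the fix on a copy before changing how the files are produced.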

Answers (0)