I'm attempting to use nxlog to pull in audit files from ModSecurity. The root of the log files resides at /var/log/modsec_audit/. The actual log files are two folders lower, as ModSecurity creates the folders, which are timestamped by day and then minute.
Inside my nxlog input config, I have my logfile path as /var/log/modsec_audit/*, and I have enabled recursive file lookup, but to this point, no modsecurity logs are being picked up. The same sidecar instance is grabbing apache logs perfectly fine, however. I feel like the issue is related to the directory structure, but I'm not seeing an issue with my config. Any thoughts?
<Input 579d7bd625b5bc05cc7f1614>
Module im_file
File "/var/log/modsec_audit/*"
PollInterval 5
SavePos True
ReadFromLast True
Recursive True
RenameCheck False
Exec $FileName = file_name(); # Send file name with each message
</Input>
Comments (5)
The config looks ok.
Permission issue perhaps?
Have you tried with "ReadFromLast FALSE" just to see if old logs are picked up?
The directories and files have read permissions for all users, and I'm not seeing any permission denied errors in nxlog.log. I've also set ReadFromLast to false with no change.
Could the contents of the files be causing any issues? For a bit more context, this data is a string of JSON being read into Graylog. If I create a test file with some words in it, Graylog reads it immediately. However, if I create a test file with a string of JSON, nothing happens.
Sounds like this is a Graylog issue then.
I'm not sure that's the case. I ran a packet capture on my log server, and the tests that show up in Graylog show traffic on the proper ports associated with the JSON data collection. When I run the same test with JSON data that doesn't show up in Graylog, I don't see any traffic on that port. It appears that nxlog isn't even sending that data out.
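As an added diagnostic for the two things discussed in this thread (whether the recursive lookup actually reaches the files two directories down, and why a single JSON string "does nothing" while a few words are shipped immediately), the following script is example code written for this page; it is not from the original poster, the commenters, or the nxlog project. It rests on one assumption about im_file, stated as such: the module forwards a line only once its newline terminator has been written, so a file containing exactly one JSON document with no trailing newline is opened and tracked but never produces an event. The script walks a ModSecurity-style tree (day directory, minute directory, one file per transaction), lists every regular file the recursive lookup would see, and flags files that are not world-readable or whose last line lacks a newline. The directory names and contents are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed sample tree imitating the concurrent audit-log layout the poster
# describes: /var/log/modsec_audit/<day>/<day-minute>/<transaction file>.
# Directory names and JSON contents are made up for this example.
SAMPLE_FILES = {
    # Single JSON document, no trailing newline: tracked but never emitted
    # under the assumption stated in the lead-in.
    "20160101/20160101-1200/20160101-120001-aaaa": '{"transaction": {"id": "aaaa"}}',
    # Same document, newline-terminated: emitted as one event.
    "20160101/20160101-1200/20160101-120002-bbbb": '{"transaction": {"id": "bbbb"}}\n',
    # The "some words" test file from the thread, written with a newline.
    "20160101/20160101-1201/20160101-120101-cccc": "some words\n",
}


def build_sample_tree(root):
    """Create the constructed directory tree under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def ends_with_newline(path):
    """True if the file is non-empty and its last byte is a newline."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        if fh.tell() == 0:
            return False
        fh.seek(-1, os.SEEK_END)
        return fh.read(1) == b"\n"


def audit_tree(root):
    """Walk root recursively (what 'Recursive True' is expected to cover) and
    report, per regular file, whether it is world-readable and whether its
    last line is newline-terminated."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            findings.append({
                "path": os.path.relpath(path, root),
                "world_readable": bool(mode & stat.S_IROTH),
                "newline_terminated": ends_with_newline(path),
            })
    return sorted(findings, key=lambda f: f["path"])


def unterminated_files(root):
    """Paths of files whose final line would be held back until a newline arrives."""
    return [f["path"] for f in audit_tree(root) if not f["newline_terminated"]]


def demo():
    """Build the constructed tree in a temp directory and summarise it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {
            "files_seen": len(audit_tree(root)),
            "unterminated": unterminated_files(root),
        }


if __name__ == "__main__":
    # Point this at the real root (e.g. /var/log/modsec_audit) to check a live tree.
    for finding in audit_tree(os.environ.get("MODSEC_AUDIT_ROOT", tempfile.gettempdir())):
        print(finding)
    print(demo())
```

Run it with MODSEC_AUDIT_ROOT set to the audit-log root to list what a recursive walk sees; if the JSON files show up as not newline-terminated, that matches the packet-capture observation in the thread that nxlog never sends them, while the newline-terminated "some words" file goes out immediately.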