
I have a very basic setup. I was easily able to get the general syslog functionality working.

I have been unable to get the file transport working. I've spent several days trying alternative configurations and Googling for help, all to no avail.

I also tested with om_file - trying to just grab the file and output it locally - the outcome was just a blank file.

Any help will be greatly appreciated.

Here is my config:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension gelf>
    Module  xm_gelf
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input 1>
    Module    im_file
    File      "C:\\MSSQL\\ERRORLOG"
</Input>

<Output 2>
    Module om_tcp
    Host 192.168.1.50
    Port 5550
    OutputType  GELF_TCP
</Output>

<Route 3>
  Path 1 => 2
</Route>


Asked May 8, 2017 - 10:59pm

Answer (1)

There may be two reasons for that.

1. ReadFromLast for im_file defaults to FALSE. Perhaps there were no events written to your file.

2. The MSSQL ERRORLOG is UCS-2. You need the following conversion (sample taken from the manual):

<Input in>
    Module im_file
    File "C:\\MSSQL\\ERRORLOG"
    Exec $raw_event = convert($raw_event, 'UCS-2LE','UTF-8'); if $raw_event == '' drop();
</Input>
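To show what the conversion in that Exec line actually does to an ERRORLOG, here is an added Python illustration (not NXLog code and not from the answer above): a constructed UCS-2LE/UTF-16LE sample with BOM, read once as raw bytes and once decoded to UTF-8 with empty lines dropped.

```python
import codecs

# Constructed sample, not a real ERRORLOG: two SQL Server log lines as MSSQL
# writes them (UCS-2LE with a BOM, CRLF line endings) plus one empty line,
# which is the case the answer's `if $raw_event == '' drop();` handles.
SAMPLE_ERRORLOG = codecs.BOM_UTF16_LE + (
    "2017-05-08 22:59:01.12 Server      Microsoft SQL Server 2016 (RTM)\r\n"
    "\r\n"
    "2017-05-08 22:59:02.45 Logon       Login failed for user 'sa'.\r\n"
).encode("utf-16-le")


def naive_lines(raw: bytes) -> list:
    """What a byte-oriented, newline-split reader sees with no conversion:
    every ASCII character is followed by a NUL byte, the BOM is glued to the
    first line and the NUL after each 0x0A leaks into the next line."""
    return raw.split(b"\n")


def convert_errorlog(raw: bytes, src: str = "utf-16-le") -> list:
    """Python equivalent of the answer's Exec:
         $raw_event = convert($raw_event, 'UCS-2LE', 'UTF-8'); if $raw_event == '' drop();
    UCS-2LE is decoded as UTF-16LE, which is identical for the BMP characters
    an ERRORLOG contains. Returns the non-empty lines as str (UTF-8 ready)."""
    text = raw.decode(src)
    if text.startswith("\ufeff"):   # strip the BOM that MSSQL writes
        text = text[1:]
    events = []
    for line in text.splitlines():
        if line == "":              # the drop() branch: skip blank records
            continue
        events.append(line)
    return events


if __name__ == "__main__":
    for chunk in naive_lines(SAMPLE_ERRORLOG):
        print("raw   :", chunk)
    for event in convert_errorlog(SAMPLE_ERRORLOG):
        print("event :", event)
```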

Comments (3)

  • jcottone:

    I tried your suggestion. File output still blank; Graylog still not receiving anything. I also verified permissions of the file and that nxlog is being run as admin. I tried your exact code as well as this, which is what I see in the documentation regarding mssql:

    Exec convert_fields('UCS-2LE','UTF-8'); if $raw_event == '' drop();


  • b0ti (NXLog):

    It might be that the data is lost on the way to graylog. I suggest using om_file to check if you see anything there.

    See the troubleshooting section in the manual.

    For the charset conversion the first one I provided should work better.

  • jcottone:

    From my initial post: "I also tested with om_file - trying to just grab the file and output it locally - the outcome was just a blank file."

    I worked around the issue with the following PowerShell script running from Task Scheduler at 10 minute intervals, followed by a basic NXLog config only grabbing the normal eventvwr logs with ID 999:

    PowerShell Script:

    # Load the SQL Server module and the SMO assembly
    import-module sqlserver
    [reflection.assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo")
    $machineName = "SERVERNAME"
    $instanceName = "SQLINSTANCE"
    $sqlServer = new-object ("Microsoft.SqlServer.Management.Smo.Server") "$machineName\$instanceName"
    # Dump the current error log (index 0) to CSV via SMO
    $sqlServer.ReadErrorLog(0) | export-csv c:\temp\log0.csv -force -NoTypeInformation
    # Replay each CSV row into the Application event log as ID 999 so NXLog can pick it up
    $logs = get-content c:\temp\log0.csv
    foreach ($log in $logs){
        eventcreate /ID 999 /L APPLICATION /T INFORMATION /SO SQLLOG /D "$log"
    }
    Remove-item "c:\temp\log0.csv"

    NXLog.conf:

    define ROOT C:\Program Files (x86)\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    LogLevel INFO

    <Extension _syslog>
        module xm_syslog
    </Extension>

    <Input 1>
        Module    im_msvistalog
        SavePos True
        Query <QueryList>\
        <Query Id="999">\
        <Select Path="Application">*</Select>\
        </Query>\
        </QueryList>
    </Input>

    <Output 2>
        Module    om_udp
        Host    serverIP
        Port    5550
        Exec to_syslog_snare();
    </Output>

    <Route 3>
      Path 1 => 2
    </Route>