We're using NX Log (CE) as a test to see if it will work for our purposes. The overall idea is to use it as a forwarder of syslog flat files to any brand of SIEM.
My config looks like this:
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
# Module im_file
# File 'E:\\DGQradarExports\\ForwarderCust\\Alerts\\*'
# ReadFromLast True
# Exec parse_syslog();
Path Events,Process => Customer
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
# Rotate our log file every week on Sunday at midnight
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
My log just shows this:
2018-11-19 08:50:43 INFO nxlog-ce-2.10.2102 started
2018-11-19 08:50:43 INFO connecting to 192.168.160.141:514
QRadar shows an information source has registered but no data ever flows.
I should see a 'connection was successful' message shouldn't I?
Is there any way to up the logging so I can tell if NX Log is even reading the files and attempting to send them? I really can't tell what it's doing currently.
Multiple files exist in the input directories, I'm trying to have NX Log work through all of them, send them to SIEM and then wait for more files. Config examples seem straightforward, I just can't tell what it's doing.
Any help is appreciated.