Problems receiving Windows event logs from nxlog

heskez · Post by **heskez** » Thu Dec 24, 2015 7:28 am

Hi there,

I've got the following issue that the Windows host where NXLOG is configured, doesn't show up in the dashboard, nor in tcpdump.

I've examined the nxlog log file and show me these error messages:

2015-12-24 12:03:07 WARNING stopping nxlog service
2015-12-24 12:03:07 WARNING nxlog-ce received a termination request signal, exiting...
2015-12-24 12:03:12 ERROR Couldn't parse Exec block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:58; couldn't parse statement at line 58, character 89 in C:\Program Files (x86)\nxlog\conf\nxlog.conf; procedure 'file_write()' does not exist or takes different arguments
2015-12-24 12:03:12 ERROR module 'out' has configuration errors, not adding to route '1' at C:\Program Files (x86)\nxlog\conf\nxlog.conf:62
2015-12-24 12:03:12 ERROR route 1 is not functional without output modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:62
2015-12-24 12:03:12 WARNING no routes defined!
2015-12-24 12:03:12 WARNING not starting unused module internal
2015-12-24 12:03:12 WARNING not starting unused module file1
2015-12-24 12:03:12 WARNING not starting unused module eventlog
2015-12-24 12:03:12 WARNING not starting unused module out
2015-12-24 12:03:12 INFO nxlog-ce-2.9.1347 started

Considering the nxlog configuration file, are spaces or line breaks allowed?

Best,

E

jolson · Post by **jolson** » Mon Dec 28, 2015 12:06 pm

Considering the nxlog configuration file, are spaces or line breaks allowed?

They should be allowed - could you please paste your nxlog configuration here for us to see?
It should be located at C:\Program Files\nxlog\conf\nxlog.conf

heskez · Post by **heskez** » Tue Dec 29, 2015 3:47 am

Here it is

Code: Select all

## See the nxlog reference manual at 
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
 
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert
 
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
 
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>
 
<Extension json>
    Module      xm_json
</Extension>
 
<Extension syslog>
    Module xm_syslog
</Extension>
 
<Input internal>
    Module im_internal
</Input>
 
# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
</Input>
 
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
 
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
</Input>

<Output out>
    Module om_tcp
    Host x.x.x.x
    Port 3515
	
    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();
	
	# Uncomment for debug output
	  Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>
 
<Route 1>
    Path internal, file1, eventlog => out
</Route>

jolson · Post by **jolson** » Tue Dec 29, 2015 10:41 am

Please give the following a try instead:

Code: Select all

    ## See the nxlog reference manual at 
    ## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
     
    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.
    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog
    define CERT %ROOT%\cert
     
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
     
    # Include fileop while debugging, also enable in the output module below
    #<Extension fileop>
    #    Module xm_fileop
    #</Extension>
     
    <Extension json>
        Module      xm_json
    </Extension>
     
    <Extension syslog>
        Module xm_syslog
    </Extension>
     
    <Input internal>
        Module im_internal
    </Input>
     
    # Watch your own files
    <Input file1>
        Module   im_file
        File     '%ROOT%\data\nxlog.log'
        SavePos  TRUE
        Exec     $Message = $raw_event;
    </Input>
     
    # Windows Event Log
    <Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
        Module im_msvistalog
     
    # Uncomment im_mseventlog for Windows XP/2000/2003
    #   Module im_mseventlog
    </Input>
     
    <Output out>
        Module om_tcp
        Host 192.168.1.1
        Port 3515
    	
        Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
        Exec  $raw_event = to_json();
    	
    	# Uncomment for debug output
    	# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
    </Output>
     
    <Route 1>
        Path internal, file1, eventlog => out
    </Route>

Replace 192.168.1.1 with the IP of your NLS server. After making the above changes to your configuration file, please restart nxlog. Thanks!

heskez · Post by **heskez** » Tue Dec 29, 2015 10:55 am

This looks great thanks!
What exactly made the difference?

jolson · Post by **jolson** » Tue Dec 29, 2015 10:58 am

I think it boiled down to this line:
Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");

In your config, it's uncommented and appeared to be throwing some kind of error. What I sent you above is the default configuration from Nagios Log Server 1.4.0 - if you haven't upgraded yet I highly recommend it.

Nagios Support Forum

Problems receiving Windows event logs from nxlog

Problems receiving Windows event logs from nxlog

Re: Problems receiving Windows event logs from nxlog

Re: Problems receiving Windows event logs from nxlog

Re: Problems receiving Windows event logs from nxlog

Re: Problems receiving Windows event logs from nxlog

Re: Problems receiving Windows event logs from nxlog