How to monitor Windows files for specific entry

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

How to monitor Windows files for specific entry

Post by dlukinski »

Hello LOG support

Please help with creating nxlog configuration file as follows:

S:\somepath\somepath
monitor all txn*.log files under this path for a specific "123456" entry in them

Thank you
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: How to monitor Windows files for specific entry

Post by hsmith »

You can use the wizard that is built in to NLS to generate an nxlog configuration file. NXLog is going to send all of the logs that you specify to NLS, and then NLS will handle looking for the certain string that you want to match from the Windows event logs.
Former Nagios Employee.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: How to monitor Windows files for specific entry

Post by dlukinski »

hsmith wrote: You can use the wizard that is built in to NLS to generate an nxlog configuration file. NXLog is going to send all of the logs that you specify to NLS, and then NLS will handle looking for the certain string that you want to match from the Windows event logs.


Cannot get this one to work:


## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-re ... anual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
#</Extension>

<Extension json>
Module xm_json
</Extension>

<Extension syslog>
Module xm_syslog
</Extension>

<Input internal>
Module im_internal
</Input>

# Watch your own files
<Input file1>
Module im_file
File '%ROOT%\data\nxlog.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
# Module im_msvistalog

# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input>

<Input windowsfile>
Module im_file
File 'D:\sba81\siebsrvr\log\txn*.log'
SavePos TRUE
Exec $Message = $raw_event;
</Input>


<Output out>
Module om_tcp
Host logging.mydomain.com
Port 3515

Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
Exec $raw_event = to_json();

# Uncomment for debug output
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
Path internal, txn*.log, eventlog => out
</Route>
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: How to monitor Windows files for specific entry

Post by hsmith »

What is happening when you try? Is anything hitting the logserver? Did you make sure that you restarted the nxlog service after making changes to the configuration file?
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: How to monitor Windows files for specific entry

Post by dlukinski »

hsmith wrote: What is happening when you try? Is anything hitting the logserver? Did you make sure that you restarted the nxlog service after making changes to the configuration file?
Did restart, but nothing is happening. (txn*.log files are present on the system)
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: How to monitor Windows files for specific entry

Post by hsmith »

Are the logs currently being generated, or are they old logs you're hoping to send to NLS?
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: How to monitor Windows files for specific entry

Post by dlukinski »

hsmith wrote: Are the logs currently being generated, or are they old logs you're hoping to send to NLS?
Yes, logs are being generated (at least 2 files after logging had started with the configuration file from above).
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: How to monitor Windows files for specific entry

Post by jolson »

Change this:

 Path internal, txn*.log, eventlog => out
To this:

 Path internal, windowsfile, eventlog => out
Restart nxlog and I bet the logs will begin arriving. Thanks!
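The routing mistake jolson points out (the Route naming the file glob instead of the Input instance) is easy to catch before restarting the service. As an added example that is not from the thread or from NXLog, this Python check parses a config string, collects the Input and Output instance names, and flags Route paths that reference undefined names, as well as Input blocks whose only Module line is commented out; the sample config is constructed to reproduce the thread's mistake, and the host name in it is a placeholder.

```python
import re

# Constructed sample reproducing the thread's mistake: the Route names the
# file glob "txn*.log" instead of the Input instance "windowsfile".
SAMPLE_CONF = r"""
<Input internal>
Module im_internal
</Input>
<Input eventlog>
# Module im_msvistalog
</Input>
<Input windowsfile>
Module im_file
File 'D:\logs\txn*.log'
</Input>
<Output out>
Module om_tcp
Host logserver.example
Port 3515
</Output>
<Route 1>
Path internal, txn*.log, eventlog => out
</Route>
"""

BLOCK_RE = re.compile(r"^<(Input|Output|Route)\s+(\S+)>\s*$(.*?)^</\1>", re.M | re.S)

def check_nxlog_conf(text):
    inputs, outputs, routes, problems = set(), set(), [], []
    for kind, name, body in BLOCK_RE.findall(text):
        # A block whose only Module line is commented out defines no module.
        has_module = re.search(r"^\s*Module\s+\S+", body, re.M)
        if kind == "Input":
            inputs.add(name)
            if not has_module:
                problems.append(f"Input '{name}' has no active Module directive")
        elif kind == "Output":
            outputs.add(name)
        else:
            m = re.search(r"^\s*Path\s+(.*?)\s*=>\s*(.*?)\s*$", body, re.M)
            if m:
                routes.append((name, m.group(1), m.group(2)))
    # Every name on a Route's Path must be an Input (left) or Output (right) instance.
    for name, src, dst in routes:
        for ref in [s.strip() for s in src.split(",")]:
            if ref not in inputs:
                problems.append(f"Route '{name}' references unknown input '{ref}'")
        for ref in [s.strip() for s in dst.split(",")]:
            if ref not in outputs:
                problems.append(f"Route '{name}' references unknown output '{ref}'")
    return problems
```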
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: How to monitor Windows files for specific entry

Post by dlukinski »

jolson wrote: Change this:

 Path internal, txn*.log, eventlog => out
To this:

 Path internal, windowsfile, eventlog => out
Restart nxlog and I bet the logs will begin arriving. Thanks!
Still does not work. What about this one:

# Watch your own files
<Input windowsfile>
Module im_file
File 'C:\path\to\target\file'
SavePos TRUE
Exec $Message = $raw_event;
</Input>
You will need to rename windowsfile to the name of the file you desire to monitor. This must be unique.

You will need to rename 'C:\path\to\target\file' to the path of the file you desire to monitor. They must be inside single quotes.
-----------
While adding the Input and filename of the file you are monitoring you will need to add to the route section in the configuration right under the input section above.

<Route 1>
Path internal, eventlog, windowsfile => out
</Route>
Again, you will need to rename windowsfile to the name of the file you desire to monitor.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: How to monitor Windows files for specific entry

Post by hsmith »

Can you send in a ticket? This one might be easier to look at over remote.