Add a Log Source -> Windows Source

[gornm565]

On a newly installed Nagios Log Server, I went to Add a Log Source, Windows Source. it recommends using Nxlog. I installed Nxlog from the link provided. Then it has the following instructions:
Configure Windows Event Logs using Nxlog
Save the entire contents below to your nxlog.conf file usually located in C:\Program Files (x86)\nxlog\conf\nxlog.conf

nls1.JPG

Following those instructions, net start nxlog, fails. Nxlog.log has the following error:
nxlog failed to start: Empty configuration

Looks like this is due to the fact that the nxlog.conf isn't properly formatted - it doesn't have any line breaks. Is that a bug? How do we get a properly formatted nxlog.conf ?

Thank you.

[gornm565]

I tried editing this conf file to put in the line breaks where I thought they belonged. I hope I got this right. Here's what i got:

Code: Select all

## See the nxlog reference manual at ## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html 
## Please set the ROOT to the folder your nxlog was installed into, 
## otherwise it will not start. 
#define ROOT C:\Program Files\nxlog 

define ROOT C:\Program Files (x86)\nxlog 
define CERT %ROOT%\cert 
Moduledir %ROOT%\modules 
CacheDir %ROOT%\data 
Pidfile %ROOT%\data\nxlog.pid 
SpoolDir %ROOT%\data 
LogFile %ROOT%\data\nxlog.log 

# Include fileop while debugging, also enable in the output module below 
#<Extension fileop> 
# Module xm_fileop 
#</Extension> <Extension json> Module xm_json </Extension> 

<Extension syslog> 
	Module xm_syslog 
</Extension> 

<Input internal> 
	Module im_internal 
</Input> 

# Watch your own files <Input file1> Module im_file File '%ROOT%\data\nxlog.log' SavePos TRUE Exec $Message = $raw_event; </Input> 
# Windows Event Log 
<Input eventlog> 
# Uncomment im_msvistalog for Windows Vista/2008 and later Module im_msvistalog 
# Uncomment im_mseventlog for Windows XP/2000/2003 
# Module im_mseventlog 
</Input> 

<Output out> 
	Module om_tcp 
	Host usnagioslog01 
	Port 3515 
	Exec $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message"); 
	Exec $raw_event = to_json(); 
# Uncomment for debug output 
# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n"); 
</Output> 

<Route 1> 
	Path internal, file1, eventlog => out 
</Route>

Now the log file has these messages:

Code: Select all

2017-09-26 12:42:19 ERROR empty 'Input' block at C:\Program Files (x86)\nxlog\conf\nxlog.conf:66
2017-09-26 12:42:19 WARNING no routes defined!
2017-09-26 12:42:19 WARNING not starting unused module internal
2017-09-26 12:42:19 INFO nxlog-ce-2.9.1347 started

Looks like something is still wrong. Any ideas?

[gormank]

Looks like it wants

Module im_mseventlog

To be uncommented in the input section...

[tacolover101]

i believe you'll need to uncomment so this <input> is actually used -

Code: Select all

<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
</Input> 

[gormank]

Sorry,
Looks like the route section might need something as well.

[scottwilkerson]

It should look like this

Code: Select all

    ## See the nxlog reference manual at 
    ## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
     
    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.
    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog
    define CERT %ROOT%\cert
     
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
     
    # Include fileop while debugging, also enable in the output module below
    #<Extension fileop>
    #    Module xm_fileop
    #</Extension>
     
    <Extension json>
        Module      xm_json
    </Extension>
     
    <Extension syslog>
        Module xm_syslog
    </Extension>
     
    <Input internal>
        Module im_internal
    </Input>
     
    # Watch your own files
    <Input file1>
        Module   im_file
        File     '%ROOT%\data\nxlog.log'
        SavePos  TRUE
        Exec     $Message = $raw_event;
    </Input>
     
    # Windows Event Log
    <Input eventlog>
    # Uncomment im_msvistalog for Windows Vista/2008 and later
        Module im_msvistalog
     
    # Uncomment im_mseventlog for Windows XP/2000/2003
    #   Module im_mseventlog
    </Input>
     
    <Output out>
        Module om_tcp
        Host usnagioslog01
        Port 3515
    	
        Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
        Exec  $raw_event = to_json();
    	
    	# Uncomment for debug output
    	# Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
    </Output>
     
    <Route 1>
        Path internal, file1, eventlog => out
    </Route>

[gornm565]

Any idea why this doesn't work out of the box? Is it a bug?

[scottwilkerson]

Any idea why this doesn't work out of the box? Is it a bug?

It is a bug in the formatting in some browsers. This will be fixed in the next release that will come out.