Need help with nxlog

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
bennyboy
Posts: 157
Joined: Thu Oct 29, 2015 9:42 am

Need help with nxlog

Post by bennyboy »

Hi,

I am trying to use nxlog to send Windows events to Nagios Log Server. I only need Application log event IDs 98 and 99. I tried this configuration, but I see a couple of errors in nxlog.log.

NXLOG.LOG

Code:

2017-05-03 15:31:27 ERROR invalid keyword: QueryXML at C:\Program Files\nxlog\conf\nxlog.conf:45
2017-05-03 15:31:27 ERROR module 'eventlog' has configuration errors, not adding to route '1' at C:\Program Files\nxlog\conf\nxlog.conf:72
2017-05-03 15:31:27 WARNING not starting unused module eventlog
2017-05-03 15:31:27 INFO nxlog-ce-2.9.1347 started
2017-05-03 15:31:27 INFO connecting to nagioslog.localdomain:3515

NXLOG.CONF

Code:

## See the nxlog reference manual at
## http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
define CERT %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
#    Module xm_fileop
#</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input internal>
    Module im_internal
</Input>

# Watch your own files
<Input file1>
    Module   im_file
    File     '%ROOT%\data\nxlog.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>

# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    <QueryXML>
      <QueryList>
        <Query Id="0">
          <Select Path="Application">
            *[System[(EventID=EventID=98 or EventID=99)]]
          </Select>
        </Query>
      </QueryList>
    </QueryXML>

# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
</Input>

<Output out>
    Module om_tcp
    Host nagioslog.localdomain
    Port 3515

    Exec  $tmpmessage = $Message; delete($Message); rename_field("tmpmessage","message");
    Exec  $raw_event = to_json();

  # Uncomment for debug output
  # Exec file_write('%ROOT%\data\nxlog_output.log', $raw_event + "\n");
</Output>

<Route 1>
    Path internal, file1, eventlog => out
</Route>

Thank you in advance!!
bennyboy
Posts: 157
Joined: Thu Oct 29, 2015 9:42 am

Re: Need help with nxlog

Post by bennyboy »

I found the solution...

Code:

Query <QueryList>\
  <Query Id="0" Path="Application">\
    <Select Path="Application">*[System[(EventID=98 or EventID=99)]]</Select>\
  </Query>\
</QueryList>
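
Added example (not part of the original post and not nxlog's own code): a Python helper that rewrites a `<QueryXML>` block, which the nxlog-ce 2.9.1347 instance in the log above rejected as an invalid keyword, into the backslash-continued `Query` directive form used in the solution. The names `to_query_directive` and `rewrite_conf` and the chained-comparison check (which catches the `EventID=EventID=98` typo from the first post) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# A <QueryXML> block together with its leading indentation.
BLOCK = re.compile(r"[ \t]*<QueryXML>(.*?)</QueryXML>", re.S)
# Heuristic (assumption): "a=b=c" in a filter is a typo such as EventID=EventID=98.
CHAINED = re.compile(r"=\s*\w+\s*=")

def _attrs(elem):
    return "".join(f" {k}={quoteattr(v)}" for k, v in elem.attrib.items())

def to_query_directive(query_xml, indent="    "):
    """Return the QueryList as one Query directive with backslash continuations."""
    root = ET.fromstring(query_xml.strip())  # raises ParseError if not well-formed
    if root.tag != "QueryList":
        raise ValueError("root element must be <QueryList>")
    lines = ["<QueryList>"]
    for query in root.findall("Query"):
        lines.append(f"  <Query{_attrs(query)}>")
        for child in query:  # <Select> and <Suppress> elements
            xpath = (child.text or "").strip()
            if CHAINED.search(xpath):
                raise ValueError(f"chained comparison in filter: {xpath}")
            lines.append(f"    <{child.tag}{_attrs(child)}>{escape(xpath)}</{child.tag}>")
        lines.append("  </Query>")
    lines.append("</QueryList>")
    return indent + "Query " + ("\\\n" + indent).join(lines)

def rewrite_conf(conf):
    """Replace every <QueryXML> block in an nxlog.conf text with a Query directive."""
    return BLOCK.sub(lambda m: to_query_directive(m.group(1)), conf)

# Constructed sample: the Input block from the first post, with the filter corrected.
SAMPLE = """<Input eventlog>
    Module im_msvistalog
    <QueryXML>
      <QueryList>
        <Query Id="0">
          <Select Path="Application">
            *[System[(EventID=98 or EventID=99)]]
          </Select>
        </Query>
      </QueryList>
    </QueryXML>
</Input>
"""
if __name__ == "__main__":
    print(rewrite_conf(SAMPLE))
```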
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Need help with nxlog

Post by tgriep »

Thanks for posting back the solution. Shall I close and lock the post as solved for you?
bennyboy
Posts: 157
Joined: Thu Oct 29, 2015 9:42 am

Re: Need help with nxlog

Post by bennyboy »

OK, you can close that thread :)