<tbody id="asv3h"><nobr id="asv3h"></nobr></tbody>

<track id="asv3h"></track>
<bdo id="asv3h"></bdo>

      Support Logging setup

      NXLog & Windows Event Log

      NXLog & Windows Event Log

      This guide will show you how to send your Windows Event Log to Loggly. It uses the free and open source Nxlog tool to send your logs. We will also automatically parse your logs so you can easily search them.

      This guide was written for Windows Vista or later in 64-bit. It assumes you have the latest version of nxlog in the default installation directory, and can send TCP events out on port 514.

      For alternatives, please see the Advanced Options Windows logging section, or visit our logging guide for Windows logging basics, troubleshooting with Windows logs, or centralizing Windows logs.

      Make sure to replace the CUSTOMER_TOKEN in the config file with your specific token found under Source Setup > Customer Tokens.


      1. Install Nxlog

      Download the latest version of nxlog. It’s probably easiest to choose the Windows msi file which includes an installer.

      2. Copy the Configuration

      Open the Nxlog configuration file at:

      C:\Program Files (x86)\nxlog\conf\nxlog.conf

      Replace the entire configuration file by pasting the following, and replacing the variables below.

      ## This is a sample NXLog configuration file created by Loggly. June 2013
      ## See the nxlog reference manual about the configuration options.
      ## It should be installed locally and is also available
      ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
       
      ## Please set the ROOT to the folder your nxlog was installed into,
      ## otherwise it will not start.
      #define ROOT C:\\Program Files\\nxlog
      #define ROOT_STRING C:\\Program Files\\nxlog
      define ROOT C:\\Program Files (x86)\\nxlog
      define ROOT_STRING C:\\Program Files (x86)\\nxlog
      define CERTDIR %ROOT%\\cert
       
      Moduledir %ROOT%\\modules
      CacheDir %ROOT%\\data
      Pidfile %ROOT%\\data\\nxlog.pid
      SpoolDir %ROOT%\\data
      LogFile %ROOT%\\data\\nxlog.log
       
      # Include fileop while debugging, also enable in the output module below
      #<Extension fileop>
      # Module xm_fileop
      #</Extension>
       
      <Extension json>
       Module xm_json
      </Extension>
       
      <Extension syslog>
       Module xm_syslog
      </Extension>
       
      <Input internal>
       Module im_internal
       Exec $Message = to_json(); 
      </Input>
       
      # Windows Event Log
      <Input eventlog>
      # Uncomment im_msvistalog for Windows Vista/2008 and later
       Module im_msvistalog
       
      #Uncomment im_mseventlog for Windows XP/2000/2003
      #Module im_mseventlog
       
       Exec $Message = to_json();
      </Input>
      
      <Processor buffer>
      Module pm_buffer
      # 100Mb disk buffer
      MaxSize 102400
      Type disk
      </Processor>
       
      <Output out>
       Module om_tcp
       Host logs-01.loggly.com
       Port 514
       
       Exec to_syslog_ietf(); 
       Exec $raw_event =~ s/(\[.*])//g; $raw_event = replace($raw_event, '{', '[CUSTOMER_TOKEN@41058 tag="windows"] {', 1);
       
      #Use the following line for debugging (uncomment the fileop extension above as well)
      #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
      </Output>
       
      <Route 1>
       Path internal, eventlog => buffer => out
      </Route>

      Replace the above variables:

      • CUSTOMER_TOKEN: Replace with your own customer token
      • ROOT and ROOT_STRING: If you are in 32-bit Windows, uncomment the top root path on lines 8 and 9 to use the 32-bit program files folder then comment the two below.

      Note: The pm_buffer module supports disk based message buffering and helps in storing logs during network outage, it also send buffered logs when network connection is re-established. You can increase or decrease the MaxSize under the pm_buffer module according to your requirement of disk buffer.

      3. Restart Nxlog

      Open the Services tool in the Start menu, find nxlog in the list, and then restart the service.

      Logging From Windows

      4. Verify

      Verify it shows up in Loggly by doing a search for the windows tag over the past hour. If it doesn’t work, see the troubleshooting section below.

      tag:windows

      Click on one of the logs to show a list of JSON fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed formats.

      NXLog & Windows Event Log Example

      5. Next Steps

      Advanced NXLog & Logging From Windows Options

      • Nxlog with TLS – for secure encrypted data transmission
      • Syslog-NG for Windows – with commercial support from Balabit
      • Event Forwarding – Windows 2008/Windows 7 and up include “Event Forwarding”. Events can be forwarded to a central server which are then stored on the server under the “Forwarded Events” category in the event viewer. Nxlog can be installed on the central server which would then be able to forward events via Syslog to Loggly.
      • Search or post your own NXLog documentation and logging from Windows question in the community forum.
      • Nxlog supports buffer to store the logs during a temporary network outage and send those buffered logs to Loggly when network is back.
      • The pm_buffer module in above nxlog.conf file supports buffer implementation.
      • Configuration to monitor RDP logs in Windows:
        # Windows Event Log
        
        <Input eventlog>
        
        # Uncomment im_msvistalog for Windows Vista/2008 and later
        
        ?Module im_msvistalog
        
        ?SavePos TRUE
        
        ? Query <QueryList><Query Id="0"><Select Path="Application">*</Select><Select Path="System">*</Select><Select Path="Security">*</Select><Select Path="Setup">*</Select><Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*</Select></Query></QueryList>
        
        ? Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
        
        #Uncomment im_mseventlog for Windows XP/2000/2003
        
        #Module im_mseventlog
        
        </Input>
      • How to monitor a value in Windows logs and then add it as a tag:

      This below config has:
      1. A regex to extract a field, and store it.
      2. Use the field to add a new tag.
      3. Inject additional JSON keys in the event.
      4. A local buffer of 100 MB.

      # http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
       
      define ROOT C:\\Program Files (x86)\\nxlog
      define ROOT_STRING C:\\Program Files (x86)\\nxlog
      define CERTDIR %ROOT%\\cert
       
      Moduledir %ROOT%\\modules
      CacheDir %ROOT%\\data
      Pidfile %ROOT%\\data\\nxlog.pid
      SpoolDir %ROOT%\\data
      LogFile %ROOT%\\data\\nxlog.log
       
      # Include fileop while debugging, also enable in the output module below
      #<Extension fileop>
      # Module xm_fileop
      #</Extension>
       
      <Extension json>
       Module xm_json
      </Extension>
       
      <Extension syslog>
       Module xm_syslog
      </Extension>
       
      <Input internal>
       Module im_internal
       Exec $Message = to_json();
      </Input>
       
      # Windows Event Log
      <Input eventlog>
      # Uncomment im_msvistalog for Windows Vista/2008 and later
       Module im_msvistalog
       
      #Uncomment im_mseventlog for Windows XP/2000/2003
      #Module im_mseventlog
       
       Exec $Message = to_json();
      </Input>
      
      <Processor buffer>
      Module pm_buffer
      # 100Mb disk buffer
      MaxSize 102400
      Type disk
      </Processor>
      
      <Input APP>
       Module im_file
       File "c:\logs\app.log"
       SavePos TRUE
       CloseWhenIdle TRUE
       Exec $event = $raw_event;
      </Input>
       
      <Output out>
       Module om_tcp
       Host logs-01.loggly.com
       Port 514
       
       Exec to_syslog_ietf();
      
      Exec $raw_event =~ /\[.*\] { "role": "(.*?)"/; \
       $role = $1;
       
       Exec if (type($role) == "string") \
       $logglyHeader = '[CUSTOMER_TOKEN@41058 tag="'+$role+'" tag="prod" tag="app1" tag="windows"] { "SourceName":"APP", "HostIpAddress":"' + host_ip() + '",'; \
       else \
       $logglyHeader = '[CUSTOMER_TOKEN@41058 tag="prod" tag="app1" tag="windows"] { "SourceName":"APP", "HostIpAddress":"' + host_ip() + '",'; 
       Exec $raw_event =~ s/(\[.*?] {)/ {/g; $raw_event = replace($raw_event, '{', $logglyHeader, 1);
      
      #Use the following line for debugging (uncomment the fileop extension above as well)
       #Exec file_write("C:\Program Files (x86)\nxlog\data\nxlog_output.log", $raw_event);
      </Output>
      
      
      
      <Route IIS>
       Path internal, eventlog, APP => buffer => out
      </Route>

      Troubleshooting Windows Logging

      If you don’t see any data show up in the verification step, then check for these common problems.

       

      Thanks for the feedback! We'll use it to improve our support documentation.


      caopon超碰最新