GRAYLOG NXLOG problem, all is running but not receiving logs


1. Describe your incident:
I am trying to get a Graylog server running and to receive logs from an Ubuntu 22.04 machine with NXLog. Everything is running OK, but I am not receiving any logs, so what's going on?

2. Describe your environment:
debian 11

  • OS Information:
    debian 11

  • Package Version:
    11.5 bullseye
    graylog 4.3 server

  • Service logs, configurations, and environment variables:
    I need to receive logs from the servers for monitoring, on an Ubuntu machine with NXLog; maybe I will do it on Windows too.

3. What steps have you already taken to try and solve the problem?
I have changed the configuration, but nothing at all. I installed the apache2 service so that it would create new logs, but nothing at all, so I am lost, and this is why I am writing this post.

4. How can the community help?
Filebeat works ok and winlogbeat too but I would like to run with nxlog.

Thanks a lot to all… Best regards, best new year 2023.


Hey Jose Manuel, can you post your nxlog config?
Have you tried to test your config?

/opt/nxlog/bin/nxlog -v
[OPTIONS]
   [-h] print help
   [-f] run in foreground, otherwise try to start the nxlog service
   [-c conffile] specify an alternate config file
   [-i] install service available to service manager
   [-u] uninstall service
   [-s] stop running nxlog service
   [-v] verify configuration file syntax

The output must be:

2023-01-16 08:05:06 INFO configuration OK

Hi Marvin1
Yes, the NXLog configuration is this:

define ROOT /usr/bin

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

<Extension syslogExt>
  Module xm_syslog
</Extension>

User nxlog
Group nxlog

Moduledir /usr/lib/nxlog/modules
CacheDir /var/spool/nxlog/data
PidFile /var/run/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO


<Input file>
	Module im_file
	File '/var/log/*.log'
	File '/var/log/apache2/*.log'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message
</Input>

#<Input syslog-udp>
#	Module im_udp
#	Host 127.0.0.1
#	Port 514
#	Exec parse_syslog_bsd();
#</Input>

<Output gelf>
	Module om_tcp
	Host 192.168.194.63
	Port 12201
	OutputType  GELF_TCP
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '${sidecar.nodeId}';
	  $collector_node_id = '${sidecar.nodeName}';
	</Exec>
</Output>


<Route route-1>
  Path file => gelf
</Route>
#<Route route-2>
#  Path syslog-udp => gelf
#</Route>

Everything is running, as you can see.

Thanks a lot.

Check the owner and the read/write permissions of the files you are trying to import the logs from. Maybe NXLog can't read the logs.

Hi again
Who would be the owner of the files?
The files are all included in /var/log/*.log, aren't they?


This is the result of the command ls -l

Thanks a lot

define INSTALLDIR /opt/nxlog
define CERTDIR %INSTALLDIR%/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension syslog>
    Module        xm_syslog
</Extension>

<Extension gelf>
    Module        xm_gelf
</Extension>

<Input file>
    Module        im_file
    File          '/var/log/syslog'
    <Exec>
        parse_syslog(); 

        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
    </Exec>
</Input>

<Output graylog_udp>
    Module        om_udp
    Host          192.168.194.63:12201 
    OutputType    GELF_UDP
</Output>

<Route 1>
    Path          file => graylog_udp
</Route>

I can't open the image :frowning:

This is the text:

total 3184
-rw-r--r-- 1 root root 25494 janv. 12 11:20 alternatives.log
drwxr-x--- 2 root adm 4096 janv. 16 09:45 apache2
drwxr-xr-x 2 root root 4096 janv. 16 09:44 apt
-rw-r----- 1 syslog adm 36922 janv. 16 11:17 auth.log
-rw------- 1 root root 39508 janv. 16 09:13 boot.log
-rw-r--r-- 1 root root 108494 août 9 13:48 bootstrap.log
-rw-rw---- 1 root utmp 0 août 9 13:48 btmp
drwxr-xr-x 2 root root 4096 janv. 12 10:54 cups
drwxr-xr-x 2 root root 4096 août 3 02:15 dist-upgrade
-rw-r----- 1 root adm 46576 janv. 16 09:13 dmesg
-rw-r----- 1 root adm 47811 janv. 12 13:50 dmesg.0
-rw-r----- 1 root adm 14107 janv. 12 11:22 dmesg.1.gz
-rw-r----- 1 root adm 14116 janv. 12 10:54 dmesg.2.gz
-rw-r--r-- 1 root root 1055750 janv. 16 09:44 dpkg.log
-rw-r--r-- 1 root root 32032 janv. 12 14:03 faillog
-rw-r--r-- 1 root root 11145 janv. 16 09:43 fontconfig.log
drwx--x--x 2 root gdm 4096 janv. 12 10:54 gdm3
-rw-r--r-- 1 root root 1300 janv. 16 09:13 gpu-manager.log
drwxr-xr-x 2 root root 4096 janv. 12 15:19 graylog-sidecar
drwxr-xr-x 3 root root 4096 août 9 13:49 hp
drwxrwxr-x 2 root root 4096 janv. 12 10:53 installer
drwxr-sr-x+ 3 root systemd-journal 4096 janv. 12 10:54 journal
-rw-r----- 1 syslog adm 357380 janv. 16 09:45 kern.log
-rw-rw-r-- 1 root utmp 292292 janv. 16 09:15 lastlog
drwxrwx--- 2 nxlog nxlog 4096 janv. 12 14:03 nxlog
drwxr-xr-x 2 root root 4096 mars 22 2022 openvpn
drwx------ 2 root root 4096 août 9 13:48 private
-rwxrwxrwx 1 root root 1470 janv. 16 09:35 prueba.log
drwx------ 2 speech-dispatcher root 4096 juil. 21 17:15 speech-dispatcher
-rw-r----- 1 syslog adm 1293733 janv. 16 11:17 syslog
-rw-r--r-- 1 root root 0 août 9 13:48 ubuntu-advantage.log
-rw-r--r-- 1 root root 314 janv. 16 09:20 ubuntu-advantage-timer.log
drwxr-x--- 2 root adm 4096 janv. 16 09:28 unattended-upgrades
-rw-rw-r-- 1 root root 21557 janv. 12 10:53 vboxpostinstall.log
-rw-rw-r-- 1 root utmp 9600 janv. 16 09:15 wtmp

Hi mister
The file /var/log/nxlog/nxlog.log shows an error reading the file /var/log/boot.log, so I ran chmod 777 /var/log/boot.log and I am receiving data, but now I am going to try to receive the file that I want… With CentOS 7 I am still stuck.

Best regards.

Hello,

Just chiming in, I noticed you made your boot file “World” (i.e., 777). You could achieve this in the settings from nxlog.conf.

FROM:

TO

# User nxlog
# Group nxlog

The problem is that NXLOG, I can touch it because Sidecar controls NXLOG, so have you got another idea? Because chmod 777 is no good, but it works.

Best regards and thanks.

Not sure how you set up permissions, and since we're dealing with /var/log/boot.log, the user for nxlog can be added to the user/group who owns /var/log/boot.log. It's not the best, but better than “Open World Wide” on your boot.log.
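
The group-membership approach suggested above can be checked against the listing posted earlier in the thread. This is an added example, not part of any poster's reply: it applies the standard Unix owner/group/other rule to a few lines copied from that `ls -l` output, for the nxlog account before and after it is added to the adm group. The function names `can_read` and `sample_listing` are made up for the illustration.

```shell
#!/bin/sh
# Added example: decide from `ls -l` lines which entries an account can read.
# Usage: can_read USER GROUPS_CSV < ls_output   (prints "name verdict" per entry)
can_read() {
    awk -v user="$1" -v grps="$2" '
    BEGIN { n = split(grps, g, ","); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^[-d]/ {
        mode = $1; owner = $3; group = $4; name = $NF
        # Only one triplet applies: owner first, then group, then other.
        if (owner == user)        { who = "owner"; bits = substr(mode, 2, 3) }
        else if (group in member) { who = "group"; bits = substr(mode, 5, 3) }
        else                      { who = "other"; bits = substr(mode, 8, 3) }
        ok = (substr(bits, 1, 1) == "r")
        # A directory also needs the search bit (x, s or t) to open files in it.
        if (substr(mode, 1, 1) == "d" && index("xst", substr(bits, 3, 1)) == 0)
            ok = 0
        printf "%s %s\n", name, (ok ? "readable-as-" who : "denied")
    }'
}

# Lines taken from the ls -l output posted in the thread.
sample_listing() {
    cat <<'EOF'
total 3184
drwxr-x--- 2 root adm 4096 janv. 16 09:45 apache2
-rw-r----- 1 syslog adm 36922 janv. 16 11:17 auth.log
-rw------- 1 root root 39508 janv. 16 09:13 boot.log
-rw-r--r-- 1 root root 1055750 janv. 16 09:44 dpkg.log
drwxrwx--- 2 nxlog nxlog 4096 janv. 12 14:03 nxlog
-rw-r----- 1 syslog adm 1293733 janv. 16 11:17 syslog
EOF
}

echo "== nxlog with group nxlog only =="
sample_listing | can_read nxlog nxlog
echo "== nxlog after being added to adm =="
sample_listing | can_read nxlog nxlog,adm
```

With adm membership, syslog, auth.log and the apache2 directory become readable through the group bits, while boot.log stays denied because it is root:root with mode 0600; that is the file the nxlog.log error named.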

Thanks a lot, mister Gsmith
Would chmod 444 be better?
I will try both options; well, it is my job.
I am going to put Graylog in SSL/TLS mode, another war in the configuration, so… TO BE CONTINUED…

Best regards.
