Nxlog configuration for parsing server logs on graylog V1

Hello,

I'm trying to configure NXLog to parse a server.log file for Graylog. So far I have managed to get the logs to show up in Graylog, but I'm running into a problem: when I search for some of the logs in Graylog, they won't show. Can this be solved by changing the NXLog configuration, or should it be solved with a pipeline rule in Graylog? The server.log file is on a Linux VM using Graylog V1.

the configuration is:

# Path constants and global directives for the NXLog agent itself.
# ROOT and BASEDIR are defined but not referenced by anything else shown in this config.
define ROOT /usr
define CONFDIR /etc/nxlog
define INSTALLDIR /opt/nxlog
define LOGDIR %INSTALLDIR%/var/log/nxlog
# NOTE(review): "nxlog.lo" looks like a truncated "nxlog.log" - confirm. As written, the agent's
# own diagnostics go to a file with this exact name, which is where to look for read or connect errors.
define MYLOGFILE %LOGDIR%/nxlog.lo
define BASEDIR /var/log

Moduledir /usr/lib/nxlog/modules
# CacheDir and PidFile both resolve under /etc/nxlog, so the account running nxlog needs
# write access to that directory.
CacheDir %CONFDIR%/data
PidFile %CONFDIR%/nxlog.pid
LogLevel INFO
LogFile %MYLOGFILE%

# NOTE(review): the <Extension>/<Input>/<Output>/<Route> block tags appear to have been stripped
# when this config was posted; the directives are left exactly as they appear on the page.
# NOTE(review): HeaderLine marks the first line of each multiline event. With
# /([Ee]xception|[Ee]rror)/ only lines containing "Exception"/"Error" start a new event; every
# other line is appended to the preceding event instead of being indexed on its own, which is a
# likely reason that searches for individual lines find nothing. A header pattern that matches
# the timestamp at the start of every record is the usual choice.
# NOTE(review): ReadFromLast TRUE skips content already in the file when no saved position
# exists; if this rotated file (server.log.2025-01-13.1) is no longer written to, nothing new is read.
# NOTE(review): the file lives under /root, so the nxlog account needs read access there.
# Exposing the log in a location readable by an unprivileged service account avoids running the
# agent as root - confirm how nxlog is started on this VM.
# NOTE(review): om_tcp forwards events unencrypted; server logs and stack traces cross the
# network in clear text. xm_syslog is loaded, but no syslog formatting call is visible here, so
# the Graylog input type must match what is actually sent - confirm.
Module xm_syslog Module xm_multiline HeaderLine /([Ee]xception|[Ee]rror)/ Module im_file File "/root/server.log.2025-01-13.1" SavePos TRUE ReadFromLast TRUE PollInterval 1 Recursive FALSE
# Use the multiline extension for grouping stack traces
InputType    multiline
Module om_tcp Host 172.20.252.251 Port 601 # Replace with your Graylog/Rsyslog port Path server_log_in => to_syslog

This is my input in graylog.


I can't seem to find any helpful configurations online that solve the problem. Can someone tell me what I need to do to solve it?

Okay,

Here is a config file we use in a Windows environment; it even does multiline parsing based on the time that is in the header.

The input on graylog should be a GELF TCP input to work with this.

# Global directives: assertion handling, install-relative path constants, and the agent's own
# log, module, cache, pid and spool locations (all under the install directory).
# NOTE(review): Panic Soft presumably logs a failed internal assertion instead of aborting -
# confirm against the NXLog reference for the version in use.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
# NOTE(review): CERTDIR is defined but nothing else shown in this config references it.
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

# Loads xm_gelf, which supplies the GELF output format used by the om_tcp output in this config.
# ShortMessageLength raises the limit on the generated short_message field to 65536 characters,
# so long multiline events are not cut off in that field.
<Extension gelf>
    Module xm_gelf
 ShortMessageLength 65536
</Extension>
# Multiline grouping, referenced by name from "InputType multiline" in the file input.
# The active HeaderLine starts a new event on every line that begins with a
# YYYY-MM-DD?HH:MM:SS?mmm timestamp (each unescaped "." matches any single character);
# lines that do not match are appended to the current event, which keeps stack traces together.
# The commented-out lines are earlier pattern attempts kept for reference.
<Extension multiline>
    Module xm_multiline
    #HeaderLine /(?:Category)./
    # HeaderLine /[0-9]{4}-[0-9]{2}-[0-9]{2}.[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3} .0000.ERROR.*/
    HeaderLine /^[0-9]{4}-[0-9]{2}-[0-9]{2}.[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3}(.*)/
    # EndLine /.*... \d{1,} more\R\R/
    # Exec if $raw_event =~ /\d\d\d\d-\d\d-\d\d \d\d\:\d\d\:\d\d,\d+ \S+\s+(.+)/ $raw_event = $1;
</Extension>

# Reads the application log file and groups its lines into events with the "multiline" extension.
# SavePos TRUE persists the read position so a restart resumes where the agent left off.
# The account running nxlog needs read access to the file; it does not need write access.
<Input application_log>
    Module im_file
    InputType multiline
    File "R:\logs\logfile.log"
    SavePos TRUE
   #Exec $Message = $raw_event;
    #SavePos TRUE
    #ReadFromLast TRUE
</Input>

# Sends each event to the Graylog GELF TCP input at Host:Port, formatted as GELF over TCP.
# NOTE(review): om_tcp is unencrypted and unauthenticated, so log contents (including stack
# traces) cross the network in clear text. If the Graylog input has TLS enabled, the om_ssl
# module is the TLS counterpart and takes the same Host/Port/OutputType plus certificate
# directives - confirm against the NXLog version in use. Otherwise restrict who can reach
# this port at the network level.
<Output tcp>
    Module om_tcp
    Host 10.64.91.138
    Port 8110
 OutputType GELF_TCP
</Output>

#<Output OutputData>
# Module om_file
# File "R:\\logs\\nxlogging.log"
# #OutputType GELF
#</Output>

# Connects the application_log input to the tcp output; this is the only active route.
<Route messages_to_tcp>
    Path application_log => tcp
</Route>

#<Route localtxt>
# Path application_log => OutputData
#</Route>

Good luck.