AymanDeda (Ayman Deda), February 5, 2025, 1:29pm, #1
Hello,
I'm trying to configure my NXLog in order to parse a server.log file in Graylog. I managed so far to get the logs to show up in Graylog, but I'm encountering the problem that when searching for some logs in Graylog they won't show. Can this problem be solved by changing the configuration of NXLog, or should this be solved using a pipeline rule in Graylog? The server.log file is on a Linux VM using Graylog V1.
The configuration is:
define ROOT /usr
define CONFDIR /etc/nxlog
define INSTALLDIR /opt/nxlog
define LOGDIR %INSTALLDIR%/var/log/nxlog
# "nxlog.lo" in the post read as a truncated "nxlog.log"
define MYLOGFILE %LOGDIR%/nxlog.log
define BASEDIR /var/log

Moduledir /usr/lib/nxlog/modules
CacheDir %CONFDIR%/data
PidFile %CONFDIR%/nxlog.pid
LogLevel INFO
LogFile %MYLOGFILE%

# Block tags were lost from the post; the Extension block names below are assumed,
# the Input/Output names come from the Path directive of the route.
<Extension syslog>
    Module xm_syslog
</Extension>

<Extension multiline>
    Module xm_multiline
    HeaderLine /([Ee]xception|[Ee]rror)/
</Extension>

<Input server_log_in>
    Module im_file
    File "/root/server.log.2025-01-13.1"
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Recursive FALSE
    # Use the multiline extension for grouping stack traces
    InputType multiline
</Input>

<Output to_syslog>
    Module om_tcp
    Host 172.20.252.251
    Port 601 # Replace with your Graylog/Rsyslog port
</Output>

<Route server_log_route>
    Path server_log_in => to_syslog
</Route>
This is my input in graylog.
I can't seem to find any helpful configurations online that can solve the problem. Can someone tell me what I need to do to solve this problem?
Arie (Arie van den Heuvel), February 6, 2025, 10:13am, #2
Okay,
Here is a config file we use, even using multiline parsing on the time that is in the header, on a Windows environment.
The input on Graylog should be a GELF TCP input to work with this.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension gelf>
Module xm_gelf
ShortMessageLength 65536
</Extension>
<Extension multiline>
Module xm_multiline
#HeaderLine /(?:Category)./
# HeaderLine /[0-9]{4}-[0-9]{2}-[0-9]{2}.[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3} .0000.ERROR.*/
HeaderLine /^[0-9]{4}-[0-9]{2}-[0-9]{2}.[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3}(.*)/
# EndLine /.*... \d{1,} more\R\R/
# Exec if $raw_event =~ /\d\d\d\d-\d\d-\d\d \d\d\:\d\d\:\d\d,\d+ \S+\s+(.+)/ $raw_event = $1;
</Extension>
<Input application_log>
Module im_file
InputType multiline
File "R:\logs\logfile.log"
SavePos TRUE
#Exec $Message = $raw_event;
#SavePos TRUE
#ReadFromLast TRUE
</Input>
<Output tcp>
Module om_tcp
Host 10.64.91.138
Port 8110
OutputType GELF_TCP
</Output>
#<Output OutputData>
# Module om_file
# File "R:\\logs\\nxlogging.log"
# #OutputType GELF
#</Output>
<Route messages_to_tcp>
Path application_log => tcp
</Route>
#<Route localtxt>
# Path application_log => OutputData
#</Route>
Good luck.
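To see how the two HeaderLine patterns in this thread split a Java-style log into events, here is an added Python simulation of xm_multiline's header-line grouping (not NXLog code and not from either poster; the log lines are constructed). It runs the question's `([Ee]xception|[Ee]rror)` pattern and the reply's timestamp pattern over the same sample.

```python
import re

# Constructed sample of a Java-style server.log excerpt (not from the thread):
# a timestamped INFO line, an ERROR line followed by a stack trace, then a WARN line.
SAMPLE_LOG = """\
2025-01-13 10:15:02.123 INFO  [main] Server started
2025-01-13 10:15:07.456 ERROR [worker-1] Request failed
java.lang.RuntimeException: boom
    at com.example.Handler.handle(Handler.java:42)
    at com.example.Server.run(Server.java:88)
2025-01-13 10:15:09.789 WARN  [worker-2] Slow query
"""

# HeaderLine pattern from the reply: anchored at line start, matches the timestamp.
HEADER_TIMESTAMP = re.compile(
    r"^[0-9]{4}-[0-9]{2}-[0-9]{2}.[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3}(.*)")
# HeaderLine pattern from the question: unanchored, matches anywhere in the line.
HEADER_ERROR = re.compile(r"([Ee]xception|[Ee]rror)")


def group_multiline(text, header):
    """Simulate xm_multiline with only HeaderLine set: a line matching the header
    regex starts a new event, every other line is appended to the current event.
    In this simulation, lines seen before the first header match start an event too."""
    events = []
    current = None
    for line in text.splitlines():
        if header.search(line) or current is None:
            if current is not None:
                events.append(current)
            current = [line]
        else:
            current.append(line)
    if current is not None:
        events.append(current)
    return ["\n".join(e) for e in events]


def first_lines(events):
    """Return the first line of each grouped event, handy for checking the split."""
    return [e.split("\n", 1)[0] for e in events]


if __name__ == "__main__":
    for name, header in (("timestamp header", HEADER_TIMESTAMP),
                         ("exception/error header", HEADER_ERROR)):
        events = group_multiline(SAMPLE_LOG, header)
        print(f"{name}: {len(events)} events")
        for line in first_lines(events):
            print("  ", line)
```

With the timestamp header the stack trace stays attached to the ERROR line that produced it; with the exception/error header the uppercase `ERROR` line does not match, so the ERROR line is glued to the previous INFO event and the following WARN line is swallowed into the stack-trace event.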