Dears,
I’m using some NXLog collectors deployed by Graylog Sidecar to collect and send messages to my Graylog server. In order to be alerted in case a collector goes down, I’ve configured the NXLog instances to periodically send some kind of heartbeat message:
```
<Input in_internal>
    Module im_internal
</Input>

<Input in_eventlog>
    <Schedule>
        Every 15 min
        Exec log_info("NXLog collector alive message");
    </Schedule>
</Input>

<Output out_gelf_ssl>
    ...
</Output>

<Route eventlog_to_gelf_ssl>
    Path in_eventlog => out_gelf_ssl
</Route>

<Route internal_to_gelf_ssl>
    Path in_internal => out_gelf_ssl
</Route>
```
This is just a part of the NXLog config and needs to be completed with an input and output configuration.
In Graylog, it’s required to create a new Event, one per collector, which searches for the heartbeat messages and triggers a Notification in case such a message isn’t found:
- Create a search in order to find the heartbeat messages
- Search within the last 16 minutes
- Execute search every 15 minutes
- Create Events for Definition if Aggregation of results reaches a threshold
- Under “Create Events for Definition”, create a rule “if count() = 0”
BR,
Elix
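
The check described in this post, simulated as an added example (not part of the original post, and not Graylog or NXLog code): it counts heartbeat messages per collector in a 16-minute window on a 15-minute schedule and reports the collectors where count() = 0, then repeats the run with a 15-minute window to show a late heartbeat being missed. The collector names, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

HEARTBEAT = "NXLog collector alive message"  # text logged by the Schedule block

def t(hhmmss):
    """Constructed timestamp on one arbitrary day."""
    return datetime.strptime("2024-01-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")

def silent_collectors(messages, collectors, now, window_min=16):
    """Collectors whose heartbeat count() is 0 in the window (now - window, now]."""
    start = now - timedelta(minutes=window_min)
    counts = dict.fromkeys(collectors, 0)
    for ts, source, text in messages:
        if source in counts and HEARTBEAT in text and start < ts <= now:
            counts[source] += 1
    return sorted(c for c, n in counts.items() if n == 0)

def run_checks(messages, collectors, first_run, runs, window_min=16, every_min=15):
    """Run the search on the event schedule; return [(HH:MM:SS, silent collectors)]."""
    results = []
    for i in range(runs):
        now = first_run + timedelta(minutes=every_min * i)
        silent = silent_collectors(messages, collectors, now, window_min)
        results.append((now.strftime("%H:%M:%S"), silent))
    return results

# Constructed sample: win-a's third heartbeat arrives 30 s late,
# win-b sends nothing after 10:15:40 (collector down).
MESSAGES = [
    (t("10:00:20"), "win-a", HEARTBEAT), (t("10:00:40"), "win-b", HEARTBEAT),
    (t("10:15:20"), "win-a", HEARTBEAT), (t("10:15:40"), "win-b", HEARTBEAT),
    (t("10:30:50"), "win-a", HEARTBEAT),
    (t("10:45:20"), "win-a", HEARTBEAT),
]
COLLECTORS = ["win-a", "win-b"]

if __name__ == "__main__":
    for window in (16, 15):
        print(window, run_checks(MESSAGES, COLLECTORS, t("10:30:30"), 2, window))
```

In this sample the stopped collector is reported at the 10:45:30 run, about 30 minutes after its last heartbeat, so the time to alert can approach two schedule intervals.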