NXLog on Windows

NXLog is the workhorse of Windows logging plugins. You can drop in our configuration for it to get your Windows event logs into LogDNA – securely, quickly, and reliably.

Using NXLog to capture and send Windows Event logs is pretty easy. First, we'll install it, then we'll copy the LogDNA configuration and certificate files, and finally, we'll make some changes to the configuration file to have NXLog send to your custom syslog port. Follow along to see how it works, or check out the repo on GitHub!

Install NXLog

On Windows Server (2008 or newer), install the NXLog Community Edition from here, or using choco install -y nxlog in PowerShell.

Copy the LogDNA configuration

Head to where NXLog is installed – typically, it's in C:\Program Files (x86)\nxlog

Then download our zipfile containing the configuration file and the certificate to that folder, and unzip it. (Feel free to download it wherever you'd like, and remember the unzipped folder's path for the following instructions).

Now, copy the unzipped configuration file in logdna-nxlog\conf\nxlog.conf to conf\nxlog.conf. You can also copy and paste it from the end of this page into the existing conf\nxlog.conf file.

Download the certificate

From that same NXLog base folder (e.g. C:\Program Files (x86)\nxlog), run this command:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://assets.logdna.com/rootca/ld-root-ca.crt"
# WebClient resolves a relative path against the process working directory, which does
# not follow Set-Location, so build an absolute path from the current PowerShell location.
$output = Join-Path (Get-Location).Path "cert\ca.pem"
New-Item -ItemType Directory -Path (Split-Path $output) -Force | Out-Null
(New-Object System.Net.WebClient).DownloadFile($url, $output)

Confirm that the cert folder now contains a ca.pem file. Now NXLog can securely send logs over SSL.

Configure NXLog

Now we'll edit the nxlog.conf file directly, putting in some info specific to your LogDNA account, and customizing which types of logs you'd like.

First, enter your LogDNA dashboard and provision a new Syslog port using these instructions. That’ll yield a URL like: syslog-a.logdna.com:12345

Now that you've got the information you need, head to C:\Program Files (x86)\nxlog\conf, and open the nxlog.conf file with your preferred text editor.

On line 83, replace CUSTOM_PORT in the nxlog.conf file with the one you just generated – in our example URL, the port is 12345.

By default, this conf file just watches System event logs. You can also uncomment lines in the <Input eventlog> section to enable NXLog to watch Application and Security logs, if you’ve enabled those on your system.

Finally, save the changes you've made to your nxlog.conf file.
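Before starting the service it is worth confirming that the two pieces you just put in place (the ca.pem from the previous section and the port you entered in nxlog.conf) actually work together. The script below is an added example, not part of LogDNA's or NXLog's own tooling. It assumes the default install path, the conf\ and cert\ layout used on this page, and that the <Output out> block is the only place in nxlog.conf with Host and Port directives. It reads the destination from the file, refuses to continue if CUSTOM_PORT was never replaced, loads ca.pem, and completes a TLS handshake to that host and port while accepting only a server chain that terminates in ca.pem (the same pinning om_ssl's CAFile gives you), without sending any log data.

```powershell
# Added example (not LogDNA's or NXLog's own tooling). Assumes the default install
# path, the conf/cert layout from this page, and that <Output out> is the only block
# in nxlog.conf carrying Host and Port directives.
param(
    [string]$NxlogRoot = 'C:\Program Files (x86)\nxlog'
)

$confPath = Join-Path $NxlogRoot 'conf\nxlog.conf'
$caPath   = Join-Path $NxlogRoot 'cert\ca.pem'

# Step 1: read the destination out of nxlog.conf and stop if the placeholder is still there.
$conf = Get-Content -Raw -Path $confPath
if ($conf -match 'Port\s+CUSTOM_PORT') {
    throw 'nxlog.conf still contains CUSTOM_PORT; replace it with your provisioned syslog port.'
}
$syslogHost = [regex]::Match($conf, '(?m)^\s*Host\s+(\S+)').Groups[1].Value
$syslogPort = [int][regex]::Match($conf, '(?m)^\s*Port\s+(\d+)').Groups[1].Value

# Step 2: load ca.pem and show exactly which root NXLog will be pinned to.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caPath)
Write-Host ('CAFile: {0} (thumbprint {1}, valid until {2})' -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter)

# Step 3: validation callback that mirrors CAFile: the server's chain must end in
# ca.pem, not in some root from the Windows certificate store.
$validate = {
    param($sender, $cert, $serverChain, $sslErrors)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Lets a private root build a chain; the thumbprint comparison below is what pins it.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    if (-not $chain.Build($leaf)) { return $false }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($root.Thumbprint -eq $ca.Thumbprint)
}.GetNewClosure()

# Step 4: complete a TLS handshake to the configured port. A chain that does not pin
# to ca.pem makes AuthenticateAsClient throw, which is the failure we want to see here
# rather than in nxlog.log after the service is running.
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($syslogHost, $syslogPort)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($syslogHost)
    Write-Host ('TLS to {0}:{1} OK ({2}, {3})' -f $syslogHost, $syslogPort, $ssl.SslProtocol, $ssl.CipherAlgorithm)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Save it as a .ps1 file (the param block needs to be at the top of a script) and run it from a PowerShell prompt; pass -NxlogRoot if NXLog lives somewhere other than the default folder. A thrown exception at the Connect line points at the port or a firewall; one at AuthenticateAsClient points at the certificate.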

Start NXLog

Just run the following command:

nssm start nxlog

Now, check your LogDNA account to see that it’s sending logs.

If logs aren’t showing up in your account, check C:\Program Files (x86)\nxlog\data\nxlog.log to see what the configuration problem might be. Please contact support@logdna.com, and let us know what you see.
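When nxlog.log is long, the useful signal is usually a handful of distinct errors repeated on every retry. The function below is an added troubleshooting helper, not part of LogDNA's or NXLog's own tooling; it assumes the "date time LEVEL message" line layout that nxlog.log uses, groups ERROR and WARNING lines by message (with numbers collapsed so retry counters don't split one problem into many rows), and reports how often each occurred and when it was last seen. The sample lines at the bottom are constructed to show the shape of the output, not real NXLog output.

```powershell
# Added example (not LogDNA's or NXLog's own tooling). Assumes nxlog.log lines look
# like "YYYY-MM-DD HH:MM:SS LEVEL message".
function Get-NxlogIssue {
    param([Parameter(ValueFromPipeline = $true)][string[]]$Line)
    begin {
        $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<level>ERROR|WARNING) (?<msg>.+)$'
        $seen = @{}
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                # Collapse digits so "reconnecting in 1 seconds" and "... in 2 seconds"
                # land in the same bucket instead of one row per retry.
                $key = $Matches.level + ' ' + ($Matches.msg -replace '\d+', 'N')
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = [pscustomobject]@{
                        Level   = $Matches.level
                        Message = $Matches.msg
                        Count   = 0
                        Last    = $null
                    }
                }
                $seen[$key].Count++
                $seen[$key].Last = $Matches.ts
            }
        }
    }
    end {
        $seen.Values | Sort-Object Count -Descending
    }
}

# Constructed sample (not real NXLog output) showing what a wrong port looks like.
$sample = @(
    '2024-05-01 10:00:01 INFO nxlog started',
    '2024-05-01 10:00:02 ERROR couldn''t connect to tcp socket on syslog-a.logdna.com:12345; connection refused',
    '2024-05-01 10:00:02 WARNING reconnecting in 1 seconds',
    '2024-05-01 10:00:03 ERROR couldn''t connect to tcp socket on syslog-a.logdna.com:12345; connection refused',
    '2024-05-01 10:00:03 WARNING reconnecting in 2 seconds'
)
$sample | Get-NxlogIssue | Format-Table -AutoSize
```

Against the real file, run `Get-Content 'C:\Program Files (x86)\nxlog\data\nxlog.log' | Get-NxlogIssue`; the first row is the message to start with, and its Last column tells you whether the problem is still happening or predates your most recent configuration change.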

Tail additional log files

You can add additional logfiles by creating a new <Input {name}> section that imitates the previous ones, and adding the name of that section to <Route 1> at the end. For example:

<Input newlog>
    Module im_file
    File '%LOGDIR%\\example.log'
    Exec $Message = to_json();
</Input>

…

<Route 1>
    Path internal, filelog, newlog, eventlog => buffer => out
</Route>

Our NXLog configuration

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\\Program Files (x86)\\nxlog
define CERTDIR  %ROOT%\\cert
define CONFDIR  %ROOT%\\conf
define LOGDIR   %ROOT%\\data
define LOGFILE  %LOGDIR%\\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\\modules
CacheDir  %ROOT%\\data
Pidfile   %ROOT%\\data\\nxlog.pid
SpoolDir  %ROOT%\\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Input internal>
    Module im_internal
    Exec $Message = to_json();
</Input>

#######################################################################
##### This is just explicit version of internal input above ###########
#######################################################################
# <Input nxlog>
#     Module im_file
#     File '%LOGFILE%'
#     <Exec>
#         $Message = $raw_event;
#         if $Message == '' drop();
#         $SourceName = substr(file_name(), size('%LOGDIR%') + 1);
#     </Exec>
# </Input>
#######################################################################

# Define Directory for Making Substring Operation
define LOGFOLDER C:\\ProgramData\\logs

<Input filelog>
    Module im_file
    File '%LOGFOLDER%\\*.log'
    Recursive TRUE
    <Exec>
        $Message = $raw_event;
        if $Message == '' drop();
        $SourceName = substr(file_name(), size('%LOGFOLDER%') + 2);
    </Exec>
</Input>

<Input eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
#               <Select Path='Application'>*</Select>
                <Select Path='System'>*</Select>
#               <Select Path='Security'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec $Message = to_json();
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type disk
</Processor>

<Output out>
    Module om_ssl
    Host syslog-a.logdna.com
    Port CUSTOM_PORT
    CAFile %CERTDIR%\ca.pem
    Exec to_syslog_ietf();
</Output>

<Route 1>
    Path internal, filelog, eventlog => buffer => out
</Route>
