InsightOps - NXLog

NXLog

NXLog is an open source tool that can convert log data into JSON for easy searching and analysis.

NXLog can be configured to write to a new log file, or to send data directly to InsightOps.

Installation and configuration

Download and install the latest version of NXLog, following the steps in the NXLog documentation: http://nxlog.co/products/nxlog-community-edition/download

Installation folder requirements

Install NXLog locally and set ROOT to the folder in which it was installed. NXLog will not start if this installation requirement is not met.

See the NXLog reference manual for additional configuration options: http://nxlog.org/docs/

Once NXLog is installed, open the NXLog configuration file located at C:\Program Files (x86)\nxlog\conf\nxlog.conf and paste this sample text into the file, adjusting the values for your account as necessary:

Sample configuration file:

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    # Include fileop when rotating logs or while debugging, also enable in the output module below
    #<Extension fileop>
    #    Module xm_fileop
    #</Extension>

    # Create the parse rule for IIS logs. You can copy these from the header of the IIS log file.
    <Extension w3c>
        Module xm_csv
        Fields $date, $time, $s_ip, $cs_method, $cs_uri_stem, $cs_uri_query, $s_port, $cs_username, $c_ip, $cs_User_Agent, $cs_Referer, $sc_status, $sc_substatus, $sc_win32_status, $time_taken
        FieldTypes string, string, string, string, string, string, integer, string, string, string, string, integer, integer, integer, integer
        Delimiter ' '
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input internal>
        Module im_internal
        Exec $Message = to_json();
    </Input>

    <Input eventlog>
        # This is the Windows Event Log Section - for 2008 and above use im_msvistalog - for 2003 and earlier, use im_mseventlog
        Module im_msvistalog
        # For windows 2003 and earlier use the following:
        # Module im_mseventlog

        # Prepend the JSON event with the log token if you're sending directly to InsightOps
        Exec $raw_event = "<LOG TOKEN GOES HERE>" + to_json();
        # If you're writing to a log file, then no need for the token
        # Exec $raw_event = to_json();
    </Input>

    <Output eventlog_out>
        # use this module to write to a text file that the agent can send in
        #Module om_file
        #file 'c:\test\eventlog.txt'

        #Rotate created files
        #<Schedule>
        #Every 1 hour
        #Exec file_cycle('c:\test\eventlog.txt', 2);
        #Exec eventlog_out->reopen();
        #</Schedule>

        # send log entries directly to InsightOps
        Module om_tcp
        Host ENDPOINT
        Port PORT
    </Output>

    <Route EventLog>
        Path eventlog => eventlog_out
    </Route>

Set up the event source

  1. Log in to InsightOps.
  2. Click Add Data in the top navigation.
  3. Click Quick add.
  4. Create a new log by selecting Token TCP.

Record the token and endpoint for later

Take note of the token and endpoint that are displayed when the log is created. You will need this information to configure NXLog in the next step.

Configure NXLog

  1. Replace the contents of the nxlog.conf file with the text in the sample configuration file.
  2. Replace the <LOG TOKEN GOES HERE> string with the log token you noted earlier.
  3. Replace ENDPOINT with the endpoint from the UI. For example, enter REGION.data.logs.insight.rapid7.com where REGION is your region code, such as eu, us, or ca.
  4. Replace PORT with 10000 for Token TCP.
  5. Restart the NXLog service: open the services tool from the start menu, find NXLog in the list of services, and select Restart. NXLog restarts and loads the new configuration.
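
A check that can be run on the edited nxlog.conf before restarting the service, to catch placeholders left over from steps 2 to 4 or an Input/Output block with no active Module line. This is an added example, not part of the original page or of NXLog or InsightOps; the names check_nxlog_conf, check_block, TEMPLATE and EDITED are hypothetical, the token and region values are constructed, and the parser only understands the Input/Output directives used in the sample configuration above.

```python
import re

HOST_RE = re.compile(r"^[a-z0-9-]+\.data\.logs\.insight\.rapid7\.com$", re.I)
TOKEN_PLACEHOLDER = "<LOG TOKEN GOES HERE>"

def check_block(block, seen):
    """Check the active directives collected from one Input/Output block."""
    out = [] if "module" in seen else [f"{block}: no active Module line"]
    if seen.get("module") == "om_tcp":
        if not HOST_RE.match(seen.get("host", "")):
            out.append(f"{block}: Host is not REGION.data.logs.insight.rapid7.com")
        if seen.get("port") != "10000":
            out.append(f"{block}: Port must be 10000 for Token TCP")
    return out

def check_nxlog_conf(text):
    """Return a list of problems in nxlog.conf text; an empty list means none found."""
    problems, block, seen = [], None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive, so skip them
        if TOKEN_PLACEHOLDER in line:
            problems.append(f"line {n}: log token placeholder not replaced")
        opened = re.match(r"<(Input|Output)\s+(\S+)>$", line)
        if opened:
            block, seen = f"{opened.group(1)} {opened.group(2)}", {}
        elif re.match(r"</(Input|Output)>$", line) and block:
            problems += check_block(block, seen)
            block = None
        elif block:
            parts = line.split(None, 1)  # directive name, then its value
            seen.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return problems

# Constructed sample: the Input/Output part of the sample configuration, unedited.
TEMPLATE = '''<Input eventlog>
    Module im_msvistalog
    Exec $raw_event = "<LOG TOKEN GOES HERE>" + to_json();
</Input>
<Output eventlog_out>
    Module om_tcp
    Host ENDPOINT
    Port PORT
</Output>'''
# Constructed token and region; use the values shown in the InsightOps UI.
EDITED = (TEMPLATE.replace(TOKEN_PLACEHOLDER, "00000000-0000-0000-0000-000000000000")
          .replace("ENDPOINT", "eu.data.logs.insight.rapid7.com").replace("PORT", "10000"))
if __name__ == "__main__":
    print(check_nxlog_conf(TEMPLATE), check_nxlog_conf(EDITED))
```

To check a real file, pass the text of C:\Program Files (x86)\nxlog\conf\nxlog.conf to check_nxlog_conf.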

Troubleshooting

If NXLog is not sending data, check the NXLog log file at C:\Program Files (x86)\nxlog\data\nxlog.log for more information.