In this guide, we are going to learn how to configure NXLog to forward system logs to Rsyslog server on Ubuntu. There are various NXLog log collection solutions. In this guide, we are going to configure the opensource version of NXLog.
Table of Contents
Configuring NXLog to Forward to Rsyslog Server
Configure Rsyslog Server
You can check our previous articles on configuration of Rsyslog and Syslog by following the links below;
Configure Rsyslog on Solaris 11.4 to Send logs to Remote Log Server
Configure Syslog on Solaris 11.4 for Remote Logging
How to Configure Remote Logging with Rsyslog on Ubuntu
Install NXLog CE on Ubuntu
Check how to install NXLog CE on Ubuntu by following the link below;
Configure NXLog to Forward Logs on Ubuntu
Now that NXLog CE has been installed, you need to configure it to forward logs to the remote Rsyslog server.
The default configuration file for NXLog CE is /etc/nxlog/nxlog.conf.
This is how the default configuration file looks like;
cat /etc/nxlog/nxlog.conf## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally under
## /usr/share/doc/nxlog-ce/ and is also available online at
## http://nxlog.org/docs
########################################
# Global directives #
########################################
User nxlog
Group nxlog
include /etc/nxlog/nxlog.d/*.conf
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO
########################################
# Modules #
########################################
<Extension _syslog>
Module xm_syslog
</Extension>
<Input in1>
Module im_udp
Port 514
Exec parse_syslog_bsd();
</Input>
<Input in2>
Module im_tcp
Port 514
</Input>
<Output fileout1>
Module om_file
File "/var/log/nxlog/logmsg.txt"
Exec if $Message =~ /error/ $SeverityValue = syslog_severity_value("error");
Exec to_syslog_bsd();
</Output>
<Output fileout2>
Module om_file
File "/var/log/nxlog/logmsg2.txt"
</Output>
########################################
# Routes #
########################################
<Route 1>
Path in1 => fileout1
</Route>
<Route tcproute>
Path in2 => fileout2
</Route>
NXLog can be configured to receive and read logs from different types of sources including;
- log data received over the network
- events stored in databases
- messages read from files
- data retrieved using executables
This guide focuses on configuring NXLog CE to receive, read and forward logs from system log files to a remote logging server.
Therefore, make a backup of the original configuration so that you can make any adjustments that suit your environment.
mv /etc/nxlog/nxlog.conf{,.original}Create a new configuration file.
touch /etc/nxlog/nxlog.confThe NXLog configuration file consists of;
global directivesmodule instances, androutes
To begin with, set the ROOT to the main directory of NXLog configuration.
# Set the NXLog main directory
define ROOT /etc/nxlogDefine the Global directives
There are quite a number of global directives that can be set.
However, in its simplest, we will define;
- the NXLog modules directory
- directory to write the cached data
- the logging level,
- NXLog PID file,
- NXLog working directory,
- NXLog log file etc
This can be done by using the following directives respectively; ModuleDir, CacheDir, LogLevel, PidFile, SpoolDir respectively.
# Global Directives
Moduledir /usr/lib/nxlog/modules
CacheDir %ROOT%/data
SpoolDir %ROOT%/data
Pidfile /tmp/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
Some of the other important global directives include User and Group.
NXLog runs as user nxlog by default with the limitation being this user cannot read the /var/log directory where most system logs are written to.
To circumvent this, NXlog can be set to run as root by omitting the User option. However, it is more secure if you can add NXlog user to a group with permissions to read the log file.
Define Input Module Directives
Basically, we are going to define basic input modules directives that read various log files for sending to a remote log server.
# Define Input Modules
<Input in1>
Module im_file
File "/var/log/auth.log"
SavePos TRUE
ReadFromLast TRUE
</Input>
<Input in2>
Module im_file
File "/var/log/syslog"
SavePos TRUE
ReadFromLast TRUE
</Input>
The SavePos directive ensures that log file state is cached when NXLog exits. The log file will be read from that position when NXLog starts. This can however be turned off by using NoCache directive.
The ReadFromLast directive ensures that NXLog reads the logs received after NXLog started.
Define the Processor Modules
Processor modules are used process logs between the Input and Output modules. This can be achieved by use of pm_buffer modules which supports both disk and memory log buffering. In this guide, we are going to set disk buffering. You also need to set the maximum size of the logs that can be buffered.
#Define Processor Modules
<Processor buffer>
Module pm_buffer
MaxSize 512000 # Buffer logs upto 512MB
Type Disk # Disk buffering
</Processor>
Define the Output Module
There are different types of output modules. We are going to set UDP as our output module. You can check about other modules here. You need to set the remote Host IP and Port.
# Define Output Modules
<Output udp>
Module om_udp
Host 192.168.43.208
Port 514
</Output>
Define the Route Directives
Define the data flow using the Path directive. More than one Input feeding logs into the route are comma separated. The list of Input modules is followed by an arrow (=>). Processor modules or Output modules follow after. Multiple Processors are separated by arrows. The syntax is;
Path INPUT1[, INPUT2...] => [PROCESSOR1 [=> PROCESSOR2...] =>] OUTPUT1[, OUTPUT2...]Hence, we can define this in our configuration file as;
# Route definition
<Route 1>
Path in1,in2 => buffer => udp
</Route>
That is all about our configuration in its simplest form.
In general, it should look like;
# Set the NXLog main directory
define ROOT /etc/nxlog
# Global Directives
Moduledir /usr/lib/nxlog/modules
CacheDir %ROOT%/cache_dir
SpoolDir %ROOT%/spool_dir
Pidfile /tmp/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
# Define Input Modules
<Input in1>
Module im_file
File "/var/log/auth.log"
SavePos TRUE
ReadFromLast TRUE
</Input>
<Input in2>
Module im_file
File "/var/log/syslog"
SavePos TRUE
ReadFromLast TRUE
</Input>
#Define Processor Modules
<Processor buffer>
Module pm_buffer
MaxSize 512000
Type Disk
</Processor>
# Define Output Modules
<Output udp>
Module om_udp
Host 0.0.0.0 # IP of Rsyslog Server
Port 514
</Output>
# Route Definition
<Route 1>
Path in1,in2 => buffer => udp
</Route>
Create the Cache and Spool Directories.
mkdir -p /etc/nxlog/{cache_dir,spool_dir}Check the configuration to verify the syntax;
nxlog -vIf you get INFO configuration OK, you are good to proceed.
Restart NXLog and set it to run on system boot.
systemctl restart nxlog
systemctl enable nxlogCheck the status.
systemctl status nxlog● nxlog.service - NXLog daemon
Loaded: loaded (/lib/systemd/system/nxlog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-08-28 19:48:20 UTC; 29min ago
Process: 2692 ExecStartPre=/usr/bin/nxlog -v (code=exited, status=0/SUCCESS)
Main PID: 2693 (nxlog)
Tasks: 7 (limit: 2257)
Memory: 1.9M
CGroup: /system.slice/nxlog.service
└─2693 /usr/bin/nxlog -f
Aug 28 19:48:20 focal systemd[1]: Starting NXLog daemon...
Aug 28 19:48:20 focal nxlog[2692]: 2023-08-28 19:48:20 INFO configuration OK
Aug 28 19:48:20 focal systemd[1]: Started NXLog daemon.
Confirm that you can receive logs on the remote server.
As a POC, ssh into Ubuntu 18.04 server with nxlog running from a different server.
At the same time, tail the logs on remote Rsyslog server and there you go.
tail -f /var/log/remotelogs/192.168.43.203.log
2022-10-16T19:32:40-04:00 u18svr sshd[21327]: Connection closed by 127.0.0.1 port 50630 [preauth]
2022-10-16T19:34:12-04:00 u18svr sshd[21335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.43.149 user=kifarunix
2022-10-16T19:34:14-04:00 u18svr sshd[21335]: Failed password for kifarunix from 192.168.43.149 port 48224 ssh2
2022-10-16T19:34:18-04:00 u18svr sshd[21335]: Accepted password for kifarunix from 192.168.43.149 port 48224 ssh2
2022-10-16T19:34:18-04:00 u18svr sshd[21335]: pam_unix(sshd:session): session opened for user kifarunix by (uid=0)
2022-10-16T19:34:18-04:00 u18svr systemd-logind[581]: New session 26 of user kifarunix.
Feel free to read more about NXLog on their reference manual.
Related Tutorials
Install and Configure NXLog CE on Ubuntu 20.04
Configure Rsyslog on Solaris 11.4 to Send logs to Remote Log Server
Configure Syslog on Solaris 11.4 for Remote Logging
How to Configure Remote Logging with Rsyslog on Ubuntu 18.04
