Nxlog and elasticsearch

zen.xen · April 6, 2016, 2:04pm

Hello,
to send logs I use winlogbeat and it works, but I want to try to send logs from Windows machine to ELK installed on Windows with nxlog and it doesn't work, here is my nxlog.conf, maybe someone will correct it,

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension json> 
    Module      xm_json 
</Extension> 

<Input in>
    Module      im_msvistalog
    Exec to_json();
</Input>

<Output elasticsearch> 
    Module      om_http 
    URL         http://192.168.11.105:9200 
    ContentType application/json 
    Exec        set_http_request_path(strftime($EventTime, "/logstash-%Y.%m.%d/" + $SourceModuleName)); rename_field("timestamp","@timestamp"); to_json();         
</Output> 

<Route 1>
    Path        in => elasticsearch
</Route>

anhlqn · April 6, 2016, 4:35pm

Are you using nxlog Enterprise edition? Only the enterprise editon supports direct output from nxlog to ES via the elasticsearch module. I doubt that you can use om_http as a work around to post data to ES via HTTP

zen.xen · April 6, 2016, 4:54pm

no, I use Community Edition, in EE there was used module om_elasticsearch. Maybe you know other - let say - solution, I'm looking for a solution but until now I haven't found.
In the Internet there are a lot of examples of nxlog.conf but none of them is useful for me. I wanted use nxlog, there is a possibility to exclude some events from sending to log server.

anhlqn · April 6, 2016, 5:00pm

You can use this model nxlog > Logstash > Elasticsearch. nxlog output data via om_tcp. A sample config I'm using is as below:

nxlog.conf

<Output out_logstash>  
    Module  om_tcp
    Host    192.168.0.10
    Port    5544
    OutputType  LineBased
</Output>

You need to have Logstash installed and listen on tpc port 5544 (or any other port)

logstash.conf

input {

	# Receive from nxlog
	tcp {
		port => 5544
		type => "test"
	} 
}

filter {
	# Parse JSON fields from message field
	json {
		source => "message"
	}
	
	## Must be last filter!!! ##
	mutate {
		remove_field => ["message"]
	}	
}

output {	
	elasticsearch {
		hosts => ["192.168.0.10:9200"]     
		index => "test-index"
	}
}

You can have Logstash run on the same server as Elasticsearch.

zen.xen · April 6, 2016, 5:52pm

I'm using ELK on Windows, which files on server should I change?

anhlqn · April 6, 2016, 7:42pm

I've edited the previous post to include what files you need to change.

zen.xen · April 7, 2016, 10:32am

I did like you suggested, created logstash.conf in ...\logstash\bin but I don't know if this file is read by logstash.
logstash.conf should be initialized in some way?

In nxlog.log there is ERROR couldn't connect to tcp socket on 192.168.11.105:5544; A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

192.168.11.105 is my ELK server

anhlqn · April 7, 2016, 3:32pm

Run a netstat -na | findstr 5544 on the ELK server to see if it is listening to TCP 5544
Check Windows Firewall or other firewall to see if it is blocking incoming traffic.