Windows File Monitoring
You can monitor log files on Windows systems and send the latest updates to Loggly continuously. We’ll show you how to use the free and open-source Nxlog tool to retrieve these logs and send them to Loggly. You can also use Snare or Syslog-NG for Windows.
This guide was written for Windows Vista or later in 64-bit, the latest version of Nxlog in the default installation directory, SQL Server 2008 R2, and can send TCP events out on port 514. It was tested on Amazon EC2 with Windows_Server-2008-R2_SP1-English-64Bit-SQL_2008_R2_SP2_Express-2013.11.13 (ami-1653c826). For alternatives, please see the Advanced Options section.
Install Nxlog using this guide if you haven’t already.
1. Open Nxlog Configuration File
Open your NXlog configuration file using a text editor. It’s normally located at:
C:\Program Files (x86)\nxlog\conf\nxlog.conf
2. Watch a File
Copy the below configuration into your nxlog.conf file. Paste it above the output and route modules. Choose a unique name for the file input by replacing MY_INPUT_NAME. Enter the full file name (with the path), escape the backslashes by doubling them \, and surround it with double quotes. You will need one file input for every file you want to monitor.
# Watch your own files. <Input MY_INPUT_NAME> Module im_file File "MY_FILE_PATH" SavePos TRUE Exec $event = $raw_event; Exec to_json(); </Input>
- MY_INPUT_NAME: a name you pick to refer to this input. It must be unique for each file.
- MY_FILE_PATH: the full path and file name you’d like to monitor, with escaped backslashes.
For an example configuration, see the configuration for IIS Server Logs.
3. Route the File to Loggly
In the existing route directive at the bottom of the configuration file, add the name of your file input to the list so that it gets sent to Loggly.
<Route 1> Path MY_INPUT_NAME, internal, eventlog => out </Route>
- MY_INPUT_NAME: the name of your file input.
4. Send Test Logs
Send some test logs by appending additional lines to the bottom of your log file. They have to be new lines because SavePos is set to true. This prevents large old files from being sent mistakenly and using up all your log volume.
In Loggly, search for logs that came from nxlog’s file watching module. Then, enter your own search term to refine your search more. Check you file logs in json.event field.
Advanced Windows File Monitoring Options
- Syslog-NG for Windows – with commercial support from Balabit
- Search or post your own Windows file monitoring questions in the community forum.
If you don’t see any data show up in the verification step, then check for these common problems.
- Verify there are current and ongoing logs in the file your are watching
- Check our guide on Troubleshooting Nxlog
- Search or post your own question in the community forum.
When the APM Integrated Experience is enabled, Loggly shares a common navigation and settings with the other integrated experiences' products. How you navigate Loggly and access its features may vary from these instructions. For more information, go to the APM Integrated Experience documentation.
The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.