Documentation for Loggly

Windows File Monitoring

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

You can monitor log files on Windows systems and send the latest updates to Loggly continuously. We’ll show you how to use the free and open-source Nxlog tool to retrieve these logs and send them to Loggly. You can also use Snare or Syslog-NG for Windows.

This guide was written for 64-bit Windows Vista or later, the latest version of Nxlog in its default installation directory, and SQL Server 2008 R2, and it assumes the system can send TCP events out on port 514. It was tested on Amazon EC2 with Windows_Server-2008-R2_SP1-English-64Bit-SQL_2008_R2_SP2_Express-2013.11.13 (ami-1653c826). For alternatives, please see the Advanced Options section.

Install Nxlog

Install Nxlog using this guide if you haven’t already.

1. Open Nxlog Configuration File

Open your NXlog configuration file using a text editor. It’s normally located at:

C:\Program Files (x86)\nxlog\conf\nxlog.conf

2. Watch a File

Copy the configuration below into your nxlog.conf file. Paste it above the output and route modules. Choose a unique name for the file input by replacing MY_INPUT_NAME. Enter the full file name (with the path), escape each backslash by doubling it (\\), and surround the whole path with double quotes. You will need one file input for every file you want to monitor.

# Watch your own files.
<Input MY_INPUT_NAME>
  Module im_file
  File "MY_FILE_PATH" 
  SavePos TRUE
  Exec  $event = $raw_event;
  Exec  to_json();
</Input> 

Replace:

  • MY_INPUT_NAME: a name you pick to refer to this input. It must be unique for each file.
  • MY_FILE_PATH: the full path and file name you’d like to monitor, with escaped backslashes.

For an example configuration, see the configuration for IIS Server Logs.

3. Route the File to Loggly

In the existing route directive at the bottom of the configuration file, add the name of your file input to the list so that it gets sent to Loggly.

<Route 1>
  Path MY_INPUT_NAME, internal, eventlog => out
</Route> 

Replace:

  • MY_INPUT_NAME: the name of your file input.

4. Send Test Logs

Send some test logs by appending additional lines to the bottom of your log file. They have to be new lines because SavePos is set to true. This prevents large old files from being sent mistakenly and using up all your log volume.

5. Verify

In Loggly, search for logs that came from nxlog’s file-watching module. Then enter your own search term to refine the search further. Check your file logs in the json.event field.

json.SourceModuleType:"im_file" 
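As an added illustration (not nxlog's code and not part of this guide), the following Python script models what SavePos TRUE and to_json() mean for the input configured in step 2: only lines appended after the saved offset are emitted, each wrapped with the SourceModuleType field that the step 5 search filters on. The FileInput and demo names and the sample log lines are constructed for this example.

```python
import json
import os
import tempfile


class FileInput:
    """Model of an im_file input with SavePos TRUE (illustrative, not nxlog code):
    emit only lines appended after the saved offset, wrapped like to_json() output."""

    def __init__(self, name, path, saved_pos=None):
        self.name, self.path = name, path  # MY_INPUT_NAME, MY_FILE_PATH
        # No saved position yet: start at the current end of the file, so a
        # large pre-existing file is not replayed into your log volume.
        self.pos = saved_pos if saved_pos is not None else os.path.getsize(path)

    def poll(self):
        """Return one JSON event per complete line appended since the last poll."""
        if os.path.getsize(self.path) < self.pos:
            self.pos = 0  # file truncated or rotated in place: reread from the start
        events = []
        with open(self.path, "rb") as fh:
            fh.seek(self.pos)
            for raw in fh:
                if not raw.endswith(b"\n"):
                    break  # partial line: leave it for the next poll
                self.pos += len(raw)
                events.append(json.dumps({
                    "SourceModuleName": self.name,
                    "SourceModuleType": "im_file",  # the field the Loggly search filters on
                    "event": raw.rstrip(b"\r\n").decode("utf-8", "replace"),
                }))
        return events


def demo():
    """Exercise the watcher on a constructed temp file; return the json.event values."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".log") as f:
        f.write("old line 1\nold line 2\n")  # constructed history that must NOT be sent
        path = f.name
    try:
        watcher = FileInput("my_app_log", path)
        first = watcher.poll()  # empty: the watcher started at the end of the file
        with open(path, "a") as f:
            f.write("new line A\nnew line B\npartial")
        second = watcher.poll()  # only the two complete lines
        with open(path, "w") as f:
            f.write("after truncate\n")  # rewritten shorter than the saved position
        third = watcher.poll()
        return {"first": first, "second": [json.loads(e)["event"] for e in second],
                "third": [json.loads(e)["event"] for e in third]}
    finally:
        os.remove(path)
```

The truncation check is by file size only, so a rotated file that is rewritten to a size larger than the saved offset would not be detected; that is the same class of caveat to keep in mind when relying on SavePos across log rotation.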

Windows File Monitoring Example

Advanced Windows File Monitoring Options

Troubleshooting Windows File Monitoring

If you don’t see any data show up in the verification step, then check for these common problems.

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.