Configuration overview

NXLog Agent uses an Apache-style, file-based configuration system comprised of blocks and directives. Any configuration files must use either the ANSI or UTF-8 without BOM encoding.

You can configure NXLog Agent instances from NXLog Platform by using the configuration builder or text editor. See Create your first NXLog Agent configuration in the NXLog Platform User Guide for an introduction to the NXLog Agent configuration.

Configuration components

The following is an overview of the NXLog Agent configuration components. Refer to Data processing overview for more information.

Constants

You can use constant values throughout the configuration. They’re typically used for directory paths, filenames, hostnames, or regular expressions.

define INSTALLDIR /opt/nxlog
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

Global settings

Global settings control the overall NXLog Agent behavior. These include settings related to logging, batching, caching, and date format.

LogLevel INFO
LogFile  %MYLOGFILE%

Extensions

Use extension modules to process telemetry data, such as parsing or formatting records. You can add multiple instances of the same extension module.

<Extension syslog>
    Module    xm_syslog
</Extension>

Input

Add input module instances to collect or receive telemetry data from your sources. You can parse records into structured data, add or remove fields, and transform them into the required output format.

<Input input_file>
    Module    im_file
    File      '/var/log/syslog'
    Exec      parse_syslog();
</Input>

Output

Output modules send data to their destinations, such as files, databases, or SIEMs. You can also process records in output module instances.

<Output output_file>
    Module    om_file
    File      '/tmp/logs/nxlog_output'
    Exec      to_syslog_bsd();
</Output>

Route

Routes define the data flow and processing order. A route can include multiple input, processor, and output module instances. You can define more than one route.

<Route r1>
    Path    input_file => output_file
</Route>

Directives

Directives are settings that configure the behavior of NXLog Agent. Each directive consists of a name and a value separated by whitespace:

DirectiveName    value

Directives can be global, appearing at the top level of the configuration file outside any block, or module-level, appearing inside a module block:

nxlog.conf

LogLevel      INFO

<Input in>
    Module    im_file
    File      '/var/log/syslog'
</Input>

Some directives can also be used as block directives, in which the value spans multiple lines and is enclosed between an opening tag and a matching closing tag. Others must be specified as block directives and cannot be used inline.

nxlog.conf

<Exec>
    log_info("Processing event");
    $Message = "Processed: " + $Message;
</Exec>

Some block directives also support sub-directives, which are nested inside the block and configure specific aspects of that directive. For example, the Protocol block directive of the Packet capture module uses sub-directives to specify the protocol type, ports, and fields to capture:

nxlog.conf

<Protocol>
    Type    http
    Field   http.request.uri
    Field   http.request.method
</Protocol>

Refer to the relevant module documentation for the directives supported by each module.

Multiple lines

A directive and its value must be specified on the same line, but the value can span multiple lines. Values spanning multiple lines must have the newline escaped with a backslash (\) as shown below.

nxlog.conf

<Extension csv>
    Module    xm_csv
    Fields    $Version, $Device_Vendor, $Device_Product, $Device_Version, \
              $Signature_ID, $Name, $Severity, $_Extension
</Extension>

The backslash must be the last character before the end of the line character, either CR (carriage return) or LF (line feed).

Regular expressions and multiple lines

For NXLog Agent 6.8 and older, regular expressions must always be defined in a single line, as they are handled by a specific parser that does not recognize backslashes as line breaks.

Comments

Lines starting with a hash (#) are ignored and can be used as comments. The configuration does not support inline comments.

nxlog.conf

# This is a comment line
<Extension json>
    Module    xm_json
</Extension>

Hostname resolution

At startup, NXLog Agent reads the hostname reported by the operating system. If the name contains a dot (.), it uses the portion before the first dot as the short hostname and the complete value as the Fully Qualified Domain Name (FQDN). If not, NXLog Agent inspects the available network interfaces, prioritizing IPv4 addresses. It performs a reverse lookup on up to two addresses per family, skipping link-local ranges (169.254.0.0/16 and fe80::/10) when multiple addresses are available. The first lookup containing a dotted result is used as the FQDN. If no lookup yields a dotted value, NXLog Agent uses the short hostname as the FQDN. If that also fails, it falls back to:

localhost.localdomain for the hostname_fqdn() function.
null for the ServerInfo response.