Global settings
The following directives apply to the overall NXLog Agent operation.
- AbortOnDoubleSigterm
-
After receiving the first termination signal NXLog Agent might not terminate right away due to its shutdown sequence. This boolean directive specifies whether NXLog Agent should immediately terminate on second termination signal (
SIGINT
,SIGQUIT
orSIGTERM
). Default value isFALSE
.
- AgentUidDir
-
This directive specifies a directory where the agent files (
.nxlog.id
) and (.nxlog.id.sig
) should be written. This directive has a compiled-in value which is used by default.
- BatchSize
-
Modules accumulate multiple records together into a batch, and each batch is forwarded to the next module in the route. This directive specifies the maximum number of records to accumulate per batch. If not specified, it defaults to maximum 50 records per batch. The global batch size can be overridden per module with the BatchSize module-level directive.
- BatchFlushInterval
-
Input and processor modules accumulate multiple records together into a batch, and each batch is forwarded to the next module in the route. This directive specifies the timeout, in seconds, before a batch of records will be forwarded to the next module in the route, even if it has accumulated fewer than the maximum number of records given by the BatchSize directive. If this directive is not specified, it defaults to
0.1
(100 milliseconds). The flush interval can be overriden per module, with the BatchFlushInterval module level directive.This directive only applies to input and processor modules!
- CacheDir
-
This directive specifies a directory where the cache file (
configcache.dat
) should be written. This directive has a compiled-in value which is used by default.
- CacheFlushInterval
-
This directive specifies how often the in-memory position cache should be flushed to the cache file. A value of 0 indicates that the cache should only be flushed to file when the agent shuts down; if the server or agent crashes, the current position cache will be lost. A positive integer indicates the interval in seconds between flushes of the cache. The string
always
specifies that the cache should be flushed to file immediately when a module sets a value. If this directive is not specified the default value of 5 seconds is used. See also the CacheSync directive below.
- CacheInvalidationTime
-
NXLog Agent persists saved positions in cache that is written the disk. To prevent the cache growing indefinitely an invalidation period is used. This directive defines the invalidation period. If the last modification time of an entry exceeds the value set with this directive, the entry is discarded when the cache is read from disk. This directive accepts a positive Integer value. If the directive is not specified, the default value of 864000 (10 days) is used.
- CacheSync
-
When the in-memory position cache is flushed to the cache file, the cache may not be immediately written to the disk due to file system buffering. When this directive is set to
TRUE
, the cache file is synced to disk immediately when it is written. The default isFALSE
. CacheSync has no effect if CacheFlushInterval is set toFALSE
or 0. Setting CacheSync toTRUE
when CacheFlushInterval is set toalways
may reduce performance, yet it guarantees data integrity in the event of a crash.
- Capabilities
-
This directive allows you to define Linux capabilities that NXLog Agent must not drop after it has started.
For security reasons, NXLog Agent drops nearly all capabilities during startup, and as a trade-off, loses the ability to use them later in its life cycle. In some rare scenarios this can cause a problem, for example when NXLog Agent is started with an empty configuration, but configuration changes that require binding to a new privileged port are later added by NXLog Platform. In this case the binding will fail. Specifying the required capabilities upfront using this configuration directive eliminates this problem.
For usage examples, see Granting additional Linux capabilities.
- ConnectionIdleTimeout
-
This optional directive defines the maximum time in seconds before NXLog Agent closes TCP connections without traffic. The minimum timeout value is 15 seconds. If this directive is not specified, NXLog Agent does not close idle TCP connections.
The ConnectionIdleTimeout can also be defined at the module level. If both global and module directives are defined, the module directive takes precedence over the global directive.
- DateFormat
-
This directive can be used to change the default date format as it appears in the LogFile, in the
$raw_event
generated by the modules, and when a datetime type value is converted to a string. The following values are accepted (corresponding to the formats accepted by the NXLog Agent strftime() function):-
YYYY-MM-DD hh:mm:ss
(the default) -
YYYY-MM-DDThh:mm:ssTZ
-
YYYY-MM-DDThh:mm:ss.sTZ
-
YYYY-MM-DD hh:mm:ssTZ
-
YYYY-MM-DD hh:mm:ss.sTZ
-
YYYY-MM-DDThh:mm:ssUTC
-
YYYY-MM-DDThh:mm:ss.sUTC
-
YYYY-MM-DD hh:mm:ssUTC
-
YYYY-MM-DD hh:mm:ss.sUTC
-
A format string accepted by the strftime() function in the C library
-
- EscapeGlobPatterns
-
This boolean directive specifies whether the backslash (
\
) character in glob patterns or wildcarded entries should be enabled as an escape sequence. If set toTRUE
, this directive implies that the backslash character (\
) needs to be escaped by another backslash character (\\
). File and directory patterns on Windows do not require escaping and are processed as non-escaped even if this directive is set toTRUE
. The default isFALSE
. This directive is used in the im_file, im_fim, and im_regmon modules.
- FlowControl
-
This optional boolean directive specifies the flow control default for input and processor module instances. Output module instances do not inherit from this directive. By default, the global FlowControl value is
TRUE
. See the description of the module-level FlowControl directive for more information.
- FlowControlFIFO
-
This bolean directive, when set to
TRUE
, which is also the default, enables FIFO mode for modules that have flow control disabled. In this mode, when the log queue of a module is full, older records will be dropped in order to make room for newer ones. When set toFALSE
, the old behavior is in effect: while the log queue is full, no records will be dropped, but new incoming records will be discarded instead.
- GenerateDateInUTC
-
If set to
TRUE
, this boolean directive specifies that UTC should be used when generating dates in the formatYYYY-MM-DD hh:mm:ss
. If set toFALSE
, local time will be used when generating dates in this format. The default isFALSE
. See also ParseDateInUTC.
- Group
-
Similar to User, NXLog Agent will set the group ID to run under. The group can be specified by name or numeric ID. This directive has no effect when running on the Windows platform or with nxlog-processor(8).
- IgnoreErrors
-
If set to
FALSE
, NXLog Agent will stop when it encounters a problem with the configuration file (such as an invalid module directive) or if there is any other problem which would prevent all modules functioning correctly. If set toTRUE
, NXLog Agent will start after logging the problem. The default value isTRUE
.
- LogFile
-
NXLog Agent will write its internal log to this file. If this directive is not specified, self logging is disabled. Note that the im_internal module can also be used to direct internal log messages to files or different output destinations, but this does not support log level below
INFO
. This LogFile directive is especially useful for debugging.
- LogLevel
-
This directive has five possible values:
CRITICAL
,ERROR
,WARNING
,INFO
, andDEBUG
. It will set both the logging level used for LogFile and the standard output if NXLog Agent is started in the foreground. The default LogLevel isINFO
. This directive can also be used at the module level.
- LogSizeLimit
-
This directive specifies the maximum size of the log lines in bytes, created by NXLog Agent’s
log_*()
procedures. The default is 1024 bytes. The minimum allowed value is 128, while the maximum is 65536 bytes. The closest limit value (128 or 65536) will be used if the value is below or over the allowed limits. Lines that exceed this limit will be truncated. The actual output will always be at least two bytes shorter than the specified value.
- LogqueueDir
-
This directive specifies the directory where the files of the persistent queues are stored for processor and output module instances. Even if PersistLogqueue is set to
FALSE
, NXLog Agent will persist in-memory queues to the LogqueueDir on shutdown. If not specified, the default is the value of CacheDir. This directive can also be used at the module level to specify a log queue directory for a specific module instance.
- LogqueueSize
-
Maximum size of the log queue in bytes. The log queue is an input log queue for events waiting to be processed by that module instance. The default is 2097152 bytes (2 MiB). The minimum allowed value is 524288 bytes (512 KiB), which NXLog Agent enforces if you enter a smaller value. This directive is only valid for processor and output module instances.
When the log queue of a module instance is full and FlowControl is enabled for the preceding module, the preceding module will be suspended. If flow control is not enabled for the preceding module, events will be discarded. This directive can be used at the module level to affect a single module instance.
The use of this directive may produce high memory usage. Also, note that the actual queue size depends on the number of event records (and their size) in the module queue. The limit, which is set by this directive, is not a hard one as the sizes of the events are based on approximations and the queue can store an extra batch of records even after reaching the size limit. See Buffering and flow control for a detailed explanation of log queues.
- ManagedConfigFile
-
This directive controls which configuration file will be backed-up when a new version is written by the xm_admin PutFile command. The default is
managed.conf
.
- ModuleDir
-
By default the NXLog Agent binaries have a compiled-in value for the directory to search for loadable modules. This can be overridden with this directive. The module directory contains sub-directories for each module type (extension, input, output, and processor), and the module binaries are located in those.
- NoCache
-
Some modules save data to a cache file which is persisted across a shutdown/restart. Modules such as im_file will save the file position in order to continue reading from the same position after a restart. This caching mechanism can be explicitly turned off with this directive. This is mostly useful with nxlog-processor(8) in offline mode. If this boolean directive is not specified, it defaults to
FALSE
(caching is enabled). Note that many input modules, such as im_file, provide a SavePos directive that can be used to disable the position cache for a specific module instance. SavePos has no effect if the cache is disabled globally withNoCache TRUE
.
- NoFreeOnExit
-
This directive is for debugging. When set to
TRUE
, NXLog Agent will not free module resources on exit, allowing tools like Valgrind to show proper stack trace locations in module function calls. The default value isFALSE
.
- Panic
-
A panic condition is a critical state which usually indicates a bug. Assertions are used in NXLog Agent code for checking conditions where the code will not work unless the asserted condition is satisfied, and for security. Failing assertions result in a panic and suggest a bug in the code. A typical case is checking for NULL pointers before pointer dereference. This directive can take three different values:
HARD
,SOFT
, orOFF
.HARD
will cause an abort in case the assertion fails. This is how most C based programs work.SOFT
will cause an exception to be thrown at the place of the panic/assertion. In case of NULL pointer checks this is identical to a NullPointerException in Java. It is possible that NXLog Agent can recover from exceptions and can continue to process log messages, or at least the other modules can. In case of assertion failure the location and the condition is printed atCRITICAL
log level inHARD
mode andERROR
log level inSOFT
mode. If Panic is set toOFF
, the failing condition is printed in the logs but the execution will continue on the normal code path. Most of the time this will result in a segmentation fault or other undefined behavior, though in some cases turning off a buggy assertion or panic will solve the problems caused by it inHARD
/SOFT
mode. The default value for Panic isSOFT
.
- ParseDateInUTC
-
If set to
TRUE
, this boolean directive specifies that dates in the formatYYYY-MM-DD hh:mm:ss
should be parsed as UTC. If set toFALSE
, dates in this format are assumed to be in local time. The default isFALSE
. See also GenerateDateInUTC.
- PersistLogqueue
-
This boolean directive specifies that log queues of processor and output module instances should be disk-based. See the module level PersistLogqueue directive for more information.
See Buffering and flow control for a detailed explanation of log queues.
- PidFile
-
Under Unix operating systems, NXLog Agent writes a PID file as other system daemons do. The default PID file can be overridden with this directive in case multiple daemon instances need to be running. This directive has no effect when running on the Windows platform or with nxlog-processor(8).
- ReadTimeout
-
This directive is specific to nxlog-processor(8). It controls the exit condition of nxlog-processor(8). Its value is a timeout in seconds. If nxlog-processor(8) gets no data to process during this period then it will stop waiting for more data and will exit. The default value is 0.05 s. For any non-negative value which is less than 0.05 this will be 0.05. In case nxlog-processor(8) is configured to read data from the network it is recommended to set this to a higher value.
- RootDir
-
NXLog Agent will set its root directory to the value specified with this directive. If SpoolDir is also set, this will be relative to the value of RootDir (chroot() is called first). This directive has no effect when running on the Windows platform or with the nxlog-processor(8).
- SpoolDir
-
NXLog Agent will change its working directory to the value specified with this directive. This is useful with files created through relative filenames (for example, with om_file) and in case of core dumps. This directive has no effect with the nxlog-processor(8).
- StringLimit
-
To protect against memory exhaustion (and possibly a denial-of-service) caused by over-sized strings, there is a limit on the length of each string (in bytes). The default value is 5242880 bytes (strings will be truncated at 5 MiB).
- SuppressRepeatingLogs
-
Under some circumstances it is possible for NXLog Agent to generate an extreme amount of internal logs consisting of the same message due to an incorrect configuration or a software bug. In this case, the LogFile can quickly consume the available disk space. With this directive, NXLog Agent will write at most 2 lines per second if the same message is generated successively, by logging "last message repeated n times" messages. If this boolean directive is not specified, it defaults to
TRUE
(suppression of repeating messages is enabled).
- SyncLogqueue
-
When this directive is set to
TRUE
and PersistLogqueue is enabled, the disk-based queues of processor and output module instances will be immediately synced after each new entry is added to the queue. This greatly reduces performance but makes the queue more reliable and crash-safe. If this boolean directive is not specified, it defaults toFALSE
(immediate syncing is disabled). This directive can also be used at the module level.See Buffering and flow control for a detailed explanation of log queues.
- Threads
-
This directive specifies the number of worker threads to use. The number of worker threads is calculated and set to an optimal value if this directive is not defined. Do not set this unless you know what you are doing.
- UseCNGCertificates
-
You must set this directive to
TRUE
when the certificates you plan to use are nonexportable; this includes software crypto storage and TPM modules.When UseCNGCertificates is
TRUE
, the behavior is the following:-
All types of certificates are loaded through the CNG API.
When UseCNGCertificates is
FALSE
(default), the behavior is the following:-
The certificates are loaded through the older Windows API and OpenSSL functions.
-
Exportable certificates work normally.
-
However, nonexportable certificates fail to load as the CNG API engine is not used.
-
- User
-
NXLog Agent will drop to the user specified with this directive. This is useful if NXLog Agent needs privileged access to some system resources (such as kernel messages or to bind a port below 1024). On Linux systems NXLog Agent will use capabilities to access these resources. In this case NXLog Agent must be started as root. The user can be specified by name or numeric ID. This directive has no effect when running on the Windows platform or with nxlog-processor(8).