Configuration overview

NXLog Agent uses an Apache-style, file-based configuration system comprised of blocks and directives. Any configuration files must use either the ANSI or UTF-8 without BOM encoding.

You can configure NXLog Agent instances from NXLog Platform by using the configuration builder or text editor. See Create your first NXLog Agent configuration in the NXLog Platform User Guide for an introduction to the NXLog Agent configuration.

Configuration components

The following is an overview of the NXLog Agent configuration components. Refer to Data processing overview for more information.

Constants

You can use constant values throughout the configuration. They’re typically used for directory paths, filenames, hostnames, or regular expressions.

define INSTALLDIR /opt/nxlog
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

Directives

Global directives control the overall NXLog Agent behavior. These include settings related to logging, batching, caching, and date format.

LogLevel INFO
LogFile  %MYLOGFILE%

Extensions

Use extension modules to process telemetry data, such as parsing or formatting records. You can add multiple instances of the same extension module.

<Extension syslog>
    Module    xm_syslog
</Extension>

Input

Add input module instances to collect or receive telemetry data from your sources. You can parse records into structured data, add or remove fields, and transform them into the required output format.

<Input input_file>
    Module    im_file
    File      '/var/log/syslog'
    Exec      parse_syslog();
</Input>

Output

Output modules send data to their destinations, such as files, databases, or SIEMs. You can also process records in output module instances.

<Output output_file>
    Module    om_file
    File      '/tmp/logs/nxlog_output'
    Exec      to_syslog_bsd();
</Output>

Route

Routes define the data flow and processing order. A route can include multiple input, processor, and output module instances. You can define more than one route.

<Route r1>
    Path    input_file => output_file
</Route>

Multiple lines

A directive and its value must be specified on the same line, but the value can span multiple lines. Values spanning multiple lines must have the newline escaped with a backslash (\) as shown below.

nxlog.conf

<Extension csv>
    Module    xm_csv
    Fields    $Version, $Device_Vendor, $Device_Product, $Device_Version, \
              $Signature_ID, $Name, $Severity, $_Extension
</Extension>

The backslash must be the last character before the end of the line character, either CR (carriage return) or LF (line feed).

Regular expressions and multiple lines

For NXLog Agent 6.8 and older, regular expressions must always be defined in a single line, as they are handled by a specific parser that does not recognize backslashes as line breaks.

Comments

Lines starting with a hash (#) are ignored and can be used as comments. The configuration does not support inline comments.

nxlog.conf

# This is a comment line
<Extension json>
    Module    xm_json
</Extension>

Hostname resolution

At startup, NXLog Agent reads the hostname reported by the operating system. If the name contains a dot (.), it uses this as both the short hostname and the FQDN. If not, NXLog Agent inspects the available network interfaces, prioritizing IPv4 addresses. It performs a reverse lookup on up to two addresses per family, skipping link-local ranges (169.254.0.0/16 and fe80::/10) when multiple addresses are available. The first lookup containing a dotted result is used as the FQDN. If no lookup yields a dotted value, NXLog Agent uses the short hostname as the FQDN. If that also fails, it uses localhost.localdomain as the final fallback.