Viewing the NXLog Agent logs

NXLog Agent logs messages about its operation to a file by default. These logs help troubleshoot NXLog Agent when it is not working as expected.

Below, we highlight how to customize logging settings, retrieve NXLog Agent status information, and run NXLog Agent interactively for live debugging.

Changing the log file path

The LogFile global directive specifies the path of the NXLog Agent log file. The path must point to an existing directory. NXLog Agent creates the file if it does not exist.

The default file path is C:\Program Files\nxlog\data\nxlog.log on Windows and /opt/nxlog/var/log/nxlog/nxlog.log on Linux and macOS. You can turn off logging to a file by removing the LogFile directive. You must restart NXLog Agent for new settings to come into effect.

Setting the log level

The LogLevel global directive specifies NXLog Agent’s logging level. The default level is INFO. You can record more detailed information by setting the log level to DEBUG. However, this level produces a lot of logging, so we only recommend it for troubleshooting. You must restart NXLog Agent before the new setting comes into effect.

Alternatively, you can temporarily change the logging level for a running instance as follows:

Linux

Send the SIGUSR2 signal:

$ sudo kill -SIGUSR2 `ps aux | grep [/]opt/nxlog/bin/nxlog | awk '{print $2}'`
Windows

Send the service control command 201:

> sc control nxlog 201

Restart the NXLog Agent service to revert to the configuration LogLevel value.

Getting NXLog Agent status information

You can instruct NXLog Agent to dump status information into the log file. This information can help you troubleshoot log processing issues, such as an input instance not forwarding logs to an output instance.

Linux

Send the SIGUSR1 signal:

$ sudo kill -SIGUSR1 `ps aux | grep [/]opt/nxlog/bin/nxlog | awk '{print $2}'`
Windows

Send the service control command 200:

> sc control nxlog 200

NXLog Agent writes status information similar to the following in its log file.

2024-06-28 15:25:42 INFO [CORE|main] event queue has 2 events:  TIMEOUT: 1;
CONFIG_CACHE_FLUSH: 1;jobgroup with priority 1;non-module job, events: 0;
jobgroup with priority 10;job of module system_logs/im_file, events: 0;job
of module file/om_file, events: 0;jobgroup with priority 99;non-module job,
events: 0;non-module job, events: 0;non-module job, events: 0;non-module job,
events: 0;[route r1]; - system_logs: type INPUT, status: RUNNING queuesize: 0;
- file: type OUTPUT, status: RUNNING queuesize: 0;

The instance status is the most important field in the debug dump. If the status is PAUSED, the following instance’s queue is full and cannot receive more logs. In this case, the queuesize value of the next instance will be over 99. An instance with a STOPPED status means it has terminated, most likely due to an error.

Using systemd journal on Linux

On Linux-based systems, systemd controls the NXLog Agent service. The systemd journal captures applications' standard output and standard error streams, including NXLog Agent’s logging. Logs are available in the journal database even if logging to a file is not enabled, or the log file is deleted. You can use the journalctl tool to view the logs. The following are some useful journalctl commands for troubleshooting.

A user must be a member of the systemd-journal group to access the systemd journal logs.

Execute the following command to show all NXLog Agent journal entries since it was installed, ordered by oldest first.

$ journalctl --unit nxlog

Use the -b option to show log entries from the current boot.

$ journalctl --unit nxlog -b

Use the --since and --until options to limit the logging to a specific timeframe. Specify the time in local time.

$ journalctl --unit nxlog --since "2024-06-28 15:00:00" --until "2024-06-28 15:30:00"

You can redirect the output to a file as follows.

$ journalctl --unit nxlog --since "2024-06-28 15:00:00" >nxlog.log

By default, journalctl shows logs in syslog-style. However, you can change the output format to JSON using the -o option.

$ journalctl --unit nxlog --since "2024-06-28 15:00:00" -o json

You can also actively follow live logs with the -f option.

$ journalctl --unit nxlog -f

Running NXLog Agent interactively

Running NXLog Agent interactively can be helpful for live debugging. Run NXLog Agent from the command line with the -f option to view its standard output and standard error streams.

Linux

Execute the following command:

$ sudo /opt/nxlog/bin/nxlog -f
Windows

Open the command prompt with administrative rights and execute the following command:

> "C:\Program Files\nxlog\nxlog.exe" -f