NXLog Documentation



nxlog - collects, processes, converts, and forwards event logs in many different formats


nxlog [-c conffile] [-f]

nxlog [-c conffile] -v

nxlog [-r | -s]


NXLog can process high volumes of event logs from many different sources. Supported types of log processing include rewriting, correlating, alerting, filtering, and pattern matching. Additional features include scheduling, log file rotation, buffering, and prioritized processing. After processing, NXLog can store or forward event logs in any of many supported formats. Inputs, outputs, and processing are implemented with a modular architecture and a powerful configuration language.

While the details provided here apply to NXLog installations on Linux and other UNIX-style operating systems in particular, a few Windows-specific notes are included.


-c conffile, --conf conffile

Specify an alternate configuration file conffile. On Windows, this option must be used with -f. To change the configuration file used by the NXLog service on Windows, modify the service parameters.

-f, --foreground

Run in foreground, do not daemonize.

-h, --help

Print help.

-r, --reload

Reload configuration of a running instance.

-s, --stop

Send stop signal to a running instance.

-v, --verify

Verify configuration file syntax.


Various signals can be used to control the NXLog process. Some corresponding Windows control codes are also available; these are shown in parentheses where applicable.


This signal causes NXLog to reload the configuration and restart the modules. On Windows, "sc stop nxlog" and "sc start nxlog" can be used instead.

SIGUSR1 (200)

This signal generates an internal log message with information about the current state of NXLog and its configured module instances. The message will be generated with INFO log level, written to the log file (if configured with LogFile), and available via the im_internal module.

SIGUSR2 (201)

This signal causes NXLog to switch to the DEBUG log level. This is equivalent to setting the LogLevel directive to DEBUG but does not require NXLog to be restarted.


NXLog will exit if it receives one of these signals. On Windows, "sc stop nxlog" can be used instead.

On Linux/UNIX, a signal can be sent with the kill command. The following, for example, sends the SIGUSR1 signal:

kill -SIGUSR1 $(cat /run/nxlog/nxlog.pid)

On Windows, a signal can be sent with the sc command. The following, for example, sends the 200 signal:

sc control nxlog 200



The main NXLog executable


This tool can be used to check NXLog Language statements. All statements are read from standard input and then validated. If a statement is invalid, the tool prints an error to standard error and exits non-zero.


The default configuration file


The NXLog modules are located in this directory, by default. See the ModuleDir directive.


This is the position cache file where positions are saved. See the NoCache directive, in addition to CacheDir.


The process ID (PID) of the currently running NXLog process is written to this file. See the PidFile directive.


NXLog website: https://nxlog.co

NXLog User Guide: https://docs.nxlog.co

Copyright © NXLog Ltd. 2022

The NXLog Community Edition is licensed under the NXLog Public License. The NXLog Enterprise Edition is not free and has a commercial license.