Installing NXLog Agent Minder

The product is delivered as a generic Linux package in DEB and RPM package formats. The binary is currently statically linked.

Installing on Debian and Ubuntu systems

apt install ./nxlog-minder_VERSION_ARCH.deb

Installing on Redhat, SUSE, and other RPM based systems

zypper install ./nxlog-minder-VERSION-1.ARCH.rpm
yum install ./nxlog-minder-VERSION-1.ARCH.rpm
dnf install ./nxlog-minder-VERSION-1.ARCH.rpm

Installing on Docker

tar xf nxlog-minder_VERSION_amd64-docker.tgz
docker-compose up -d

Starting and stopping NXLog Agent Minder

systemctl start minder.service

Checking the NXLog Agent Minder logs

systemctl status minder.service
journalctl --unit minder.service

Initial Configuration

NXLog Agent Minder will generate a CA key and certificate, and a server key and certificate for the agent connection port and for the API port. These are stored in /opt/minder/conf/cert and /opt/minder/conf/PKI.

Using your own keys and certificates

Overwrite the existing keys and certificates as needed and they will be loaded on next start.

/opt/minder/conf/cert holds the files used for external communication.

  • agent communication

    • minder-cert.pem

    • minder-key.pem

  • API port communication

    • api-cert.pem

    • api-key.pem

/opt/minder/conf/PKI holds the files of the PKI.

  • ca-cert.pem

  • ca-key.pem

We currently do not persist the agent keys and certificates on the server side. This will be implemented at a later time.
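As an added example (not part of the NXLog documentation), the following POSIX shell script builds a private CA and the two server certificates in the layout above with the OpenSSL CLI, then checks that each certificate chains to the CA and matches its private key before the files are copied into place. The file names follow the page; the key sizes, lifetimes, subject names and the DNS name are assumptions.

```sh
#!/bin/sh
# Added example, not NXLog's code: generate the Minder CA and server
# certificates in the /opt/minder/conf layout using the OpenSSL CLI.
# Key sizes, validity periods and subject names are assumptions.

gen_minder_pki() {
    base="$1"   # directory holding PKI/ and cert/ (the page's /opt/minder/conf)
    cn="$2"     # DNS name agents and API clients use to reach the server
    ext="$base/ext.tmp"
    mkdir -p "$base/PKI" "$base/cert" || return 1

    # 1. CA: private key and a self-signed certificate marked CA:TRUE
    openssl req -new -newkey rsa:3072 -nodes -sha256 -subj "/CN=NXLog Minder CA" \
        -keyout "$base/PKI/ca-key.pem" -out "$base/PKI/ca.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
    openssl x509 -req -sha256 -days 3650 -in "$base/PKI/ca.csr" \
        -signkey "$base/PKI/ca-key.pem" -extfile "$ext" \
        -out "$base/PKI/ca-cert.pem" 2>/dev/null || return 1

    # 2. one leaf certificate per listener (agent port and API port), signed by the CA
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$cn" > "$ext"
    for role in minder api; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
            -keyout "$base/cert/$role-key.pem" -out "$base/cert/$role.csr" 2>/dev/null || return 1
        # -CAcreateserial writes the serial file ca-cert.srl next to the CA certificate
        openssl x509 -req -sha256 -days 825 -in "$base/cert/$role.csr" \
            -CA "$base/PKI/ca-cert.pem" -CAkey "$base/PKI/ca-key.pem" -CAcreateserial \
            -extfile "$ext" -out "$base/cert/$role-cert.pem" 2>/dev/null || return 1
    done

    rm -f "$ext" "$base/PKI/ca.csr" "$base/cert/"*.csr
    # private keys must not be world-readable
    chmod 600 "$base/PKI/ca-key.pem" "$base/cert/"*-key.pem
}

# Both server certificates must validate against the CA Minder serves to agents.
verify_minder_pki() {
    base="$1"
    openssl verify -CAfile "$base/PKI/ca-cert.pem" \
        "$base/cert/minder-cert.pem" "$base/cert/api-cert.pem" >/dev/null
}

# A certificate and key pair belong together when their public keys are identical.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage (dry run in a scratch directory, then copy into /opt/minder/conf):
#   gen_minder_pki ./minder-conf minder.example.internal
#   verify_minder_pki ./minder-conf
#   key_matches_cert ./minder-conf/cert/api-key.pem ./minder-conf/cert/api-cert.pem
```

Run it against a scratch directory, check the output, then copy the PKI and cert directories over /opt/minder/conf and restart minder.service. Replace the CA before enrolling agents: an enrolled agent verifies the server against the CA it received at enrollment, so changing the CA afterwards means re-enrolling.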

Connecting an agent

Agents will need to be set up with a simple configuration file.

This configuration file must be placed in /opt/nxlog/etc/nxlog.d and named managed.conf.

The file must be included from the main nxlog.conf file located in /opt/nxlog/etc.

define NXLOG_MANAGER_ADDRESS 192.168.1.1
define NXLOG_MANAGER_PORT 4041

LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension agent_management>
    Module          xm_admin
    Connect         %NXLOG_MANAGER_ADDRESS%
    Port            %NXLOG_MANAGER_PORT%
    SocketType      SSL
    AllowUntrusted  TRUE
    RequireCert     FALSE
    <ACL conf>
        Directory   %CONFDIR%
        AllowRead   TRUE
        AllowWrite  TRUE
    </ACL>
    <ACL cert>
        Directory   %CERTDIR%
        AllowRead   TRUE
        AllowWrite  TRUE
    </ACL>
    <labels>
        dplstate "new"
    </labels>
</Extension>

nxlog.conf is set up with the required include when it is installed.

If you are running NXLog Enterprise Edition version 4.x, the configuration file location is /opt/nxlog/var/lib/nxlog/log4ensics.conf.

Configuring the new agent

First the agent needs to be enrolled. The IP address 192.168.1.1 belongs to the NXLog Agent Minder server, and 4041 is the agent management port.

./cli.sh enroll agent-1 192.168.1.1:4041

Specifying the wrong IP address here will take the agent offline. Make sure you use the address that is visible to the agent: network and port address translation, as well as load balancers, may hide the actual IP address of the agent manager.

Then the configuration can be edited:

./cli.sh edit-agent agent-1

This will load the current agent configuration in an editor:

LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension admin>
    Module      xm_admin
    Host        192.168.1.1:4041
    SocketType  SSL
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem

    <ACL conf>
        Directory   %CONFDIR%
        AllowRead   TRUE
        AllowWrite  TRUE
    </ACL>

    <ACL cert>
        Directory   %CERTDIR%
        AllowRead   TRUE
        AllowWrite  TRUE
    </ACL>

    <labels>
        dplstate    "enrolled"
    </labels>
</Extension>

It is recommended to change the dplstate label to "configured", to mark the agent as not needing additional configuration.

im_mark can be applied to generate heartbeat messages:

<Input mark>
    Module          im_mark
    MarkInterval    1
    Mark            NXLog heartbeat
</Input>

im_internal can collect the agent logs so they can also be sent to a central location:

<Input nxlog>
   Module im_internal
</Input>

Then an output module and a route can be set up so the messages are sent to a destination:

<Output tcp_out>
   Module om_tcp
   Host   your-syslog-server:1514
</Output>

<Route r_n>
   Path mark,nxlog => tcp_out
</Route>

Please take care to create a valid configuration. There is no configuration validation implemented at this point. If the new configuration breaks the agent, manual intervention on the agent will be necessary to recover.

Running a simple query

curl -k -sS -X GET 'https://minder-server:8080/agents/ids'

Prometheus quickstart

Prometheus can be deployed in a matter of minutes using Docker and the following script.

Make sure you update the Prometheus configuration with the correct address of NXLog Agent Minder.

#!/bin/bash
set -e

PROM_IMG=minder-prometheus-test
PROM_CONTAINER=minder-prometheus-2
GRAF_CONTAINER=minder-grafana-2
NET=minder-bridge
# Address of the NXLog Agent Minder API port as seen from the Prometheus container
MINDER_SERVER=192.168.1.1:8080

# Create prometheus configuration
cat > prometheus.yml << EOF
global:
  scrape_interval:     15s # By default, scrape targets every 15 seconds.
  external_labels:
    monitor: 'codelab-monitor'
scrape_configs:
  - job_name: 'prometheus'
    scrape_interval: 5s
    static_configs:
      - targets: ['localhost:9090']
  - job_name: 'nxlog'
    scrape_interval: 60s
    scheme: https
    static_configs:
      - targets: ['$MINDER_SERVER']
    tls_config:
      insecure_skip_verify: true # accepts the Minder API certificate without verification
EOF

# Bake the configuration into a Prometheus image and start it
cat > Dockerfile << EOF
FROM quay.io/prometheus/prometheus
ADD prometheus.yml /etc/prometheus
EOF
docker build -t $PROM_IMG .
docker create --name $PROM_CONTAINER --hostname $PROM_CONTAINER -p 9090:9090 $PROM_IMG
docker start $PROM_CONTAINER

# Start Grafana next to it
docker run -h $GRAF_CONTAINER --name $GRAF_CONTAINER -d -p 3000:3000 grafana/grafana

# Put both containers on one bridge network so Grafana can reach Prometheus by container name
docker network create -d bridge $NET
docker network connect $NET $PROM_CONTAINER
docker network connect $NET $GRAF_CONTAINER
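The quickstart above scrapes the Minder API with insecure_skip_verify: true, and the query in "Running a simple query" passes -k to curl; both accept any certificate. As an added example (not part of the NXLog documentation or the quickstart script), the shell functions below write a Prometheus configuration that verifies the Minder API certificate against the Minder CA instead, generate the matching Dockerfile, and show the equivalent verified curl call. The CA path inside the container, the server name and the function names are assumptions; the tls_config keys ca_file, server_name and insecure_skip_verify are standard Prometheus options.

```sh
#!/bin/sh
# Added example, not NXLog's code: a Prometheus scrape configuration for the
# Minder API that verifies TLS against the Minder CA (ca-cert.pem from
# /opt/minder/conf/PKI, copied into the image as minder-ca.pem). Paths and
# names are assumptions.

write_prometheus_config() {
    out="$1"          # where to write prometheus.yml
    target="$2"       # Minder API endpoint, host:port (the page uses 192.168.1.1:8080)
    ca_file="$3"      # CA certificate path inside the Prometheus container
    server_name="$4"  # name in the Minder API certificate; required when the target is an IP
    cat > "$out" << EOF
global:
  scrape_interval: 15s
scrape_configs:
  - job_name: 'nxlog'
    scrape_interval: 60s
    scheme: https
    static_configs:
      - targets: ['$target']
    tls_config:
      ca_file: $ca_file
      server_name: $server_name
      insecure_skip_verify: false
EOF
}

# Same image build as the quickstart, plus the CA certificate next to the config.
write_prometheus_dockerfile() {
    cat > "$1" << 'EOF'
FROM quay.io/prometheus/prometheus
ADD prometheus.yml /etc/prometheus
ADD minder-ca.pem /etc/prometheus
EOF
}

# Guard for review or CI: the scrape config must name a CA file and must not
# disable verification.
config_verifies_tls() {
    grep -q '^ *ca_file:' "$1" || return 1
    if grep -q 'insecure_skip_verify: *true' "$1"; then return 1; fi
    return 0
}

# Verified replacement for "curl -k": the host in the URL must match the
# certificate, so use the server name rather than a bare IP address.
minder_api_get() {
    server="$1"   # e.g. minder.example.internal:8080
    ca="$2"       # e.g. /opt/minder/conf/PKI/ca-cert.pem
    path="$3"     # e.g. agents/ids
    curl -sS --cacert "$ca" -X GET "https://$server/$path"
}

# Usage:
#   cp /opt/minder/conf/PKI/ca-cert.pem ./minder-ca.pem
#   write_prometheus_config ./prometheus.yml 192.168.1.1:8080 /etc/prometheus/minder-ca.pem minder.example.internal
#   write_prometheus_dockerfile ./Dockerfile
#   config_verifies_tls ./prometheus.yml && docker build -t minder-prometheus-test .
#   minder_api_get minder.example.internal:8080 /opt/minder/conf/PKI/ca-cert.pem agents/ids
```

If the API certificate was generated by Minder itself rather than issued from your own PKI, check which names it carries (openssl x509 -in /opt/minder/conf/cert/api-cert.pem -noout -text) and set server_name accordingly; a name mismatch is reported as a TLS error in the Prometheus target status, which is the expected failure mode when verification is on.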