Collect host metrics with NXLog Agent

NXLog Agent can collect and process metrics that provide insight into system performance and agent health.

Below, we demonstrate how to configure NXLog Agent to collect three common types of host metrics: NXLog Agent internal metrics, Windows performance counters, and Linux host metrics.

Collect NXLog Agent metrics

The Internal Metrics input module allows you to collect metrics focused on both the host system where NXLog Agent is installed and the NXLog Agent instance itself, including data throughput and operational status.

Example 1. Collecting NXLog Agent and host metrics

This configuration collects logs using the TCP input module. It also uses the Internal Metrics input module to collect metrics on the TCP module instance and the host system.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Extension rewrite>
    Module          xm_rewrite (1)
    Delete          SourceModuleName, SourceModuleType, Hostname, json, rewrite
    Rename          EventReceivedTime, timestamp
</Extension>

<Input system_logs>
    Module          im_tcp
    ListenAddr      0.0.0.0:1514
</Input>

<Input nxlog>
    Module          im_internalmetrics
    CounterModule   system_logs (2)
    CounterServer   TRUE (3)
    <Exec>
        rewrite->process();
        to_json(); (4)
    </Exec>
</Input>

(1) The Rewrite extension provides the functionality to normalize data records, including discarding and renaming fields.
(2) The CounterModule directive specifies the name of the TCP input module instance.
(3) The CounterServer directive is set to TRUE in order to collect host metrics.
(4) The to_json() procedure converts the data to JSON and writes it to the $raw_event core field.

The following is a record generated by the NXLog Agent configuration above.

Output sample
{
  "system_logs_evt_recvd": 2,
  "system_logs_bytes_recvd": 1050,
  "system_logs_evt_drop": 0,
  "system_logs_evt_fwd": 2,
  "system_logs_batchsize": 50,
  "system_logs_bytes_recvd_raw": 198,
  "system_logs_status": "RUNNING",
  "system_logs_type": "INPUT",
  "system_logs_module": "im_tcp",
  "system_logs_variables": 0,
  "server_uid": "86aa2aae-fd38-11f0-80f8-57494e2d3538",
  "server_started": 1771929770867920,
  "server_load": "0.000000",
  "server_pid": 36304,
  "server_mem": 19959808,
  "server_version": "6.11.10436",
  "server_os": "Windows",
  "server_systeminfo": "Windows, 16 CPU(s), 15.8Gb memory",
  "server_hostname": "SRV01",
  "server_servertime": 1771929831130130,
  "server_cpu": 406250,
  "server_thread_count": 8,
  "server_fd_count": 11,
  "server_arch": "x86-64",
  "server_osrelease": "Windows Server 2025 Standard",
  "timestamp": "2026-02-24T11:43:51.130130+01:00"
}
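
The drop counter, status, and server fields in this record show whether the collection pipeline itself is healthy, which matters when the agent is the source of your security telemetry. The following Python example is added here and is not part of NXLog Agent or its documentation; the second instance name app_logs, its STOPPED status value, the 300-second restart threshold, and the reading of server_started/server_servertime as microseconds since the Unix epoch (consistent with the record's timestamp field) are assumptions.

```python
import json

# Constructed sample: fields copied from the record above, plus a hypothetical
# second input instance "app_logs" that is stopped and has dropped events.
SAMPLE = json.dumps({
    "system_logs_evt_recvd": 2, "system_logs_evt_drop": 0,
    "system_logs_status": "RUNNING", "system_logs_module": "im_tcp",
    "app_logs_evt_recvd": 40, "app_logs_evt_drop": 3,
    "app_logs_status": "STOPPED", "app_logs_module": "im_tcp",
    "server_hostname": "SRV01",
    "server_started": 1771929770867920,
    "server_servertime": 1771929831130130,
})

def module_instances(rec):
    """Discover monitored instances from their '<instance>_status' keys."""
    suffix = "_status"
    return sorted(k[:-len(suffix)] for k in rec if k.endswith(suffix))

def agent_uptime_seconds(rec):
    """Uptime from server_started/server_servertime (assumed microseconds)."""
    try:
        return (rec["server_servertime"] - rec["server_started"]) / 1_000_000
    except (KeyError, TypeError):
        return None  # CounterServer not enabled, or the fields were rewritten

def health_findings(rec, min_uptime_s=300):
    """Return findings that point to possible telemetry loss.

    min_uptime_s is a hypothetical threshold for flagging a recent restart.
    """
    findings = []
    for name in module_instances(rec):
        status = rec[f"{name}_status"]
        if status != "RUNNING":
            findings.append(f"{name}: status is {status}")
        dropped = rec.get(f"{name}_evt_drop") or 0
        if dropped > 0:
            findings.append(f"{name}: {dropped} event(s) dropped")
    uptime = agent_uptime_seconds(rec)
    if uptime is not None and uptime < min_uptime_s:
        findings.append(f"agent restarted {uptime:.0f}s ago")
    return findings

if __name__ == "__main__":
    for finding in health_findings(json.loads(SAMPLE)):
        print(finding)
```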

Collect Windows performance counters

NXLog Agent provides the Windows Performance Counters input module to poll counter data. Execute the following command to list the counters available on the system:

> typeperf -q

Example 2. Collecting Windows host metrics

This configuration uses the Windows Performance Counters input module to collect metrics on available memory, system uptime, threads, processes, and logon sessions.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Extension rewrite>
    Module          xm_rewrite (1)
    Delete          EventReceivedTime, Severity, SeverityValue, SourceName, \
                    ProcessID, SourceModuleName, SourceModuleType
</Extension>

<Input winperfcount>
    Module          im_winperfcount
    Counter         \Memory\Available MBytes
    Counter         \System\Processes
    Counter         \System\System Up Time
    Counter         \System\Threads
    Counter         \Terminal Services\Total Sessions
    Counter         \Terminal Services\Inactive Sessions
    Counter         \Terminal Services\Active Sessions
    PollInterval    60
    <Exec>
        rewrite->process();
        to_json(); (2)
    </Exec>
</Input>

(1) The Rewrite extension provides the functionality to normalize data records, including discarding unwanted fields.
(2) The to_json() procedure converts the data to JSON and writes it to the $raw_event core field.

The following is a record generated by the NXLog Agent configuration above.

Output sample
{
  "EventTime": "2026-02-24T12:23:56.043090+01:00",
  "Hostname": "SRV01",
  "\\Memory\\Available MBytes": "1903.000000",
  "\\System\\Processes": "114.000000",
  "\\System\\System Up Time": "4362.342068",
  "\\System\\Threads": "1059.000000",
  "\\Terminal Services\\Total Sessions": "2.000000",
  "\\Terminal Services\\Inactive Sessions": "1.000000",
  "\\Terminal Services\\Active Sessions": "1.000000"
}

Collect Linux host metrics

On Linux, you can collect host metrics using the Osquery input module. This module is a wrapper for the Osquery monitoring tool and is also available for Windows and macOS.

Example 3. Collecting Linux host metrics with Osquery

This configuration uses the Osquery input module to collect metrics on system load, memory, and disk usage. Refer to the Osquery schema for detailed information about available tables and their columns.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Extension rewrite>
    Module          xm_rewrite (1)
    Delete          calendarTime, hostIdentifier, SourceModuleName, SourceModuleType
    Rename          EventReceivedTime, timestamp
</Extension>

<Input osquery>
    Module          im_osquery

    <QueryMap>
        Name        load
        Query       "SELECT average FROM load_average WHERE period == '5m'"
        Interval    60
    </QueryMap>

    <QueryMap>
        Name        memory
        Query       "SELECT memory_total, memory_free, memory_available, cached, \
                     swap_cached, active, inactive, swap_total, swap_free FROM memory_info"
        Interval    60
    </QueryMap>

    <QueryMap>
        Name        disk
        Query       "SELECT device, type, path, blocks * blocks_size AS total_bytes, \
                     blocks_available * blocks_size AS available_bytes_user, \
                     blocks_free * blocks_size AS free_bytes_total, \
                     (blocks - blocks_free) * blocks_size AS byte_used, \
                     (blocks_free * 100.0) / blocks AS byte_free_percent, inodes_free, \
                     (inodes - inodes_free) AS inodes_used, inodes AS inodes_total, \
                     (inodes_free * 100.0) / inodes AS inodes_free_percent, \
                     ((inodes - inodes_free) * 100.0) / inodes AS inodes_used_percent \
                     FROM mounts WHERE blocks > 0 AND inodes > 0 AND type NOT IN \
                     ('tmpfs', 'devtmpfs', 'squashfs', 'overlay', 'vboxsf')"
        Interval    60
    </QueryMap>

    <Exec>
        rewrite->process();
        to_json(); (2)
    </Exec>
</Input>

(1) The Rewrite extension provides the functionality to normalize data records, including discarding and renaming fields.
(2) The to_json() procedure converts the data to JSON and writes it to the $raw_event core field.

The following is a record generated by the NXLog Agent configuration above.

Output sample
{
  "action": "added",
  "columns": {
    "active": "952422400",
    "memory_available": "1964593152",
    "cached": "2001072128",
    "memory_free": "157790208",
    "inactive": "2484023296",
    "swap_cached": "0",
    "swap_free": "2145894400",
    "swap_total": "2147479552",
    "memory_total": "4005236736"
  },
  "counter": 0,
  "epoch": 0,
  "name": "memory",
  "numerics": false,
  "unixTime": 1772145390,
  "timestamp": "2026-02-26T23:36:30.298354+01:00",
  "Hostname": "SRV02"
}
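
Both the Windows performance counter record and the Osquery record carry their numeric values as strings, under counter-path keys in one case and inside a columns object in the other, so they usually need normalizing before they can be graphed or alerted on. The following Python example is added here and is not NXLog code; the output layout (host, time, metrics, labels) and the dotted metric names are assumptions chosen for illustration. Rows with action set to removed, which osquery's differential logging emits when a row leaves the result set, are skipped.

```python
import json
import re

# Constructed inputs: trimmed copies of the two output samples on this page.
WIN = r'''{"EventTime": "2026-02-24T12:23:56.043090+01:00", "Hostname": "SRV01",
 "\\Memory\\Available MBytes": "1903.000000",
 "\\Terminal Services\\Active Sessions": "1.000000"}'''
OSQ = '''{"action": "added", "name": "memory", "Hostname": "SRV02",
 "timestamp": "2026-02-26T23:36:30.298354+01:00",
 "columns": {"memory_total": "4005236736", "memory_available": "1964593152"}}'''

def to_number(value):
    """Return an int or float for numeric input, or None for text."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    for cast in (int, float):  # int first keeps large byte counts exact
        try:
            return cast(value)
        except (TypeError, ValueError):
            continue
    return None

def metric_name(counter_path):
    """Turn a counter path into a dotted name (hypothetical naming scheme)."""
    parts = [p for p in counter_path.split("\\") if p]
    return ".".join(re.sub(r"[^a-z0-9]+", "_", p.lower()).strip("_") for p in parts)

def normalize(record):
    """Flatten either record shape; returns None for osquery 'removed' rows."""
    out = {"host": record.get("Hostname"), "metrics": {}, "labels": {}}
    if "columns" in record:                     # im_osquery result envelope
        if record.get("action") == "removed":   # row left the result set
            return None
        out["time"] = record.get("timestamp")
        name = record.get("name", "osquery")
        items = [(f"{name}.{k}", v) for k, v in record["columns"].items()]
    else:                                       # im_winperfcount record
        out["time"] = record.get("EventTime")
        items = [(metric_name(k), v) for k, v in record.items() if k.startswith("\\")]
    for key, value in items:
        number = to_number(value)
        if number is None:
            out["labels"][key] = value          # e.g. device, type, path
        else:
            out["metrics"][key] = number
    return out

if __name__ == "__main__":
    for raw in (WIN, OSQ):
        print(json.dumps(normalize(json.loads(raw)), indent=2))
```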