Compress and encrypt logs with NXLog Agent
Two main concerns when storing log files on disk are reducing the size to save storage space and preventing unauthorized access. NXLog Agent provides compression and encryption functionality to help you address these.
Below, we provide examples of compressing and encrypting log files and their inverse operations—decompressing and decrypting log files to process the original logs. See NXLog Agent log compression and encryption for a further explanation of how compression and encryption data converters work.
Compress and decompress logs
Text compression is very efficient and reduces your log files' size significantly.
The bigger the file size, the higher the data compression ratio you will achieve.
NXLog Agent’s xm_zlib module provides file compression and decompression functionality that you can use with the im_file and om_file modules.
It supports the gzip and zlib file formats.
This configuration writes logs to a file with the om_file output module. It uses the default LineBased output format to write one record per line and compresses the log file in gzip format.
<Extension zlib> (1)
Module xm_zlib
</Extension>
<Output output_file>
Module om_file
File '/tmp/nxlog-output.txt.gz'
OutputType zlib.compress (2)
</Output>| 1 | This xm_zlib module instance is named zlib.
You must use this name when specifying compression and decompression data converters in the rest of the configuration. |
| 2 | Sets the OutputType directive to use the compress data converter of the zlib instance.
Since the configuration does not specify an output writer function, the om_file instance will use the default one, equivalent to setting OutputType = LineBased, zlib.compress. |
You can read back compressed log files with an im_file instance, specifying the decompression data converter in the input type. For example, the following configuration collects the log files created with the above configuration.
This configuration reads gzip-compressed files with the im_file input module. It expects text-based logs written one record per line.
<Extension zlib> (1)
Module xm_zlib
</Extension>
<Input input_file>
Module im_file
File '/tmp/nxlog-output.txt.gz'
InputType zlib.decompress (2)
</Input>| 1 | This xm_zlib module instance is named zlib.
You must use this name when specifying compression and decompression data converters in the rest of the configuration. |
| 2 | Sets the InputType directive to use the decompress data converter of the zlib instance.
Since the configuration does not specify an input reader function, the im_file instance will use the default one, equivalent to setting InputType = zlib.decompress, LineBased. |
Encrypt and decrypt logs
Encrypting logs adds a layer of security, preventing unauthorized access to log data. Compliance regulations often require logs to be encrypted. NXLog Agent’s xm_crypto module provides file encryption and decryption functionality that you can use with the im_file and om_file modules. It uses the AES symmetric encryption algorithm with a 256-bit key.
This configuration writes logs to a file with the om_file output module. It uses the default LineBased output format to write one record per line. It also encrypts and password-protects the output log file.
<Extension crypto> (1)
Module xm_crypto
Password MySecretPassword (2)
</Extension>
<Output output_file>
Module om_file
File '/tmp/nxlog-output.txt'
OutputType crypto.aes_encrypt (3)
</Output>| 1 | This xm_crypto module instance is named crypto.
You must use this name when specifying compression and decompression data converters in the rest of the configuration. |
| 2 | Uses the Password directive to password-protect the log file. Alternatively, use a PasswordFile. |
| 3 | Sets the OutputType directive to use the aes_encrypt data converter of the crypto instance.
Since the configuration does not specify an output writer function, the om_file instance will use the default one, equivalent to setting OutputType = LineBased, crypto.aes_encrypt. |
You can read back encrypted log files with an im_file instance, specifying the decryption data converter in the input type. For example, the following configuration collects the log files created with the above configuration.
This configuration reads AES-encrypted files with the im_file input module. It expects text-based logs written one record per line.
<Extension crypto> (1)
Module xm_crypto
Password MySecretPassword (2)
</Extension>
<Input input_file>
Module im_file
File '/tmp/nxlog-output.txt'
InputType crypto.aes_decrypt (3)
</Input>| 1 | This xm_crypto module instance is named crypto.
You must use this name when specifying compression and decompression data converters in the rest of the configuration. |
| 2 | The Password must match the password you used to encrypt the file. |
| 3 | Sets the InputType directive to use the aes_decrypt data converter of the crypto instance.
Since the configuration does not specify an input reader function, the im_file instance will use the default one, equivalent to setting InputType = crypto.aes_decrypt, LineBased. |
Combine compression and encryption
The previous examples demonstrated how you can compress and encrypt log files separately. However, you can combine the two to compress and encrypt your log files simultaneously.
This configuration writes logs to a file with the om_file output module. It uses the default LineBased output format to write one record per line. In addition, it compresses the output log file in gzip format and encrypts it.
<Extension zlib> (1)
Module xm_zlib
</Extension>
<Extension crypto> (2)
Module xm_crypto
Password MySecretPassword (3)
</Extension>
<Output output_file>
Module om_file
File '/tmp/nxlog-output.txt.gz'
OutputType zlib.compress, crypto.aes_encrypt (4)
</Output>| 1 | This xm_zlib module instance is named zlib.
You must use this name when specifying compression and decompression data converters in the rest of the configuration. |
| 2 | This xm_crypto module instance is named crypto.
You must use this name when specifying encryption and decryption data converters in the rest of the configuration. |
| 3 | Uses the Password directive to password-protect the log file. Alternatively, use a PasswordFile. |
| 4 | Sets the OutputType directive to use the compress data converter of the zlib instance and the aes_encrypt data converter of the crypto instance in that sequence.
Since the configuration does not specify an output writer function, the om_file instance will use the default one, equivalent to setting OutputType = LineBased, zlib.compress, crypto.aes_encrypt. |
You can read back compressed and encrypted log files with an im_file instance, specifying the decompression and decryption data converters in the input type. For example, the following configuration collects the log files created with the above configuration.
This configuration reads gzip-compressed and AES-encrypted files with the im_file input module. It expects text-based logs written one record per line.
<Extension zlib> (1)
Module xm_zlib
</Extension>
<Extension crypto> (2)
Module xm_crypto
Password MySecretPassword (3)
</Extension>
<Input input_file>
Module im_file
File '/tmp/nxlog-output.txt.gz'
InputType crypto.aes_decrypt, zlib.decompress (4)
</Input>| 1 | This xm_zlib module instance is named zlib.
You must use this name when specifying compression and decompression data converters in the rest of the configuration. |
| 2 | This xm_crypto module instance is named crypto.
You must use this name when specifying encryption and decryption data converters in the rest of the configuration. |
| 3 | The Password must match the password you used to encrypt the file. |
| 4 | Sets the InputType directive to use the decompress data converter of the zlib instance and the aes_decrypt data converter of the crypto instance in that sequence.
Since the configuration does not specify an input reader function, the im_file instance will use the default one, equivalent to setting InputType = crypto.aes_decrypt, zlib.decompress, LineBased. |