Configure an NXLog Agent relay
The purpose of a relay is to gather logs from multiple sources and forward them to the final destination, such as NXLog Platform. See Centralized log collection for more information.
Below, we provide examples of configuring NXLog Agent as a relay and collecting logs from another NXLog Agent instance and other log sources.
Transfer logs between NXLog Agent instances
The NXLog Transport modules efficiently transport compressed logs between NXLog Agent instances. These modules preserve all the event fields, so you don’t need to parse log records again on the relay.
First, configure an NXLog Agent relay to receive logs using the im_batchcompress input module.
<Input nxlog_transport>
    Module       im_batchcompress
    ListenAddr   0.0.0.0:2514
    CAFile       /opt/nxlog/cert/rootCA.pem (1)
    CertFile     /opt/nxlog/cert/agent-cert.pem (2)
    CertKeyFile  /opt/nxlog/cert/agent-key.pem (3)
</Input>
(1) The CAFile directive specifies the path to the CA certificate to verify the remote agent’s certificate.
(2) The CertFile directive specifies the path to the relay server’s certificate.
(3) The CertKeyFile directive specifies the public key that was used to sign the relay server’s certificate.
Once your relay is up and running, configure your other NXLog Agent instances to send logs to it with the om_batchcompress output module.
<Output agent_relay>
    Module       om_batchcompress
    Host         192.168.1.101:2514
    UseSSL       TRUE
    CAFile       /opt/nxlog/cert/rootCA.pem (1)
    CertFile     /opt/nxlog/cert/agent-cert.pem (2)
    CertKeyFile  /opt/nxlog/cert/agent-key.pem (3)
</Output>
(1) The CAFile directive specifies the path to the CA certificate to verify the remote agent’s certificate.
(2) The CertFile directive specifies the path to the local server’s certificate.
(3) The CertKeyFile directive specifies the public key that was used to sign the local server’s certificate.
Receive logs from multiple sources
You can configure an NXLog Agent relay to collect logs from different sources, e.g., a network device that can only send logs over UDP and a software application that sends logs over TCP.
This configuration collects syslog messages over TCP and UDP. Both inputs parse log records with the parse_syslog() procedure of xm_syslog.
<Extension syslog>
    Module      xm_syslog
</Extension>
<Input tcp>
    Module      im_tcp
    ListenAddr  0.0.0.0:1514
    Exec        parse_syslog();
</Input>
<Input udp>
    Module      im_udp
    ListenAddr  0.0.0.0:514
    Exec        parse_syslog();
</Input>
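A complete relay configuration, as an added example that is not part of the original page: it combines the three inputs shown above with an output and a route, so that everything the relay receives is forwarded. The instance name upstream, the route name relay, and the address 192.0.2.10:2514 (assumed to be another NXLog Agent instance listening with im_batchcompress) are assumptions. The certificate paths are the ones used on this page.

```conf
# Added example: complete relay configuration, not taken from the NXLog docs.
# Assumption: the final destination is another NXLog Agent instance listening
# with im_batchcompress at 192.0.2.10:2514 (placeholder address).

<Extension syslog>
    Module       xm_syslog
</Extension>

# Logs from other NXLog Agent instances; event fields arrive already parsed
<Input nxlog_transport>
    Module       im_batchcompress
    ListenAddr   0.0.0.0:2514
    CAFile       /opt/nxlog/cert/rootCA.pem
    CertFile     /opt/nxlog/cert/agent-cert.pem
    CertKeyFile  /opt/nxlog/cert/agent-key.pem
</Input>

# Syslog from applications (TCP) and network devices (UDP), parsed on arrival
<Input tcp>
    Module       im_tcp
    ListenAddr   0.0.0.0:1514
    Exec         parse_syslog();
</Input>

<Input udp>
    Module       im_udp
    ListenAddr   0.0.0.0:514
    Exec         parse_syslog();
</Input>

# Forward everything upstream over TLS; om_batchcompress keeps the event fields
<Output upstream>
    Module       om_batchcompress
    Host         192.0.2.10:2514
    UseSSL       TRUE
    CAFile       /opt/nxlog/cert/rootCA.pem
    CertFile     /opt/nxlog/cert/agent-cert.pem
    CertKeyFile  /opt/nxlog/cert/agent-key.pem
</Output>

# The route ties the three inputs to the single output
<Route relay>
    Path         nxlog_transport, tcp, udp => upstream
</Route>
```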