Convert events to metrics

Log events provide detailed records of activities, but monitoring trends and detecting anomalies at scale requires aggregated, numerical data. Converting events to metrics lets you compute counters and rates at the source, producing values that integrate with monitoring and alerting systems.

NXLog Agent supports aggregating values using Statistical counters, allowing you to track metrics such as event counts or data transfer rates over a defined period. You can then forward these aggregated metrics to a monitoring system using output modules such as the OpenTelemetry Exporter or Prometheus module.

Count failed login attempts

The example below demonstrates how to track the rate of failed login attempts from Windows Security events, using a statistical counter to compute a per-minute count.

Example 1. Counting failed login attempts from Windows events

This configuration collects failed login events with the Event Log for Windows input module. It uses two Schedule blocks to initialize a statistical counter at startup and log its value every minute. An Internal input module instance then collects and parses NXLog Agent’s logging to extract the metrics.

nxlog.conf
<Input failed_login>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4625)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>

    <Schedule>
        When     @startup
        Exec     create_stat("failed_logins", "RATE", 60); (1)
    </Schedule>

    <Schedule>
        Every    1 min
        Exec     log_info("failed_logins_per_minute=" + get_stat("failed_logins")); (2)
    </Schedule>

    Exec      add_stat("failed_logins", 1); (3)
</Input>

<Input internal>
    Module    im_internal
    <Exec>
        if ($Message =~ /^failed_logins_per_minute/) {
            $raw_event = "hostname=" + $Hostname + ",timestamp=" + $EventTime + "," + $Message; (4)
        }
        else {
            drop();
        }
    </Exec>
</Input>
1 Initializes the counter at startup with a 60-second sliding window.
2 Writes the metric to the NXLog Agent log file every minute.
3 Updates the counter for each failed login.
4 Sets the value of the $raw_event core field to a set of key-value pairs. Stream-oriented output modules, such as the File and TCP output modules, use this field to forward data.

The following is an event record from the NXLog Agent log file.

Event sample
2026-04-03 16:49:47 INFO [im_msvistalog|failed_login] failed_logins_per_minute=2

When the NXLog Agent configuration above processes this event, it transforms it into the following metric.

Output sample
hostname=SRV01,timestamp=2026-04-03 16:49:47,failed_logins_per_minute=2
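
The following added example (not part of the NXLog documentation) shows a consumer-side check for this metric: it parses the key-value lines in the output format above and raises an alert when a host stays at or above a threshold for several consecutive samples. The function names, the threshold of 30, the three-sample window, and the sample lines are assumptions made for illustration; the parser also accepts the multi-metric lines produced by Example 2.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the key-value format of the output sample above.
SAMPLE = """\
hostname=SRV01,timestamp=2026-04-03 16:49:47,failed_logins_per_minute=2
hostname=SRV01,timestamp=2026-04-03 16:50:47,failed_logins_per_minute=41
hostname=SRV01,timestamp=2026-04-03 16:51:47,failed_logins_per_minute=58
not a metric line
hostname=SRV01,timestamp=2026-04-03 16:52:47,failed_logins_per_minute=63
hostname=SRV02,timestamp=2026-04-03 16:52:48,failed_logins_per_minute=35
"""


def parse_metric(line):
    """Return (hostname, timestamp, {metric: int}) or None if malformed."""
    fields = {}
    for pair in line.strip().split(","):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            return None
        fields[key] = value
    try:
        host = fields.pop("hostname")
        ts = datetime.strptime(fields.pop("timestamp"), "%Y-%m-%d %H:%M:%S")
        metrics = {k: int(v) for k, v in fields.items()}
    except (KeyError, ValueError):
        return None
    return (host, ts, metrics) if metrics else None


def sustained_spikes(lines, metric="failed_logins_per_minute",
                     threshold=30, consecutive=3):
    """Alert when a host is >= threshold for N samples in a row (assumed defaults)."""
    streak, alerts = defaultdict(int), []
    for line in lines:
        parsed = parse_metric(line)
        if parsed is None or metric not in parsed[2]:
            continue  # skip malformed lines and lines for other metrics
        host, ts, metrics = parsed
        streak[host] = streak[host] + 1 if metrics[metric] >= threshold else 0
        if streak[host] == consecutive:  # fire once per sustained run
            alerts.append((host, ts, metrics[metric]))
    return alerts


if __name__ == "__main__":
    for host, ts, value in sustained_spikes(SAMPLE.splitlines()):
        print(f"ALERT {host} {ts} failed_logins_per_minute={value}")
```

Requiring consecutive samples keeps a single mistyped-password burst from alerting while still catching a sustained run of failures on one host.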

Monitor web server data transfer

The example below demonstrates how to measure data transfer rates from NGINX access logs, using statistical counters to compute cumulative and per-minute throughput values in MB.

Example 2. Converting web server access logs into data transfer metrics

This configuration collects NGINX access logs with the File input module and uses a regular expression to parse records into structured data. It uses two Schedule blocks to initialize statistical counters at startup and log their value every minute. An Internal input module instance then collects and parses NXLog Agent’s logging to extract the metrics.

nxlog.conf
<Input nginx_access>
    Module      im_file
    File        '/var/log/nginx/access.log'

    <Schedule>
        When    @startup
        <Exec>
            create_stat("mbps_total", "COUNT", 60); (1)
            create_stat("mbps_rate", "RATE", 60);
        </Exec>
    </Schedule>

    <Schedule>
        # Emit value every minute
        Every   1 min
        <Exec>
            log_info("data_transfer_mbps_total=" + get_stat("mbps_total") + ",data_transfer_mbps_rate=" + get_stat("mbps_rate")); (2)
        </Exec>
    </Schedule>

    <Exec>
        if ($raw_event =~ /(?x)^(\S+)\ \S+\ (\S+)\ \[([^\]]+)\]\ \"(\S+)\ (.+)
                          \ HTTP\/\d\.\d\"\ (\S+)\ (\S+)\ \"([^\"]+)\"
                          \ \"([^\"]+)\"/) {
            # Only count records with a numeric size; for '-' $file_size is undefined
            if ($7 != '-') {
                $file_size = integer($7) / 1048576; (3)
                add_stat("mbps_total", $file_size); (4)
                add_stat("mbps_rate", $file_size);
            }
        }

        drop();
    </Exec>
</Input>

<Input internal>
    Module      im_internal
    <Exec>
        if ($Message =~ /^data_transfer_mbps_total/) {
            $raw_event = "hostname=" + $Hostname + ",timestamp=" + $EventTime + "," + $Message; (5)
        }
        else {
            drop();
        }
    </Exec>
</Input>
1 Initializes the counters at startup with a 60-second sliding window.
2 Writes the metric to the NXLog Agent log file every minute.
3 Converts the file size portion of the log record to an integer and divides it by 1048576 to obtain the value in MB.
4 Updates the counters for each event.
5 Sets the value of the $raw_event core field to a set of key-value pairs. Stream-oriented output modules, such as the File and TCP output modules, use this field to forward data.

The following is an event record from the NXLog Agent log file.

Event sample
2026-04-03 13:16:27 INFO [im_file|nginx_access] data_transfer_mbps_total=4765,data_transfer_mbps_rate=4764

When the NXLog Agent configuration above processes this event, it transforms it into the following metric.

Output sample
hostname=WEBSRV,timestamp=2026-04-03 13:16:27,data_transfer_mbps_total=4765,data_transfer_mbps_rate=4764