Create your first configuration with the configuration builder

To complete this tutorial, you will need:

Navigate to Agents > Configurations Overview, then click Add new template. In the Configuration Information panel, provide a name and an optional comment for your configuration.

You are now ready to drag and drop input and output modules into your configuration or switch to a text-based configuration.

You typically use constant values for directory paths, filenames, hostnames, regular expressions, or any values you will reference more than once within the configuration.

Use the following syntax to define a constant:

Start by adding the following constants to your configuration by switching to the text-based editor, as explained in the previous step. These three constants define the NXLog Agent installation and logging directories and the agent log file path. Line numbers 1, 2, and 3 in the image below.

Global directives control the overall behavior of NXLog Agent. These include logging, batching, caching, and date format settings.

The following is the syntax for defining a global directive:

Continue building your configuration by adding the following two directives to configure the NXLog Agent LogLevel and LogFile path. Line numbers 5 and 6 below.

Input module instances define the sources from which to collect or receive logs. Since we want to collect Windows events, drag Windows 2008/Vista and Later Event Logging from the snippets list and drop it on the Collect From slot. This utilizes the im_msvistalog input module.

To further narrow down the events, we will configure the QueryXML directive of this module to only collect security event IDs 4624 (successful logon) and 4625 (failed logon attempt).

You can learn more about Filtering Windows logs in our Windows Event Log integration guide.

Add the following log source to your input module by clicking the settings button on the log source you added, then copy the following Xpath query to the QueryXML field.

The next step is to configure the destination of your logs with an output module instance. Destinations may include a file, a sylog server, SIEM, or NXLog Platform. For simplicity and to see results immediately, we’ll use the File drag-and-drop item from the Send to snippet list, which utilizes the om_file output module to save the Windows Event Log records in a file.

The only thing left in this step is to specify the path we need to collect logs from (C:\logs\windows_events.log). Add the output location by clicking the settings button on the log destination.

Your configuration is fully functional at this point. The below image shows what your screen should display.

You can process logs further by parsing or transforming logs to a specific format. In this instance, you will use Convert to JSON, which utilizes the xm_json extension to convert Windows Event Log records to JSON format.

Finally, you need to define your logs' flow and processing order. In this case, you built your configuration within the default_route, which is automatically created, so nothing further is needed. If you add more sources and destinations to this route, NXLog Agent routes all log data from your sources to each of the destinations.

When you are ready, click Save Configuration at the bottom of the page.

Your configuration template is now ready to use! All you need to do is to assign it to an agent.

The only thing left is to assign the configuration to an agent so it can start collecting logs. Click the actions menu adjacent to the configuration, then select Assign agent.

Select the agents you want to assign the configuration to, then click the + Assign agents button.

To confirm that the configuration was applied successfully, navigate to Agents and search for your agent. You should now see the status of your agent set to Configured.