Remote Management (xm_admin)

This module provides secure remote administration capabilities for NXLog Agent installations via JSON or SOAP over HTTP(S), making it easy to implement administrative scripts or create plugins for system monitoring tools such as Nagios, Munin, or Zabbix. With this module, NXLog Agent can accept or initiate connections over TCP, SSL, and Unix domain sockets.

Although the module can both initiate and accept connections, the direction of HTTP(S) requests is always the same: the module receives requests and returns an HTTP(S) response.

NXLog Platform uses this module to manage agents and requires that agent configurations contain certain elements. For more information, see NXLog Agent connectivity in the NXLog Platform User Guide.

To examine the supported platforms, see the list of installation packages.

Configuration

The xm_admin module accepts the following directives in addition to the common module directives.

Required directives

One of the following directives is required for the module to start. The xm_admin module either initiates a connection (using Host) or listens for connections (using ListenAddr), but not both simultaneously.

Host

The module connects to this IP address or hostname. If using a hostname, the module resolves the hostname to an IP address on each new connection.

You can define the port number by appending it to the IP address or hostname using a colon as a separator (host:port). The default port is 8080.

IPv6 addresses must be enclosed in square brackets ([addr]:port). For example, [2001:0db8:85a3:0:0:8a2e:0370:7334]:8080.

ListenAddr

The module listens for connections on this IP address or DNS hostname. The default is localhost.

You can define the port number by appending it to the IP address or hostname using a colon as a separator (host:port). The default port is 8080.

TLS/SSL directives

The following directives configure secure data transfer via TLS/SSL.

AllowExpired

Specifies if the connection should be allowed with an expired certificate. If set to TRUE, the remote host will be able to connect with an expired certificate. The default value is FALSE: the certificate must not be expired. This directive is only valid if RequireCert is set to TRUE.

AllowHostnameValidation

Specifies if the certificate FQDN should be validated against the server hostname or not. If set to TRUE, the connection will only be allowed if the certificate FQDN corresponds to the server hostname. The default value is FALSE: the remote server hostname is not validated.

AllowUntrusted

Specifies if the connection should be allowed regardless of the certificate verification results. If set to TRUE, the remote host will be able to connect with any unexpired certificate. The default value is FALSE: the remote host must present a trusted certificate.

CADir

Path to a directory containing certificate authority (CA) certificates. These certificates will be used to verify the certificate presented by the remote host. The certificate files must be named using the OpenSSL hashed format, i.e. the hash of the certificate followed by .0, .1 etc. To find the hash of a certificate using OpenSSL:

$ openssl x509 -hash -noout -in ca.crt

For example, if the certificate hash is e2f14e4a, then the certificate filename should be e2f14e4a.0. If there is another certificate with the same hash then it should be named e2f14e4a.1 and so on.

A remote host’s self-signed certificate (which is not signed by a CA) can also be trusted by including a copy of the certificate in this directory.

CAFile

Path of the certificate authority (CA) certificate that will be used to verify the certificate presented by the remote host. A remote host’s self-signed certificate (which is not signed by a CA) can be trusted by specifying the remote host certificate itself. In the case of certificates signed by an intermediate CA, the certificate specified must contain the complete certificate chain (certificate bundle).

CAPattern

You can use this directive on Windows to specify a PCRE2-compliant regular expression for locating a suitable Certificate Authority (CA) certificate from the Windows Certificate Store.

The pattern must be in the format "SUBJECT=, CN=; DN=CN=, O=, OU=, L=, ST=, C=; SAN=;". For example:

CAPattern    'DN=CN=SERVER01\.example\.com.*?SAN=DNS:SERVER01\.example\.com'

The above configuration will result in the following logging in the NXLog Agent log file:

matching pattern [DN=CN=SERVER01\.example\.com;.*?SAN=DNS:SERVER01\.example\.com] to certificate [SUBJECT=US, ClientState, ClientCity, ClientCompany, ClientUnit, SERVER01.example.com, CN=SERVER01.example.com; DN=CN=SERVER01.example.com, O=ClientCompany, OU=ClientUnit, L=ClientCity, ST=ClientState, C=US; SAN=DNS:SERVER01.example.com; DNS:www.SERVER01.example.com; IP:127.0.0.3; ]

If the pattern matches multiple certificates, NXLog Agent will use the first one. If the certificate changes, you must restart NXLog Agent for it to start using the new certificate.

This directive is mutually exclusive with the CAThumbprint, CADir, and CAFile directives.

CAThumbprint

This optional directive, supported only on Windows, specifies the thumbprint of the certificate authority (CA) certificate that will be used to verify the certificate presented by the remote host. The hexadecimal fingerprint string can be copied from Windows Certificate Manager (certmgr.msc). Whitespaces are automatically removed. The certificate must be added to a Windows certificate store that is accessible by NXLog Agent. This directive is mutually exclusive with the CADir, CAFile and CAPattern directives.

CertFile

Path of the certificate file that will be presented to the remote host during the SSL handshake.

CertKeyFile

Path of the private key file that was used to generate the certificate specified by the CertFile directive. This is used for the SSL handshake.

CertPattern

This optional directive, supported only on Windows, defines a pattern for identifying a corresponding certificate and its thumbprint within the native Windows Certificate Storage. The pattern must follow PCRE2 rules and use the format "SUBJECT=, CN=, DN=, SAN=" where DN is "CN=, O=, OU=, L=, ST=, C=". The certificate must be imported in PFX format into the Local Computer\Personal certificate store for NXLog Agent to locate it. During configuration, this directive is resolved into the corresponding CertThumbprint value. The first found thumbprint will be chosen if multiple certificates match the pattern. We recommend ensuring that the used certificate storage is well-maintained for optimal performance. This feature is not dynamic; the agent must be restarted if the certificate changes.

This directive is mutually exclusive with the following:

CertThumbprint
CertFile and CertKeyFile pair

Configuration examples:

CertPattern    $hostname + 'Cert'

CertPattern    DN=CN=Client\.example\.com;.*?SAN=DNS:Client\.example\.com

A normal log output example would look like as follows:

matching pattern [DN=CN=Client\.example\.com;.*?SAN=DNS:Client\.example\.com] to certificate [SUBJECT=US, ClientState, ClientCity, ClientCompany, ClientUnit, Client.example.com, CN=Client.example.com; DN=CN=Client.example.com, O=ClientCompany, OU=ClientUnit, L=ClientCity, ST=ClientState, C=US; SAN=DNS:Client.example.com; DNS:www.Client.example.com; IP:127.0.0.3; ]

CertThumbprint

This optional directive, supported only on Windows, specifies the thumbprint of the certificate that will be presented to the remote server during the HTTPS handshake. The hexadecimal fingerprint string can be copied from Windows Certificate Manager (certmgr.msc). Whitespaces are automatically removed. The certificate must be imported to the Local Computer\Personal certificate store in PFX format for NXLog Agent to find it. Run the following command to create a PFX file from the certificate and private key using OpenSSL:

$ openssl pkcs12 -export -out server.pfx -inkey server.key -in server.pem

When the global directive UseCNGCertificates is set to FALSE the private key associated with the certificate must be exportable.

If you generate the certificate request using Windows Certificate Manager, enable the Make private key exportable option from the certificate properties.
If you import the certificate with the Windows Certificate Import Wizard, make sure that the Mark this key as exportable option is enabled.
If you migrate the certificate and associated private key from one Windows machine to another, select Yes, export the private key when exporting from the source machine.

On the contrary, when the global directive UseCNGCertificates is set to TRUE the private key associated with the certificate does not have to be exportable. In cases like TPM modules, the private key is always nonexportable.

The usage of the directive is the same in all cases:

CertThumbprint    7c2cc5a5fb59d4f46082a510e74df17da95e2152

This directive is only supported on Windows and is mutually exclusive with the CertFile and CertKeyFile directives.

CRLDir

Path to a directory containing certificate revocation list (CRL) files. These CRL files will be used to check for certificates that were revoked and should no longer be accepted. The files must be named using the OpenSSL hashed format, i.e. the hash of the issuer followed by .r0, .r1 etc. To find the hash of the issuer of a CRL file using OpenSSL:

$ openssl crl -hash -noout -in crl.pem

For example if the hash is e2f14e4a, then the filename should be e2f14e4a.r0. If there is another file with the same hash then it should be named e2f14e4a.r1 and so on.

CRLFile

Path of the certificate revocation list (CRL) which will be used to check for certificates that have been revoked and should no longer be accepted. Example to generate a CRL file using OpenSSL:

$ openssl ca -gencrl -out crl.pem

DHFile

This optional directive specifies a file with dh-parameters for Diffie-Hellman key exchange. These parameters can be generated with dhparam(1ssl). If this directive is not specified, default parameters will be used. See the OpenSSL Wiki for further details.

KeyPass

Passphrase of the private key specified by the CertKeyFile directive. A passphrase is required when the private key is encrypted.

The following example generates a private key with Triple DES encryption using OpenSSL:

$ openssl genrsa -des3 -out server.key 2048

This directive is not required for passwordless private keys.

LoadCertificateChains

If set to TRUE, try to load higher-level certificates from the referenced PEM file which may contain only one certificate or the whole chain. The default value is FALSE: certificates will be instead loaded from the operating system certification storage.

This directive is only supported on Windows.

RequireCert

Specifies if the remote host must present a certificate. If set to TRUE and a certificate is not presented during the SSL handshake, the connection will be refused. The default value is TRUE: each connection must use a certificate.

SearchAllCertStores

This optional directive, supported only on Windows, if set to TRUE, enables the loading of all available Windows certificates into NXLog Agent for use during remote certificate verification. Any required certificates must be added to a Windows certificate store that NXLog Agent can access. This directive is mutually exclusive with the CAThumbprint, CADir, and CAFile directives.

Sigalgs

The signature algorithm parameter that is being sent to the Windows SSL library. Allowed values depend on the available encryption providers.

This directive is only supported on Windows.

SNI

This optional directive specifies the hostname used for Server Name Indication (SNI).

SSLCipher

This optional directive can be used to set the permitted cipher list for TLSv1.2 and below, overriding the default. Use the format described in the ciphers(1ssl) man page. For example specify RSA:!COMPLEMENTOFALL to include all ciphers with RSA authentication but leave out ciphers without encryption.

If RSA or DSA ciphers with Diffie-Hellman key exchange are used, DHFile can be set for specifying custom dh-parameters.

SSLCiphersuites

This optional directive can be used to set the permitted cipher list for TLSv1.3. Use the same format as in the SSLCipher directive. Refer to the OpenSSL documentation for a list of valid TLS v1.3 cipher suites. The default value is:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

SSLCompression

Specifies if data compression is enabled when sending data over the network. The compression mechanism is based on the zlib compression library. The default value is FALSE: compression is disabled.

Some Linux packages (for example, Debian) use the OpenSSL library provided by the OS and may not support the zlib compression mechanism. The module will emit a warning on startup if the compression support is missing. The generic deb/rpm packages are bundled with a zlib-enabled libssl library.

SSLProtocol

This directive can be used to set the allowed SSL/TLS protocol(s). It takes a comma-separated list of values which can be any of the following: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. By default, the TLSv1.2 and TLSv1.3 protocols are allowed. Note that the OpenSSL library shipped by Linux distributions may not support SSLv2 and SSLv3, and these will not work even if enabled with this directive.

TLSConnectLog

This optional directive enables the logging of the TLS protocol version and cipher suite upon a successful SSL/TLS handshake. Setting this directive to TRUE includes the protocol and cipher used in the log output, which can be helpful for debugging, security audits, and ensuring compliance with encryption standards.

TLSCertLog

Use this directive to log the remote host’s certificate details when a TLS/SSL handshake fails, to help with debugging. Setting this directive to TRUE logs, if available, the Subject, Issuer, NotBefore, and NotAfter fields to the NXLog Agent log file. The default is FALSE.

This directive depends on the values of the AllowUntrusted and RequireCert directives:

AllowUntrusted RequireCert Outcome

FALSE

Output depends on TLSCertLog value

FALSE

TRUE

Output depends on TLSCertLog value

TRUE

FALSE

No output regardless of TLSCertLog value

TRUE

Output depends on TLSCertLog value

UseCNGCertificates

If set to TRUE, the module uses the Windows Cryptography API: Next Generation (CNG) to access the private keys associated with certificates identified by a thumbprint.

This directive is only supported on Windows.

Optional directives

ACL

This block directive makes a directory accessible via the GetFile and PutFile requests. These requests use the ACL name along with the filename. You can specify this directive multiple times for different directories.

AllowRead: If set to TRUE, GetFile requests are allowed on the specified directory.

AllowWrite: If set to TRUE, PutFile requests are allowed on the specified directory.

Directory: The path of the directory.

AllowIP

This optional directive can be used to allow IP addresses and/or networks to connect. The directive can be set multiple times to add different IPs or networks to allow. This directive is only active when the ListenAddr directive is present. In the absence of this directive, the BlockIP directive is considered. If both AllowIP and BlockIP are absent, then hosts are not restricted from connecting to a listening module.

The following formats may be used for the AllowIP directive:

0.0.0.0 (IPv4 address)
0.0.0.0/32 (IPv4 network with subnet bits)
0.0.0.0/0.0.0.0 (IPv4 network with subnet address)
aa::1 (IPv6 address)
aa::12/64 (IPv6 network with subnet bits)

BlockIP

This optional directive can be used to deny IP addresses and/or networks to connect. The directive can be set multiple times to add different IPs or networks to deny. This directive is only active when the ListenAddr directive is present. In the absence of this directive, the AllowIP directive is considered. If both AllowIP and BlockIP are absent, then hosts are not restricted from connecting to a listening module.

The following formats may be used for the BlockIP directive:

0.0.0.0 (IPv4 address)
0.0.0.0/32 (IPv4 network with subnet bits)
0.0.0.0/0.0.0.0 (IPv4 network with subnet address)
aa::1 (IPv6 address)
aa::12/64 (IPv6 network with subnet bits)

MaxConnections

With this optional directive it is possible to set the maximum number of allowed concurrent/active connections for a listening TCP socket. If not specified, the default value is 4294967295, unlimited. When the limit is reached, the incoming connection will be rejected and an error message is shown in the selflog

2024-03-01 22:29:16 ERROR [im_tcp|in_tcp] Number of allowed active connections(10) reached: 10. Refusing connection from 127.0.0.1

ConnectionIdleTimeout

This optional directive defines the maximum time in seconds before NXLog Agent closes TCP connections without traffic. The minimum timeout value is 15 seconds. If this directive is not specified, NXLog Agent does not close idle TCP connections.

ExclusiveAddrUse

This optional boolean directive specifies whether the module instance should exclusively bind to the specified port. The default value is FALSE; multiple module instances can bind to the same port.

This directive is only supported on Windows platforms.

ReuseAddr

This optional boolean directive determines whether the module instance should forcibly bind to a port already in use. The default value is TRUE; multiple instances can listen on the same port and process data simultaneously.

ReusePort

This optional boolean directive specifies whether multiple xm_admin module instances can listen on the same port. When you enable this directive, multiple instances run in a separate thread, allowing NXLog Agent to process incoming logs simultaneously. See the examples below. The default value is FALSE; multiple instances cannot bind to the same port.

This directive is not supported on Windows platforms.

DataTimeout

This directive sets the number of seconds that the module waits for an incoming request. If a valid request does not arrive before the timer expires, the module resets the connection. It accepts values between 5 and 3600. The default is 300 (5 minutes). Setting the value to 0 turns off the timeout mechanism.

Labels

Block directive to define custom key-value pairs to add metadata to an agent, such as the FQDN, geo-location, department, admin contact information, and so on. The module returns labels as part of the response to a ServerInfo API request.

You can set label values statically by specifying a string, a constant, or an environment variable. You can also set values by calling functions or using the include_stdout directive to execute a script. Label values are resolved only once during agent startup.

Event fields and module variables result in an Undef value since these are not available when processing labels during agent startup.

Labels should adhere to the POSIX.1-2017 standard for environment variables. Label names can only contain underscores and alphanumeric characters. The first character of a label name cannot be a digit. Symbols in label values should belong to the portable character set.

See Setting agent labels below for an example.

Reconnect

This optional directive sets the reconnect interval in seconds. If it is set, the module attempts to reconnect in every defined second. If it is not set, the reconnect interval will start at 1 second and double with every attempt. In the latter case, when the system decides that the reconnection is successful, the reconnect interval is immediately reset to 1 sec.

The Reconnect directive must be used with caution. If it is used on multiple systems, it can send reconnect requests simultaneously to the same destination, potentially overloading the destination system. It may also cause NXLog Agent to use unusually high system resources or cause NXLog Agent to become unresponsive.

ReconnectOnData

This optional directive defines the behavior when the connection with the remote host is lost. When set to TRUE, the module only attempts to reconnect when it has data to send. The default value is FALSE; it will always keep a connection open with the remote host.

NOTE: The Reconnect directive only works when used in conjunction with the Host directive.

ReversionTimeout

This directive specifies how much time, in seconds, the module should wait to acquire a connection before it reverts the managed configuration file to the previous version. It accepts values between 5 and 3600. The default is 300 (5 minutes). Setting the value to 0 turns off the reversion mechanism.

See PutFile for more information on configuration reversion.

SocketType

This directive sets the connection type. It can be one of the following:

SSL: TLS/SSL for secure network connections.

TCP: The default if SocketType is not specified.

Remote Management API

The way you request information from the API depends on whether you’re using JSON or SOAP.

JSON
SOAP

When using JSON, the HTTP POST request must include the Content-Type HTTP header with the value set to application/json. The following is an example header:

POST / HTTP/1.1
Host: 192.168.1.123:8080
Content-Type: application/json; charset=utf-8
Content-Length: nnn

Include the request details in a JSON object with the key name msg. This object should contain the following key/values:

command - A string value specifying the name of the method you’re requesting. This value is required.
params - A JSON object containing the required parameters. May be omitted for methods that do not require additional parameters.

You must send the JSON object in the body of the POST request as raw data. The following is a JSON request for ServerInfo.

{
  "msg": {
    "command": "serverInfo",
    "params": {
      "with-extensioninfo": true,
      "with-routeinfo": false
    }
  }
}

Below is an example response header to the above request.

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: nnnn

When using SOAP, the HTTP POST request must include the Content-Type HTTP header with the value set to text/xml. The following is an example header:

POST / HTTP/1.1
Host: 192.168.1.123:8080
Content-Type: text/xml; charset=utf-8
Content-Length: nnn

Add the request details to the Body element. You must send the XML data in the body of the POST request as raw data. The following is a SOAP request for ServerInfo.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <adm:serverInfo xmlns:adm="http://log4ensics.com/2010/AdminInterface">
        <with-extensioninfo>true</with-extensioninfo>
        <with-routeinfo>false</with-routeinfo>
    </adm:serverInfo>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Below is an example response header to the above request.

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: nnnn

API endpoints

The following table lists the available xm_admin API endpoints. Click on each endpoint for details.

Endpoint	Description
GetFile	Download a file from the NXLog Agent host.
GetLog	Download the NXLog Agent log file.
GetUid	Retrieve the unique identifier (UID) of the NXLog Agent installation.
ModuleInfo	Request information about a module instance.
ModuleRestart	Restart a module instance.
ModuleStart	Start a module instance.
ModuleStop	Stop a module instance.
PutFile	Upload a file to the NXLog Agent host.
RouteInfoRequest	Request information about a route.
RouteRestart	Restart a route.
RouteStart	Start a route.
RouteStop	Stop a route.
ServerInfo	Request information about NXLog Agent and its host.
ServerRestart	Restart all module instances.
ServerStart	Start all module instances.
ServerStop	Stops all input, processor, and output module instances.
SetUid	Set the NXLog Agent’s unique identifier (UID) and signature.

Endpoint

Description

GetFile

Download a file from the NXLog Agent host.

GetLog

Download the NXLog Agent log file.

GetUid

Retrieve the unique identifier (UID) of the NXLog Agent installation.

ModuleInfo

Request information about a module instance.

ModuleRestart

Restart a module instance.

ModuleStart

Start a module instance.

ModuleStop

Stop a module instance.

PutFile

Upload a file to the NXLog Agent host.

RouteInfoRequest

Request information about a route.

Restart a route.

Start a route.

Stop a route.

Request information about NXLog Agent and its host.

ServerRestart

Restart all module instances.

ServerStart

Start all module instances.

ServerStop

Stops all input, processor, and output module instances.

SetUid

Set the NXLog Agent’s unique identifier (UID) and signature.

Examples

Example 1. Basic xm_admin configuration

The following is a basic configuration that listens for connections on all available network interfaces on port 8080. This configuration is more suitable for testing and troubleshooting.

%CERTDIR% and %CONFDIR% are constants defined in the default NXLog Agent configuration.

nxlog.conf

<Extension admin>
    Module            xm_admin
    ListenAddr        0.0.0.0:8080
    SocketType        TCP
    <ACL conf>
        Directory     %CONFDIR%
        AllowRead     TRUE
        AllowWrite    TRUE
    </ACL>
    <ACL cert>
        Directory     %CERTDIR%
        AllowRead     TRUE
        AllowWrite    TRUE
    </ACL>
</Extension>

Example 2. Secure xm_admin configuration

This configuration uses TLS/SSL certificates for secure communication with the remote host.

%CERTDIR% and %CONFDIR% are constants defined in the default NXLog Agent configuration.

nxlog.conf

<Extension admin>
    Module            xm_admin
    Host              agents.nxlog.example.com:5515
    SocketType        SSL
    CAFile            %CERTDIR%/agent-ca.pem (1)
    CertFile          %CERTDIR%/agent-cert.pem (2)
    CertKeyFile       %CERTDIR%/agent-key.pem (3)
    <ACL conf>
        Directory     %CONFDIR%
        AllowRead     TRUE
        AllowWrite    TRUE
    </ACL>
    <ACL cert>
        Directory     %CERTDIR%
        AllowRead     TRUE
        AllowWrite    TRUE
    </ACL>
    <ACL logs> (4)
        Directory     /tmp/logs
        AllowRead     TRUE
        AllowWrite    TRUE
    </ACL>
</Extension>

1	The CAFile directive specifies the path of the Certificate Authority (CA) certificate.
2	The CertFile directive specifies the path of the local server’s certificate.
3	The CertKeyFile directive specifies the path of the server’s certificate private key.
4	A custom ACL named `logs` that allows GetFile and PutFile requests for the specified directory.

Example 3. Setting agent labels

This configuration sets three static labels:

os_name using a static string.
agent_base using a constant defined with the define general directive.
os using an environment variable defined with the envvar general directive.

When using define or envvar, the values must be enclosed in quotes as shown below.

It also sets labels using two other methods:

The include_stdout general directive to set labels via a script.
The hostname_fqdn() function to set the host_fqdn label. This is a good practice if you need to view the host’s FQDN in NXLog Platform, since xm_admin only sends the short hostname by default.

include_stdout executes scripts during agent startup with elevated privileges. Use this feature cautiously, as it poses a security risk if the script is modified maliciously.

nxlog.conf

define BASE /opt/nxlog
envvar NXLOG_OS

<Extension admin>
   Module               xm_admin
   ...
   <labels>
      os_name           "Debian"
      agent_base        "%BASE%"
      os                "%NXLOG_OS%"

      include_stdout    /path/to/labels.sh
      host_fqdn         hostname_fqdn()
   </labels>
</Extension>

On Microsoft Windows, if the NXLog Agent service is running with a custom user account and NXLog Agent is managed from NXLog Platform, the account needs to be added to the built-in Performance Monitor Users Windows group to be able to access performance counter data. If not, the following error will be logged in the log file:

ERROR PdhAddEnglishCounterA for '\Processor(_Total)\% Processor Time' failed with error 0x800007d0: Unable to connect to the specified computer or the computer is offline.;

Furthermore, an error may be logged when NXLog Agent is configured to collect events from Windows Event Log:

ERROR xm_admin error: FormatMessage() call failed: The storage control block address is invalid.

This happens when the user account does not have permission to access the specified Windows Event Log channels. Refer to Access denied to a Windows Event Log channel in the Troubleshooting section for instructions on how to resolve this error.