NXLog Legacy Documentation

Alerting

NXLog can be configured to generate alerts when specific conditions are met. Here are some ways alerting could be implemented.

Sending messages to an external program

The om_exec module can pipe messages to an external program or script, which will be executed once the om_exec module has started. The external script is required to run continuously until the om_exec module is stopped and the pipe is closed. This functionality can be used for alerting.

Example 1. Using om_exec with an external alerter

In this example Output, all messages not matching the regular expression are dropped, and remaining messages are piped to a custom alerter script.

nxlog.conf
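<Output out>
    Module  om_exec
    Command /usr/bin/someprog
    Arg     -
    # Drop every message that does not match the alert condition
    Exec    if not ($raw_event =~ /alertcondition/) drop();
</Output>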

Without the Exec directive above, all messages received by the module would be passed to the alerter script as defined by the Command directive. The optional Arg directive passes its value to the Command script.
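
An alerter of the kind the Command directive could point to, as an added example that is not part of the NXLog documentation: it runs until om_exec closes the pipe and hands each matching event to the local MTA as message data, never as part of a shell command line. The sendmail path, the size cap and the function names are assumptions; the pattern and the recipient are the ones used in this page's examples.

```python
#!/usr/bin/env python3
"""Alerter for om_exec: reads one event per line on stdin until the pipe closes."""
import re
import subprocess
import sys
from email.message import EmailMessage

ALERT_RE = re.compile(r"alertcondition")  # same pattern as the page's examples
RECIPIENT = "user@domain.com"             # address used on the page
SENDMAIL = "/usr/sbin/sendmail"           # assumption: path of the local MTA binary
MAX_BODY = 4096                           # assumption: cap on the mailed event size


def build_alert(raw_event: str) -> EmailMessage:
    """Build the mail; headers are fixed, the event is only ever body data."""
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["Subject"] = "ALERT"
    # Replace control characters (tabs excepted) found in the received log data.
    body = "".join(c if c.isprintable() or c == "\t" else "?" for c in raw_event)
    msg.set_content("RawEvent:\n" + body[:MAX_BODY])
    return msg


def deliver(msg: EmailMessage) -> None:
    """Hand the message to the MTA with an argument list, so no shell parses it."""
    # check=False: a failed delivery must not terminate the long-running alerter.
    subprocess.run([SENDMAIL, "-t", "-i"], input=msg.as_bytes(), check=False)


def run(stream, send=deliver) -> int:
    """Process events until EOF (om_exec stopped); return the number of alerts."""
    sent = 0
    for line in stream:
        event = line.rstrip("\n")
        # Re-check the condition even if nxlog.conf already filters with Exec.
        if ALERT_RE.search(event):
            send(build_alert(event))
            sent += 1
    return sent


if __name__ == "__main__":
    sys.stdin.reconfigure(errors="replace")  # tolerate invalid bytes in events
    run(sys.stdin)
```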

Invoking a program for each message

The xm_exec module provides two procedures, exec() and exec_async(), for spawning an external program or script. The script is executed once for each call, and is expected to terminate when it has finished processing the message.

Example 2. Using xm_exec with an external alerter

In this example Input, each message matching the regular expression is piped to a new instance of alerter, which is executed asynchronously (does not block additional processing by the calling module).

nxlog.conf
<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_tcp
    Host    0.0.0.0
    Port    1514
    <Exec>
        if $raw_event =~ /alertcondition/
            exec_async("/usr/local/sbin/alerter");
    </Exec>
</Input>

Example 3. Using xm_exec to send an email

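In this example, an email is sent using exec_async() when the regular expression condition is met. Note that $Hostname and $raw_event are concatenated into the string that /bin/sh -c interprets, so shell metacharacters in a received event (a double quote, backticks, $(...)) are evaluated by the shell. Use this pattern only when the event content is trusted or has been sanitized first.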

nxlog.conf
<Extension _exec>
    Module  xm_exec
</Extension>

<Input in>
    Module  im_tcp
    Host    0.0.0.0
    Port    1514
    <Exec>
        if $raw_event =~ /alertcondition/ 
        {
            exec_async("/bin/sh", "-c", 'echo "' + $Hostname + '\n\nRawEvent:\n' +
                       $raw_event + '"|/usr/bin/mail ' +
                       '-a "Content-Type: text/plain; charset=UTF-8" ' +
                       '-s "ALERT" user@domain.com');
        }
    </Exec>
</Input>

Generate an internal NXLog log message

NXLog can be configured to generate an internal log event when a specific condition is met. Internal log events can be generated with various severity levels using the log_error(), log_warning(), log_info(), and log_debug() procedures. Internal log messages will be written to the file specified by the global LogFile directive (according to the configured LogLevel) and will be generated by the im_internal module.

DEBUG level events are not generated by the im_internal module.

In NXLog Enterprise Edition version 5, the log_info() procedure will truncate messages larger than 1024 bytes. In subsequent versions, messages longer than the limit specified by LogSizeLimit will be truncated.

Example 4. Using log_warning() for alerting

If a message matches the regular expression, an internal log event is generated with level WARNING.

nxlog.conf
<Input in>
    Module  im_file
    File    "/var/log/app.log"
    Exec    if $raw_event =~ /alertcondition/ log_warning("ALERT");
</Input>