Microsoft Windows

This topic describes how to install and upgrade NXLog on Microsoft Windows. It details the procedure for installing NXLog using an MSI and explains how to install NXLog via Group Policy.

Installing

First, download the NXLog MSI file from the NXLog website.

  1. Log in to your account, then click My account at the top of the page.

  2. Under the Downloads > NXLog Enterprise Edition files tab, choose the correct package for your system.

    Table 1. Available Windows installers

    Platform                     Package
    Microsoft Windows, 64-bit    nxlog-6.2.9212_windows_x64.msi

    Starting from versions 5.x, the 32-bit version of NXLog is no longer supported. Only versions 4.x and older provide 32-bit installers.

    Using the 32-bit installer to install NXLog on a 64-bit system is unsupported and not recommended. To override the installer check and proceed anyway, use the SKIP_X64_CHECK=1 property (for example, msiexec /i nxlog-4.x.xxxx_windows_x86.msi /q SKIP_X64_CHECK=1).

The NXLog installer packages are digitally signed. For more details about package verification, see the Signature Verification for Windows section in the User Guide.

There are several ways that NXLog can be installed on Windows.

See also the MSI for NXLog agent setup add-on, which provides an example MSI package for bootstrapping NXLog agents.

The service Startup type of newer versions of NXLog is set to Automatic (Delayed Start) instead of Automatic. To change this option, open the service control manager and alter the Startup type in the General tab.

Installing interactively

  1. Run the installer by double-clicking the MSI file. After you accept the license agreement, an option for choosing an alternate installation directory is presented. Click Install to start the installation. Click Finish once it has completed; the README.txt file will then be opened in Notepad.

  2. Configure NXLog by editing nxlog.conf (by default, C:\Program Files\nxlog\conf\nxlog.conf). General information about configuring NXLog can be found in Configuration. For more details about configuring NXLog to collect logs on Windows, see the Microsoft Windows summary.

  3. The configuration file syntax can be checked by running the NXLog executable with the -v (verify) option.

    > "C:\Program Files\nxlog\nxlog.exe" -v
    2017-03-17 08:05:06 INFO configuration OK

  4. Start NXLog by opening the Service Manager, finding the nxlog service in the list, and starting it. To run it in the foreground instead, invoke the nxlog.exe executable with the -f command line argument.

  5. Open the NXLog log file (by default, C:\Program Files\nxlog\data\nxlog.log) with Notepad and check for errors.

    Some text editors (such as Wordpad) use exclusive locking and will refuse to open the log file while NXLog is running.

Installing with msiexec

Msiexec can be used for performing an unattended installation of NXLog. This command does not prompt the user at all, but it must be run as administrator.

> msiexec /i nxlog-6.2.9212_windows_x64.msi /q

To allow Windows to prompt for administrator privileges, but otherwise install unattended, use /qb instead.

> msiexec /i nxlog-6.2.9212_windows_x64.msi /qb

To specify a non-default installation directory, use the INSTALLDIR property.

> msiexec /i nxlog-6.2.9212_windows_x64.msi /q INSTALLDIR="C:\nxlog"
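The following script is an added example, not part of the NXLog documentation. It ties the signature check mentioned earlier to the unattended msiexec installation and the -v configuration check, refusing to install unless the package carries a valid signature from the expected publisher. The signer name is a placeholder and the log file location is an assumption.

```powershell
# Added example (not from the NXLog docs): verify the MSI signature, install
# unattended, then syntax-check the configuration. Run from an elevated prompt.
param(
    [string]$MsiPath = '.\nxlog-6.2.9212_windows_x64.msi',
    # ASSUMPTION: placeholder. Take the real signer name from the
    # "Signature Verification for Windows" section of the User Guide.
    [string]$ExpectedSigner = '<EXPECTED-SIGNER-SUBJECT>',
    [string]$InstallDir = 'C:\Program Files\nxlog'
)

$msi = (Resolve-Path -LiteralPath $MsiPath -ErrorAction Stop).Path

# 1. Authenticode check. 'Valid' means the hash matches and the chain is trusted;
#    'HashMismatch' means the file changed after it was signed.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is '$($sig.Status)' ($($sig.StatusMessage))"
}
# A valid signature from the wrong publisher is still the wrong package.
if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
    throw "Refusing to install: unexpected signer '$($sig.SignerCertificate.Subject)'"
}
Write-Host "Signature OK: $($sig.SignerCertificate.Subject) [$($sig.SignerCertificate.Thumbprint)]"

# 2. Unattended install as shown above (/i ... /q INSTALLDIR=...), plus a verbose MSI log.
$log = Join-Path $env:TEMP 'nxlog-install.log'   # assumed log location
$msiArgs = "/i `"$msi`" /q INSTALLDIR=`"$InstallDir`" /l*v `"$log`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required
if (@(0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# 3. Syntax-check the configuration with -v, as in the interactive procedure.
$out = & (Join-Path $InstallDir 'nxlog.exe') -v 2>&1 | Out-String
if ($out -notmatch 'configuration OK') {
    throw "nxlog.conf failed verification:`n$out"
}
Write-Host 'Installed and configuration verified.'
```

A package that was modified after signing, for example one saved from an MSI editor, does not report a Valid vendor signature and is rejected by step 1.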

Deploying via Group Policy

For large deployments, it may be convenient to use Group Policy to manage the NXLog installation.

These steps were tested with a Windows Server 2016 domain controller and a Windows 7 client. There are multiple ways to configure NXLog deployment with Group Policy. The required steps for your network may vary from those listed below.

  1. Log on to the server as an administrator.

  2. Set up an Active Directory group for computers requiring an NXLog installation. NXLog will be automatically installed and configured on each computer in this group.

    1. Open the Active Directory Users and Groups console (dsa.msc).

    2. Under the domain, right-click on Computers and click Group.

    3. Provide a name for the group (for example, nxlog). Use the Security group type and Global context (or the context suitable for your case).

    4. Add computers to the group by selecting one or more, clicking Add to a group…, and entering the group name (nxlog).

  3. Create a network share for distributing the NXLog files.

    1. Create a folder in the desired location (for example, C:\nxlog-dist).

    2. Set up the folder as a share: right-click, select Properties, open the Sharing tab, and click Share….

    3. Add the group (nxlog) and click Share. Take note of the share name provided by the wizard (for example, \\WINSERV1\nxlog-dist); it will be needed later.

    4. Copy the required files to the shared folder. If using NXLog Manager, this will include at least three files: nxlog-6.2.9212_windows_x64.msi, managed.conf, and CA certificate agent-ca.pem. If not using NXLog Manager, use a custom nxlog.conf instead of managed.conf, omit the CA certificate, and include any other files required by the configuration.

      NOTE

      The file managed.conf is located in the C:\Program Files\nxlog\conf\nxlog.d\ directory. Prior to NXLog version 5, it had the name log4ensics.conf and was located in the C:\Program Files\nxlog\conf\ directory.

  4. Create a Group Policy Object (GPO) for the NXLog deployment.

    1. Open the Group Policy Management console (gpmc.msc).

    2. In the console tree, under Domains, right-click on your domain and click Create a GPO in this domain, and Link it here…; this will create a GPO under the Group Policy Objects folder and link it to the domain.

    3. Name the GPO (for example, nxlog) and click OK.

    4. Select the newly created GPO in the tree.

    5. In the Security Filtering list, add the Active Directory group created in step 2 (nxlog). Remove anything else.

    6. Right-click on the GPO and click Edit. The Group Policy Management Editor console will be opened for editing the GPO.

  5. Add the NXLog MSI to the GPO.

    Figure 1. Configured NXLog GPO

    1. Under Computer Configuration > Policies > Software Settings, right-click Software installation. Click New > Package… to create a deployment package for NXLog.

    2. Browse to the network share and open the nxlog-6.2.9212_windows_x64.msi package. It is important to use the Uniform Naming Convention (UNC) path (for example, \\WINSERV1\nxlog-dist) so the file will be accessible by remote computers.

    3. Select the Assigned deployment method.

  6. Add the required files to the GPO by following these steps for each file.

    1. Under Computer Configuration > Preferences > Windows Settings, right-click on Files. Click New > File.

    2. Select the Replace action in the drop-down.

    3. Choose the source file on the network share (for example, \\WINSERV1\nxlog-dist\managed.conf or \\WINSERV1\nxlog-dist\agent-ca.pem).

    4. Type in the destination path for the file (for example, C:\Program Files\nxlog\conf\nxlog.d\managed.conf or C:\Program Files\nxlog\cert\agent-ca.pem).

    5. Check Apply once and do not reapply under the Common tab for files that should only be deployed once. This is especially important for managed.conf because NXLog Manager will write configuration changes to that file.

    6. Click OK to create the File in the GPO.

  7. After the Group Policy is updated on the clients and NXLog is installed, one more reboot will be required before the NXLog service starts automatically.
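Because clients install whatever MSI and configuration files sit on the distribution share, it is worth confirming that only administrators can change its contents. The script below is an added example, not part of the NXLog documentation; it reports any share-level or NTFS permission that grants write access to an unexpected identity. The share name is the example from the steps above, and the list of allowed writers is an assumption to adapt.

```powershell
# Added example (not from the NXLog docs): find principals that can modify the
# distribution share used by the GPO. Run on the file server as administrator.
param(
    [string]$ShareName = 'nxlog-dist',   # example share name from the steps above
    # ASSUMPTION: only these identities should be able to write; adjust as needed
    # (names are localized on non-English systems).
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$findings = @()

# Share-level permissions: anything above Read lets a remote client change files.
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and
        $AllowedWriters -notcontains $ace.AccountName) {
        $findings += "share: $($ace.AccountName) has $($ace.AccessRight)"
    }
}

# NTFS permissions on the shared folder and everything below it.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, seen on some inherit-only ACEs
$items = @(Get-Item -LiteralPath $share.Path) +
         @(Get-ChildItem -LiteralPath $share.Path -Recurse -Force)
foreach ($item in $items) {
    foreach ($rule in (Get-Acl -LiteralPath $item.FullName).Access) {
        $rights = [int]$rule.FileSystemRights
        $canWrite = ($rights -band $writeMask) -or ($rights -band $genericWriteOrAll)
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
            $AllowedWriters -notcontains $rule.IdentityReference.Value) {
            $findings += "ntfs:  $($rule.IdentityReference.Value) has $($rule.FileSystemRights) on $($item.FullName)"
        }
    }
}

# Print each finding once and signal failure to the caller.
if ($findings) { $findings | Sort-Object -Unique; exit 1 }
Write-Host "No unexpected write access on \\$env:COMPUTERNAME\$ShareName"
```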

For more information about Group Policy, see the following TechNet and MSDN articles:

Prevent automatic start of the NXLog service during installation

The default behavior of the NXLog Windows agent MSI installer is to automatically start the service during the installation process. In environments where this behavior is undesirable, the MSI installer can be edited to disable automatic start of the NXLog service.

InstEd is a free tool for editing MSI packages. Follow the steps below to use this tool and disable automatic service start for the NXLog MSI installer. These steps have been tested with InstEd version 1.5.15.26.

InstEd is third-party software and using it subjects you to its terms and conditions. NXLog provides no guarantees and is not responsible for any loss or damage of any sort resulting from the use of third-party products.

  1. Download and install InstEd MSI editor.

  2. Open InstEd, click on File > Open, and select the desired NXLog MSI package.

  3. With the Tables tab selected, scroll down to locate ServiceControl.

  4. Change the Event column to 0x0004 and the Wait column to 0.

  5. Click on File > Save and specify a name for the new package.

  6. Close InstEd and install the NXLog agent package.

    InstEd Editor configuration

    InstEd needs to be closed before installing the NXLog agent package.

Upgrading

To upgrade NXLog to the latest release, or to replace a trial installation of NXLog Enterprise Edition with a licensed copy, follow these steps. It is recommended to make a backup of the configuration files before starting this process.

To upgrade from NXLog Community Edition to NXLog Enterprise Edition, you need to uninstall NXLog Community Edition and then follow the instructions to install NXLog Enterprise Edition. Make a backup of the configuration files before uninstalling NXLog Community Edition; you will need to copy these manually to the new installation.

  1. Run the new MSI installer as described in the Installing section (interactively, with Msiexec, or via Group Policy). The installer will detect the presence of the previous version and perform the upgrade within the current installation directory.

    To upgrade from v3.x, uninstall the previous version before installing the new version (see Uninstalling). This is necessary to transition from a per-user to a per-machine installation. This check can be skipped by passing the SKIP_PERUSER_CHECK property (such as msiexec /i nxlog-6.2.9212_windows_x64.msi /q SKIP_PERUSER_CHECK=1). Note that using SKIP_PERUSER_CHECK is unsupported and not recommended.

    If the Services console (services.msc) is running, the installer may request the computer to be rebooted or display a permission denied error. Please ensure that the Services console is not running before attempting an upgrade.

  2. Start the upgraded NXLog service via the Services console (services.msc) or by rebooting the system. Check the log file (by default, C:\Program Files\nxlog\data\nxlog.log) to verify logging is working as expected.

For Group Policy deployments, follow these steps:

  1. Download the new MSI package as described in the Installing introduction.

  2. Place the new MSI in the distribution share (see Create a network share).

  3. Add this MSI as a new package to the NXLog GPO (follow the steps under Add the NXLog MSI).

  4. Right-click on the new package and click Properties. Open the Upgrades tab, click Add…, select the previous version from the list, and click OK.

If you want to downgrade to a previous version of NXLog, you will need to manually uninstall the current version first. See Uninstalling.

Uninstalling

NXLog can be uninstalled in several different ways.

  • From the Control Panel (not discussed here).

  • By using msiexec and the original NXLog MSI.

  • Via the GPO it was originally deployed with in an AD Domain environment.

  • Via a downloadable batch script.

In addition to the above, NXLog provides a method to remove the Windows Registry traces after uninstalling.

NXLog v3.x installers will remove log4ensics.conf and nxlog.conf during the uninstallation process, even if they have been modified. If these files need to be preserved, they should be backed up to another location before uninstalling NXLog v3.x.

Uninstalling with msiexec

Uninstall NXLog using msiexec with the following command:

> msiexec /x nxlog-6.2.9212_windows_x64.msi /qb

This procedure may not remove all files that were created while configuring NXLog. Likewise, any files created as a result of NXLog’s logging operations will not be removed (except for v3.x installers as noted above). You may wish to remove the installation directory (by default, C:\Program Files\nxlog) once the uninstallation process has completed.

Uninstalling via Group Policy

For Group Policy deployments, follow these steps:

  1. Open the Group Policy Object (GPO) originally created for installation (see Create a Group Policy Object).

  2. For each NXLog version that has been deployed, right-click the package and either:

    • click All Tasks > Remove…, and choose the Immediately uninstall removal method; or

    • click Properties, open the Deployment tab, and check Uninstall this application when it falls out of the scope of management.

      In this case, NXLog will be uninstalled when the GPO is no longer applied to the computer. An additional action will be required, such as removing the selected computer(s) from the nxlog group created in Set up an Active Directory group.

Remove traces of NXLog

After uninstalling NXLog, some traces remain in the Windows Registry. NXLog provides a list of the Windows Registry entries to be removed in the form of a .reg file. Download the reg-entries.reg file from the public contrib repository of NXLog and pass it as an argument to the Registry Editor, regedit.exe.

To remove any Windows Registry entries that were left behind, use the following command:

> regedit.exe /S reg-entries.reg

Uninstalling with the uninstall-x64.bat script

The script combines the steps of the Uninstalling with msiexec and Remove traces of NXLog procedures as well as prompts for the removal of the installation directory.

To complete the procedure, the following files need to be present in the same directory:

  • uninstall-x64.bat - The main script.

  • reg-entries.reg - The list of Windows Registry entries to remove.

  • The exact version of the MSI installer with which NXLog was installed.

The necessary files can be downloaded from the windows-uninstall directory of NXLog’s public contrib repository.

To start the automatic uninstall and trace removal procedure, use the following command:

> uninstall-x64.bat nxlog-{productVersion}_windows_x64.msi

The Readme.MD file in the public contrib repository explains details of the script operation.

Configure with a custom MSI

NXLog can be configured using a custom built MSI package. The MSI will install the CA certificate and chosen custom configuration files. The package can be deployed alongside the NXLog MSI. For more information, see the MSI for NXLog agent setup add-on.

Deployment via Group Policy already provides a way to deploy the configuration files. For this reason, it may be preferable to configure NXLog via GPO instead of creating a custom MSI as described in this section.