Graylog

Graylog is a popular open source log management tool with a GUI that uses Elasticsearch as a backend. It provides centralized log collection, analysis, searching, visualization, and alerting features. NXLog can be configured as a Graylog collector using one of the output writers provided by the xm_gelf module. In such a setup, NXLog acts as a forwarding agent on the client machine, sending messages to a Graylog node.

This integration guide explains how to configure NXLog to forward logs to Graylog and how to manage NXLog agents remotely using Graylog Sidecar.

Configuring Graylog

To learn how to install and configure Graylog, see the Installing Graylog section of the Graylog documentation.

To accept data from collectors like NXLog, Graylog uses inputs. Separate inputs should be configured for each network protocol. For example, you can collect data in GELF format over TCP and UDP using two inputs. To configure an input, open the Graylog web interface and follow the instructions below.

  1. Using the Graylog web interface, go to System > Inputs.

  2. From the Select input dropdown list, select the input and click Launch new input. In this example, GELF TCP has been selected.

    [Figure: The Select input dropdown list]
  3. In the Launch new <Input Type> input window, provide the required input parameters.

  4. Using the Node dropdown list, select the Graylog node for your input, or select the Global checkbox to make the input global.

  5. In the Title field, provide the input name.

  6. In the Bind address field, specify the IP address to listen on.

  7. Using the Port field, indicate the port the input will listen on.

    [Figure: The Launch new input window]
  8. If applicable, additionally configure the TLS-related fields.

  9. Click Save. After saving, the input will appear shortly.

After the input is configured and running, it is available for viewing under System > Inputs as shown below.

[Figure: Configured TCP input]

Configuring NXLog to forward data to Graylog

The following examples show how to configure NXLog to forward log data to Graylog using its inputs.

Example 1. Sending Windows trace logs over UDP

The NXLog configuration below uses the im_etw module to capture events from the Microsoft-Windows-DNS-Client trace provider.

The om_udp module instance specifies GELF_UDP as the output type for sending data over UDP.

nxlog.conf
<Extension gelf>
    Module        xm_gelf
</Extension>

<Input from_dns>
    Module        im_etw
    Provider      Microsoft-Windows-DNS-Client
</Input>

<Output to_graylog_udp>
    Module        om_udp
    Host          192.168.43.29:12201
    OutputType    GELF_UDP
</Output>

To accept messages from NXLog over UDP, Graylog should have the GELF UDP input up and running.

The following example demonstrates how to forward log data to Graylog over SSL/TLS.

Example 2. Forwarding systemd logs over SSL/TLS

This NXLog configuration uses the im_systemd module to read log data from Linux.

To forward messages to Graylog, the GELF_TCP output type is specified for the om_ssl module instance. The CertFile and CertKeyFile directives provide access to the certificate and private key files.

nxlog.conf
<Extension gelf>
    Module          xm_gelf
</Extension>

<Input from_systemd>
    Module          im_systemd
</Input>

<Output to_graylog_ssl>
    Module          om_ssl
    Host            192.168.43.29:10500
    CertFile        /tmp/certificate.crt
    CertKeyFile     /tmp/privateKey.key
    OutputType      GELF_TCP
    AllowUntrusted  TRUE
</Output>

To collect encrypted events from NXLog, follow the Graylog input configuration instructions for GELF TCP inputs and configure the TLS-related fields.
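In Example 2, AllowUntrusted TRUE tells om_ssl to accept the Graylog input's certificate without verifying it, so the connection is encrypted but the agent has no assurance that it is talking to the intended Graylog node. The configuration below is an added example, not part of the original guide, showing the same output with certificate verification enabled: CAFile points to the CA certificate that signed the certificate configured on the Graylog GELF TCP input (a self-signed input certificate can itself be used as the CAFile), and AllowUntrusted is set to FALSE, which is also the directive's default. The IP address and all file paths are assumptions.

```nxlog
<Extension gelf>
    Module          xm_gelf
</Extension>

<Input from_systemd>
    Module          im_systemd
</Input>

<Output to_graylog_ssl>
    Module          om_ssl
    # Assumed address of the Graylog GELF TCP input with TLS enabled
    Host            192.168.43.29:10500
    # CA certificate (assumed path) that signed the certificate configured on
    # the Graylog input; the server certificate is verified against it
    CAFile          /opt/nxlog/cert/graylog-ca.pem
    # Client certificate and private key (assumed paths); only required if the
    # Graylog input is configured to require client certificates
    CertFile        /opt/nxlog/cert/nxlog-client.crt
    CertKeyFile     /opt/nxlog/cert/nxlog-client.key
    # Reject the connection when the server certificate does not verify
    AllowUntrusted  FALSE
    OutputType      GELF_TCP
</Output>
```

With this setting, a certificate that does not chain to the CA in CAFile causes the connection attempt to fail, which NXLog records in its log file rather than silently forwarding to an unverified endpoint. The GELF UDP output from Example 1 carries messages in clear text with no sender or receiver authentication, so it should only be used on a trusted network segment.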

Installing and configuring Graylog Sidecar

Graylog Sidecar is a lightweight configuration management system that enables you to manage multiple remote NXLog instances from a single Graylog web interface.

  1. Before installing and configuring Sidecar, configure the NXLog log collector using the Graylog web interface.

    1. To prepare the NXLog collector configuration, navigate to System > Sidecars and click Configuration.

    2. In the Log Collectors section, click the Edit button corresponding to the configuration you would like to edit.

    3. On the Log Collector page, provide the necessary parameters and click Update. The table below lists the parameters whose values differ between the Windows and Linux versions of NXLog, based on the default installation settings of their respective installation packages.

      Table 1. Configuration parameters

      Parameter name                      | Microsoft Windows                 | Linux
      ------------------------------------+-----------------------------------+---------------------
      Executable Path                     | C:\Program Files\nxlog\nxlog.exe  | /opt/nxlog/bin/nxlog
      Execute Parameters                  | -c "%s"                           | -f -q -c %s
      Configuration Validation Parameters | -v -f -c "%s"                     | -v -c %s

  2. Create a configuration using the Graylog web interface.

    1. Click Configuration, then click Create Configuration under the Configurations section.

    2. On the New Collector Configuration page, specify the configuration name, select the collector name from the Collector dropdown list, and provide the NXLog configuration which will override the default collector configuration. In the output instance of the NXLog configuration, use the IP addresses of the configured Graylog inputs. Click Create to create the configuration.

    3. Click Overview to navigate to the Sidecars Overview page. On this page, click Create or reuse a token for the <UserName> user. In the Create and Edit Tokens section, fill out the Token Name field and click Create Token.

  3. Install Graylog Sidecar on each machine where NXLog will be running. For details on how to install Graylog Sidecar, see the Graylog Sidecar section of the Graylog documentation. Once installed, you will need the token from the previous step for editing the sidecar.yml configuration file. See the sidecar.yml Reference table for details regarding the server_api_token parameter.

  4. Install NXLog and disable it per the Install collectors section of the Sidecar documentation.

  5. After the Sidecar has been successfully started, bind an NXLog configuration to it using the Graylog web interface.

    1. Navigate to System > Sidecars.

    2. On the Sidecars Overview page, click Manage sidecar.

    3. On the Collectors Administration page, select the sidecar you would like to assign a configuration to, expand the Configuration dropdown list, and click the configuration you would like to assign to the collector.

Verifying data collection in Graylog

  1. To verify collection of log messages, navigate to Sidecar > Inputs.

  2. On the Inputs page, click Show received messages for the input which should be verified.

    [Figure: The Inputs page]
  3. The messages page shows metrics and the list of received messages, which can be filtered and exported.

    [Figure: Page with input messages]
  4. Click a message to expand the information about it.

    [Figure: Information about the message]
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

The accuracy of the content was tested and confirmed to work in our lab environment at the time of the last revision with the following software versions:

NXLog 5.3.6720 on Linux (Ubuntu 18.04) and Windows Server 2019
Graylog 4.0.6 running on Ubuntu 18.04
Graylog sidecar 1.1.0 running on Ubuntu 18.04 and Windows Server 2019

Last revision: 30 April 2021