Tech

How to solve the challenge of centralised logging with nxlog

Feb 21, 2019 Written by Simon Yuen

At Infomentum we have successfully moved towards a centralised logged infrastructure where systems, application, network and security logs are parsed and made available in one central point. Using components such as Elasticsearch, Logstash and Kibana, our logging infrastructure provides us the ability to apply filters to perform queries and basic trends analysis or counts.

One of the challenges we faced was shipping Windows Server logs from a logfile onto Logstash’s syslog listener, and we found a tool that does exactly that - nxlog-ce-2.9.1716

With nxlog installed and configured following the official documentation, we have decided to setup a logging to help us debug/troubleshoot user account lockouts.

Using the Microsoft’s LockoutStatus tool, we have instructed our Active Directory Server to save Netlogon Debug Logs to C:\Windows\debug\Netlogon.log

Netlogon logging

We have configured the nxlog Windows service and configured it to forward the C:\Windows\debug\Netlogon.log input log file to our Logstash server by adding the following lines.

...

<Input netlogon_log>
Module im_file
File "C:\Windows\debug\Netlogon.log"
</Input>
 

<Route 1>
Path netlogon_log => elk_out
</Route> 

<Output elk_out>
Module om_udp
Host ** redacted **
Port 5140
OutputType LineBased
</Output>

... 

The log file appeared and is filled with logs from our users' logon requests, but Logstash has not received anything from the nxlog service.

The path to the log file had the correct cases, but somehow nxlog managed to truncate it when the config file gets parsed. 

nxlog’s logs: 

...
2019-02-11 11:47:58 INFO nxlog-ce-2.9.1716 started
2019-02-11 11:48:00 ERROR apr_stat failed on file C:\Windows\debug;etlogon.log; The filename, directory name, or volume label syntax is incorrect.
2019-02-11 11:48:06 ERROR last message repeated 2 times
...

I have tried a few things, but after a bit of trial and error, in the end, what fixed it was making some letters on the input log path UPPER case. 

...
<Input netlogon_log>
Module im_file
File "C:\Windows\DEBUG\Netlogon.log"
</Input>
...

Afterwards it worked like a charm, the error message no longer appeared on the nxlog log file and Logstash has successfully received the Netlogon Debug logs from Active Directory Windows server.

Netlogon debug logs

Having worked in many Unix-like environments, it is our second nature to use correct cases for filenames and folders, but in this case, doing the exact opposite has solved our problem.

I hope you found this tip useful. Let me know if you have any comments or questions.

We’d love to hear your opinion on this post