Nxlog doesn't forward from file input

[kevXZY]

Problem description

Nxlog doesn't send from file input to graylog input. I'm not receiving any logs from the GELF UDP Input. I followed the guide and have no errors in nxlog.log or collector-sidecar.log

Here are the logs nxlog.log 2018-08-29 12:08:35 INFO configuration OK 2018-08-29 12:08:35 INFO reloading configuration and restarting modules 2018-08-29 12:08:35 INFO configuration reloaded successfully. 2018-08-29 12:08:38 INFO nxlog-ce-2.10.2102 started

collector-sidecar.log time="2018-08-29T12:08:35+02:00" level=info msg="[nxlog] Configuration change detected, rewriting configuration file." time="2018-08-29T12:08:35+02:00" level=info msg="[nxlog] Stopping" time="2018-08-29T12:08:38+02:00" level=info msg="[nxlog] Starting (exec driver)"

Configurations

/etc/graylog/collector-sidecar/generated/nxlog.conf

define ROOT /usr/bin

Module xm_gelf

User nxlog Group nxlog

Moduledir /usr/lib/nxlog/modules CacheDir /var/spool/collector-sidecar/nxlog PidFile /var/run/graylog/collector-sidecar/nxlog.pid

define LOGFILE /var/log/graylog/collector-sidecar/nxlog.log LogFile %LOGFILE% LogLevel INFO

Module xm_fileop When @daily Exec file_cycle('%LOGFILE%', 7);

<Input 5b866514343fba039df31245> Module im_file File '/var/spool/collector-sidecar/nxlog/access.log' PollInterval 1 SavePos True ReadFromLast True Recursive True RenameCheck False Exec $FileName = file_name(); # Send file name with each message

<Output 5b8664fe343fba039df3122b> Module om_udp Host 192.168.1.12 Port 12201 OutputType GELF Exec $short_message = $raw_event; # Avoids truncation of the short_message field. Exec $gl2_source_collector = 'f8002da4-a27b-4399-975c-11a3b9fcbccc'; Exec $collector_node_id = 'graylog'; Exec $Hostname = hostname_fqdn();

Path 5b866514343fba039df31245 => 5b8664fe343fba039df3122b

/etc/graylog/collector-sidecar/collector_sidecar.yml server_url: http://127.0.0.1:9000/api/ update_interval: 10 tls_skip_verify: true send_status: true list_log_files: collector_id: file:/etc/graylog/collector-sidecar/collector-id cache_path: /var/cache/graylog/collector-sidecar log_path: /var/log/graylog/collector-sidecar log_rotation_time: 86400 log_max_age: 604800 tags:

• linux
• apache backends:
• name: nxlog enabled: true binary_path: /usr/bin/nxlog configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf
• name: filebeat enabled: false binary_path: /usr/bin/filebeat configuration_path: /etc/graylog/collector-sidecar/generated/filebeat.yml

Graylog GUI configuration:

Input

Output

Environment

• Sidecar Version: 0.1.6
• Graylog Version:Graylog 2.4.6+ceaa7e4
• Operntu 14 Trusty
• Elasticsearch Version:
• MongoDB Version:

[mariussturm]

Hi, are sure that /var/spool/collector-sidecar/nxlog/access.log does exist and is not empty? Usually you want to collect files like /var/log/apache2/access.log not sure what the nxlog access.log file should be.

Did you make sure that the GELF input on the server side is actually running and accessable from the host running nxlog? Which guide did you follow?

[kevXZY]

Yes the folder cotains the log file. I just changed to /tmp/logs folder and gave rights to nxlog to access it sudo chown -R nxlog.nxlog /tmp/logs/

Nxlog and the GELF input are running on the same host Netstat output

[kevXZY]

Solved. I uncheked these options