Skip to content

Instantly share code, notes, and snippets.



Last active Jan 14, 2020
What would you like to do?
NXLog configuration that can be used to send Windows events to Loggly. Include your unique customer token where specified.
## This is a sample NXLog configuration file created by Loggly. June 2013
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
# Include your Loggly Customer Token here
define CUSTOMER_TOKEN 1234-567-890123-4567890
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Include fileop while debugging, also enable in the output module below
#<Extension fileop>
# Module xm_fileop
<Extension json>
Module xm_json
<Extension syslog>
Module xm_syslog
<Input internal>
Module im_internal
Exec $Message = to_json();
# Watch any file you'd like
<Input file_watch>
Module im_file
File "C:\\Program Files (x86)\\nxlog\data\\nxlog.log"
SavePos TRUE
Exec $Message = to_json();
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
Exec $Message = to_json();
<Output out>
Module om_tcp
Port 514
# Be sure to replace <CUST_TOKEN> with your unique customer token
# Any tags specified will be accessible within Loggly. Space separated list.
Exec to_syslog_ietf();\
$raw_event = replace($raw_event, 'NXLOG@14506', '%CUSTOMER_TOKEN%@41058 tag="windows" tag="example"] [', 1);
#Use the following line for debugging (uncomment the fileop extension above as well)
#Exec file_write("C:\\Program Files (x86)\\nxlog\data\\nxlog_output.log", $raw_event);
<Route 1>
Path internal, file_watch, eventlog => out

This comment has been minimized.

Copy link

@jamescrowley jamescrowley commented Sep 4, 2013

The escape sequence on line 28 is invalid - you need some more backslashes in there!


This comment has been minimized.

Copy link
Owner Author

@ltudury ltudury commented Sep 4, 2013

Added! thanks. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment