Collecting Syslog to OMS Log Analytics using NXLog for Windows

Currently Microsoft provides no way to ingest Syslog messages from network equipment and other devices into OMS Log Analytics in a Windows-only environment. The Linux OMS agent can act as a Syslog collector, but there is no equivalent feature in the Windows agent. I’ve heard rumblings that a windows syslog collector is in the works but in the meantime we need a solution allowing Log Analytics to be our one-stop logging platform.

Enter NXLog Community Edition, an open-source syslog collector and processor. We can use this very light-weight service to act as a syslog collector and then write incoming logs to a file which can be picked up by the OMS monitoring agent.

Setup NXLog

You’ll need a windows server with the OMS monitoring agent installed to act as your syslog collector.

Download and install NXLog CE from here:

https://nxlog.co/products/nxlog-community-edition

Once installed, you can reference this sample config file to setup Syslog ingestion and write-out to log files. With this config, NXLog will create a separate .log file for each logging device, and rotate the files after they reach 10Mb, keeping 5 logs per host.

Once your configuration file is set, restart the NXLog service. If successful you should now be able to point a syslog device to your NXLog server and see log files being written out right away.

Add a Custom Log type to Log Analytics

Now that incoming syslog is being written to a file, we can use the OMS monitoring agent already installed to collect the files and ingest them into Log Analytics. To do this, create a new Custom Log type in Log Analytics.

Open the OMS Log Analytics portal and go to:

Settings > Data > Custom Logs

1 Settings_Custom-Logs

Click Add + to create a new custom log type.

Upload one of the log files you are now generating as a sample to help Log Analytics learn to properly parse the files.

2 Upoad_sample_log

Make sure the records are delimited properly by Log Analytics, the New Line method should work well here.

3 Sample Uploaded

Configure the directory the Monitoring Agent should scan for log files. Keep in mind, this directory will be processed for all windows servers.

4 Collection directory

Name your new custom log type:

5 Name custom log type

 

After a short while, the OMS agent will begin picking up the log files and you can find your fresh syslogs in Log Analytics. From here you could create custom fields to pull out specific values, create alerts, or just leave as is.

6 Log Search